# Security Advisory Process

This document defines how ExecuTrace handles vulnerability advisories.

## Advisory Workflow

1. Receive private report
2. Triaging and severity assessment
3. Patch development and review
4. Coordinated release
5. Public advisory publication and attribution

## Severity Guide

- Critical: Remote execution, full compromise
- High: Privilege escalation, data exposure
- Medium: Significant abuse with constraints
- Low: Limited impact

## Attribution

Contributors and researchers who responsibly disclose verified vulnerabilities are added to:

- `website/data/security_hof.json`
- website Security Hall of Fame section

## Advisory Template

- Title
- Affected versions
- CVSS/severity
- Technical summary
- Reproduction
- Mitigation
- Fixed version
- Credits