What is a security advisory?
Last reviewed June 2, 2026
A security advisory is an official notice, usually published by a software vendor or a coordinating body, that describes one or more vulnerabilities in a product. It typically identifies the affected versions, references the relevant CVE IDs, gives a severity rating such as a CVSS score, and tells users how to remediate, whether by patching, upgrading, or applying a workaround. Advisories are the authoritative source defenders act on when a vulnerability is disclosed.
Security advisory in one sentence
A security advisory is a published statement that tells users a vulnerability exists in a product and what to do about it. Vendors issue advisories for their own software, and coordinators such as CERT/CC issue them for issues that span multiple vendors or have no single owner.
Where a CVE record is a terse, structured identifier and description, an advisory is the human-facing communication built around it: the official word from the people responsible for the fix.
What an advisory contains
- A title and an advisory identifier (vendors often use their own scheme, such as a bulletin number).
- The affected products and version ranges, and the fixed versions.
- One or more CVE IDs linking the advisory to the canonical vulnerability records.
- A severity rating, frequently a CVSS score and vector.
- A description of the vulnerability and its impact.
- Remediation guidance: patches, upgrades, configuration changes, or workarounds.
- Credits, disclosure timeline, and references to related material.
Advisory vs CVE
The two are closely linked but distinct. A CVE is the shared identifier and base record for a vulnerability; an advisory is the publisher's narrative communication that references it. A single advisory can cover several CVEs at once, such as a monthly patch release, and one CVE can be referenced by advisories from multiple vendors when a shared component is affected.
In the CVE record itself, advisories appear as references, which is how a scanner or analyst pivots from a CVE ID to the official remediation guidance.
Machine-readable advisories
Advisories increasingly ship in structured, machine-readable formats so tools can ingest them automatically. The Common Security Advisory Framework (CSAF) is an OASIS standard for this, and many open-source ecosystems publish GitHub Security Advisories in a structured form.
These formats let downstream systems match advisories to installed software, extract affected version ranges, and even carry VEX statements about whether a given product is actually affected, reducing the manual effort of reading prose advisories one by one.
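As an added example (not code from this page or from the CSAF project), the following Python reads a constructed, simplified advisory laid out in the style of a CSAF 2.0 document and matches it against an inventory of installed product IDs, reporting each product's status (including the VEX-style known_not_affected), CVSS base score and remediation text. The field names follow the CSAF 2.0 schema as commonly used; the document contents, product names and CVE ID are placeholders, and `triage` and `actionable` are names chosen for this example.

```python
import json

# Constructed, simplified advisory in CSAF 2.0 style. All values are placeholders.
CSAF_DOC = json.loads("""
{
  "document": {"category": "csaf_vex", "title": "Example advisory",
               "tracking": {"id": "EXAMPLE-0000-0001", "status": "final", "version": "1"}},
  "product_tree": {"full_product_names": [
    {"product_id": "CSAFPID-1", "name": "Example App 1.0"},
    {"product_id": "CSAFPID-2", "name": "Example App 1.1"},
    {"product_id": "CSAFPID-3", "name": "Example Lib 2.4"}]},
  "vulnerabilities": [
    {"cve": "CVE-0000-0001",
     "product_status": {"known_affected": ["CSAFPID-1"], "fixed": ["CSAFPID-2"],
                        "known_not_affected": ["CSAFPID-3"]},
     "scores": [{"cvss_v3": {"baseScore": 7.5,
                             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
                 "products": ["CSAFPID-1"]}],
     "remediations": [{"category": "vendor_fix", "details": "Upgrade to Example App 1.1",
                       "product_ids": ["CSAFPID-1"]}]}
  ]
}
""")


def product_names(doc):
    """Map CSAF product IDs to their human-readable names."""
    return {p["product_id"]: p["name"] for p in doc["product_tree"]["full_product_names"]}


def triage(doc, installed):
    """For each installed product ID, collect (cve, status, base score, remediation).
    Also returns the installed IDs the advisory does not mention at all."""
    names = product_names(doc)
    unknown = set(installed) - set(names)
    findings = {}
    for vuln in doc["vulnerabilities"]:
        fixes = {pid: r["details"] for r in vuln.get("remediations", [])
                 for pid in r.get("product_ids", [])}
        scores = {pid: s["cvss_v3"]["baseScore"] for s in vuln.get("scores", [])
                  for pid in s.get("products", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                if pid in installed:
                    findings.setdefault(pid, []).append(
                        (vuln["cve"], status, scores.get(pid), fixes.get(pid)))
    return findings, unknown


def actionable(findings):
    """Keep only entries the advisory marks as known_affected: the ones needing remediation."""
    return {pid: [f for f in entries if f[1] == "known_affected"]
            for pid, entries in findings.items() if any(f[1] == "known_affected" for f in entries)}
```

A VEX-style known_not_affected entry is returned as a finding but filtered out by `actionable`, which is exactly the manual reading step the structured format removes.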
Keep exploring
- What is a CVE? – The identifier advisories reference.
- What is VEX? – Statements about whether a product is actually affected.
- Coordinated vulnerability disclosure – The process that leads to an advisory.
- What is a CNA? – Vendors that assign CVEs and publish advisories.
- What is CVSS? – The severity rating advisories usually include.
- What is a GHSA? – GitHub Security Advisories and how they map to CVEs.
Frequently asked questions
- What is the difference between a security advisory and a CVE?
- A CVE is the shared identifier and base record for a vulnerability. A security advisory is the official notice, usually from a vendor, that describes the vulnerability, its affected products, severity, and how to remediate, and it references the relevant CVE IDs.
- Who publishes security advisories?
- Software vendors publish advisories for their own products, and coordinators such as CERT/CC publish them for multi-vendor or unowned issues. Many vendors are also CNAs that assign the CVE IDs their advisories reference.
- Can one advisory cover multiple CVEs?
- Yes. A single advisory, such as a monthly security update, commonly addresses many CVEs at once, and a single CVE can be referenced by advisories from several vendors.
- What is CSAF?
- CSAF, the Common Security Advisory Framework, is an OASIS standard for machine-readable security advisories, letting tools automatically parse affected products, severity, and remediation, and carry VEX statements.