Best practice for retrospective advisory identifier assignment & dating

[mbauman]

I'm trying to determine how to best create and assign advisories for a new ecosystem advisory database that will import many old upstream advisories with the appropriate versions and identifiers for our ecosystem's packages that directly shipped the vulnerable upstream. It seems the existing open source ecosystems do a mix of things here:

• PYSEC has used the original advisory's publication date for both its PYSEC-YYYY identifier prefix and the publication date. (e.g., https://osv.dev/vulnerability/PYSEC-2005-1)
• HSEC has used the date of their advisory's publication for both its identifier and the published date. (e.g., https://osv.dev/vulnerability/HSEC-2023-0005)

I'm leaning towards the latter behavior but was curious if this project had a view on the best practice as a downstream consumer of many such databases.

[jess-lowe]

We would also lean towards the latter behaviour for traceability purposes.