Security Advisories: no guidance on what the file should contain after the TOML

[frasertweedale]

The security advisory spec does not state what the markdown file should contain,
apart from the TOML front matter.

Browsing the RustSec advisory DB shows that their advisories typically contain a write-up of
the issue: title, summary, attack description, mitigations, timeline, acknowledgements, etc.

Presumably the same is intended for the Haskell advisory DB. But the TP (or the official
documentation that arises from it) ought to include guidance on the advisory file contents
beyond the TOML.

[frasertweedale]

#39 might well be addressed by this. For example the guidance might include something like:

The advisory write-up should detail any assumptions made in the calculation of CVSS scores. See CVSS v3.1 User Guide section 3.7 for further explanation.

[david-christiansen]

I agree that this is a real limitation of the document as written - what you've described is what was in my head, but when the final guidelines come out, they need to make it explicit! Thanks.