Move Related Work Check from section 12 to section 8 in report template

ColtonWilley · ColtonWilley · commit d5038f1a4313 · 2026-04-22T19:07:36.000-07:00
Related Work Check is a triage prerequisite and belongs with the other
due-diligence sections, not at the end after disclosure coordination.
Previous sections 8-11 shift to 9-12. Content unchanged; no internal
cross-references point to the shifted sections.
diff --git a/SECURITY-REPORT-TEMPLATE.md b/SECURITY-REPORT-TEMPLATE.md
@@ -160,15 +160,34 @@ The following are not proofs-of-concept and will not satisfy this requirement:
 
 ---
 
-## 8. Caller API Usage
+## 8. Related Work Check
+
+**Have you verified this defect is not already being addressed?** _required_:
+describe your review of open pull requests and recent commits in the
+relevant wolfSSL repository that touch the same file or function. Include
+the search terms you used and any specific PRs or commits you examined
+(with URLs). AI-assisted tooling makes this search efficient and is a
+reasonable way to perform it.
+
+**If related work is ongoing or merged** _required_: explain how your
+report is novel relative to that work — e.g., your defect is in a
+different code path, a different return value, a different call site,
+or a different attacker reachability.
+
+Reports of issues already being addressed in open work are treated as
+duplicates and do not receive CVE consideration.
+
+---
+
+## 9. Caller API Usage
 
 **Does triggering the defect require the caller to use wolfSSL APIs outside
 their documented behavior?** _required_: answer yes or no, then describe the
 specific API calls, options, and sequences used.
 
 ---
 
-## 9. Severity Self-Assessment
+## 10. Severity Self-Assessment
 
 **Reporter-proposed severity** _required_: Critical, High, Medium, or Low.
 
@@ -182,7 +201,7 @@ assessment is input, not the final classification.
 
 ---
 
-## 10. Disclosure Coordination
+## 11. Disclosure Coordination
 
 **Requested embargo period** _required_: state your preferred embargo
 duration. Longer embargoes for ecosystem coordination may be requested.
@@ -197,32 +216,13 @@ so we can coordinate the advisory release.
 
 ---
 
-## 11. Suggested Fix _(optional)_
+## 12. Suggested Fix _(optional)_
 
 If you have a proposed patch, attach it. Patches are not required, but they
 accelerate the fix timeline.
 
 ---
 
-## 12. Related Work Check
-
-**Have you verified this defect is not already being addressed?** _required_:
-describe your review of open pull requests and recent commits in the
-relevant wolfSSL repository that touch the same file or function. Include
-the search terms you used and any specific PRs or commits you examined
-(with URLs). AI-assisted tooling makes this search efficient and is a
-reasonable way to perform it.
-
-**If related work is ongoing or merged** _required_: explain how your
-report is novel relative to that work — e.g., your defect is in a
-different code path, a different return value, a different call site,
-or a different attacker reachability.
-
-Reports of issues already being addressed in open work are treated as
-duplicates and do not receive CVE consideration.
-
----
-
 ## What Happens Next
 
 1. **Acknowledgment.** We acknowledge receipt as reports arrive.
