What is the difference between a private vulnerability advisory and a public one?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What is the difference between a private vulnerability advisory and a public one?

Explanation:
Coordinated disclosure on GitHub uses a two-stage advisory process. The first stage is a private (draft) repository security advisory: it is visible only to the repository's admins and the collaborators they add to it, so maintainers, the reporter and anyone helping with the remediation can discuss the vulnerability, record the affected versions and prepare a patch without handing attackers the details they would need to exploit it. The second stage begins when the maintainers publish the advisory: it becomes publicly visible in the repository's Security tab (and can be submitted to the GitHub Advisory Database, with a CVE if one is requested), so users and downstream projects learn which versions are affected and which are fixed. In short, private advisories support coordinated disclosure among maintainers, and public advisories inform everyone after publication. Options stating that private advisories are publicly viewable or that public advisories require authentication contradict this flow, and describing private advisories as a feature-rollout mechanism misses their purpose: controlling who can see vulnerability information until a fix is available.

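The two stages described in the explanation, driven from the command line with the `gh` CLI against GitHub's REST API for repository security advisories. This is an added example, not code from the quiz page or from GitHub: the owner and repository names, the package name, the version ranges and the advisory text are constructed placeholders, and the live calls (which need `gh` authenticated as a repository admin, plus `curl` and `jq`) only run when `RUN_LIVE=1`. The final check is the practical point of the question: an unauthenticated caller listing the repository's advisories must only ever see `published` ones, never `draft`.

```shell
#!/usr/bin/env bash
# Two-stage advisory flow: private draft first, public advisory after publication.
# OWNER/REPO and the advisory contents below are placeholders (assumptions).
set -eu

OWNER="${OWNER:-example-org}"
REPO="${REPO:-example-lib}"

# Stage 1 payload: a draft (private) repository security advisory.
# Only repo admins and collaborators they add to it can see this.
# start_private_fork asks GitHub for a temporary private fork to develop the fix in.
draft_payload() {
  cat <<'EOF'
{
  "summary": "Path traversal in archive extraction",
  "description": "extract() does not canonicalise entry names, so a crafted archive can write outside the target directory.",
  "severity": "high",
  "cwe_ids": ["CWE-22"],
  "vulnerabilities": [
    {
      "package": {"ecosystem": "pip", "name": "example-lib"},
      "vulnerable_version_range": "< 1.4.2",
      "patched_versions": "1.4.2"
    }
  ],
  "start_private_fork": true
}
EOF
}

# Stage 2 payload: flip the same advisory from draft to published.
publish_payload() {
  printf '{"state": "published"}\n'
}

# POST the draft; prints the GHSA identifier GitHub assigns.
create_draft() {
  draft_payload | gh api --method POST \
    "/repos/$OWNER/$REPO/security-advisories" --input - --jq '.ghsa_id'
}

# PATCH the advisory to published once the fix is released; prints the new state.
publish_advisory() {
  publish_payload | gh api --method PATCH \
    "/repos/$OWNER/$REPO/security-advisories/$1" --input - --jq '.state'
}

# Check from the outside: no token, so only published advisories should be returned.
# Any "draft" in this output would mean private advisory data is leaking.
public_advisory_states() {
  curl -sS "https://api.github.com/repos/$OWNER/$REPO/security-advisories" \
    | jq -r '.[].state' | sort -u
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  ghsa=$(create_draft)
  echo "draft created: $ghsa (private; coordinate the fix with collaborators here)"
  # ... merge the fix and cut a release, then:
  publish_advisory "$ghsa"
  public_advisory_states
fi
```

Run it with `RUN_LIVE=1 OWNER=<org> REPO=<repo> ./advisory_flow.sh` after `gh auth login`; without `RUN_LIVE` it only defines the functions, which is enough to inspect the payloads.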
