Researcher Security Advisory Writing Guidelines

[This was originally published on the OSVDB blog.]

Researcher Security Advisory Writing Guidelines
Open Security Foundation /
moderators at

This document has been prepared by the Open Security Foundation (OSF) to assist security researchers in working with vendors and creating advisories. Security advisories help convey important information to the community, regardless of your goals or intentions. While you may have an intended audience in mind as you write an advisory, they will not be the only ones to read it. There is a lot of information that can be included in a properly written advisory, and leaving any out makes your advisory something less than it could be.

The OSF encourages researchers to use this document as a guideline for writing security advisories. We will focus on the content of the advisory, not the style. While there is a logical order of presentation, what ultimately matters is including the necessary information, though some things are most beneficial at the start of an advisory. Remember; more information is better, and including information for other parties ultimately helps more people.

How you disclose a vulnerability is your choice. The debate about “responsible” or “coordinated” disclosure has raged for over two decades. There is no universal accord on what is an appropriate period of time for a vendor to reply to a vulnerability report, or fix the issue, though it is generally agreed that it is at the least more than a day and less than a year. Researchers, we fully encourage you to work with vendors and coordinate disclosure if possible; your goal is to improve security after all, right? The following material will give you additional information and considerations for this process.

Brian Martin & Daniel Moeller

View the Researcher Security Advisory Writing Guidelines

Box of Shit: Space Rogue

At some point around 2008 I put together a box with a bunch of random shit laying around. Nothing of value, all stuff you question why you even kept it in the first place basically. Off it went to an unsuspecting victim/friend. From there, the box-of-shit was born. Since then, I have sent out hundreds of boxes or envelopes of shit. On occasion, people document what they receive with comedic flair. This is one of the boxes I received and wrote about. This was originally published on

For those who aren’t up on curmudgeon history, Space Rogue, who I lovingly call ‘Sprog’, and I go way back. Not like that, it wasn’t romantic, it was purely a writer and tech editor relationship. The total bromance came years later. Pretty sure we sealed the deal over a meal in China Town last year. Or was that my desperate attempt to order a ‘Purple Squirrel’ from a bar that didn’t want my money, not really sure.

Anyway, for X-mas this year, Sprog sent me a box of shit. It was so epic, so awesome, and so me, I didn’t write it up until now because I didn’t want anyone to miss out in the holiday clusterfuck. In fact, if 100 people don’t acknowledge just how awesome this box is, I will have to start re-Tweeting it every day like a retarded rabbit.

Yes, he sent me wonderful paperwork, including this awesome sticker of squirrel and .. hey wait, that fucker sent my own sticker back to me! On the up side, if I want to go to a creepy amusement park and run the risk of ending up the plot of a CSI episode, I now have plenty of tickets. He was also very generous and sent me two gift cards! I have a strong feeling if I check the balances, I may come out with $1.32 between them. Hey, I am not complaining, that can buy me four tacos; it’s Denver, I know which trucks to go to.

Last time we were in a dive bar, I asked Sprog about ‘Ass Pirates’. Pretty sure the booze hit him, as months later, he sent me literature on the “Pirate Party of Massachusetts”. It’s OK though, my mails to info AT have been answered promptly every time.

Most boxes of shit come with a whole bunch of … well, shit. This box? Oh no, it broke the mold. In fact, after breaking the mold, it bent the mold over and sodomized it thoroughly. This box is pure awesome. Not only did it come with working crap, it came with practical working crap!

A wall mount bottle opener. This is perfect for the guy who didn’t have one in his spare bedroom, and it gets installed tomorrow. That ‘Apple Computer’ pencil? Collector’s item. That has to be worth more than Steve Jobs’ diary, which I will return when I am done with it. The ‘Blackberry Security’ keychain? This is a perfect analogy as it is big, and only performs 3 functions, much like the average Crackberry device: opens beer, provides light, and organizes your keys. A green rubber light-up bouncy ball that says “Enterprise Security”! Now, when we’re playing buzz-word bingo, I don’t have to say it, I can just slap that against their noggin for double the enjoyment.

Look closely; notice the 32M SD card that has been run through the ‘Sprog Enlarger Ray’? Don’t ask what else he uses that on BTW. The value isn’t in the 32M of porn storage, but the proof he has that technology. Actually, wonder if that will fit my Motorola Brick phone? Excalibur 4GB USB 2.0 storage thingy. Again, it isn’t about 4GB of porn storage; it is about hitting the button and watching the USB plug flip out ninja-style. Next time I am in line getting groped by the TSA, I can use this as a surprise weapon to regain my dignity. The ‘Griffin’ thing at the bottom, I really don’t know what that is, but is has buttons and a USB plug, so I know it is hot tech. The 1GB of RAM he sent? Hot shit, that will help better power my bunker computer which has no ties to the outside world. That thing is solid, a beast I tell you. The other USB device (notice a theme here?) from IBM looks like it will provide light, which is amusing as most things IBM only cast darkness over an organization. Oh, the floss you ask? That shit is valuable in jail, ask anyone. HNN shot glass? He’s sending one a year, letting me build up to an entire set for when I have guests over. Sprog is considerate if nothing else.

And now… for the awesome. Words fail me, and only liberal amounts of booze can coax these meager words from me. I can finally take down the collage of @Indi303 pictures I have above my mantle, and replace them with something truly worthy. No more plotting to end Indi in a blaze of fruit loops and pickles, I now have something positive to guide me through life. My new shrine begins with this epic glass sculpture of a squirrel, pictured below in all of its glory. By tomorrow, my squirrel minions will be lining up to worship at this alter, leaving little gifts of shelled almonds, Keebler Club Minis, and commuters’ spleens. This glorious squirrel-god will happily accept those offerings, and direct me how to proceed in pissing all over the security industry. Oh squirrel-god, please guide me…