
Skill Guide

Security report writing and vulnerability disclosure communication

The disciplined process of documenting technical vulnerabilities with precision and communicating their implications to stakeholders in a manner that maximizes remediation while minimizing legal and reputational risk.

This skill directly reduces organizational risk exposure and accelerates security posture improvement by transforming raw technical findings into actionable business intelligence. It ensures compliance with legal disclosure frameworks, protects brand reputation, and builds trust with users and regulators.
1 Careers
1 Categories
8.8 Avg Demand
25% Avg AI Risk

How to Learn Security report writing and vulnerability disclosure communication

1. Master CVE/CWE taxonomy and CVSS scoring.
2. Study standard report templates (e.g., from HackerOne, Bugcrowd, OWASP).
3. Practice writing clear, reproducible vulnerability descriptions for simple bugs like XSS or IDOR.

1. Navigate complex disclosure policies (coordinated disclosure, responsible disclosure, vendor-specific).
2. Write reports for vulnerabilities with non-trivial business logic flaws or chain exploits.
3. Engage in mock disclosure negotiations to understand timelines, vendor pushback, and escalation paths.
Common mistake: conflating technical severity with business impact.

1. Architect disclosure strategies for zero-day vulnerabilities or critical infrastructures (ICS/SCADA).
2. Develop and mentor teams on disclosure playbooks and legal liaising.
3. Align vulnerability intelligence with C-suite risk management and compliance objectives (NIST, ISO 27001).

Practice Projects

Beginner
Case Study/Exercise

Report a Reflected XSS in a Sandbox Environment

Scenario

You've found a reflected XSS vulnerability in a web application's search function within a controlled testing environment.

How to Execute
1. Document the exact URL, payload, and browser context.
2. Write a clear 'Proof of Concept' (PoC) section with step-by-step reproduction instructions.
3. Draft the report using a standard template, focusing on clarity and impact description.
4. Get peer feedback on report clarity.
Intermediate
Case Study/Exercise

Manage a Coordinated Disclosure with a Vendor

Scenario

You discover a severe authentication bypass in a widely used open-source library. The project has a formal disclosure policy.

How to Execute
1. Follow the policy to initiate contact via their secure channel.
2. Draft a technical advisory with CVE request procedures in mind.
3. Negotiate a reasonable disclosure timeline (e.g., 90 days).
4. Prepare a public-facing advisory draft for eventual release, balancing technical detail with user-actionable guidance.
Advanced
Case Study/Exercise

Disclose a Critical Zero-Day to a National CERT

Scenario

You are an independent researcher who has discovered a zero-day exploit in a critical infrastructure component (e.g., a network device OS) with active exploitation in the wild.

How to Execute
1. Contact the relevant national CERT (e.g., CISA, CERT/CC) using encrypted channels, providing a concise technical brief.
2. Prepare a full technical write-up under embargo.
3. Work with the CERT to coordinate a unified advisory with the vendor.
4. Draft executive-level communications for potential high-profile media inquiry, focusing on mitigation and risk management.

Tools & Frameworks

Methodologies & Frameworks

CVSS v3.1 Calculator
OWASP Risk Rating Methodology
CWE Dictionary
ISO/IEC 29147:2018 (Vulnerability Disclosure)
ISO/IEC 30111:2019 (Vulnerability Handling)

Use CVSS for consistent technical severity scoring. OWASP Risk Rating contextualizes threat and impact. CWE standardizes vulnerability classification. ISO 29147/30111 provide the gold-standard process frameworks for ethical disclosure and vendor handling.

Software & Platforms

HackerOne / Bugcrowd Platforms
GitLab/GitHub Issues (Private)
GPG/PGP for Encrypted Communication
Draft.js / Ghostwriter for Professional Write-ups

Platforms manage report lifecycle, submission, and bounty payments. Use private issue trackers for internal team coordination. GPG is non-negotiable for encrypting sensitive reports to vendors. Specialized writing tools ensure clean, formatted advisories.

Interview Questions

Answer Strategy

Demonstrate technical confidence, professionalism, and adherence to process. Use the STAR method: Situation (briefly), Task (maintain report integrity), Action (reproduced with more detailed PoC, referenced CVSS/CWE standards, escalated to their security team lead), Result (vendor accepted, timeline preserved, relationship remained professional). Sample: 'I re-submitted the report with a step-by-step video PoC and a side-by-side CVSS vector breakdown. I cited the relevant CWE and invited a joint call to walk through the exploit. The vendor's senior engineer validated it, and we agreed on a patch timeline.'

Answer Strategy

Tests understanding of ethical boundaries, legal risk, and escalation. The strategy is: prioritize public safety, follow a structured escalation path, and document everything. Sample: 'First, I would attempt all alternate contacts listed in their security policy. After 30 days with no substantive engagement, I would consult the legal and ethical framework of a coordinated disclosure policy like CERT/CC's. If the risk of imminent exploitation is high, I would contact a trusted national CERT to act as an intermediary. My decision would be guided by minimizing public harm, with full documentation of my disclosure attempts.'

Careers That Require Security report writing and vulnerability disclosure communication

1 career found