This project contains a generic copy of the resources historically used by Portcullis Computer Security to manage our Advisory Process prior to our acquisition by Cisco.
For background, our advisory process was managed by a dedicated vendor liaison team who utilised an issue management system to track all of the issues we found from identification through to disclosure.
You can find further details about our processes in the docs subdirectory. The Co-ordinated Disclosure Policy is intended for public consumption whilst the Advisory Process is expected to have a primarily internal audience.
Portcullis published our advisories in two main forms: as text-based summaries on mailing lists, along with a full disclosure of the technical findings on our web site at:
To do so we utilised a generic XML schema (advisory.xml), which we could generate from the issue management system, along with a number of XSLT templates which ensured consistent formatting. We have templates to support text, HTML and Markdown-based publishing. These files can be found in the templates directory.
We are publishing this toolkit in an attempt to support the community at a time when the whole question of disclosure is again being discussed. Further details of our take on the philosophical debate around disclosure can be found at:
This work is licensed under the Creative Commons Attribution 4.0 International License. You can find a copy of this license at:
Cheers,
Tim Brown (@timb_machine)
Head Of Research
Cisco CX Security Labs