How to write security findings for systems that are still being implemented
Security reports on work in progress often fail in one of two directions: caveat-laden mush or false certainty. The job is to make implementation state, evidence, intent, timing, and residual uncertainty legible to both implementors and management.