Good question, I looked a little and couldn't find a simple link. I like the slightly more narrative and editorial style of our own
class 101 Jr. Researcher (you can search the FD archives for examples from them) but in general, I think we can make two lists (I'll
label them to ease any further discussion). I'll start, but I'm not any kind of authority in the field:

======================================================
1) Some considerations regarding reporting a vulnerability:

a) Think about whether or not to report the vulnerability - some cases exist where people have been prosecuted and/or become a
"person of intrst" for reporting vulnerabilities (I am sure will have opinions about this)

b) Decide what level of anonymity to use when reporting (see a above)

c) Decide whether to notify the vendor first and how much effort and how much time to wait before exposing the vulnerability further.
As has been discussed here recently, some people feel it is a moral imperative to give vendors at least a couple weeks before further
disclosure. Other say screw the vendors, it is solely the spectre of full disclosure that keeps them honest at all.

d) If and/or when you decide to disclose, choose which lists or other venues to use for your disclosure.
Some don't like the freestyle atmosphere here at FD, others post to several lists simultaneously.

e) Check the CVE http://www.cve.mitre.org/ and other lists/databases to see if your "new" vulnerability is already listed or
reported. See the FD list archives for numerous examples of re-runs. (Probably not applicable in your current case)

f) Decide whether to include POC exploit code and/or methodology to reproduce vulnerability. Some people publish reports without
these details for various reasons.

g) Decide what, if any restrictions to put on exploit code and/or other parts of the report. Some people do this because they want to
control what security companies put in their databases and lists. (See FD archives for examples)

==============================================
2) Things to Include in a Vulnerability Report:
(Hopefully others will chime in on these)

a) Overview/Summary - Nice but probably not necessary

b) Your Disclosure ID (If you track them and to prevent confusion for reports on the same product)

c) Date of Disclosure

d) Product Publisher and Product Name (or site) and link

e) List of tested versions, affected/at risk versions and patched/unaffected versions

f) Your estimate of Severity/Risk

g) Local or Remote Exploit (People have non-standard ways of reporting severity and local/remote/escalation risk)

h) General Description of the problem and/or the methods used in the process of working on the vulnerability.

i) Method of exposing vulnerability and/or POC code (Depending on your considerations from part 1)

j) Proposed fixes and/or patches

k) References - For instance, if you are discussing an obscure DNS vulnerability and you based some of your code on the ideas of Dan
Kaminsky, you might reference http://www.doxpara.com/

l) Timeline - It is important (again using my moral compass) to give proper credit to all parties who helped with topics covered.
Some unscrupulous security "professionals" have, in the past, exaggerated their role in discovering vulnerabilities - which tends to
piss off everyone who knows better, while the media at large tends to remain oblivious. Also, people like to document the timeline if
the vendor never responded and several attempts were made to contact them and report the vulnerability/exposure.

m) Credit & Disclaimers - In this section make clear any restrictions you wish to try to impose on the information and/or code.

n) Greets, Props and Shouts - Some people like to acknowledge others in the field.

m) Misc Notes that don't fit other headings

===========================================

That is all I can think of right now. Clear text user/password cookies are probably worth reporting (at least to the vendor) since
some unaware user may login at a library or other public machine and expose their info (even if the connection uses SSL) - as one
example of the multitude of ways the info could be exposed. If you can't find a way to report the vulnerability on their website, try
***@company.blah or ***@company.blah since RFC 2412 says they are supposed to have those as working addresses.

Good Luck.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

http://www.oisafety.com/guidelines/secresp.html

A detailed guideline used by major companies like Microsoft, Network
Associates, Oracle, etc

Kind regards,
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

you are looking for this...
http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf

http://www.oisafety.org

cheers,
Donnie Werner
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who has access to error report data

Microsoft employees, contractors and vendors who have a business need
to use the error report data are provided access. If the error report
indicates that a third-party product is involved, Microsoft may send
the data to the vendor of that product, who may in turn send the data
to sub-vendors and partners.

http://oca.microsoft.com/en/dcp20.asp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFCcVVdpcZuLdmlFMsRAtDtAJwNK6aHB+Z6yLW7KguIsqww4ruHEQCfXydW
vL9A8T8caRcNgdpihE7Kg8k=
=Vmjj
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/