Cybersecurity Style Guide

A U.S. work visa for specialty occupations.

A video compression standard.

Do not use in formal writing. Try exploit, access, steal, or a more context-specific verb. In old-school discussions, hacking vs. cracking was an important distinction between the exploratory intent of hackers accessing systems without authorization vs. the often criminal intent of crackers accessing and damaging those same systems.

Do not use in formal writing. Use attacker, external threat, malicious user, consultant, security researcher, data scientist, or their job title, depending on the context.

A Bay Area tech community center founded in 2009.

A vulnerability coordination and bug bounty platform.

A 1995 movie about hacking the planet.

An unofficial title for the grouping of security conferences in Las Vegas every year in late summer.

A site for practicing pen testing.

An Apache framework for storing and processing big data.

A fictional AI from 2001: A Space Odyssey.

AMC TV show about hacking, set in the 1980s.

An icon with three horizontal lines that shows hidden menu options when selected. If the three lines are reduced to dots, it can be called a kebab menu instead.

When a server or computer hangs, it is nonresponsive. If the requesting computer gives up waiting for a response, it times out.

If it’s a type of drive, use the normal font, as in “SATA drive.” If discussing a drive by name, use the tech font, as in “the C: drive.”

To configure applications, systems, or services in a more secure manner, often using common guidelines.

Always hyphenate.

A physical device used in multi-factor authentication, such as a YubiKey fob. Also called a hardware token.

A tool used for password recovery.

Call the [ # ] character a hashtag when indicating a category. Otherwise it’s a pound sign. To avoid confusion with cryptographic hashes, avoid calling this character a hash.

A hazard and operability study.

Human-computer interaction. Spell out on first use.

High-Definition Multimedia Interface. Do not spell out.

High-definition television. Do not spell out.

An act of frustration and defeat. Informal.

Introductory content or navigational aids at the beginning of a block of data. Headers are also electrical connectors that join hardware components such as chips and circuit boards. For HTTP headers, if it’s a type of header, use the normal font. If it’s a named header, use the tech font, as in “an Origin header.”

An OpenSSL bug.

Traditionally, this is the first program written when learning a programming language.

Short for hexadecimal, the base-16 number system.

Human interface device. The USB Rubber Ducky is a keyboard HID. Spell out on first use.

Host-based intrusion detection system. Spell out or define on first use. Avoid using the acronym in the plural if possible.

Describes an account or user with elevated permissions. To avoid ambiguity, use the name of the role or permission instead of this term on first mention.

Short for high-resolution, as in images or video. Pronounced “high-rezz.” Informal.

An umbrella term for attacks that take over controls or assume the role of a user and compromise the system. Avoid the verb when possible in formal writing. Try take over or take advantage of instead.

The Health Insurance Portability and Accountability Act. Pronounced as “hippa.” Spell out on first use.

Human-in-the-loop. Describes simulations that involve human interaction to modify the automated steps of a process. Spell out on first use.

HTTP Live Streaming. A communications protocol. Spell out on first use.

Hash-based message authentication code. Pronounced as “H-mack.” Do not spell out; briefly define on first use.

An open source email server for Windows.

Apple smart speaker.

Often used as a prefix when describing decoys or bait used as part of security monitoring.

A Twitterbot troll.

Hackers On Planet Earth. A conference that is typically held every two years in New York City.

A reverse engineering tool.

Always hyphenate.

Use the tech font, as in 10.0.7.180.

A direct link to a resource hosted on a site.

HMAC-based one-time password. Pronounced as letters. Spell out on first use.

To change out parts of a machine without interrupting the system.

Online bitcoin storage.

A security tool. Pronounced as “H-ping.”

HTTP parameter pollution. Spell out on first use.

Hardware random number generator. Sometimes spelled as HWRNG on Linux systems. Spell out on first use.

Hardware security module. Spell out on first use.

HTTP Strict Transport Security. Spell out on first use.

Hat tip. A way of thanking someone online for being or providing a source. Informal.

Hypertext Markup Language. Do not spell out.

Hypertext transfer protocol. Pronounced as letters. Do not spell out.

No need to include these in URIs unless the presence or lack of secure HTTP is relevant to the narrative.

The first word in an HTTP request. Write in the normal font.

A flag for protecting HTTP cookies from cross-site scripting attacks.

A group of vulnerabilities in CGI environments that involve the HTTP Proxy header. It was disclosed in 2016.

A web application vulnerability.

Information provided in the first line in an HTTP response. Capitalize HTTP statuses in the normal font as if they were titles. Use quotation marks if they might be confused with nearby text.

A kernel-mode driver.

Simulations that involve human interaction to modify the automated steps of a process. Spell out on first use.

A 1970s computer game that is now used to teach basic programming skills.

A fictional fast travel system in Star Wars that allows ships to travel into hyperspace at lightspeed.

The “HT” in HTML and HTTP.

An Intel technology that allows simultaneous processing of multiple tasks on a single CPU core. Also known as simultaneous multithreading. Always spell out.

Also known as a virtual machine monitor (VMM).