Replying to myself here.
Maxim, Igor, Andrei, Valentin, Ruslan, &c,
I think that there’s room for improvement on the security advisory
Make it official: nginx-sa-01-2012 with an official numbering
Get a CVE identifier.
Publish it also on security lists like full-disclosure and bugtraq,
I know that Nginx has been a labour of love of a few people until
But now that you’re an established company I think that having in place
a more formal procedure for security advisories would bring great benefits
to Nginx as a free software project with its community and as a company
Just my unsolicited $.02