diff --git a/_alerts/2015-10-12-upnp-vulnerability.md b/_alerts/2015-10-12-upnp-vulnerability.md
new file mode 100644
index 00000000..bb0ff59e
--- /dev/null
+++ b/_alerts/2015-10-12-upnp-vulnerability.md
@@ -0,0 +1,54 @@
+---
+## This file is licensed under the MIT License (MIT) available on
+## http://opensource.org/licenses/MIT.
+
+title: "Vulnerability in UPnP library used by Bitcoin Core"
+shorturl: "upnp-vulnerability"
+active: true
+#banner: "WARNING: serious vulnerability in UPnP library used by Bitcoin Core (click here to read)"
+bannerclass: "alert"
+---
+
+## Summary
+
+![Disabling UPnP in the GUI](disable_upnp.png)
+
+Either
+
+- turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)
+- add `-upnp=0` to the command line options
+- add the line `upnp=0` to your `bitcoin.conf` file
+
+Alternatively, upgrade to a version of Bitcoin Core at least 0.10.3 or 0.11.1.
+These versions upgrade the library to a non-vulnerable version, as well as have
+upnp disabled by default to prevent this problem in the future.
+
+## Details
+
+Version before 1.9.20151008 of the miniupnpc library are vulnerable to a buffer
+overflow in the XML parser during initial network discovery. The
+vulnerable code triggers at startup of Bitcoin Core if upnp is enabled. 
+
+Details of the vulnerability can be found here: http://talosintel.com/reports/TALOS-2015-0035/
+
+It has been verified that the vulnerability can be used to crash the application at startup.
+
+To have more connectable nodes, the Bitcoin Core executables distributed by
+bitcoin.org include the library and have always had UPnP functionality enabled
+by default.
+
+This applies to the distributed executables only, not when building from source or
+using distribution provided packages. Self-built executables have UPnP disabled
+by default, unless `--enable-upnp-default` was provided to the configure script.
+
+Releases starting from 0.10.3 and 0.11.1, and the upcoming 0.12.0 will still ship
+with (a patched version) of the library, but no longer enable the functionality by default.
+
+## Mitigation
+
+Bitcoin Core executables are compiled with Address Space Layout Randomization (ASLR),
+Stack Smashing Protection (SSP), and non-executable stack and heap (DEP) enabled. This
+makes it harder to use this vulnerability for remote code execution or private
+key leaks. However, it is still advised to upgrade, or if not possible, disable
+UPnP as soon as possible.
+
diff --git a/_alerts/disable_upnp.png b/_alerts/disable_upnp.png
new file mode 100644
index 00000000..d069d7e0
Binary files /dev/null and b/_alerts/disable_upnp.png differ