Building a PSIRT for a Standards Organization

CVE/FIRST VulnCon 2025 · Main Stage

This talk, delivered at VulnCon, provides a detailed account of the speaker's experience in establishing a **Product Security Incident Response Team (PSIRT)** capability within a standards organization, specifically the **Trusted Computing Group (TCG)**. The speaker, identified as Jim, aims to present a template that other groups can adapt for their own vulnerability response needs. The core challenge addressed is how to build a robust vulnerability response process in a collaborative environment where member companies are often competitors, intellectual property is paramount, and traditional incident response paradigms may not directly apply.

AI review

A competent, well-structured case study from someone with genuine credentials — first full-time PSIRT operator at Cisco, FIRST since 1990, real hands-on work building the TCG's vulnerability response capability. Jim clearly did the work himself, and the talk delivers a credible, transferable template for other standards bodies or multi-stakeholder consortia navigating the same minefield. The IP-as-existential-concern angle, the two-officer approval shortcut, the pre-allocated legal hours, and the careful SME engagement protocol are all concrete, specific, and hard-won. This is not a vendor…
