From NIST to FIRST: How GitHub’s Product Security Response Organization Transitioned

CVE/FIRST VulnCon 2025 · Main Stage

In this VulnCon talk, GitHub’s Sarah Clemens and Jeff detail their organization's methodical journey in evolving its security incident response capabilities. The presentation focuses on GitHub’s strategic transition from a monolithic incident response team to a specialized **Product Security Incident Response Team (PSIRT)**, emphasizing how this transformation was guided and benchmarked against industry-leading frameworks. The speakers illuminate the critical decision to separate product-focused security from broader corporate incident response, a move driven by the need for enhanced prioritization and specialized expertise in a rapidly growing company.

AI review

A competent, honest case study from GitHub on splitting a unified CERT into CSIRT and PSIRT functions and then walking those functions up the SIM3/FIRST maturity ladder. The speakers clearly lived this work — the details about internal stakeholder rolodexes, HackerOne integration, reverse-shadowing training, and the swag-shop gamification of bug bounty are the kind of specifics you only get from people who actually built the thing. But the talk never escapes the gravitational pull of the frameworks it describes: NIST 800-61, SIM3, FIRST PSIRT Services Framework. These are all public…
