PSIRT / SBOM Starter for device and software manufacturers

We stand up a repeatable product vulnerability handling process, so your company knows what to do when a report of an actively exploited vulnerability arrives.

Book a 20-min call →

What it covers

  • Coordinated vulnerability disclosure (CVD) policy.
  • A security.txt file and a vulnerability reporting channel.
  • Report triage procedure.
  • SBOM-lite, that is, a list of software components.
  • Advisory template for customers.
  • Update and patch distribution process.
  • CRA art. 14 runbook: who reports a vulnerability and within what deadline.
  • Tabletop, that is, a dry-run exercise: what we do after a report of an actively exploited vulnerability.

Short definitions

PSIRT is the team and process for handling product vulnerabilities. SBOM (software bill of materials) is a machine-readable list of software components, required under CRA Annex I Part II. CVD is coordinated vulnerability disclosure, that is, an agreed way of receiving and handling reports.

For manufacturers covered by the CRA, art. 14 sets deadlines for reporting an actively exploited vulnerability: an early warning within 24 hours, a notification within 72 hours, and a final report up to 14 days after a patch is made available, to the CSIRT acting as coordinator and to ENISA.

Who it is for and how it connects

The PSIRT / SBOM Starter is the natural next step after CRA Snapshot. We stand up the process and can then maintain it under an ongoing engagement. We prepare the vulnerability handling process, but we do not guarantee that the product is free of vulnerabilities.