October 30–31, 2016: Training
October 31–November 2, 2016: Tutorials & Conference
New York, NY

Building a product security incident response team: Lessons learned from the hivemind

Kymberlee Price (Bugcrowd)
4:45pm–5:25pm Tuesday, 11/01/2016
The human element
Location: Grand Ballroom West
Level: Intermediate

Prerequisite knowledge

  • At least two years' experience in product security
  • Familiarity with the complexities of supporting in-market products while simultaneously developing new products

What you'll learn

  • Explore templates and actionable recommendations for effective PSIRT structure and processes based on successful best practices of multiple software vendors with mature security response organizations


You’ve received vulnerability reports in your application or product. Now what? There is an abundance of incident response guidance for network security, and a number of companies have published their product security incident response team (PSIRT) process. Yet there is a dearth of detailed resources on how to implement PSIRT processes for organizations that have reached Stage 7 of the SDL process (response).

To build and maintain secure products, organizations need to enable their incident response teams to receive and respond to vulnerability reports and effectively partner with development, customer support, and communications teams. Kymberlee Price shares best practices and actionable recommendations for supporting these teams’ product incident response programs and offers several free templates you can put to use right away.


Kymberlee Price


Kymberlee Price is the senior director of researcher operations at Bugcrowd, where she draws on her 14+ years of experience specializing in application security incident response and investigations to direct the efforts of over 35,000 crowd members in web app, mobile app, and IoT penetration testing. Previously, Kymberlee pioneered the first security researcher outreach program in the software industry, served as a principal investigator in the Zotob criminal investigation, analyzed APTs at Microsoft, and spent four years on BlackBerry’s Security Response Team investigating product vulnerabilities, specializing in third-party library security. Kymberlee cochairs the Department of Commerce NTIA Working Group on Multi-Party Vulnerability Disclosure and speaks regularly on vulnerability management and product incident response at Black Hat USA, RSA, Kaspersky Security Analyst Summit, and other events.