Software Engineering Institute | Carnegie Mellon University

Vulnerability Response Capability Development

This one-day course is designed for managers and project leaders who are trying to respond to vulnerabilities reported in their products. This course will provide a high-level overview of the key issues, processes, and decisions that must be made to build your organization's vulnerability response capability. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their vulnerability response capability.

The course is composed of lectures and class exercises. Participants will learn the requirements for establishing an effective vulnerability response capability, the various organizational models, the variety and level of services that can be provided, and the types of resources and infrastructure needed to support a team. Additionally, attendees will identify policies and procedures that should be established and implemented when creating a vulnerability response capability.

By the end of this course, you will understand the importance of a vulnerability response capability and how it can demonstrate to current and potential customers, business partners, security researchers, the media, and the general public that you take product security seriously.

Who should attend?

  • current and prospective product security managers and project leaders interested in establishing or starting a vulnerability response capability. Some technical understanding of software security issues is helpful, but a deep technical background is not required.
  • other staff who interact with product security teams and would like to gain a deeper understanding of how a vulnerability response capability should operate, for example, higher-level management, media relations, legal counsel, and product engineers.


  • the vulnerability ecosystem
  • relevant standards
  • prerequisites to planning a vulnerability response capability
  • responding to vulnerability reports
  • assigning CVE (Common Vulnerabilities and Exposures) IDs
  • triaging multiple vulnerability reports
  • writing and publishing advisories
  • coordinated vulnerability disclosure and vulnerability disclosure issues
  • dealing with researchers
  • dealing with the media
  • dealing with the government
  • infrastructure requirements
  • bug bounties
  • collaboration and communication issues


This course will help participants to

  • understand the requirements for establishing an effective vulnerability response capability
  • strategically plan the development and implementation of a new vulnerability response capability
  • identify policies and procedures that should be established and implemented
  • understand and take action on vulnerability disclosure issues
  • communicate and work with security researchers


This course has no prerequisites.


Participants will receive a course notebook, vulnerability response action plan, and a downloadable copy of course materials.


This one-day course meets at the following times:
9:00 a.m.-5:00 p.m.

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials.

Course Details

Course Fees [USD]

U.S. Industry: $650

U.S. Government/Academic: $525

International: $1100

This course may be offered by special arrangement at customer sites.

For More Information

Phone: 412-268-7622