
Vulnerability Response Capability Development

This one-day course is designed for managers and project leaders who are trying to respond to vulnerabilities reported in their products. This course will provide a high-level overview of the key issues, processes, and decisions that must be made to build your organization's vulnerability response capability. As part of the course, attendees will develop an action plan that can be used as a starting point in planning and implementing their vulnerability response capability.

The course is composed of lectures and class exercises. Participants will learn the requirements for establishing an effective vulnerability response capability, the various organizational models, the variety and level of services that can be provided, and the types of resources and infrastructure needed to support a team. Additionally, attendees will identify policies and procedures that should be established and implemented when creating a vulnerability response capability.

By the end of this course, you will understand the importance of a vulnerability response capability and how it can demonstrate to current and potential customers, business partners, security researchers, the media, and the general public that you take product security seriously.


  • current and prospective product security managers and project leaders interested in establishing or starting a vulnerability response capability. Some technical understanding of software security issues is helpful, but a deep technical background is not required.
  • other staff who interact with product security teams and would like to gain a deeper understanding of how a vulnerability response capability should operate, for example higher-level management, media relations, legal counsel, and product engineers.


This course will help participants to

  • understand the requirements for establishing an effective vulnerability response capability
  • strategically plan the development and implementation of a new vulnerability response capability
  • identify policies and procedures that should be established and implemented
  • understand and take action on vulnerability disclosure issues
  • communicate and work with security researchers


  • the vulnerability ecosystem
  • relevant standards
  • prerequisites to planning a vulnerability response capability
  • responding to vulnerability reports
  • assigning CVE (Common Vulnerabilities and Exposures) IDs
  • triaging multiple vulnerability reports
  • writing and publishing advisories
  • coordinated vulnerability disclosure and vulnerability disclosure issues
  • dealing with researchers
  • dealing with the media
  • dealing with the government
  • infrastructure requirements
  • bug bounties
  • collaboration and communication issues


Participants will receive a course notebook, vulnerability response action plan, and a downloadable copy of course materials.


This course has no prerequisites.


This one-day course meets at the following times:

9:00 a.m.-5:00 p.m.

This course may be offered by special arrangement at customer sites. For details, please email or telephone +1 412-268-7622.

Course Questions?

Phone: 412-268-7388
FAX: 412-268-7401

Related Courses

  • CERT Secure Coding in C and C++ Professional Certificate


    The CERT Secure Coding in C and C++ Professional Certificate provides software developers with practical instruction based upon the CERT Secure Coding Standards. The CERT Secure Coding Standards have been curated from the contribution of 1900+ experts for the C and C++ programming language. The CERT Secure Coding team teaches the essentials of...
  • Secure Coding in C and C++

    4-Day Course

    Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming. This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code...

Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.