    MedTech Cyber Tips
    Postmarket · 7 min read · 30 items

    Postmarket Vulnerability Response Template

    When a researcher emails or a CVE drops on Friday afternoon, you don't want to be designing a process. Use this as the skeleton of your PSIRT playbook.


    1. Intake

    Make it easy for researchers, customers, and ISAOs to reach you: publish a coordinated vulnerability disclosure (CVD) policy and a monitored security contact, and route every report into one tracked queue.

    2. Triage

    Score on technical severity AND clinical impact: rate exploitability (for example with CVSS) separately from the severity of patient harm, which is how the FDA's 2016 postmarket guidance distinguishes a controlled risk from an uncontrolled one.

    3. Communication

    Patients, clinicians, and HDOs need timely, useful information.

    4. Remediation

    Ship the fix or a documented compensating control.

    5. Regulatory Reporting

    Know which thresholds trigger which filings: corrections and removals under 21 CFR 806, and death or serious injury the device caused or contributed to under 21 CFR 803 (MDR).

    6. Lessons Learned

    Close the loop so the next one is faster.

    Frequently asked questions

    Quick answers to the questions teams most often ask about this topic.

    What is a PSIRT?

    A Product Security Incident Response Team (PSIRT) is the cross-functional team that receives, triages, fixes, and communicates security vulnerabilities affecting your devices. It typically spans engineering, regulatory, quality, legal, support, and communications. Nothing in the regulations names a "PSIRT", but in practice you need one to meet the FDA's postmarket expectations.

    When does a cybersecurity vulnerability have to be reported to the FDA?

    When the vulnerability represents an uncontrolled risk to essential clinical performance, that is, one that could lead to serious harm or death and is not adequately mitigated by existing controls. Under the FDA's 2016 postmarket cybersecurity guidance, remediating such a vulnerability is a correction or removal reportable under 21 CFR 806. The guidance adds an enforcement-discretion "safe harbor": the FDA does not intend to enforce 806 reporting when there are no known serious adverse events or deaths, users are notified and interim compensating controls are in place within 30 days, a validated fix is distributed within 60 days, and the manufacturer actively participates in an ISAO. Any death or serious injury the device caused or contributed to is reportable separately under 21 CFR 803 (MDR). Section 524B of the FD&C Act does not set a reporting timeline; it requires manufacturers of cyber devices to maintain a postmarket cybersecurity plan and a coordinated vulnerability disclosure process.

    How quickly should we respond to a reported vulnerability?

    Industry norms (and most published CVD policies, following ISO/IEC 29147 for disclosure and ISO/IEC 30111 for handling) call for an initial acknowledgment within 1–3 business days and a triage decision within 10 business days. Your CVD policy should publish your specific SLAs for acknowledgment, triage, and fix release, and your PSIRT should track every report against them.

    Do we need to coordinate with CISA and issue CVEs?

    Yes, in practice. The FDA's guidance recommends coordinated disclosure and ISAO participation, and Section 524B makes a CVD process a requirement for cyber devices. That means coordinating with CISA, which publishes ICS Medical Advisories (ICSMA) for the device vulnerabilities it helps coordinate, and obtaining a CVE ID for each vulnerability, either through your own CVE Numbering Authority (CNA) status or through a CNA such as CISA. CVE IDs are what hospital vulnerability scanners and asset-management tools key on, so a fix without a CVE is effectively invisible to the HDOs you are trying to protect.