Org Blueprint
R-097 · Human · Trust & Safety · P0 · Critical · Unfilled

PSIRT Lead

Owns the Product Security Incident Response Team — vulnerability handling, disclosure coordination, customer notification.

Live Ops

Due-diligence relevance

An EU consumer-data product without a named PSIRT function fails the most basic strategic-acquirer security readiness check: there is no one accountable for receiving a vulnerability report, deciding its severity, or telling customers and regulators about it. For an EU consumer-data product the regulator side also has a fixed clock (GDPR's 72-hour personal-data breach notification to the supervisory authority), which assumes a named owner exists. Acquirers will require this gap closed before the deal closes, typically via a 30-60 day extension or a representations-and-warranties carve-out. This is one of the four honest P0 gaps a Series-A consumer-AI company should staff before serious acquirer conversations.

Responsibilities

  • Vulnerability triage and severity scoring
  • Coordination with engineering on patches
  • Customer / regulator notification
  • Responsible-disclosure programme owner
  • Post-incident write-ups and lessons learned

Inputs

  • Vulnerability reports
  • Customer disclosures
  • External security research

Outputs

  • Triaged vulnerabilities
  • Patch coordination
  • Customer notifications

Qualifications

  • Security incident response experience
  • Strong written communication

KPIs

Time to triage · Time to patch · Disclosure timeliness

Interfaces