In order to improve the interoperability of incident response teams, FIRST actively works to help our members standardize incident response processes and activities. We do so by contributing to external standards efforts where possible, and where no such initiatives exist, allow our members to develop and publish standards within the organization.


FIRST Standards

FIRST members are encouraged to initiate Special Interest Groups to develop standards that increase interoperability between security and incident response teams. SIGs are chartered based on an initial charter submitted by the interested parties. Below is a list of current standards maintained by FIRST SIGs.

Traffic Light Protocol

FIRST maintains a TLP SIG governing the definition of the Traffic Light Protocol, a standard intended to facilitate greater sharing of sensitive information.

Common Vulnerability Scoring System

FIRST maintains the Common Vulnerability Scoring System, an open framework for communicating the characteristics and severity of software vulnerabilities.

Information Exchange Policy

FIRST maintains the IEP SIG governing the Information Exchange Policy, an extensible information exchange policy framework intended for automating the exchange of security and threat information.

Passive DNS

FIRST maintains a common output format for Passive DNS servers, which clients can query. The standard proposes a common output format to make passive DNS information more universally usable.


FIRST contributions to external standards bodies

Where existing standards are in development, FIRST works to create opportunities for its members to participate in other standards bodies. Standards bodies in which FIRST participates on behalf of its membership are ISO and ITU.

International Organization for Standardization (ISO)

FIRST established a number Category C liaison relationship with ISO/IEC JTC 1/SC 27. The relationship is established with Working Group 3 (WG3) and WG4. Damir Rajnovic ( is appointed as a liaison officer. You can read more about SC 27 activities at SC 27 home page.

The list of all standards that are developing within JTC 1/SC 27 are visible here.

Currently Vendor SIG is actively working and/or monitoring the following ISO activities:

  • ISO 27010 - Guidance for Information Security Management for Inter-sector Communications
  • ISO 27032 - Guidelines for Cybersecurity
  • ISO 27035 - Information Security Incident Management
  • ISO 27037 - Evidence Acquisition Procedure for Digital Forensics
  • ISO 29147 - Responsible Vulnerability Disclosure

Further information on ISO related activities can be found at: ISO activities page (FIRST members only).

ITU Telecommunication Standardization Sector (ITU-T)

FIRST maintains a sector membership with ITU. In particular FIRST is focused in the work done within Study Group 17, Question 4 (SG17/Q4). Study Group 17 is working on recomendations related to security while Question 4 is focused on Cybersecurity. Damir Rajnovic ( is appointed as a liaison officer.

The main piece of work within Q4, in 2009-2012 study period, is centered around CYBEX framework. FIRST is contributing its CVSS as one of the components to the CYBEX framework. In addition to CVSS, FIRST is offering combined expertise of its members as a unique source of expertise in handling computer and computer related incident.

FIRST is also investigating how to work with ITU-T to further goals of Resolution 58 Encourage the creation of national computer incident response teams, particularly for developing countries.

More information on on CYBEX related activities can be found at ITU-T SG17/Q4 CYBEX Framework