A part of the Vendor SIG activity is organizing meetings of Product Security Teams. The aim is to bring together product security teams and enable them exchange their experiences and best practices. This includes teams that are either handling technical or coordination aspects of the product security. The field of product security is unique in the sense that it is not related only to a specific technical challenges (e.g., testing, programing) but also includes aspects of project management, legal and managerial issues.

These meetings are open to all vendor teams irrespective if the are members of Vendor SIG or FIRST or not. Relevant guests are also welcomed. However, the forum moderators can use their discretion and refuse participation if necessary.

The encrypted file with presentations from all meetings is available here. If you have not received the decryption key, contact sigiiv-moderators at The key will be handed out only to vendors involved in this forum.

  • Sixth Meeting of Product Security Teams 23 June 2008, Vancouver, Canada
  • Fifth Meeting of Product Security Teams 18 June 2007, Seville, Spain
  • Fourth Meeting of Product Security Teams 25 June 2006, Baltimore, USA
  • Third Meeting of Product Security Teams 16 March 2006, San Jose(CA), USA
  • Second Meeting of Product Security Teams 16 November 2005, Redwood City (CA), USA
  • Inaugural meeting of Product Security Teams 9 Febuary 2005, Paris, France

Standardization Activites


FIRST established a number Category C liaison relationship with ISO/IEC JTC 1/SC 27. The relationship is established with Working Group 3 (WG3) and WG4. Damir Rajnovic () is appointed as a liaison officer. You can read more about SC 27 activities at SC 27 home page.

The list of all standards that are developing within JTC 1/SC 27 are visible here.

Currently Vendor SIG is actively working and/or monitoring the following ISO activities:

  • ISO 27010 - Guidance for Information Security Management for Inter-sector Communications
  • ISO 27032 - Guidelines for Cybersecurity
  • ISO 27035 - Information Security Incident Management
  • ISO 27037 - Evidence Acquisition Procedure for Digital Forensics
  • ISO 29147 - Responsible Vulnerability Disclosure

Further information on ISO related activities can be found at: ISO activities page.


In April 2008 Vendor SIG provided comments to ENISA's request for feedback on "Analysing Barriers and Incentives for Network and Information Security in the Internal Market for e-Communication".

More information available at:

Internet Infrastructure Vendors SIG