Supplier PSIRT Maturity: How to Assess Your Supply Chain's Incident Response Readiness Before It's Too Late
PSIRT maturity — your supplier's ability to detect, handle, and disclose vulnerabilities — determines whether a third-party flaw stays contained or cascades into your product. The EU Cyber Resilience Act doesn't just apply to your product; it applies to every component inside it. If your supplier can't handle a vulnerability, it becomes your vulnerability.
Your Product Is Only as Secure as Your Weakest Supplier
In 2024, the MOVEit vulnerability didn't just hit Progress Software. It cascaded through thousands of organizations that had integrated MOVEit into their workflows — organizations that had no visibility into Progress Software's ability to detect, respond to, and disclose security vulnerabilities.
That's not a software bug. That's a supply chain security failure.
And with the EU Cyber Resilience Act (CRA) entering enforcement in September 2026, this kind of failure is about to become a legal liability. Article 13(6) is explicit: manufacturers must exercise due diligence when integrating third-party components. Annex I, Part II requires that vulnerabilities can be addressed through security updates — including vulnerabilities in components you didn't write.
The question is no longer "does my supplier have a vulnerability?" — it's "can my supplier handle one when it appears?"
What Is PSIRT Maturity — and Why Should You Measure It?
A Product Security Incident Response Team (PSIRT) is the organizational function responsible for identifying, managing, and disclosing vulnerabilities in a company's products. The FIRST (Forum of Incident Response and Security Teams) published the PSIRT Services Framework to define what a mature PSIRT looks like.
PSIRT maturity is the degree to which a supplier has operationalized these capabilities:
- Vulnerability intake — Can external researchers report vulnerabilities? Is there a public channel?
- Coordinated Vulnerability Disclosure (CVD) — Does the supplier have a published CVD policy with defined timelines?
- security.txt — Does the supplier publish a machine-readable RFC 9116 file at /.well-known/security.txt?
- Advisory publishing — Does the supplier issue security advisories in CSAF or VEX format?
- Contact accessibility — Can you actually reach their security team?
A supplier with high PSIRT maturity will detect vulnerabilities early, coordinate disclosure responsibly, and ship patches fast. A supplier with low maturity will leave you exposed — and under the CRA, you'll be the one explaining why to regulators.
The Problem: Nobody Measures This
Here's the gap in the market that nobody talks about:
SBOM tools (Cybellum, OneKey, FOSSA, Snyk) tell you what components are in your product and which CVEs affect them. That's valuable. But it tells you nothing about whether the organization behind that component can actually respond to the next vulnerability.
GRC platforms (ServiceNow, OneTrust, ComplyDo) assess supplier compliance at the organizational IT level — ISO 27001 certifications, SOC 2 reports, questionnaires. But they don't evaluate product security incident response capabilities.
Threat modeling tools (IriusRisk, ThreatModeler) help you analyze risks at design time. But they have zero supplier intelligence.
The result? A blind spot. You know what is in your supply chain (SBOM), and you might know whether your supplier passed an audit (GRC), but you have no idea how your supplier will behave when a zero-day drops on a Friday afternoon.
That behavioral readiness is PSIRT maturity. And until now, there hasn't been a systematic way to assess it.
What a Supplier PSIRT Assessment Actually Looks Like
At Complioty, we built the Tracer to close this gap. Here's the assessment model:
Signal 1: security.txt Presence and Quality
RFC 9116 defines a standard for organizations to communicate security contact information. Under BSI TR-03183, it's a recommended practice for CRA compliance.
Tracer checks:
- Does /.well-known/security.txt exist?
- Does it include a Contact field?
- Is there a Policy link (CVD policy)?
- Is there a valid Expires date?
- Is PGP encryption offered?
A complete, current security.txt signals that a supplier takes vulnerability intake seriously. An absent or expired one is a red flag.
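The checks above can be run mechanically against a fetched security.txt. The following is an added example written for this article, not Tracer's code: it parses the RFC 9116 fields and scores the Contact, Policy, Expires and Encryption signals, using two constructed sample files (one healthy, one stale) and a caller-supplied "now" so the result is reproducible.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample files; not from any real supplier.
GOOD_SECURITY_TXT = """\
Contact: mailto:security@example-supplier.invalid
Contact: https://example-supplier.invalid/report
Expires: 2027-01-31T00:00:00.000Z
Encryption: https://example-supplier.invalid/pgp-key.txt
Policy: https://example-supplier.invalid/cvd-policy
"""
STALE_SECURITY_TXT = "Contact: http://example-supplier.invalid/contact\nExpires: 2024-06-01T00:00:00Z\n"

CONTACT_SCHEMES = {"mailto", "tel", "https"}  # plain http is not an acceptable contact channel


def parse_security_txt(text):
    """Return {field: [values]}; field names are case-insensitive, lines starting with # are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon are malformed and ignored
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_ts(value):
    """Parse an RFC 3339 timestamp (e.g. 2027-01-31T00:00:00.000Z); None if malformed."""
    try:
        ts = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def assess_security_txt(text, now_iso=None):
    """Score the four machine-checkable signals: Contact, Policy, Expires, Encryption."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    f = parse_security_txt(text)
    expires = f.get("expires", [])
    exp = _parse_ts(expires[0]) if len(expires) == 1 else None  # Expires MUST appear exactly once
    return {
        "contact": bool(f.get("contact")) and all(urlparse(c).scheme in CONTACT_SCHEMES for c in f["contact"]),
        "policy": any(urlparse(p).scheme == "https" for p in f.get("policy", [])),
        "expires": exp is not None and exp > now,  # expired or unparsable dates fail
        "encryption": bool(f.get("encryption")),
    }
```

Any False value is a red flag worth raising with the supplier; the stale sample fails all four.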
Signal 2: CVD Policy Existence
Does the supplier publish a Coordinated Vulnerability Disclosure policy? A CVD policy defines:
- How to report vulnerabilities
- Expected response timelines
- Disclosure coordination process
- Safe harbor provisions for researchers
Under the CRA, manufacturers are required to have CVD processes. If your supplier doesn't, they're not just immature — they may be non-compliant.
Signal 3: Advisory Publishing Capability
Does the supplier publish security advisories? In what format?
- CSAF (Common Security Advisory Format) — Machine-readable, BSI-recommended, CRA-aligned
- VEX (Vulnerability Exploitability eXchange) — Communicates whether a vulnerability actually affects a specific product
- Free-form advisories — Better than nothing, but not automatable
Tracer evaluates whether the supplier has a visible advisory feed and whether its format supports automated processing.
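What "supports automated processing" buys you in practice: a CSAF VEX document can be matched against your SBOM's product IDs without a human reading the advisory. This added example (not Tracer's or Observer's code) consumes a constructed, minimal CSAF 2.0 VEX document; the CVE identifier and product IDs are placeholders, and fields a schema-complete CSAF document also requires are omitted for brevity.

```python
import json

# Constructed minimal CSAF 2.0 VEX document; not a real supplier advisory.
SAMPLE_VEX = json.dumps({
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "title": "Example VEX (constructed)",
        "publisher": {"category": "vendor", "name": "Example Supplier",
                      "namespace": "https://example-supplier.invalid"},
        "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1"},
    },
    "product_tree": {"full_product_names": [
        {"product_id": "LIB-1.2", "name": "examplelib 1.2"},
        {"product_id": "LIB-1.3", "name": "examplelib 1.3"},
    ]},
    "vulnerabilities": [{
        "cve": "CVE-0000-0000",  # placeholder identifier, not a real CVE
        "product_status": {"known_affected": ["LIB-1.2"], "fixed": ["LIB-1.3"]},
    }],
})

# CSAF product_status categories, in the order we want to report them.
STATUS_KEYS = ("known_affected", "under_investigation", "fixed", "known_not_affected")


def vex_status_for(vex_json, sbom_product_ids):
    """Map (cve, product_id) to the VEX status; 'unknown' when the document is silent on that product."""
    doc = json.loads(vex_json)
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no-cve>")
        status = vuln.get("product_status", {})
        for pid in sbom_product_ids:
            state = next((k for k in STATUS_KEYS if pid in status.get(k, [])), "unknown")
            result[(cve, pid)] = state
    return result


def affected_products(vex_json, sbom_product_ids):
    """Product IDs from the SBOM that the supplier says are affected or still under investigation."""
    return sorted({pid for (_, pid), state in vex_status_for(vex_json, sbom_product_ids).items()
                   if state in ("known_affected", "under_investigation")})
```

A free-form advisory gives you none of this; each one has to be read and triaged by hand.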
Signal 4: Legal Entity Verification
Is the supplier who they say they are? Tracer cross-references supplier data against the GLEIF (Global Legal Entity Identifier Foundation) database to verify legal entity status and corporate hierarchy. This matters because:
- CRA obligations follow the legal entity chain
- Mergers, acquisitions, and shell companies can obscure responsibility
- Regulatory enforcement needs a clear legal target
Signal 5: Compliance Framework Alignment
Tracer evaluates supplier readiness against BSI TR-03183, the German Federal Office for Information Security's technical guideline for CRA implementation. This includes:
- Vulnerability handling process requirements
- SBOM provision obligations
- Security update delivery mechanisms
- End-of-support communication
From Assessment to Action: The Tracer Workflow
Tracer doesn't just score suppliers — it drives a structured enrichment workflow:
1. CreateSupplier → Register supplier with basic metadata
2. IdentifyCompany → Web search, domain crawling, company identification
3. EnrichMetadata → GLEIF verification, geocoding, normalized data
4. AnalyzePSIRT → security.txt, contact discovery, PSIRT signal evaluation
5. CheckCompliance → BSI TR-03183 gap analysis, readiness scoring
Each step fires domain events that trigger the next, building a comprehensive supplier security profile without manual research.
The output: a clear, evidence-based view of which suppliers are CRA-ready, which need improvement, and which pose unacceptable risk to your product's compliance posture.
Why This Matters Now
The CRA enforcement timeline is tight:
- September 2026: Vulnerability handling and reporting obligations begin
- 2027: Full conformity assessment requirements apply
If your product includes third-party components — and every product does — your compliance depends on your suppliers' ability to handle vulnerabilities. Discovering on enforcement day that a critical supplier has no PSIRT, no security.txt, and no CVD policy is not a defensible position.
Start assessing now. The CRA doesn't give you credit for good intentions — only for due diligence.
The Closed Loop: Tracer in the Complioty Ecosystem
Tracer doesn't work in isolation. It's part of a four-app product security platform:
- Designer identifies threats at design time — including supply chain attack vectors
- Observer aggregates vulnerability intelligence — including advisories from your suppliers' CSAF feeds
- Tracer evaluates whether suppliers can actually handle those vulnerabilities
- Notifier manages your own CVD process — so you practice what you require of your supply chain
When Observer detects a new CVE affecting a component from a supplier that Tracer has flagged as PSIRT-immature, you don't just know you have a vulnerability — you know you have a supply chain risk. That's the difference between vulnerability management and supply chain security.
Ready to assess your supply chain's incident response readiness? Contact us to see Tracer in action.