technical-program-manager-security-cvd

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Technical Program Manager, Security (Coordinated Vulnerability Disclosure)

安全领域技术项目经理（协调漏洞披露）

When to Use

使用场景

Stand up or improve CVD / responsible disclosure policy and operating model
Run intake triage queue (email, portal, bounty platform) with SLAs
Coordinate researcher communication, extensions, and safe harbor questions
Track remediation milestones across product and platform teams
Manage embargo, coordinated disclosure date, and publication checklist
Operate bug bounty scope, rewards, and platform workflows
Produce program status, RAID, and steering updates for security leadership
Plan advisory/CVE release with legal and communications

建立或优化CVD / 负责任披露政策及运营模式
按照SLA管理漏洞接收与分类队列（邮件、门户、赏金平台）
协调研究人员沟通、延期申请及安全港相关问题
跟踪跨产品与平台团队的修复里程碑
管理禁运期、协调披露日期及发布检查清单
运营漏洞赏金范围、奖励机制及平台工作流
为安全领导层提供项目状态、RAID（风险、行动、问题、决策）及指导更新
与法务和公关团队协作规划安全公告/CVE发布

When NOT to Use

不适用于场景

Execute authorized exploitation or write PoCs →
```
offensive-security-analyst
```
Triage SOC alerts or tune detections →
```
defensive-security-analyst
```
Implement scanner gates, SBOM, pipeline fixes →
```
devsecops
```

Remediate findings in code (own the fix) →

information-security-engineer

senior-software-engineer

Enterprise security architecture or GRC strategy →
```
cybersecurity
```
,
```
compliance-engineer
```
Generic multi-team delivery (non-security) →
```
technical-program-manager
```
Customer contract security exhibits →
```
commercial-counsel
```
Public crisis comms narrative (non-advisory) →
```
communication-lead
```

执行授权渗透测试或编写PoC →
```
offensive-security-analyst
```
分类SOC告警或优化检测规则 →
```
defensive-security-analyst
```
实现扫描关卡、SBOM（软件物料清单）及流水线修复 →
```
devsecops
```
修复代码中的漏洞（负责具体修复工作） →
```
information-security-engineer
```
,
```
senior-software-engineer
```
企业安全架构或GRC（治理、风险与合规）战略 →
```
cybersecurity
```
,
```
compliance-engineer
```
通用跨团队交付项目（非安全领域） →
```
technical-program-manager
```
客户合同安全附件 →
```
commercial-counsel
```
公共危机公关叙事（非安全公告类） →
```
communication-lead
```

Related skills

Need	Skill
Generic TPM patterns (charter, RAID, status)	`technical-program-manager`
Security strategy and vuln management program	`cybersecurity`
Fix implementation and validation in infra	`information-security-engineer`
Pipeline scanning and CI evidence	`devsecops`
Pentest / offensive validation	`offensive-security-analyst`
Legal terms for bounty / safe harbor	`commercial-counsel`
Public messaging for security incidents	`communication-lead`
Audit evidence for vuln SLAs	`compliance-engineer`
AI-specific red team findings	`ai-redteam`

需求	技能
通用TPM模式（章程、RAID、状态报告）	`technical-program-manager`
安全战略与漏洞管理项目	`cybersecurity`
基础设施中的修复实施与验证	`information-security-engineer`
流水线扫描与CI证据	`devsecops`
渗透测试/攻击性验证	`offensive-security-analyst`
赏金/安全港相关法律条款	`commercial-counsel`
安全事件公共沟通	`communication-lead`
漏洞SLA审计证据	`compliance-engineer`
AI特定红队发现	`ai-redteam`

Core Workflows

核心工作流

1. CVD program charter

1. CVD项目章程

Policy scope, channels, SLAs, roles, escalation.

See
references/program_charter_cvd.md
.

政策范围、渠道、SLA、角色、升级流程。

详见
references/program_charter_cvd.md
。

2. Intake and triage

2. 漏洞接收与分类

Receive report, dedupe, severity, assign DRI, researcher ack.

See
references/intake_triage.md
.

接收报告、去重、评估严重程度、指定负责人、回复研究人员。

详见
references/intake_triage.md
。

3. Remediation and validation tracking

3. 修复与验证跟踪

Fix milestones, retest, waiver/exception path.

See
references/remediation_tracking.md
.

修复里程碑、复测、豁免/例外流程。

详见
references/remediation_tracking.md
。

4. Coordinated disclosure timeline

4. 协调披露时间表

Embargo, extensions, publication date, multi-party coordination.

See
references/disclosure_timeline.md
.

禁运期、延期、发布日期、多方协调。

详见
references/disclosure_timeline.md
。

5. Advisory and publication

5. 安全公告与发布

CVE, advisory draft, legal/comms gates, customer notification.

See
references/advisory_publication.md
.

CVE申请、公告草稿、法务/公关关卡、客户通知。

详见
references/advisory_publication.md
。

6. Bug bounty operations

6. 漏洞赏金运营

Scope, rewards, platform hygiene, researcher relations.

See
references/bug_bounty_operations.md
.

范围、奖励、平台维护、研究人员关系管理。

详见
references/bug_bounty_operations.md
。

Outputs

输出成果

Prefer structured artifacts:

Intake record — reporter, asset, severity, status, DRI, dates
Disclosure tracker — embargo end, parties, blockers, go/no-go
Weekly program status — inflow, SLA breaches, aging criticals, upcoming publications
RAID — risks (premature leak, incomplete fix), actions, decisions (severity disputes)
Publication checklist — signed advisory, CVE, comms, support/KB, bounty payout

优先采用结构化工件：

漏洞接收记录 — 报告人、资产、严重程度、状态、负责人、日期
披露跟踪表 — 禁运结束时间、参与方、障碍、发布决策
每周项目状态报告 — 新接收漏洞、SLA违规情况、未处理高危漏洞、即将发布的公告
RAID文档 — 风险（提前泄露、修复不完整）、行动、决策（严重程度争议）
发布检查清单 — 已签署的公告、CVE编号、公关材料、支持/知识库文档、赏金支付

Principles

原则

Coordinated disclosure by default — align publication with fix readiness unless active exploitation forces earlier notice
Single intake DRI — one queue owner; engineering DRIs per product/component
Document researcher comms — timestamps, promises, extension rationale
No legal advice — route safe harbor, bounty terms, and advisory language to qualified counsel
Separate incident response — active exploitation in production may parallel IR (
```
incident-management-engineer
```
) while CVD track continues

默认采用协调披露 — 除非存在主动利用漏洞的情况需提前通知，否则发布时间需与修复就绪时间保持一致
单一漏洞接收负责人 — 设立一名队列负责人；每个产品/组件由对应工程负责人负责
记录研究人员沟通内容 — 时间戳、承诺、延期理由
不提供法律建议 — 将安全港、赏金条款及公告语言相关问题转交合格法务人员
区分事件响应流程 — 生产环境中出现的主动漏洞利用情况可并行启动事件响应（
```
incident-management-engineer
```
），同时继续推进CVD流程