Rewriting the Playbook: Smarter Vulnerability Management with EPSSv3, CVSSv4, SSVC & VEX Frameworks

BSides Las Vegas 2025 · Day 1

Avin delivers an introductory-to-intermediate talk aimed at vulnerability management leaders who feel buried in **CVE** noise. The speaker, who identifies as a **vulnerability analyst** at **Discover** working in an **application security** team while the organization also maintains separate infrastructure vulnerability management, walks through four public frameworks—**CVSSv4**, **EPSS** (with emphasis on **EPSSv4**), **VEX**, and **SSVC**—and proposes a **phased integration** model spanning months for a mid-sized enterprise (~**5,000–10,000** employees in the speaker’s example). A strong disclaimer anchors the session: the frameworks are **public** and the talk is **not** a description of Discover’s internal implementation strategy or undisclosed operational details.

AI review

Competent VM enablement talk: a readable map of CVSSv4/EPSS/VEX/SSVC and a sensible phased adoption path. Light on novel research, but exactly the consolidation many practitioners need—if they verify NVD/EPSS migration details independently.
