CVE/FIRST VulnCon 2025
The CVE Program and FIRST co-hosted VulnCon 2025 to advance the vulnerability management ecosystem — covering CVE/CWE/CVSS evolution, SBOM/VEX, EPSS, regulatory regimes (EU CRA, FedRAMP), and operational PSIRT/CNA practice.
- Vulnerability Root Cause Mapping with CWE
This talk, presented at VulnCon, delves into the critical importance and evolving landscape of **vulnerability root cause mapping** using the **Common Weakness Enumeration (CWE)**. Speakers Alec…
- Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry
In this insightful talk, Steve Christey Coley, the **CWE technical lead** and **co-founder** from the MITRE Corporation, delved into the persistent challenges faced by the **Common Weakness…
- Practical Software Bill of Materials: From Generation to Distribution Workshop
In the rapidly evolving landscape of software supply chain security, the Software Bill of Materials (SBOM) has emerged as a critical artifact. However, merely generating an SBOM is no longer…
- The National Vulnerability Database (NVD) – Where It Is and Where It’s Going
The National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology (NIST) under the Department of Commerce, serves as the United States government's…
- Modeling Asset Risk Using Grouped EPSS
In an era of relentlessly escalating cybersecurity threats and an ever-growing deluge of vulnerabilities, traditional vulnerability management approaches are proving increasingly inadequate. This…
- How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?
In an era where the volume of reported vulnerabilities (CVEs) continues to escalate year-over-year, security teams and software vendors face an immense challenge: how to effectively manage…
- State of Attack Surface Elimination in a World Plagued by Vulnerable Software
In an era defined by an exponentially expanding threat landscape, the talk "State of Attack Surface Elimination in a World Plagued by Vulnerable Software" delivered by Mayur and Goro at VulnCon…
- AIBOM: Powering Transparency and Security in AI and Software Supply Chains
In an era where Artificial Intelligence (AI) rapidly integrates into critical business operations, the security of AI models and their underlying supply chains has become paramount. This talk by…
- SBOMs in the Real World: Practical Guidance for Managing Three Common SBOM Scenarios
In an insightful and opinionated presentation at VulnCon, Cortez Fraser Jr., Principal Product Manager at FASA, delved into the evolving landscape of Software Bill of Materials (**SBOMs**), moving…
- Exploited CVEs of 2024: Lessons for Vendors and Defenders
Patrick Gity, a security researcher at Vone, delivered a compelling talk at VulnCon, shedding light on the landscape of **exploited vulnerabilities** in 2024. His presentation, titled "Exploited…
- State of EPSS and What to Expect from Version 4
In this comprehensive talk at VulnCon, Jay Jacob, a pivotal figure in the development of the Exploit Prediction Scoring System (**EPSS**) and founder of Empirical Security, delved into the current…
- Breaking the Bot: GenAI Web App Attack Surface & Exploitation
In this insightful talk from VulnCon, Ken Smith, Director of Learning and Development at Praetorian, delves into the burgeoning attack surface presented by Generative AI (GenAI) and Large Language…
- EU CRA TL/DR for PSIRTS - What Product Security Needs To Do To Be Compliant with the CRA
In this insightful talk at VulnCon, Probe, a seasoned vulnerability coordination expert from the Open Source Security Foundation (a project of the Linux Foundation), demystifies the European Union’s…
- Lessons from OSV: Vulnerability Management for Open Source
Oliver from Google's open source security team presented a comprehensive talk at VulnCon, detailing the journey and principles behind the **Open Source Vulnerability (OSV) schema**. This JSON…
- With VEX, The Possibilities are (Almost) Limitless!
In this insightful talk at VulnCon, Vincent Dan, Vice President of Red Hat Product Security, delved into the transformative potential of **Vulnerability Exploitability eXchange (VEX)** documents…
- Securing the Future: Navigating AI Vulnerabilities and Evolving Security Practices
This talk, "Securing the Future: Navigating AI Vulnerabilities and Evolving Security Practices," delivered by Lisa Bradley and Sarah Evans of Dell Technologies at VulnCon 2025, addresses the…
- EU Cyber Resilience Act - A Product Owner’s Approach
The European Union’s Cyber Resilience Act (CRA) represents a landmark legislative initiative set to profoundly reshape how software and hardware vendors operate within the EU market. In this VulnCon…
- The EU Cybersecurity Resilience Act (CRA) - Boring, Scary or Exciting?
Mike Bessel, a prominent figure in the open-source community as the co-chair of the OpenSSF Global Cyber Policy Working Group and Executive Director of the Confidential Computing Consortium…
- Validating Vulnerability Analysis with Statistical Analysis of Metadata
In an era defined by a relentless surge in reported vulnerabilities, security teams face the daunting challenge of maintaining analytical rigor amidst growing volume. This talk, presented by…
- Using Jupyter Notebooks to Explore Public CVE Data
In this VulnCon workshop, Jerry Gamblin, a Principal Engineer in Cisco’s Threat Detection Response Group, presented a compelling case for democratizing and enhancing the analysis of **Common…
- Identifying and Assigning AI Model Vulnerabilities
In an era defined by the rapid proliferation and integration of Artificial Intelligence (AI) across all sectors, understanding and managing its inherent vulnerabilities has become a critical…
- Building a PSIRT for a Standards Organization
This talk, delivered at VulnCon, provides a detailed account of the speaker's experience in establishing a **Product Security Incident Response Team (PSIRT)** capability within a standards…
- BOF - Discussion Regarding False Positive Results from Vulnerability Scanners and the Use of VEX
This Birds of a Feather (BoF) session, facilitated by Lisa from Microsoft and Pete from Red Hat, delved into the pervasive problem of **false positives** generated by vulnerability scanners and…
- Madness of Vulnerability Management in Modern Cloud, Container, How to Win the Battle...
The rapid adoption of cloud-native architectures, containers, and open-source components has profoundly transformed the landscape of vulnerability management, escalating its complexity to…
- CVE Records: The Cybersecurity Glow-Up You Didn’t Know You Needed
In a compelling presentation at VulnCon, Julia Turkovich and Reena Rakipi from the U.S. government's Cybersecurity and Infrastructure Security Agency (**CISA**) illuminated the critical need for…
- Unlocking the Power of SBOMs: A Deep Dive into Risk Management and Cybersecurity Posture
This talk, "Unlocking the Power of SBOMs: A Deep Dive into Risk Management and Cybersecurity Posture," delivered by John Bergland and Zardia Alden from IBM, addresses the critical challenge of…
- Operationalizing SSVC
In the dynamic and often overwhelming landscape of cybersecurity, organizations face a relentless deluge of newly disclosed vulnerabilities. With tens of thousands of vulnerabilities reported…
- CVE Record Format - Past, Present, and Future
This talk, presented by Chris Coffin from MITRE and MZ from F5—both co-chairs of the CVE Quality Working Group (QWG) and CVE Board members—delves into the evolution and future trajectory of the…
- BOF: Vulnerability Data Consumers
This Birds of a Feather (BOF) session at VulnCon brought together security practitioners and data engineers to openly discuss the pervasive challenges associated with consuming and leveraging…
- When it Comes to Managing Risk, Context is King
In the rapidly evolving landscape of cybersecurity, organizations face an overwhelming deluge of vulnerabilities, making traditional vulnerability management (VM) strategies increasingly untenable…
- Managing Risk Across the Vulnerability Ecosystem
In an increasingly interconnected software supply chain, managing vulnerabilities effectively has become a paramount challenge for enterprises. This VulnCon talk, "Managing Risk Across the…
- CVSS v4.0 By The Numbers
In this insightful talk, Nick Leali, a co-chair of the CVSS Special Interest Group (SIG) and an Incident Manager at Cisco PERT, delves into the numerical and qualitative shifts introduced by **CVSS…
- CISA’s North Star Vision for the CVE Program
This panel discussion, held at VulnCon, delves into the past, present, and future of the **CVE (Common Vulnerabilities and Exposures)** program, celebrating its 25-year milestone while charting…
- Don’t Forget the Little Guy: Vulnerability Management in Operational Technology
This talk, "Don’t Forget the Little Guy: Vulnerability Management in Operational Technology," delivered by Kyling Ranahan (CTO of Bazo) and Alex Asante (Security Consultant at A Coming), offers a…
- Streamlining Vulnerability Management: The Power of VEX Inheritance in Container Ecosystems
This talk, presented by God from Nvidia's Product Security Tools team at VulnCon, addresses a critical challenge in modern software development: the redundant and inefficient process of managing…
- Product Security Incident Response at a Fortune 500 SaaS
This talk, presented by Garrett at VulnCon, delves into the intricate world of Product Security Incident Response Teams (PSIRTs) within a large Software-as-a-Service (SaaS) organization…
- Vulnrichment: Year One
This talk, "Vulnrichment: Year One," delves into the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) initiative to enhance the utility and completeness of Common Vulnerabilities and…
- Who’s Vulnerability Is It Anyway? Harmonizing Stakeholder Roles in Vulnerability Management
This panel discussion, born from spontaneous conversations at VulnCon 2024, delves into the intricate and often contentious landscape of vulnerability management. Moderated by Yam Yam, the panel…
- The Open Source Paradox: Unpacking Risk, Equity, and Acceptance
In this thought-provoking VulnCon presentation, Vincent Dan, VP of Product Security at Red Hat, addresses the inherent paradox in how the security of open source software is perceived and managed…
- No Action Required: CVE for Software as a Service
This talk, "No Action Required: CVE for Software as a Service," delves into the evolving landscape of vulnerability management and disclosure in the age of cloud computing. Moderated by Art…
- Towards a Minimum Viable Enumeration of Vulnerabilities
In an era defined by the rapid proliferation of vulnerability data sources, the challenge of effectively managing and responding to security flaws has grown exponentially. The talk "Towards a…
- Models and Systems: How to Think About Vulnerabilities and Artificial Intelligence
In this insightful talk at VulnCon, Eric O'Lincoln delves into the critical distinction between vulnerabilities found in Artificial Intelligence *models* and those residing within the broader…
- Breaking the Build: How Attackers Abuse GitHub Actions
In his VulnCon talk, "Breaking the Build: How Attackers Abuse GitHub Actions," Jonathan Evans, a GitHub Advisory Coordinator/Curator, meticulously dissects the critical security vulnerabilities…
- Vulnerability Data Analysis with Google Spreadsheets and Apps Script for Fun and Profit
In this insightful VulnCon presentation, Andrew van der Stock, a key figure in the OSV (Open Source Vulnerability) project and formerly of Google, unveiled a practical and accessible methodology for…
- The Enriched CVE Record: Redefining Completeness and Quality for Greater Impact
In this insightful talk from VulnCon, Alex Summers, MITRE's CVE and CWE project lead, illuminated the critical evolution of the Common Vulnerabilities and Exposures (CVE) program, focusing on the…
- From NIST to FIRST: How GitHub’s Product Security Response Organization Transitioned
In this VulnCon talk, GitHub’s Sarah Clemens and Jeff detail their organization's methodical journey in evolving its security incident response capabilities. The presentation focuses on GitHub’s…
- Belgian Federal Government invites Ethical Hackers for First-Ever 'Hack the Government' Event
This talk details the ambitious journey of the Belgian Federal Government to transition from a stance of prosecuting ethical hackers to actively inviting them to secure national digital assets…
- Vulnerability Response of Last Resort
Diogo Yogu's talk, "Vulnerability Response of Last Resort: Dealing with Undermaintained Packages in the Open Source Ecosystem," addresses a critical and growing challenge in software security: the…
- What's New in CSAF and OpenEoX
In this VulnCon session, Omar Santos from Cisco provided a comprehensive update on the advancements in two critical standards for cybersecurity: the **Common Security Advisory Framework (CSAF)** and…
- Distributing Product Vulnerability Information: The Cisco VEXperience
In an era of increasingly complex software supply chains, understanding the impact of third-party software (TPS) vulnerabilities on commercial products is a critical challenge for both vendors and…
- Exploit Maturity: Your New Best Friend in CVSS
In her VulnCon talk, "Exploit Maturity: Your New Best Friend in CVSS," Shelby Cunningham, a member of GitHub's advisory database curation team and a CNA (Common Vulnerabilities and Exposures…
- Outpacing Attackers: How Data-Driven Insights Speed Up Vulnerability Remediation
In an era of rapidly escalating cyber threats and an overwhelming volume of newly disclosed vulnerabilities, organizations face an unprecedented challenge in effectively managing and remediating…
- Software Identity in the Vulnerability Management Ecosystem
This panel discussion, moderated by Alex Hmers, MITRE CVE and CW Project Lead, delves into the intricate world of software identification within the vulnerability management ecosystem. The core…
- Efficient Vulnerability Management in Hierarchical Supply Chains
In an increasingly interconnected world, where software supply chains grow in complexity and depth, managing vulnerabilities efficiently has become a critical challenge for organizations of all…
- CNA Birds of a Feather: Open Forum with Certified Numbering Authorities
This VulnCon Birds of a Feather session, titled "CNA Birds of a Feather: Open Forum with Certified Numbering Authorities," brought together a panel of seasoned experts from leading technology…
- CVE Unmoored: Implications of the Removal of the Technology Requirement
Jonathan Evans, a seasoned expert from GitHub's Advisory Database and a former member of MITRE's CVE team, delivered a compelling talk at VulnCon titled "CVE Unmoored: Implications of the Removal of…
- Quick Start Session For Using CPE Within the CVE Record Format
This talk, presented by Chris Coffin of the MITRE Corporation, introduces significant enhancements to the **CVE Record Format**, specifically the integration of robust support for **Common Platform…
- Challenges in Open Source Software Identification
In this insightful talk at VulnCon, Martin Seysen from Red Hat's Product Security Team tackled the complex and often overlooked challenges inherent in **open source software identification**. Seysen…
- From Idea to Open-Source: Building CNA-GURU, a Generative AI Assistant for Security Advisories
In the dynamic and ever-expanding landscape of cybersecurity, the process of scoring vulnerabilities and drafting security advisories is a critical yet often challenging and time-consuming endeavor…
- Applying Cybersecurity Regulations and Industry Standards to Open Source Projects
In an era where open source software forms the bedrock of nearly every technological stack, the intersection of open source development with stringent cybersecurity regulations and industry…
- OpenEoX
The "OpenEoX" talk, presented by Shamusaf Roguski (known as Rogue), a Principal Security Engineer at Red Hat, introduces a nascent project aimed at standardizing and exchanging product lifecycle…
- Establishing a Global Community of Practice on Coordinated Vulnerability Disclosure (CVD)
In an increasingly interconnected digital landscape, the effective management and disclosure of cybersecurity vulnerabilities are paramount. This talk, delivered by Tommoito of JPCERT/CC and Justin…
- Adversarial Intelligence: Redefining Application Security Through the Eyes of an Attacker
In this thought-provoking VulnCon presentation, "Adversarial Intelligence: Redefining Application Security Through the Eyes of an Attacker," Roy, an expert from Codem Security with a notable…
- Where Do We Aim? A Look at the State of Vulnerable Software Identification and Its Future
In this insightful talk, Andrew Sudter of BlackBerry's PERT team addresses the critical and often overlooked challenges in accurately identifying vulnerable software components, exploring the…
- Managing Vulnerabilities through SSDLC
In this insightful talk at VulnCon, Luchi Stanescu, Security Engineering Manager at Canonical, delves into the critical lessons learned from implementing a robust **Security Software Development…
- Nothing to Risk but Risk Itself: Expanding Vulnerability Risk with Internet-Scale Data
In this VulnCon talk, Benjamin Edwards and Sander Vinberg from Bitsite challenge conventional notions of vulnerability risk, advocating for a more comprehensive and data-driven approach that extends…
- Resolution Revolution: Turbocharging Security Ticketing Timelines
In an era defined by an exponential surge in software vulnerabilities, security teams are perpetually overwhelmed, struggling to manage an ever-increasing volume of security tickets with limited…
- Open Interchange on CPE - Purl Between Communities of Interest and the CVE and NVD Programs
This VulnCon session delves into the intricate challenges of software identification within the vulnerability management ecosystem, focusing on the interplay between **Common Platform Enumeration…
- Ask Not Whether CVSSv3.1 and v4 Scores are Inconsistent, But What Can You Do About It
This talk, presented by Monan and Chisan from VU Amsterdam, delves into the critical issue of inconsistencies between Common Vulnerability Scoring System (CVSS) versions 3.1 and 4.0. As…
- Weaving a VEX Feed Through the Kubernetes Project
In this insightful talk, Adolfo Garcia, known as "Puerto," from Carabiner Systems and a key contributor to Kubernetes Release Engineering and the OpenVEX project, delves into the complex yet…
- Building Trust Through Proactive Security - Key Parts of the Trusted Software Supply Chain
In an era of increasing supply chain attacks and software vulnerabilities, the concept of a "trusted software supply chain" has become paramount. This talk, delivered by Premaruski, also known as…
- Diagnosing the Hurdles in the Medical Device Regulatory Landscape
This talk delves into the complex and rapidly evolving regulatory landscape surrounding the integration of Artificial Intelligence (AI) into medical devices, primarily focusing on the United States…
- Open Discussion - International Challenges with CVD, CNA, and CVE
This VulnCon talk, "Open Discussion - International Challenges with CVD, CNA, and CVE," provided a critical forum for cybersecurity professionals to engage in a candid conversation about the complex…
- Evolving Secure Development through FedRAMP Continuous Monitoring Trends
This talk by Stephanie Harris and Christopher Lusk from Red Hat delves into the intricate world of **FedRAMP (Federal Risk and Authorization Management Program)** continuous monitoring and its…
- Distribution Builders Meet VEX
In this insightful talk, Marta Rybczynska, a seasoned expert in open-source security, delves into the complex intersection of **Vulnerability Exploitability eXchange (VEX)** and the **Yocto…
- CPE Metadata: Know IT ALL
In the rapidly evolving landscape of cybersecurity, effective vulnerability management is paramount for organizations striving to maintain robust security postures and ensure compliance. This talk…
- Identifying Malicious OSS Across Ecosystems
This talk, delivered by Justin Smith of Microsoft's Open Source Security Team at VulnCon, shifts focus from traditional vulnerabilities to the pervasive and growing threat of **malicious open-source…
- Context Matters: Qualitative Insights into Developers’ Approaches and Challenges with Software...
In this insightful talk from VulnCon, Elizabeth, a PhD student from NC State's Whisper Lab, presented a qualitative study examining the real-world experiences of developers interacting with…
- Merging Security and Compliance: Perspectives on Emerging Regulations and Best Practices
This talk, presented at VulnCon, delves into the intricate and increasingly vital intersection of security, compliance, and open source software, with a particular focus on emerging global…
- Airflow Beach Cleaning - Supply Chain Security with Community in Mind
In this compelling talk from VulnCon, Michael Windsor, co-founder of Alpha Omega, and Jarrick, an Apache Airflow maintainer, shed light on a pragmatic and community-focused approach to securing the…
- Securing Citizen Developers: A New Opportunity to Build Safe Applications
In "Securing Citizen Developers: A New Opportunity to Build Safe Applications," Kayla Underoffer, Lead Security Engineer in the CTO office at Zenity, addresses a burgeoning and often overlooked…
- Let’s Talk About Fitness for Purpose: Comparing and Contrasting the CVE List with OSV.dev
Andrew, a member of Google's open source security team, delivered a compelling talk at VulnCon, expanding on his previous discussions regarding the challenges in vulnerability metadata quality. His…
- UC2 Risk Ruler for CVSS 4.0: Visualizing Vulnerability Severity and Data Confidence
This talk introduces the **UC2 Risk Ruler for CVSS 4.0**, a novel estimation methodology and toolkit designed to augment the widely used Common Vulnerability Scoring System (CVSS) scores. Developed…
- The Quality Imperative for CVEs: The Need For Enhancing Vulnerability Reporting Standards
In an insightful and candid presentation at VulnCon, Jerry Gamblin, a prominent figure in Cisco's Threat Detection and Response group, delivered a critical assessment of the current state of…
- Updates from the CVSS SIG
This talk, presented by Nick Leali, a co-chair of the Common Vulnerability Scoring System (CVSS) Special Interest Group (SIG), provides a comprehensive update on the state of CVSS version 4 (v4)…
- Alpha-Omega: What We've Learned From Funding Open Source Security Over the Past 3 Years, What's Ahead
In this VulnCon talk, Michael Windsor, co-founder of Alpha-Omega, a project under the Linux Foundation, shared profound insights from three years of dedicated efforts to bolster open-source software…
- Where The Wild Things Are: The State Of Open Source Supply Chain Risk Management In Three Stories
In this insightful talk at VulnCon, "Where The Wild Things Are: The State Of Open Source Supply Chain Risk Management In Three Stories," speaker Maui delves into the critical challenges facing…
- Towards a Vulnerability Reporting Specification
In an era of escalating cybersecurity regulations, the talk "Towards a Vulnerability Reporting Specification" at VulnCon addressed a critical need for open-source software projects. Presented by…
- Production, Consumption, and the Data: The Open Source Security Sandwich
In his insightful VulnCon presentation, "Production, Consumption, and the Data: The Open Source Security Sandwich," Mike Lieberman, Co-founder and CTO of Casari, dissected the pervasive and…