Vulnerability Root Cause Mapping with CWE
CVE/FIRST VulnCon 2025 · Main Stage
This talk, presented at VulnCon, delves into the critical importance and evolving landscape of **vulnerability root cause mapping** using the **Common Weakness Enumeration (CWE)**. Speakers Alec Summers, the MITRE CVE and CWE Project Lead, and Chris Madden, a key contributor to the Root Cause Mapping Working Group, highlight how identifying the fundamental causes of vulnerabilities is crucial for effective product security, both within individual organizations and across the broader cybersecurity community. They argue that robust root cause analysis enables better trend analysis, informs strategic investments in security practices, and provides invaluable feedback loops into the Software Development Lifecycle (SDLC).
AI review
A competent, well-structured presentation on a real problem — CWE mapping coverage is genuinely terrible and the data quality issue is chronic. Summers and Madden are the right people to be giving this talk, and the LLM grounding approach is sensible rather than hype-driven. The $15/7,000-CVE proof of concept and the graph-distance evaluation metric are concrete contributions worth knowing about. But this is infrastructure tooling work dressed up as research, and the audience for whom this is genuinely new and actionable is narrow. The 'LLMs are good at classification tasks when grounded'…
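The review mentions a graph-distance metric for judging LLM-proposed CWE mappings against a ground-truth CWE. The following is an added illustration, not code from the talk or from the Root Cause Mapping Working Group: it assumes the metric is the shortest-path length over CWE ChildOf edges (the talk's exact definition is not given on the page), and it uses a small constructed subset of the CWE hierarchy that should be checked against the current CWE release before any real use.

```python
from collections import deque

# Constructed subset of CWE ChildOf relationships (research view style),
# child -> parent. Illustrative only; verify against the current CWE release.
CWE_PARENT = {
    "CWE-79": "CWE-74",    # XSS -> Injection
    "CWE-89": "CWE-943",   # SQL injection -> Data query logic neutralization
    "CWE-943": "CWE-74",
    "CWE-78": "CWE-77",    # OS command injection -> Command injection
    "CWE-77": "CWE-74",
    "CWE-74": "CWE-707",   # Injection -> Improper Neutralization
    "CWE-787": "CWE-119",  # Out-of-bounds write -> Buffer operation errors
    "CWE-125": "CWE-119",  # Out-of-bounds read
    "CWE-119": "CWE-118",
    "CWE-118": "CWE-664",
}

def build_graph(parent_map):
    """Undirected adjacency list over the ChildOf edges."""
    adj = {}
    for child, parent in parent_map.items():
        adj.setdefault(child, set()).add(parent)
        adj.setdefault(parent, set()).add(child)
    return adj

def cwe_distance(graph, a, b):
    """Shortest-path length between two CWE ids (BFS); None if unreachable."""
    if a == b:
        return 0
    seen, queue = {a}, deque([(a, 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt == b:
                return d + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return None

def score_mappings(graph, pairs, near=2):
    """pairs: (predicted_cwe, ground_truth_cwe). A prediction within `near`
    hops of the truth counts as a near miss rather than a hard error."""
    dists = [cwe_distance(graph, p, t) for p, t in pairs]
    reachable = [d for d in dists if d is not None]
    n = len(pairs)
    return {
        "exact": sum(d == 0 for d in reachable) / n,
        "within_near": sum(d <= near for d in reachable) / n,
        "unreachable": sum(d is None for d in dists) / n,
        "mean_distance": sum(reachable) / len(reachable) if reachable else None,
    }
```

Run over a few constructed (predicted, truth) pairs, a mapping of CWE-77 where CWE-78 was correct scores as a near miss (distance 1), while a memory-safety CWE predicted for an injection bug is unreachable within this subset and counts as a hard error.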