Operationalizing SSVC
CVE/FIRST VulnCon 2025 · Main Stage
Organizations face a relentless stream of newly disclosed vulnerabilities. With tens of thousands reported annually, the challenge is not just identifying them but deciding which ones demand immediate attention and action. This talk, "Operationalizing SSVC," presented by Lindsay Sirnik and Sean Latona of the Cybersecurity and Infrastructure Security Agency (CISA), addresses that problem directly by detailing CISA's successful implementation of the **Stakeholder-Specific Vulnerability Categorization (SSVC)** framework.
AI review
Sirnik and Latona are the right people to give this talk — they built and operate CISA's SSVC pipeline, and they bring five years of real operational data to the table. The ZenBle case study is the strongest moment: a concrete example of SSVC doing what it's supposed to do, walking a high-CVSS panic back with actual contextual reasoning. The public Vulnrichment/ADP data sharing angle is genuinely useful signal for practitioners who didn't know that enrichment existed. But the talk lands as a solid practitioner briefing rather than a must-see research contribution. SSVC itself is not new —…