Vulnrichment: Year One

CVE/FIRST VulnCon 2025 · Main Stage

This talk, "Vulnrichment: Year One," delves into the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) initiative to enhance the utility and completeness of Common Vulnerabilities and Exposures (CVE) records. Presented by Art and Lindsay from CISA, the session reflects on the first year of the Vulnrichment program, a critical effort to democratize CISA's extensive internal vulnerability analysis and provide it as a public service. The program aims to bridge data gaps in CVEs, offering richer context and actionable intelligence for vulnerability management practitioners.

AI review

A competent, honest retrospective from the people who actually built and ran Vulnrichment. This is a policy/program talk, not a research drop, and judged in that lane it delivers real operational signal: candid admission that CPE enrichment failed and why, concrete metrics on community engagement, and a clear articulation of where CISA thinks the ecosystem needs to move. It won't set the room on fire, but it's the kind of unglamorous infrastructure work that actually matters for practitioners who use CVE data daily. The CPE post-mortem alone is more honest than most government program talks…
