Who’s Vulnerability Is It Anyway? Harmonizing Stakeholder Roles in Vulnerability Management
CVE/FIRST VulnCon 2025 · Main Stage
This panel discussion, born from spontaneous conversations at VulnCon 2024, delves into the intricate and often contentious landscape of vulnerability management. Moderated by Yam Yam, the panel brings together diverse perspectives from a **threat research lead**, a **vulnerability management operator**, a **security analyst** (also representing developers), and a **security architect/executive**. The core focus is to dissect the complexities, challenges, and inherent friction points arising from the varied priorities and operational realities of different stakeholders involved in the vulnerability lifecycle.
AI review
A competent panel discussion on vulnerability management stakeholder friction that covers familiar ground — CVSS limitations, false positive versus false negative tension, dev-sec misalignment, remediation ownership gaps — with enough practitioner honesty to make it useful for a VulnCon audience. The multi-persona framing is genuinely well-constructed, and a few moments (the Python zip 15-year CPE blind spot, the XZ Utils supply chain angle, James's package-layer remediation reframing) show real operational experience. But the panel never goes deep enough on any single thread to be…