Vulnerability Response of Last Resort

CVE/FIRST VulnCon 2025 · Main Stage

Diogo Yogu's talk, "Vulnerability Response of Last Resort: Dealing with Undermaintained Packages in the Open Source Ecosystem," addresses a critical and growing challenge in software security: the proliferation of vulnerabilities in open-source components that lack active maintenance. Yogu, an Engineering Manager at Canonical responsible for coordinating security support for Ubuntu LTS releases, likens his work to "boiling the neverending ever growing CVE ocean one spoonful at a time." This presentation dives deep into the systemic issues arising from the exponential growth of open-source packages coupled with a stagnant or declining pool of dedicated maintainers, creating a fertile ground for unaddressed security flaws.

AI review

Yogu is the right person to give this talk — he lives in this problem daily — and the framing of 'Vulnerability Responders of Last Resort' is a genuinely useful construct. The libSPF2 use-after-free example (unmerged PR sitting in public since 2016) is a concrete illustration of a real and underappreciated risk class. But the talk never fully escapes the gravitational pull of 'problem statement' and lands short of delivering the actionable framework the setup promises. The proposed solutions are directionally correct but stay at a level of abstraction that will leave most practitioners…
