Distributing Product Vulnerability Information: The Cisco VEXperience

CVE/FIRST VulnCon 2025 · Main Stage

In an era of increasingly complex software supply chains, understanding how third-party software (TPS) vulnerabilities affect commercial products is a critical challenge for both vendors and customers. Dario Sicaron, a Principal Engineer in Cisco's Security and Trust Organization, presented "Distributing Product Vulnerability Information: The Cisco VEXperience" at VulnCon, describing Cisco's initiative to publish clear, machine-readable Vulnerability Exploitability eXchange (VEX) information. The talk covers Cisco's work to centralize and standardize the distribution of vulnerability data, focusing in particular on how vulnerabilities in widely used open-source components such as OpenSSL and OpenSSH do or do not affect products across Cisco's extensive portfolio.
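The practical point of VEX is that a consumer can take the vulnerability list for a product and reduce it to what actually needs action. As an added illustration (not code from the talk, and not Cisco's tooling; the page does not say which VEX encoding Cisco emits), the following uses the OpenVEX JSON format with a constructed document: the product identifiers, CVE identifiers and statements are made up for the example. It validates the statements, resolves a per-product status for each CVE, and keeps unanswered CVEs visible rather than silently treating them as fine.

```python
"""Constructed OpenVEX document plus a minimal consumer.

Not from the VulnCon talk or from Cisco: product IDs, CVE IDs and the
document below are invented for illustration.
"""
import json

OPENVEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# Constructed sample: two products that both ship the same OpenSSL build.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-0001",
    "author": "Example Vendor PSIRT",
    "timestamp": "2025-04-01T00:00:00Z",
    "version": 1,
    "statements": [
        {   # component present, but the vulnerable code is never reached
            "vulnerability": {"name": "CVE-2099-0001"},
            "products": [{"@id": "pkg:generic/example-router@1.0",
                          "subcomponents": [{"@id": "pkg:generic/openssl@3.0.0"}]}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # same CVE, different product, genuinely exposed
            "vulnerability": {"name": "CVE-2099-0001"},
            "products": [{"@id": "pkg:generic/example-switch@2.1"}],
            "status": "affected",
            "action_statement": "Upgrade to 2.2 or later.",
        },
        {
            "vulnerability": {"name": "CVE-2099-0002"},
            "products": [{"@id": "pkg:generic/example-router@1.0"},
                         {"@id": "pkg:generic/example-switch@2.1"}],
            "status": "fixed",
        },
        {   # deliberately malformed: not_affected with no justification
            "vulnerability": {"name": "CVE-2099-0003"},
            "products": [{"@id": "pkg:generic/example-router@1.0"}],
            "status": "not_affected",
        },
    ],
})


def load_statements(doc_text):
    """Parse an OpenVEX document; return (valid_statements, problems).

    A not_affected claim must carry a justification or impact_statement,
    otherwise a consumer has no basis for suppressing the finding, so such
    statements are rejected rather than trusted.
    """
    doc = json.loads(doc_text)
    valid, problems = [], []
    for i, st in enumerate(doc.get("statements", [])):
        status = st.get("status")
        if status not in OPENVEX_STATUSES:
            problems.append(f"statement {i}: unknown status {status!r}")
            continue
        if status == "not_affected" and not (
            st.get("justification") or st.get("impact_statement")
        ):
            problems.append(f"statement {i}: not_affected without justification")
            continue
        valid.append(st)
    return valid, problems


def resolve(statements, product_id, cve_ids):
    """Map each CVE to its VEX status for one product.

    CVEs with no statement for this product stay 'unknown'. Later statements
    in the document override earlier ones (a simplification; OpenVEX orders
    by statement timestamp across documents).
    """
    result = {cve: "unknown" for cve in cve_ids}
    for st in statements:
        name = st["vulnerability"]["name"]
        if name not in result:
            continue
        if any(p.get("@id") == product_id for p in st.get("products", [])):
            result[name] = st["status"]
    return result


def actionable(resolution):
    """CVEs the operator still owns: affected, still being triaged, or unanswered."""
    open_states = {"affected", "under_investigation", "unknown"}
    return sorted(cve for cve, status in resolution.items() if status in open_states)


if __name__ == "__main__":
    stmts, issues = load_statements(SAMPLE_VEX)
    print("rejected:", issues)
    scan = ["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0004"]
    for product in ("pkg:generic/example-router@1.0", "pkg:generic/example-switch@2.1"):
        status = resolve(stmts, product, scan)
        print(product, status, "-> act on:", actionable(status))
```

The two checks worth keeping when you wire this into a real pipeline are the ones above: never suppress a finding on the strength of a `not_affected` that lacks a justification, and never let a CVE disappear just because no VEX statement mentions it.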

AI review

A competent, practitioner-focused case study from Cisco's PSIRT-adjacent engineering team on building and operating a centralized TPS vulnerability repository with VEX output. The real value here is the empirical usage data — query distributions, CVE clustering, CVSS-vs-behavior gaps — which is genuinely useful signal for anyone building or consuming vulnerability tooling. This isn't research, it's an operational retrospective, and judged on that lane it delivers adequately. It won't set the conference on fire, but it's honest about what it is, and the data is more interesting than the…
