Where Do We Aim? A Look at the State of Vulnerable Software Identification and Its Future
CVE/FIRST VulnCon 2025 · Main Stage
In this insightful talk, Andrew Sudter of BlackBerry's PERT team addresses the critical and often overlooked challenges in accurately identifying vulnerable software components, exploring the current landscape of identification schemes and vulnerability enrichment programs. Titled "Where Do We Aim? A Look at the State of Vulnerable Software Identification and Its Future," the presentation dissects the limitations and strengths of established standards like **CPE (Common Platform Enumeration)** and the emerging **PURL (Package URL)**, while critically evaluating the scalability and accuracy of key initiatives from NIST's **NVD (National Vulnerability Database)** and CISA's **ADP (Authoritative Data Program)**.
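The two identification schemes the talk contrasts are worth seeing side by side. The following Python is an added example, not code from the talk or from BlackBerry; it parses a CPE 2.3 formatted string and a Package URL according to their public specifications, then attempts the cross-scheme match a vulnerability-management pipeline has to make when affected-product data arrives as CPE and the inventory is expressed as PURL. The `PURL_TYPE_TO_TARGET_SW` table, the `acme`, `other_org` and `widget_foundation` vendors and the `widgetlib` product are all assumptions constructed for the example; the lossiness of that table is the ambiguity the talk is about.

```python
import re
from urllib.parse import unquote

# The 11 attributes of a CPE 2.3 formatted string, in order.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

# Assumed, hand-maintained mapping from PURL ecosystem type to the free-text
# values CPE records tend to put in target_sw. No authoritative table exists,
# which is exactly why matching across the two schemes is lossy.
PURL_TYPE_TO_TARGET_SW = {"pypi": {"python"}, "npm": {"node.js", "nodejs"},
                          "maven": {"java"}, "gem": {"ruby"}}

def parse_cpe23(s):
    """Split a CPE 2.3 formatted string into its named attributes."""
    if not s.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string")
    # Colons inside a value are escaped as '\:', so split only on unescaped ':'.
    parts = re.split(r"(?<!\\):", s[len("cpe:2.3:"):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} attributes, got {len(parts)}")
    return {k: v.replace("\\:", ":") for k, v in zip(CPE_FIELDS, parts)}

def parse_purl(s):
    """Split a Package URL into type, namespace, name, version, qualifiers, subpath."""
    if not s.startswith("pkg:"):
        raise ValueError("not a Package URL")
    rest, _, subpath = s[4:].partition("#")   # subpath follows '#'
    rest, _, query = rest.partition("?")      # qualifiers follow '?'
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        k, _, v = pair.partition("=")
        qualifiers[k.lower()] = unquote(v)
    version = None
    if "@" in rest:                           # '@' inside names is %-encoded
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segs = [unquote(x) for x in rest.strip("/").split("/")]
    return {"type": segs[0].lower(),
            "namespace": "/".join(segs[1:-1]) or None,
            "name": segs[-1],
            "version": version,
            "qualifiers": qualifiers,
            "subpath": subpath or None}

def match_purl_against_cpes(purl_str, cpe_strings):
    """Return (vendor, product, version) for each affected-product CPE the PURL
    plausibly matches. Product name and version are compared directly; CPE has
    no ecosystem attribute, so target_sw is consulted only when it is populated,
    through the assumed mapping above. An unqualified CPE therefore matches a
    package of the same name in any ecosystem."""
    purl = parse_purl(purl_str)
    accepted = PURL_TYPE_TO_TARGET_SW.get(purl["type"], set())
    hits = []
    for c in cpe_strings:
        cpe = parse_cpe23(c)
        if cpe["product"].lower() != purl["name"].lower():
            continue
        if cpe["version"] not in ("*", purl["version"]):
            continue
        sw = cpe["target_sw"].lower()
        if sw not in ("*", "-") and sw not in accepted:
            continue
        hits.append((cpe["vendor"], cpe["product"], cpe["version"]))
    return hits

# Constructed sample affected-product records; vendors and product are invented.
AFFECTED_CPES = [
    "cpe:2.3:a:acme:widgetlib:2.25.0:*:*:*:*:python:*:*",
    "cpe:2.3:a:acme:widgetlib:2.26.0:*:*:*:*:python:*:*",
    "cpe:2.3:a:other_org:widgetlib:*:*:*:*:*:node.js:*:*",
    "cpe:2.3:a:widget_foundation:widgetlib:2.25.0:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for p in ("pkg:pypi/widgetlib@2.25.0", "pkg:npm/widgetlib@0.1.0",
              "pkg:cargo/widgetlib@2.25.0"):
        print(p, "->", match_purl_against_cpes(p, AFFECTED_CPES))
```

The third sample query is the instructive one: a Cargo crate that happens to share the name `widgetlib` still matches the last CPE, because that record leaves `target_sw` as `*`. Without an ecosystem field or an authoritative vendor-to-ecosystem table, a consumer can only choose between accepting such false positives or discarding affected-product data it cannot disambiguate.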
AI review
Sudter delivers a methodical, data-backed dissection of a problem the vulnerability management community is sleepwalking into: the collapse of machine-readable affected-product data as CISA exits CPE enrichment and NVD drowns in its own backlog. This isn't a research talk dropping a new exploit — it's a threat/intel briefing on infrastructure rot, and judged in that lane it's genuinely useful. The empirical visualization of CISA's historical CPE contribution dominance, combined with the forward projection showing the data 'bottoming out' even under optimistic CNA participation assumptions…