Nothing to Risk but Risk Itself: Expanding Vulnerability Risk with Internet-Scale Data
CVE/FIRST VulnCon 2025 · Main Stage
In this VulnCon talk, Benjamin Edwards and Sander Vinberg from Bitsight challenge conventional notions of vulnerability risk, advocating for a more comprehensive, data-driven approach that extends beyond traditional metrics. Titled "Nothing to Risk but Risk Itself," a play on FDR's famous quote, the presentation argues that a progressive vision for risk requires shedding preconceived ideas and embracing a richer understanding of contextual factors. The speakers aim to bridge a perceived divide in the security community between those who champion large-scale data modeling and those who rely on expert, "ethnographic" analysis of individual vulnerability instances.
AI review
Edwards and Vinberg are doing legitimate empirical work — the Gini coefficient application to CVE concentration is genuinely clever, the EPSS-versus-remediation-speed disconnect is a finding worth hearing, and the supply chain risk quantification using market share against patch velocity is the kind of thing practitioners should be thinking about. The internet-scale dataset (Groma's 4.9B IPv4 addresses, 40M orgs) gives them a real empirical foundation that most vulnerability management talks don't have. But this is squarely a 3-star talk: solid, competent, grounded in actual data — and not…