Program Overview

This presentation explores Adversarial Intelligence - an approach that views application security from an attacker’s perspective. Drawing from vulnerability research experience at the NSO Group, the speaker will highlight how overlooked low and medium vulnerabilities can be combined to execute successful attacks. By examining attack chains and application runtime behavior, attendees will see how gaps often missed by traditional methods are exposed. Attendees will learn about effective tools and techniques for detecting and mitigating these threats, especially in cloud-native and distributed systems. Designed for security practitioners and academics, this session provides a deeper understanding of defending against sophisticated attackers by adopting their mindset.

This session explores AIBOM's (AI Bill of Materials) critical role in securing AI ecosystems and mitigating software supply chain risks. Attendees will learn how AIBOM enables for effective AI vulnerability management, enhances transparency, enables compliance, and streamlines risk management to support AI innovation. Participants will gain insights into key use cases and best practices for AIBOM interoperability.

Helen Oakley, CISSP, GPCS, GSTRT, is a prominent leader in cybersecurity and AI transparency. She co-leads the AIBOM Tiger Team under CISA.gov SBOM working groups and contributes to pivotal initiatives like OWASPAI.org Agentic AI Security, evolving frameworks and best practices for AI security and transparency. As the Director of Secure Software Supply Chains and Secure Development at SAP’s Global Security and Cloud Compliance, Helen champions security-by-design practices across engineering teams. A Founding Partner of the AI Integrity and Safe Use Foundation (AISUF.org) and co-founder of LeadingCyberLadies.com, she is a trusted advisor to cybersecurity startups and a respected speaker at industry-defining events like RSA and BlackHat. Recognized among the Top 20 Canadian Women in Cybersecurity, Helen’s work focuses on advancing the future of secure AI ecosystems through thought leadership, innovation, and actionable solutions.

Dmitry Raidman is a visionary entrepreneur and cybersecurity innovator who has contributed to shaping the future of software supply chain security. Having held critical technology roles at leading companies like FLIR Systems and Sealights, as co-founder and CTO of Cybeats Technologies, he helped Fortune 500 companies to operationalize SBOM (Software Bill of Materials) management by inventing SBOM Studio in 2020. His groundbreaking work extends to AI security, where he co-leads SBOM implementation for AI systems and models and co-founded AISUF.org, the Open Framework for AI Security & Safe Use. A contributor to the NTIA's SBOM standards since 2018 and an active participant in critical security working groups, Dmitry brings over 25 years of expertise in application security, cloud architecture, and DevSecOps. His commitment to industry advancement extends beyond technology through co-founding the Security Architecture Podcast, where he shares insights on enterprise security solutions and architecture.

Putting safe harbour law to the test in practice, the Belgian Federal Government opened selected digital assets to ethical hackers to search for bugs over a 2-week period.

How is this different from bug bounties? Ethical hackers had to use their own identities to test for vulnerabilities, follow the strict legal guidelines as set in our CVDP law, and navigate the complexities of collaborating and competing with each other (strangers who quickly became allies) in a never-been-done-before event.

This presentation will outline the process from idea to execution and beyond. You will learn the groundwork that must be done to host your own event, success factors, and the essential "magic" that brings a disparate group together as a community wanting to be useful to society. And we will reveal the results - which are more than the numbers of vulnerabilities found.

Lisa Olson is a Senior Security Program Manager at Microsoft, has a lot to do with patch Tuesdays, and is a CVE Board member.

Peter Allor is the Senior Director, Product Security for Red Hat. He is been instrumental in Red Hat's secure development and incident response programs Red Hat and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organizations domain in support of business.

Prior roles include Senior Director for security at Honeywell, Cybersecurity Strategist at BIM and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS for working National Infrastructure Advisory Council (NIAC) problem sets and assisted in forming the Information Technology - Sector Coordinating Council (IT-SCC) where he recently returned to the Executive Committee and Treasurer. As the former Operations Center Director, he ran the Information Technology - Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.

Peter is a Member of the CVE Board, a former member Board of Director of the Forum of Incident Response and Security Teams (FIRST) and its Chief Financial Officer for FIRST. Peter was President to the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the Public and Private Sectors to work collaboratively on Cyber Security.

Peter is a retired Lieutenant Colonel from the US Army. He has Masters Degree from the University of Phoenix, a BS in Business Administration from Rollins College and is a Graduate of the US Army Command & General Staff College.

As security concerns continue to grow in the software industry, customers seek assurance that the software they rely on is built securely. While applying security patches is essential, it is equally important to understand the proactive measures taken throughout the development process to ensure that our software is built securely and is compliant with regulatory requirements and industry security standards.

Red Hat follows a comprehensive Secure Software Development Lifecycle (SDLC) framework to improve software security during the entire software lifecycle, mitigating risks, including vulnerabilities, before products are released to production and ensuring that customers can trust Red Hat’s products. We also use an end-to-end build and release environment, which uses SLSA (Supply-chain Levels for Software Artifacts) framework as a guide for reinforcing and gating the build process to better secure and fortify your software supply chain against various threats.

Przemysław “Rogue” Roguski is a Security Architect at Red Hat who specializes in shift-left security initiatives included in build and release processes. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security.

He is focused on the security data improvements, especially security data usability in the vulnerability management process and production of attestation data as a part of the Secure Software Development Lifecycle (SDLC) work to address security issues proactively.

An active participant of various upstream and downstream security initiatives and projects like CWE UEWG, OASIS OpenEoX Technical Committee, CISA VEX Working Group and Red Hat Vulnerability Scanner Certification program.

Modern vulnerability management relies on precise software component identification, yet our ecosystem has evolved multiple competing and overlapping identification schemes. This talk examines the fragmentation and interoperability challenges across identification systems including CPE, purl, and affected component references in the CVE and OSV record schemas. We'll analyze real-world examples of how different CNAs approach component identification, highlighting inconsistencies that complicate vulnerability tracking. We'll explore the complexity of mapping between upstream releases and downstream packages in major Linux distributions. The session concludes with recommendations for improving component identification standardization and coordination across the vulnerability management ecosystem.

This talk will benefit vulnerability management teams, security researchers, package maintainers, and vulnerability database operators who need to accurately track and correlate vulnerable components across different contexts and systems.

Martin Prpic is a Principal Product Security Engineer in the PSIRT organization of Red Hat Product Security, responsible for security data management and publishing.

This panel brings together a mix of government, FFRDC, and industry panelists who have different perspectives on software security and vulnerability management. The panel’s focus will be what we, as a community, need to do to make our ecosystem safer.

Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse and extensive experience in software assurance and vulnerability management, as well as cyber operations, assessments, and supply chain risk management. He is MITRE’s CVE and CWE Project Leader, managing teams that support vulnerability and weakness research & analysis, content production, program coordination, infrastructure and services development, and community engagement across a global stakeholder community comprising industry, government, and academia. He also serves as the moderator for the CVE Board.

Dr. Benjamin Edwards is a principal research scientist working at Bitsight. An expert in ML and statistics, Ben synthesized security data into actionable insights. He has led research on a wide variety of security topics including vulnerability management, application security, human risk, Next-gen SIEM, nation state cybersecurity policy, and the security of ML models.  He is an active member of the security community, contributing to open standards efforts including both EPSS and CVSSv4. His work has been published in leading industry and academic venues.

Bob Lord is a Senior Technical Advisor at the Cybersecurity and Infrastructure Security Agency (CISA). Previously he was the Chief Security Officer at the Democratic National Committee where he brought more than 20 years of experience in the information security space to the Committee, state parties, and campaigns. Before that he was Yahoo's Chief Information Security Officer, covering areas such as risk management, product security, security software development, e-crimes and APT programs. He was the Chief Information Security Officer in Residence at Rapid 7, and before that headed up Twitter's information security program as its first security hire.

Sandy J. Radesky serves as the Associate Director for Vulnerability Management at the Cybersecurity and Infrastructure Security Agency (CISA). Prior to this role, Ms. Radesky served as the Deputy Command Information Officer (CIO) for U.S. Fleet Cyber Command/ U.S. TENTH Fleet from December 2020 to February 2023. In this position she oversaw the cybersecurity, policy, design, and future plans for the Navy in order to support full spectrum Cyberspace Operations to enable FLTCYBERCOM as the central operating authority for Navy Networks. Her efforts continued to improve, integrate and directly support joint warfighters, national-level leaders, and other mission and coalition partners across the full spectrum of global operations.

Join a Birds of a Feather session hosted by Certified Naming Authorities (CNAs) to explore their role and contributions. This open forum will feature discussions with CNAs, members of CVE working groups, security tooling providers, and other notable organizations. Audience questions are welcome to encourage open and engaging dialogue.

David Welch is a seasoned industry leader with nearly 20 years of experience. Passionate about open source software, security, and compliance, he brings a unique perspective to the evolving tech landscape. As CTO of HeroDevs, David spearheads the technical direction of the Never-Ending Support program, delivering Long-Term Support for end-of-life open-source projects.

Jonathan Evans is an advisory curator for the GitHub Advisory Database. He works to ensure GitHub published relevant and accurate advisories. Prior to GitHub, Jonathan worked for the CVE Program at MITRE.

Lisa Olson: Senior Security Program Manager at Microsoft, has a lot to do with patch Tuesdays, CVE Board member.

Scott Moore: Collector of vulnerability data for 30 years. Creator of the ISS X-Force Vulnerability Database in 1997 and managed it through acquisition by IBM. CVE Numbering Authority for IBM PSIRT Operations Team, Office of the CISO.

Recent years have seen a shift towards a risk-based approach in various industries, prioritizing vulnerabilities based on factors like potential impact and exploitability. This approach requires consideration of industry-specific security requirements and threat analysis based on attacker intent, capabilities, and the threat landscape. OT/ICS environments, particularly nuclear facilities, have unique operational characteristics that necessitate prioritizing safety and availability alongside security. Existing safety design standards often fail to meet general security requirements, making immediate responses to vulnerabilities challenging. This highlights the need for a comprehensive approach considering the impact of vulnerabilities on both facility safety and security. The System Security Research Center at Chonnam National University, collaborating with the Korea Institute of Nuclear Nonproliferation and Control, has developed NVAS (Nuclear Vulnerability Analysis System) over four years of research. NVAS is a new security-safety cross-impact assessment framework for nuclear facilities that performs comprehensive vulnerability assessments for critical assets, including evaluation reflecting operational characteristics and potential attack risk assessment. It also conducts impact assessments through correlation analysis between security and safety requirements. This presentation focuses on vulnerability assessment methodologies considering nuclear facilities' unique characteristics and the analysis of interactions between security measures and safety design standards. NVAS aims to enhance both security effectiveness and operational safety in nuclear facilities, contributing significantly to strengthening security in the nuclear industry.

IECK-CHAE EUOM is currently a Professor with the Department of Data Science, Chonnam National University. Previously, he was a Researcher with the Institute of Cyber Security, KEPCOKDN. His research interests include industrial control systems, cyber physical systems, vulnerability assessment, the AI applied Internet of Things, digital forensic, and other issues of system security.

JOON-SEOK KIM is a Ph.D. candidate at the System Security Research Center, Chonnam National University. His research focuses on cybersecurity in industrial control system (ICS) environments, with interests in vulnerability assessment, regulatory analysis, and AI-based security technologies. Recently, he has been working on NLP-driven approaches to automate the linkage between safety requirements and security measures in ICS.

SEONG-SU YOON is a Ph.D. student in the Department of Convergence Security at Chonnam National University. His research interests include machine learning, natural language processing, industrial control systems, vulnerability analysis, and cyber threat intelligence. He has been involved in the development of a vulnerability analysis system for nuclear facilities and holds patented technologies related to this work. He has also participated in various projects on cybersecurity and AI-based threat detection.

Software Composition Analysis (SCA) is an important part in the software security lifecycle. Establishing the individual software components and versions that make up an application allows for identifying and remediating vulnerabilities. However, SCA tools have not kept up with the ever growing number of new vulnerabilities each year. Developers are flooded with vulnerability alerts and often struggle to quickly remediate critical issues with external components.

We conducted 16 interviews with developers to investigate their processes and challenges around using SCA in their software projects. Interviews covered how SCA tools are integrated into workflows, how reports are interpreted and acted upon, and what challenges were encountered. We find that SCA tools are most often integrated into build pipelines and that users report that information in SCA alerts is too generic and lack context. Based on our findings we conclude that context matters throughout the SCA process, including for evaluating impact, when to trigger SCA scan runners, and how to integrate and communicate tool findings.

Elizabeth Lin is a PhD student at North Carolina State University. She is currently part of the WSPR lab, focusing on security research and tools used by developers.

The CSAF Writing Workshop is designed to provide an interactive and collaborative workshop for participants to deepen their understanding of the Common Security Advisory Framework (CSAF) and its implementation using the standard's open source toolset. The workshop will guide participants through key elements of the CSAF standard. Attendees will have the opportunity to engage with experts, participate in hands-on exercises that simulate the process of writing CSAF security advisories and VEX documents, and receive feedback on their results. The CSAF Writing Workshop aims to equip participants with the skills necessary to produce accurate and effective CSAF security advisories that comply with the CSAF standard. By the end of the workshop, participants will have a better understanding of the CSAF standard and be well-prepared to create machine-readable security advisories that enhance communication and collaboration across the security community.

Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITION/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his masters in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).

Justin Murphy works as a Vulnerability Analyst as part of the Coordinated Vulnerability Disclosure (CVD) team at the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), operational technology (OT), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. Justin is involved with many other vulnerability management related efforts, including CISA's SBOM and VEX work, the OASIS Common Security Advisory Framework (CSAF) TC, and he also serves as a co-chair for the OASIS OpenEoX TC. Justin is a former high school mathematics teacher turned cybersecurity professional and has a M.Sc. in Computer Science from Tennessee Technological University, and a B.Sc. degree in Statistics from the University of Tennessee (Knoxville).

CVD table top exercise offers a realistic, scenario-based experience designed to enhance the understanding of the CVD process and to develop practical skills related to vulnerability coordination. Participants from government agencies, security teams, and critical infrastructure sectors will come together to practice collaboration in a simulated vulnerability scenario.

Participants will work through the steps of identifying, assessing, and disclosing vulnerabilities, coordinating across organizations to address key issues like information sharing and risk mitigation. The scenario will highlight the roles of various stakeholders, including reporters, vendors, downstream users, and third-party coordinators, and highlight the importance of following best practices while balancing transparency and security. Participants will leave with a deeper understanding of the CVD process, the critical role of communication, and actionable insights to improve their own vulnerability management and disclosure practices.

Working on CVD at JPCERT/CC for 9 years, Tomo Ito currently leads the Global CVD project of the organization, which aims to contribute to the global CVD ecosystem stability through collaborations with the stakeholders from different parts of the world.

Justin Murphy is a Vulnerability Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). As part of CISA's Coordinated Vulnerability Disclosure (CVD) Team, he helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. Justin also focuses on international collaboration regarding vulnerability management serving as co-chair for the Global Community of Practice on CVD (CVD-COP) as well as the OASIS Open technical committees for the Common Security Advisory Framework (CSAF) and OpenEoX standards.

This session will provide an overview of the CVE Record Format and how we got to where we are today. If you would like to learn about past, present, and future updates to the CVE Record Format, this session is for you. We also hope to get feedback and suggestions in the Q&A session that will help us shape future CVE Record Format features and enhancements.

Chris Coffin has been involved in the security industry for more than 25 years and has been involved in the CVE Program specifically since joining MITRE in 2012. Chris is also a CVE Board member and is co-chair of the Quality Working Group (QWG) where efforts are underway to update and improve the CVE Record Format.

MegaZone (yes, that's his name, call him MZ) has been with F5, Inc. since 2010, and the F5 SIRT (Security Incident Response Team) since 2016, where he is currently a Principal Security Engineer. Prior to F5 he did time at Xylogics, Livingston Enterprises, Lucent, GTE Internetworking (BBN), Sling Media, and a few others, after graduating from WPI in 1994. Outside of work he collects whisk(e)y, enjoys travel with his wife (often Disney-related), and volunteers to help a local non-profit in their small Massachusetts town with their tech issues.

MegaZone has been involved with the CVE program since F5 joined as a CNA in 2016 and has taken an increasingly active role over time, eventually running out of working groups to join. He is currently representing the CNA community in the AWG, CNACWG, OCWG, SPWG, TWG, QWG, and VECWG, including being a co-chair of the last two. He is honored to further represent the CNA community before the CVE Board in his new role as CNA Liaison.

CVE (Common Vulnerabilities and Exposures) records are the unsung heroes of the cybersecurity world. But are yours up to the task? This session will dive into how CVE Numbering Authorities (CNAs) can level up their CVE record submissions to create a lasting impact on the global cybersecurity landscape. From enriching CVE records with critical details like Common Weakness Enumeration assignments and Common Vulnerability Scoring System scores to ensuring timely and accurate data, we’ll explore the best practices that make all the difference. Whether you're a CNA or part of the cybersecurity community, this talk will show you how improving the quality of CVE records can strengthen defenses and enhance threat detection across the digital ecosystem. Get ready to take your CVE game to the next level and be a champion of cybersecurity!

Rina Rakipi specializes in cultivating strategic partnerships to enhance vulnerability programs through Secure by Design principles at the Cybersecurity and Infrastructure Security Agency (CISA). As a leader of the Secure by Design Alert publication series, she is dedicated to mitigating recurring vulnerabilities at scale in software products, fostering a more secure technological landscape for the nation. Rina also plays a key role in driving the enhancement of the CVE Program, ensuring that CVE records are complete, accurate, and published in a timely manner to improve cybersecurity resilience across the nation. Previously, she served as a lead technical editor and writer for major joint cybersecurity publications for the Agency. Rina holds a Bachelor of Arts in International Relations from Michigan State University and a Master of Engineering in Cybersecurity Policy and Compliance from the George Washington University. Much of her work falls at the intersection of the two increasingly interconnected disciplines.

Julia Turkevich leads CISA’s CVE Numbering Authority (CNA) Recruitment efforts. As a member of the Vulnerability Response and Coordination Branch in CISA-CSD-Vulnerability Management (VM) subdivision, Julia works to advance maturity across the cybersecurity ecosystem, particularly in the critical infrastructure, industrial control systems (ICS), and medical device sectors. Since becoming a Root in the CVE Program in 2020, CISA has announced over 50 new CNA Partners and continues to actively recruit CNA partners that are committed to proactive and responsible vulnerability disclosure.

CVSS v4.0 has been with us for a little over a year, and quite a bit of data exists out there to tell us about how vulnerability scores may change between CVSS v3.1 and v4.0 assessments.

If you are concerned about the impact that adopting CVSS v4.0 will have on your environment, interested in learning about how the numbers may change, or if you want to craft a narrative using math to either push for v4.0 adoption or avoid it entirely, then this talk is for you! I will go through an analysis of the changes between CVSS v3.1 and v4.0 scores, giving you the context necessary for understanding how adoption may impact vulnerability disclosure and vulnerability management.

In addition to the numbers, we'll discuss some of the shortcomings of CVSS v4.0 and how you can use the standard to its full extent. You can even use the tool I developed to create this talk to look at CVSS v3.1 and v4.0 data in your own environment!

Nick Leali is a current CVSS SIG co-chair, currently working on improving the adoption of CVSS v4.0 to make transition to the new version of the standard easier for vendors and consumers.

Nick works for Cisco as a PSIRT incident manager.

Coordinated Vulnerability Disclosure (CVD) is a process of gathering, coordinating, and disclosing of vulnerability information. As global cyber threats become increasingly sophisticated and widespread, CVD serves as an essential, structured approach for timely and effective communication of vulnerability information among the affected stakeholders. The recently established Global Community of Practice on CVD (CVD-COP) is an important initiative aimed at encouraging collaboration among governmental entities and national CERTs in their roles as third-party CVD coordinators. This presentation will explore the motivations behind the CVD-COP's formation, its key activities, and the challenges found thus far. The presentation will also facilitate an interactive discussion, inviting audience input on how the community can optimize its support for the vulnerability management ecosystem.

Justin Murphy is a Vulnerability Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). As part of CISA's Coordinated Vulnerability Disclosure (CVD) Team, he helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. Justin also focuses on international collaboration regarding vulnerability management serving as co-chair for the Global Community of Practice on CVD (CVD-COP) as well as the OASIS Open technical committees for the Common Security Advisory Framework (CSAF) and OpenEoX standards.

Working on CVD at JPCERT/CC for 9 years, Tomo Ito currently leads the Global CVD project of the organization, which aims to contribute to the global CVD ecosystem stability through collaborations with the stakeholders from different parts of the world.

Regulation (EU) 2024/2847, commonly known as the European Cyber Resilience Act, is a landmark piece of regulation focused on protecting consumers purchasing "products with digital elements" within the European Union. Articles 13 & 14 and Annex I lay out many requirements that manufacturers must begin following starting in 2025 with the full law going into effect in 2027.

But what is the TL/DR that PSIRT teams need to be aware of and start implementing today so that their organizations can demonstrate compliance tomorrow? Ideally with a few alterations and some new documentation, much of what the law tells us must be done are common tasks your vulnerability management program has already proven capable of delivering.

Christopher Robinson (aka CRob) is the Chief Security Architect for the Open Source Security Foundation. With over 25 years of Enterprise-class engineering, architectural, operational and leadership experience, CRob has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect.

Version 4.0 of the Common Vulnerability Scoring System (CVSS) introduces a new metric, exploit maturity, that scores where on the path from public claim to active exploitation a particular vulnerability rests. By choosing from the options of "Unreported" (the least serious status), "POC" (a somewhat serious status), and "Attacked" (the most serious status), you can use CVSS alone to indicate to readers whether a vulnerability has been exploited in the wild and adjust the overall severity score accordingly. This talk will show the audience how the addition of one metric with three straightforward severity levels can improve your severity assessments in multiple situations. Whether a vulnerability is at risk of overscoring and you indicate via a less serious exploit maturity metric that there is less to fear or a vulnerability is exploited in the wild and you want a brief and simple means to express that fact, using exploit maturity in CVSSv4 scores makes your data richer and more precise.

Shelby Cunningham has been an advisory curator for the GitHub Advisory Database for four years. Her duties include, but are not limited to, organizing and publishing vulnerability information for the GitHub Advisory Database and gathering vulnerability information from project maintainers on GitHub to submit to the CVE list. Working for a team with the responsibilities of a CVE Numbering Authority and a vulnerability database leads to her seeing a wide range of practices in vulnerability information disclosure, including watching CNAs transition their severity assessments from CVSSv3 to CVSSv4.

In 2024, over 750 CVEs were confirmed as exploited in the wild for the first time. This talk will focus on the trends and patterns observed in these known exploited vulnerabilities, offering comprehensive analysis to empower both vendors and defenders.

Key Takeaways: Insights into 2024 exploited CVE trends and patterns. A look at how known exploitation maps to common vulnerability metadata. A deep dive into examples of last year’s exploited vulnerabilities and how to identify risks before exploitation occurs. Recommendations on how vendors and defenders can get early indicators that a threat actor might exploit a vulnerability.

Patrick Garrity is a security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors. Patrick has spent the last decade helping building Cybersecurity companies including Duo Security, Censys, Blumira, Nucleus Security and VulnCheck.

This presentation will share the story of how an idea born at the VulnCon 2024 conference grew into CNA-GURU, an open-source generative AI assistant to help security professionals manage the complexities of working with security advisories. The speaker will discuss the motivation behind creating the tool, the challenges faced by security teams in keeping up with the volume and complexity of vulnerability reports, and the iterative process of developing CNA-GURU through collaboration with industry peers. The presentation will provide a detailed overview of the tool's features, its evolution from a proof-of-concept to a robust solution, and the techniques and technologies used to build it, including the leveraging of AWS Bedrock. The audience will gain insights into the benefits of using generative AI to streamline security advisory tasks and the potential for such tools to improve the efficiency and consistency of vulnerability management.

Ryan is AWS's Senior Security Engineer for the Outreach Team and CoAuthor of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost 2 decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security.

• https://www.linkedin.com/in/cloudy-with-a-chance-of-security
• https://github.com/sonofagl1tch

The current software vulnerability ecosystem is composed of multiple standards that facilitate unique identification, naming, scoring and patching of software vulnerabilities. This ecosystem supports, among other things, vulnerability disclosure, coordination, and bug bounty programs. While there are efforts to adapt these disclosure programs to account for AI vulnerabilities, it is unclear whether vulnerabilities in ‘AI models’ are of a similar ‘type’ as traditional software vulnerabilities. Clearly, vulnerabilities in AI/ML software packages (e.g. python’s spacy) warrant CVEs, but it is unclear whether vulnerabilities that exploit tendencies of LLMs to hallucinate, or attacks that rely on the chaining of AI models in agentic-AI systems should also be classified as a CVE. Further, while taxonomies also exist for classifying AI/ML incidents, attacks, and types of weaknesses, these efforts don’t, themselves, assign specific vulnerabilities to specific models. The purpose of this discussion, therefore, is to consider how we should identify, enumerate, and assign vulnerabilities in AI models.

Sasha Romanosky is a Senior Policy Researcher at RAND where he researches topics on the economics of security and privacy, cyber insurance, cyber crime, and national security. He holds a Ph.D. in Public Policy and Management from Carnegie Mellon University and a B.S. in Electrical Engineering from the University of Calgary, Canada. He was a Microsoft research fellow in the Information Law Institute at New York University School of Law, and a security professional for over 10 years. Sasha is one of the original authors of CVSS, and co-creator of EPSS. Sasha is a former Cyber Policy Advisor in the Office of the Secretary of Defense for Policy (OSDP) at the Pentagon, and former member of DHS's Data Privacy and Integrity Committee (DPIAC) which advises the Secretary Chief Privacy Officer on policy, operational, and technology issues.

Kyle Kilian is an Artificial Intelligence and Information Security analyst at RAND focusing on global risks from emerging technologies. Prior to joining RAND, Kyle was a research lead at the Center for AI Risk Management & Alignment (CARMA) and the Deputy Director at the Transformative Futures Institute, focused on applying strategic foresight to anticipate risks from AI. Kyle has served for over a decade in the Defense and Intelligence Community (IC) in strategic, tactical, and joint operational environments. His research interests lie at the intersections of AI, complex adaptive systems, and international security. Kyle holds graduate degrees in Data Science and Cyber Intelligence from the National Intelligence University and International Affairs from the American University's School of International Service.

At the Product Security Center at Panasonic, we have a team dedicated to testing for vulnerabilities in products prior to shipment. The testing activities cover a wide range of products and has been ongoing for around 20 years.

Identifying and understanding vulnerabilities is easier for a security team than for product development teams. To fill this gap, I explored a way to match CWE's with each test item to both enhance the quality of our tests and vulnerability report outputs. In my talk, I will discuss the CWE assignment process I went through for the test items, some internal trends that I identified about our products, and how CWE has been useful when assigning to test items.. Lastly, I will discuss some of the challenges that I encountered during the CWE assignment process and some progress on the review of test items.

Yuichi Kikuchi joined Panasonic in 2019 out of school and joined the vulnerability testing team at the Product Security Center as his first job in the cyber security field.

His daily work involves vulnerability testing various products and devices for Panasonic business units and alongside that work he thinks about better ways to score and classify vulnerabilities.

Takayuki Uchiyama is a member of Panasonic PSIRT and is responsible for product security activities at the business divisions overseas. His main roles include, the handling of vulnerabilities, creating and conducting product security training to product developers and providing assistance to product development teams related to product security as necessary. Aside from his role in Panasonic, Takayuki has been a CVE Board Member since 2016. Prior to joining Panasonic, Takayuki worked at JPCERT/CC, where his main tasks involved the coordination of vulnerability reports with PSIRTs, taking part in various discussions groups related to the identification / analysis / coordination / disclosure of vulnerabilities.

Abstract: Navigating the Challenges of Risk-Based Vulnerability Management in a Cloud-Native World

Since 2015, the advent of containerized environments and modern software development practices has transformed how we build and secure applications. These advancements have redefined the cybersecurity landscape, introducing unprecedented challenges in vulnerability management related to scale, complexity, and data consistency. This panel discussion brings together two leading experts to explore how a risk-based approach can address these challenges, offering actionable insights and methodologies.

Key Topics:

• The Inconsistency of Data: Fragmented and siloed security data often hampers efforts to prioritize vulnerabilities effectively. The panel explores strategies to consolidate and normalize data from disparate tools and environments, enabling a unified view that supports informed decision-making.

• Vulnerability Management at Scale: Managing vulnerabilities in sprawling, dynamic infrastructures demands innovative approaches. The speakers share insights into automating prioritization and remediation workflows, addressing the unique challenges of containerized and serverless architectures.

• Reachability Analysis: Identifying exploitable vulnerabilities through reachability analysis has emerged as a game-changer. The panel discusses how contextualizing vulnerabilities within the software supply chain and runtime environments can help organizations focus their resources on the most critical risks.

Learning Objectives:

Attendees will gain a deeper understanding of:

• How to overcome the barriers posed by inconsistent data in vulnerability management workflows.
• Best practices for managing vulnerabilities across diverse and rapidly scaling environments.
• The value of incorporating reachability analysis into risk-based prioritization to reduce noise and focus on actionable threats.

This panel discussion explores the challenges of risk-based vulnerability management in a cloud-native world, focusing on overcoming data inconsistency, managing vulnerabilities at scale, and leveraging reachability analysis. As organizations navigate complex, dynamic infrastructures, fragmented security data and the sheer volume of vulnerabilities pose significant hurdles. The session highlights strategies for consolidating data, automating prioritization, and contextualizing vulnerabilities within their runtime and supply chain environments. Designed for security leaders, the talk provides practical insights, real-world use cases, and actionable methods to scale and modernize vulnerability management in an interconnected, containerized ecosystem.

Francesco Cipollone is a renowned entrepreneur and CISO, founder of Phoenix Security, an ASPM platform offering actionable, contextual code-to-runtime insights. A multi-award-winning podcast host, author, and global speaker, Francesco is known for his visionary contributions to cybersecurity. He serves on the UK&I Cloud Security Alliance Chapter board and is a faculty member at IANS on application and cloud security. His insights have appeared in Forbes, Helpnet Security, and Hacker Noon, and he has been featured in prominent podcasts like Application Security Weekly and Cloud Security Podcast. Francesco has keynoted at major conferences such as AppSec Cali and Cyber Security & Cloud Expo, and previously led application and cloud security at HSBC and served as Senior Security Consultant at AWS. An avid marathon runner, snowboarder, and whiskey enthusiast, Francesco balances his professional accomplishments with a passion for adventure and fine spirits.

Nate Sanders, also known as mauvehed, has traversed a long and winding career path through hacking, system and network administration, computer security, and leadership. Now leading people across security engineering and security operations, he takes great pride in building teams, developing individuals, and solving business challenges. With expertise spanning vulnerability management, application security, and the ever growing cloud, he combines technical acumen with strong leadership and collaboration skills to drive impactful results. Outside of his professional exploits, Nate is a vocal advocate for mental health, frequently speaking on topics such as ADHD, Autism, CBT/DBT, and EMDR, with a mission to normalize mental health conversations in the workplace and society.

Managing Risk Across the Vulnerability Ecosystem

This presentation focuses on managing risk across the vulnerability ecosystem to maintain robust product security. It covers four main areas:

• Third-Party Risk Management: Assessing and mitigating risks from external suppliers and partners, with insights into Dell's evaluation and compliance practices.
• Trustworthiness of Open-Source Software: Enhancing the security of open-source components using automated tools.
• Dependency Management: Identifying and managing software dependencies to reduce vulnerabilities, featuring insights into Dell's strategies.
• Product Security Incident Response Teams (PSIRTs): Exploring PSIRTs' role in handling security incidents and how Dell PSIRT is integrating with third-party risk and dependency management for improving operations.

The presentation emphasizes the interdependence of these workstreams and advocates for a cohesive security strategy to address vulnerabilities from multiple angles. Join to learn about Dell's approach to navigating the evolving product security landscape.

Julia Hopkins is a Senior Technical Program Manager for the Product Security Incident Response Team (PSIRT) at Dell Technologies. She manages end-to-end vulnerability response operations for multiple product groups and leads strategic initiatives that enhance security maturity and resilience. Before joining Dell, Julia was a Product Security Analyst at Lenovo, where she also played a key role in establishing Lenovo’s Chief Security Office and managing security initiatives across the global business. Prior to that, she worked as a Fraud Investigator and Computer Forensics Analyst for the Louisiana Department of Justice. With a Master’s degree in Cybersecurity and a collection of industry certifications, Julia is passionate about keeping systems secure. When she’s not navigating the digital battleground, she can be found pushing her limits at the gym, spoiling her dog, getting lost in a good romantasy novel, and embracing the magic of unicorns with her co-conspirator in chaos.

Cassi Rodano is a leader in the PSIRT at Dell Technologies. She leads a team that drives the end-to-end vulnerability response process, collaborating with global teams and product owners to execute Dell's vulnerability response strategy. Her focus is on modernizing PSIRT operations through standardization and automation, while building customer trust. Before joining Dell, she worked in product security at an industrial control systems (ICS) company, where she coordinated vulnerability response workstreams. In her free time, Cassi enjoys conquering virtual worlds in the video game Civilization.

Patricia Tarro is the Product Manager for Dependency Management at Dell Technologies. In this role, she is responsible for building and maintaining a platform that modernizes and adds efficiency to existing Dell processes related to the assessment of internal and external component security risk in product releases. Tricia has over 30 years of Information Technology experience, having spent the most recent years in Dell’s Product and Applications Security team. In 2020, she earned a master’s degree in Administration of Justice and Homeland Security with a concentration in Cybersecurity and Intelligence. Currently she is pursuing a doctoral degree in Homeland Security at St. John’s University in Queens, NY. Her research focus is software supply chain security. Tricia is the Branch Assistant for Supply Chain Risk Management in the U.S. Coast Guard Auxiliary Cybersecurity Directorate.

Join us for a discussion on the evolving world of vulnerability management and compliance requirements. We’ll focus on emerging legislation like the European Union’s Cyber Resilience Act (CRA) and how new rules are being shaped by the industry, open source community and various governments.

Experts in both the private sector and non-profits will share insights on the current state of security and vulnerability management in the open source community, as well as the challenges of keeping up with changing regulatory demands. We’ll also explore the role of open source organizations like the Linux Foundation’s OpenSSF and offer best practices to help open source projects as well as private companies strengthen their security posture and meet compliance requirements."

Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is an elected member of the OpenSSF Governing Board and Technical Advisory Council along with CNCF TAG Security Lead and an SLSA steering committee member.

Eddie Knight is a Software and Cloud Engineer with a background in banking technology. When he isn’t playing with his 2-year-old son, he combines his passion and job duties by working to improve the security of open source software. Eddie helps lead CNCF's Security Technical Advisory Group, the FINOS Technical Oversight Committee, the OpenSSF Security Baseline, and the FINOS Common Cloud Controls project.

Christopher Robinson (aka CRob) is the chief security architect for the Open Source Software Foundation (OpenSSF). With more than 25 years of experience in engineering and leadership, he has worked with Fortune 500 companies in industries like finance, healthcare, and manufacturing, and spent six years as program architect for Red Hat’s product security team.

In this lightning talk, the concept of Grouped EPSS (EPSSg) is presented. Using the "at least one" property of probability, we can calculate the probability that at least one CVE present on an asset will have observed exploitation activity in the next 30 days. Combined with certain asset attributes, this metric can be enriched and visualized to reduce uncertainty about risk, leading to better decisions about which actions are the most impactful for reducing risk.

Stephen Shaffer is a Principal Security Engineer at Moderna and the co-chair of the EPSS SIG. Stephen has over 10 years of experience in security engineering and vulnerability management in both the public and private sectors. He is passionate about data-driven decision support, leading with empathy, and cutting through the FUD in the industry.

Fixing or otherwise mitigating a vulnerability requires action. By someone. For user- or customer-controlled software, this “someone” is the user or customer who performs actions such as update, upgrade, patch, make a change configuration, rebuild, or fetch new dependencies. For software as a service, this “someone” is the service provider, while the user or customer may not need to take any material action. A browser refresh, session timeout, or a new API call uses the fixed software. What does it mean to assign CVE IDs to no-user-action” vulnerabilities? What are the costs and benefits? Is there danger of decreasing the CVE signal-to-noise ratio? How do changes in the CNA Operational Rules apply? A panel of major cloud service CNAs will discuss these questions and more.

Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

Lisa Olson is a Principal Security Program Manager at Microsoft, has a lot to do with patch Tuesdays, and a CVE Board member since 2018.

Don "Beetle" Bailey Senior Principal Security Engineer at AWS, previously MITRE, previously U.S. Army.

Michael Coté is a veteran with 82nd Airborne. Lead for Google Cloud VRP and Vulnerability Response which includes publishing CVEs for critical vulnerabilities within Cloud.

Assessing vulnerability “risk” is challenging and the subject of vigorous research. The focus is generally on two broadly defined components of risk: “likelihood of exploitation” and “impact”. In this data-driven, visually compelling talk, we argue that despite being broadly defined, they are often narrowly examined and there are other measures that vulnerability management teams can and should consider. We explore the sophistication of the attackers, exploitation impact, the type of software involved, and the difficulty of remediation using Internet-scale scanning data and unique cyber threat intelligence.

We then shift perspective away from organizational risk to systematic risk, examining vulnerability footprints and vulnerability risk concentration in the global supply chain. We conclude by synthesizing some of these results to show that localized vulnerability risk is the product of a combination of local and global forces. Our results enable organizations to focus even more sharply on specific vulnerabilities and disregard others that may otherwise appear grave, adding precision to the problem of strategic vulnerability remediation.

Dr. Benjamin Edwards is a principal research scientist working at Bitsight. An expert in ML and statistics, Ben synthesized security data into actionable insights. He has led research on a wide variety of security topics including vulnerability management, application security, human risk, Next-gen SIEM, nation state cybersecurity policy, and the security of ML models.  He is an active member of the security community, contributing to open standards efforts including both EPSS and CVSSv4. His work has been published in leading industry and academic venues.

Sander Vinberg is a Security Research Manager at Bitsight. He was formerly a threat researcher at F5, where he led several of F5 Labs' threat intelligence projects, including F5 Labs' participation as data partners in the Exploit Prediction Scoring System (EPSS). He lives in rural Washington State.

Chris Coffin has been involved in the security industry for more than 25 years and has been involved in the CVE Program specifically since joining MITRE in 2012. Chris is also a CVE Board member and is co-chair of the Quality Working Group (QWG) where efforts are underway to update and improve the CVE Record Format.

Christopher Robinson (aka CRob) is the Chief Security Architect for the Open Source Security Foundation. With over 25 years of Enterprise-class engineering, architectural, operational and leadership experience, CRob has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect.

Peter Allor is the Senior Director, Product Security for Red Hat. He is been instrumental in Red Hat's secure development and incident response programs Red Hat and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organizations domain in support of business.

Prior roles include Senior Director for security at Honeywell, Cybersecurity Strategist at BIM and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS for working National Infrastructure Advisory Council (NIAC) problem sets and assisted in forming the Information Technology - Sector Coordinating Council (IT-SCC) where he recently returned to the Executive Committee and Treasurer. As the former Operations Center Director, he ran the Information Technology - Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.

Peter is a Member of the CVE Board, a former member Board of Director of the Forum of Incident Response and Security Teams (FIRST) and its Chief Financial Officer for FIRST. Peter was President to the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the Public and Private Sectors to work collaboratively on Cyber Security.

Peter is a retired Lieutenant Colonel from the US Army. He has Masters Degree from the University of Phoenix, a BS in Business Administration from Rollins College and is a Graduate of the US Army Command & General Staff College.

To perform various security activities like vulnerability management, license compliance or support model verification, software and hardware customers must rely on various metadata like CSAF, VEX or SBOM data. Unfortunately together with the market expansion it’s getting harder to easily find out and verify specific product lifecycles, especially in a machine readable format and easily accessible way. Almost all vendors publish their products' lifecycle data definitions, but there is no standardization around format and delivery method.

In this talk we will focus on both technical and non-technical aspects of precise product identification, product versioning, support model including target dates. We will discuss how significantly it can help customers with various lifecycle or support scope regulatory requirements and security implications.

Przemysław “Rogue” Roguski is a Security Architect at Red Hat who specializes in shift-left security initiatives included in build and release processes. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security.

He is focused on the security data improvements, especially security data usability in the vulnerability management process and production of attestation data as a part of the Secure Software Development Lifecycle (SDLC) work to address security issues proactively.

An active participant of various upstream and downstream security initiatives and projects like CWE UEWG, OASIS OpenEoX Technical Committee, CISA VEX Working Group and Red Hat Vulnerability Scanner Certification program.

The Stakeholder-Specific Vulnerability Categorization (SSVC), developed in 2019 by Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), offers an innovative approach to vulnerability response. In a rapidly evolving threat landscape, prioritizing vulnerabilities for CISA is a considerable undertaking. CISA manages an incredible scope covering federal civilian (FCEB) agencies, State, Local, and Trivial Territorial (SLTT) governments, and the Critical Infrastructure (CI) sector. Effectively, vulnerability prioritization is essential for safeguarding critical systems. This talk will explain how CISA was pivotal in sponsoring SSVC's development and became the first organization to implement and operationalize the methodology in 2020. We will explore the core components of SSVC, including its four decision outcomes—Track, Track*, Attend, and Act—and the five key values: exploitation status, technical impact, automation potential, mission prevalence, and public well-being impact. Attendees will gain insight into the customized decision tree model developed by CISA and the lessons learned from implementing this framework at scale. It also covers the implementation of CISA's SSVC within multiple teams, the dynamics of having one branch doing centralized prioritization analysis, and how other teams use SSVC as a foundational tool in vulnerability response and coordination.

Sean Letona current duties include overseeing all cybersecurity assessment services offered by CISA's Vulnerability Management Subdivision. These services include penetration testing, vulnerability scanning, and architectural design reviews. Additionally, Sean helps to coordinate priority vulnerability posture and mitigation activities across CISA's Cybersecurity Division. Prior to joining CISA, Sean worked as a penetration tester/red team member with a focus on web application security. He also served as the Director of Professional Services for a cybersecurity company in Florida, where he oversaw technical assessment services and Governance, Risk, and Compliance capabilities.

Lindsey Cerkovnik is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by funding and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability enrichment information, and engaging in valuable technical collaboration with the vulnerability research community.

As threat actors increasingly exploit zero-day vulnerabilities and release public proofs-of-concept (PoCs) within days of disclosure, organizations urgently need to accelerate their patching efforts. Leveraging fully anonymized, large-scale data from the Qualys platform—spanning millions of enterprise assets and billions of scans—this session provides a data-driven analysis of remediation speed for both CISA Known Exploited Vulnerabilities (KEVs) and non-KEVs. By examining the impact of exploit availability, vendor patch responsiveness, vulnerability type, remediation complexity, and organizational practices, we identify industry benchmarks, highlight key delay drivers, and demonstrate the value of automated patching, risk-based prioritization, and advanced remediation management techniques.

Attendees will gain actionable insights to strengthen their vulnerability management programs, reduce prolonged exposure windows, and make more informed decisions about resource allocation. By closing the gap between vulnerability disclosure and patch application, cybersecurity leaders can enhance organizational resilience, keeping pace with rapidly evolving threats and improving overall security posture.

Saeed Abbasi is a cybersecurity leader with over a decade of hands-on experience in vulnerability research and product strategy. As Manager of Vulnerability Research at the Qualys Threat Research Unit, he guides international cross-functional teams to uncover emerging threats, innovate security solutions, and drive proactive risk mitigation. A recognized thought leader, Saeed’s insights appear in leading industry outlets, including The Wall Street Journal, Forbes, SC World, and Dark Reading, as well as in cutting-edge research published through Qualys. He hosts the popular “This Month in Vulnerabilities and Patches” webinar series, where he translates complex data into actionable guidance for CISOs, security engineers, and IT teams. With a strong focus on vulnerability research, zero-day vulnerabilities, and global threat landscapes, Saeed empowers organizations to adopt robust cybersecurity postures. He aims to illuminate critical challenges, shape strategic thinking, and advance secure digital innovation worldwide.

This workshop provides an in-depth overview of Software Bill of Materials (SBOMs) in real world usage. It details the SBOM generation lifecycle, covering effective generation using tools like Syft and Trivy, augmentation with essential metadata to meet NTIA Minimum Elements, and best practices for signing and consolidating SBOMs. It also emphasizes validation techniques to ensure schema compliance and outlines the use of tools like OpenSSF’s GUAC and OWASP Dependency-Track for analysis and continuous monitoring. Finally, it explores strategies for SBOM sharing and distribution, including OpenSSF naming conventions and ecosystem-specific approaches to facilitate widespread adoption and integration.

For the past couple of years, Adolfo García Veytia has been working to secure big open-source projects such as Kubernetes. Adolfo primarily focuses on SBOM tooling, provenance generators, and thinking and designing future uses and implementations at scale. Adolfo is a regular contributor to cloud native projects, the SPDX and OpenVEX projects, and regularly participate in SBOM groups and forums on the OpenSSF and elsewhere.

Ian Dunbar-Hall leads Lockheed Martin's Open Source Program Office and specializes in DevSecOps and full stack engineering. Additionally he is a maintainer on SBOMit and bomctl. He is also an OpenSSF Governing Board General Member Representative.

Michael Lieberman is co-founder and CTO of Kusari where he helps build transparency and security in the software supply chain. Michael is an active member of the open-source community, co-creating the GUAC and FRSCA projects and co-leading the CNCF’s Secure Software Factory Reference Architecture whitepaper. He is an elected member of the OpenSSF Governing Board and Technical Advisory Council along with CNCF TAG Security Lead and an SLSA steering committee member.

Rapid growth presents unique security challenges for scale-ups. Limited resources necessitate efficient vulnerability management practices to meet stringent security requirements. This presentation details a pragmatic approach to scaling vulnerability management, emphasizing the crucial role of metadata. We will share our journey of building a custom vulnerability management pipeline in Go, integrated with our SIEM system, and demonstrate how enriching vulnerability data with threat intelligence and business context drives effective prioritization. Attendees will gain practical insights into leveraging vulnerability metadata for actionable security decisions. Our approach centers on a custom-built Go pipeline that seamlessly integrates various vulnerability data sources, enriching them with threat intelligence and business impact assessments. We'll showcase how this data-driven approach informs prioritization and empowers stakeholders through self-service portals and SIEM dashboards, providing clear visibility into vulnerability trends and remediation progress. This presentation offers valuable takeaways for organizations seeking to optimize their vulnerability management processes and maximize their security posture with limited resources.

Niels Hofmans is the Head of Security at Intigriti, Europe's largest bug bounty platform which connects 125,000+ security researchers worldwide to customers' assets. He manages cloud security, SoC, threat intelligence, application security, compliance, detection & response, infrastructure, incident response & more. When not with his head in the trenches, he spends time writing experimental security tooling or consulting for customers to make the world a safer place.

The rise of citizen development platforms empowers everyone—from power users to business professionals—to build everything from simple automations to AI agents. While this democratization of development unlocks immense potential, it also presents new security challenges. The security community has struggled for years to instill secure practices in traditional development, often leaving critical vulnerabilities unchecked. With citizen development, we have a unique opportunity to learn from these past failures and establish a security-first foundation from the start.

This presentation explores the who, what, and how of citizen development, examining the risks inherent in low-code/no-code platforms and comparing strategies to mitigate them for citizen developers versus traditional coders. Backed by real numbers and success stories, we’ll share actionable insights for fostering a secure set of guardrails among these new builders, unlocking their potential without introducing new vulnerabilities.

Kayla Underkoffler is a senior security engineer in the CTO office with Zenity. Her professional career started in the United States Marine Corps, where she then left active duty to pursue a career in Cybersecurity. Throughout her years in security, she has served as a practitioner in vulnerability management, security operations, crowdsourced security, and most recently, Agentic AI security and governance.

With a passion for bridging the gap between business and technology, Kayla will continue to evangelize the importance of security for everyone.

As artificial intelligence (AI) becomes increasingly integrated into software products, it introduces new types of vulnerabilities that challenge traditional security practices. This talk will explore how AI-specific vulnerabilities, such as adversarial attacks and model poisoning, necessitate changes in product security vulnerability response. This talk will also propose areas of the AI supply chain that will need to evolve to improve vulnerability management. By examining the unique characteristics of AI supply chain components, vulnerabilities and the evolving landscape of AI security, we will discuss how organizations can adapt their vulnerability management strategies to address these emerging threats. The presentation will highlight current best practices, case studies, and future trends in AI security.

Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader, currently serving as the Senior Director of Product & Application Security at Dell Technologies. With over two decades of experience in enterprise-class engineering, including 13 years in Product Security leadership, she has established herself as a trailblazer in product security and vulnerability management. In her current role, Dr. Bradley oversees Dell’s Product Security Incident Response Team (PSIRT), Bug Bounty Program, Dependency Management, and supports Dell’s SBOM initiative.

Outside of her professional life, Lisa enjoys quality time with her three children. She actively participates in cybersecurity speaking opportunities and podcasts, and supports industry growth through contributions such as being a co-author of the FIRST PSIRT Services Framework. Her unwavering dedication to cybersecurity and extensive industry experience make her a leading figure in the ever-evolving landscape of technology and cyber defense, fostering trust and innovation.

Sarah Evans is a security innovation researcher at Dell Technologies on the global CTO research and development team. She leverages diverse experiences as an IT and security practitioner to improve security by design in emerging technologies. Prior to Dell, Sarah has had roles in the finance, defense, manufacturing and education industries. Sarah also contributes to efforts to help secure the open-source software supply chain. These include contribution in SCORED and OpenSSF as Governing Board observer and AIML Working Group. Sarah is based in Denver, Colorado.

As vulnerabilities proliferate in an evolving and complex ecosystem, software identity remains a fundamental challenge in vulnerability management. This panel, "Software Identity in the Vulnerability Management Ecosystem," convenes distinguished experts from industry and government to cover such efforts as CPE, pURL, OmniBOR, and others to dissect the current and future dynamics of software identity standards and practices. Acknowledging the reality of a multi-identifier ecosystem, the discussion will cover a variety of topics including the integration of software identification data elements into the Common Vulnerabilities and Exposures (CVE) Record, exploring both the challenges and opportunities this presents. Panelists will debate and offers diverse perspectives on what success looks like in managing software identity within the enterprise and across industry. Attendees will gain valuable insights into ongoing standards development and the strategic importance of software identification across the vulnerability management ecosystem.

Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse and extensive experience in software assurance and vulnerability management, as well as cyber operations, assessments, and supply chain risk management. He is MITRE’s CVE and CWE Project Leader, managing teams that support vulnerability and weakness research & analysis, content production, program coordination, infrastructure and services development, and community engagement across a global stakeholder community comprising industry, government, and academia. He also serves as the moderator for the CVE Board.

Steve Spingett educates teams on the strategy and specifics of developing secure software.

He practices security at every stage of the development lifecycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques.

Steve's passionate about helping organizations identify and reduce risk from the software supply chain. He is an open source advocate and leads the OWASP Dependency-Track project, OWASP Software Component Verification Standard (SCVS), and Chairs the OWASP CycloneDX Core Working Group and Ecma International TC54.

Steve serves on the Board of Directors of the OWASP Foundation where he helps drive the continued growth of the foundation and the pursuit of its mission to make secure software a reality through open collaboration, education, and innovation.

As the CVE Program marks its 25th anniversary, the CVE Record has evolved dramatically. What once defined a complete CVE Record — a CVE ID, a description, and a public reference — is now the foundation on which a CNA can provide valuable additional information at the time of issuing an advisory. Today, completeness means more, with structured metadata including CVSS, CWE, CPE, and others that enhance vulnerability management efforts across PSIRTs, researchers, and other downstream CVE data consumers across the vulnerability management ecosystem. In April 2024, the CVE Program launched an initiative to encourage CNAs – those closest to the products themselves – to provide this additional information directly to the CVE Program, rather than wait for downstream partners to do so. Generally, CNAs have access to the most reliable source for accurate determinations for such data enrichment and are therefore best positioned to do it. And, getting more accurate and precise information in the hands of the defenders and downstream customers on a timelier basis helps the vulnerability management ecosystem and the entire cybersecurity community in addressing risks.

This session will cover what CVE Record completeness means today and reflect on the results of the first year of the CVE Program’s data enrichment initiative. We’ll examine how the increasing adoption of record enrichment by CNAs and ADPs has set the stage for the next frontier: a renewed focus on data quality and precision. This presentation will provide a forward-looking perspective on how the CVE Program can drive meaningful improvements in vulnerability management data quality as we enter its next 25 years.

Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse and extensive experience in software assurance and vulnerability management, as well as cyber operations, assessments, and supply chain risk management. He is MITRE’s CVE and CWE Project Leader, managing teams that support vulnerability and weakness research & analysis, content production, program coordination, infrastructure and services development, and community engagement across a global stakeholder community comprising industry, government, and academia. He also serves as the moderator for the CVE Board.

What do you need to know about the European Cybersecurity Resilience Act (CRA)? This discussion-heavy session will delve into some of the areas you should understand and where to find more information, particularly with regards to open source, vulnerability management and incident reporting.

Mike Bursell is Co-chair of the OpenSSF’s Global Cyber Policy working group and the Executive Director of the Confidential Computing Consortium, having been involved since its foundation in 2019. He is one of the co-founders of the open source Enarx project and was CEO and co-founder of the start-up Profian. He has previously served on the Governing Boards of the CCC and the Bytecode Alliance and currently holds advisory board roles with various start-ups. Previous companies include Red Hat, Intel and Citrix, with roles in security, virtualisation and networking. He regularly speaks at industry events in Europe, North America and APAC and has a YouTube channel dedicated to cybersecurity education.

Professional interests include: Confidential Computing, Cyber Policy, the EU Cybersecurity Resilience Act (CRA), Linux, trust, open source software and community, security, decentralised and distributed systems, Web3, blockchain.

Mike has an MA from the University of Cambridge and an MBA from the Open University, and is author of "Trust in Computer Systems and the Cloud", published by Wiley. He holds over 100 patents and previously served on the Red Hat patent review committee.

This presentation will discuss the current status of the NVD, as well as short- and long-term goals of the program. Recent developments, developments planned for later in 2025, and goals looking out 2 to 5 years, along with steps that will need to happen to reach these goals, will be discussed. This presentation will also include the current status of NIST’s Vulntology. There will be a Q&A time at the end.

Tanya Brewer is a Cybersecurity Program Manager at the US's National Institutes of Standards and Technology. She manages the National Vulnerability Database (NVD) Program, so folks around the world can know more about publicly disclosed vulnerabilities. She has worked on technical standards and program management in the areas of cybersecurity and privacy for smart grids, electric vehicles, identity management, biometrics, and industrial control systems; cybersecurity education, and workforce training. She has done so with experts from NIST, ITU-T, OECD, SAE, privacy watchdogs, power companies and co-ops, the Department of State, and the U.S. Senate. She blends her background in public policy and cybersecurity to scale complex, multi-stakeholder programs while keeping them approachable to people of all backgrounds. When not managing her team and thousands of vulnerabilities, she is crafting beautiful miniatures or using a stick to turn string into soft and warm beauty.

Open source software isn’t just allowed in most enterprises—it’s often the go-to choice. Yet while procurement policies have evolved to embrace open source, risk acceptance frameworks haven’t kept pace. We tend to treat security concerns like monsters under the bed, wanting them to vanish, but there's a key difference between how we view open source vs. proprietary software. In fact, open source’s very strengths are often weaponized against it, creating a double standard. Join me as we explore the paradox of risk tolerance, security equity, and the overlooked biases shaping the conversation around open source and proprietary software. Let’s level the playing field and rethink how we define and manage risk.

Vincent Danen is the Vice President of Red Hat Product Security, with interest and experience in computer security, vulnerability response, operating system design, security and development. Vincent has been working in the security field, specifically around Linux and operating system security, for over 20 years.

These days his focus is more on growing talented leaders and leadership skills and protecting customers and communities from existing and emerging digital security threats. He is a firm believer in risk-based approaches to security and advocates for sensible and effective ways to manage vulnerabilities. Vincent believes in open source principles, such as meritocracy, transparency, collaboration, and uses them daily to achieve these goals along with core personal principles such as integrity, honesty, and trust.

Vulnerability databases come in all shapes and sizes and contain a variety of information elements. Some elements overlap across databases, other elements do not and database records can vary in size depending for example on how many references are included or how much software status (“affected”) is provided. These databases and their elements are intended to support vulnerability management which we organize into four phases: discovery, prioritization, mitigation, and feedback. Which data elements contribute to these phases? More importantly, which are required to enable the first essential phase of discovery? A Minimum Viable Vulnerability Enumeration (MVVE) is the smallest possible number of information elements required to discover (identify and disambiguate) a vulnerability. Without an MVVE element, discovery, and therefore vulnerability management in its entirety, are not possible. This talk will define phases of vulnerability management and how information elements support those phases, with a strong focus on the MVVE necessary for the essential first discovery phase. We map the MVVE to a few well-known vulnerability databases, including CVE.

Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.

The CRA (Cyber Resilience Act) requires a standard for vulnerability reporting processes. Under the Open Regulatory Compliance group, we are working on a minimal vulnerability reporting policy standard that could apply to all open source projects, available free of charge to anyone, and under an open source licence.

Marta Rybczynska has a network security background and 20 years of experience in Open Source. She has been working with embedded operating systems like Linux and various real-time ones, system libraries, and frameworks up to user interfaces. In the recent years she has worked in Open Source security, setting up best practices and processes. She is currently helping Eclipse Foundation as a Technical Program Manager for the Security Team, where she is managing the vulnerability reporting process.

Mikaël Barbero has been at the Eclipse Foundation for 10 years and currently serves as Head of Security. He leads the security team at the EU’s largest open source software foundation, developing best practices and programs to protect its members and the open source projects governed by the Foundation. He is a seasoned technologist passionate about open source, software engineering, and creating user-centered software and solutions. His diverse experience spans everything from software architecture to team management, and of course, cybersecurity.

During this talk, Nick will present the recent past, present, and near future business of the FIRST CVSS SIG. Topics include the updates from the CVSS SIG over the past year; results from the CVSS SIG survey; and the progress of CVSS v4.0 adoption.

Please bring your questions and requests for examples to discuss.

Nick Leali is a current CVSS SIG co-chair, currently working on improving the adoption of CVSS v4.0 to make transition to the new version of the standard easier for vendors and consumers.

Nick works for Cisco as a PSIRT incident manager.

Andrew will share tips and tricks on how to use Google Sheets, Apps Script and the various JSON APIs available from the CVE List, the NVD and OSV.dev to slice and dice vulnerability metadata, based on his experiences in Spreadsheet Engineering

Andrew Pollock has most recently been a Senior Software Engineer on Google’s Open Source Security Team (GOSST), working on OSV.dev. He is passionate about consistent high quality, machine readable vulnerability metadata for detecting and remediating vulnerabilities in open source software. He is based in Brisbane, Australia.

Vulnerability triage can feel like a poker game: you never know if a report is real or just AI-driven noise. “Vulnerability Poker” brings these tensions to life in a quick, hands-on format. Players act as the Reporter (seeking acceptance), the Maintainer (filtering out fakes), the Consumer (funding the fix or accepting the risk), and the Attacker (profiting if real issues go ignored). We will show the rules, share results from our test rounds, and discuss how each role’s decisions reflect real threat landscapes. Join us to discover fresh insights and avoid being caught off-guard by fake vulnerabilities.

Madison Oliver is a vulnerability transparency advocate and senior security manager at GitHub, leading the advisory database team. She is passionate about vulnerability reporting, response, and disclosure, and chairs the relevant Open Source Security Foundation (OpenSSF) working group and serves on the CVE Program Board. Her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University (CMU). She’s also a former cybersecurity adjunct professor at Duquesne University and serves on the Pennsylvania State University (PSU) College of Information Sciences and Technology alumni board.

Tobias Heldt is an advocate of cybersecurity economics. He’s co-founder and CEO of CyberFame.io, an AI for large enterprises to analyze large open source software supply chains like a balance sheet, quantifying economic risks, benefits, and tradeoffs. Tobias’ mission is to reimagine cybersecurity, transforming it from a traditional cost-center to secure the open source ecosystem.

The open-source software ecosystem continues to steadily expand, with millions of packages across repositories. However, this growth is not matched by a corresponding increase in maintainers, leading to challenges in package sustainability and opening the door to potential issues in vulnerability management. To help address these issues, open-source distributions can act as a "Vulnerability Responder of Last Resort" for under-maintained packages, providing community guidance and helping to process reports. Also discussed is the particular impact of vulnerability reports on packages facing these challenges.

Diogo Sousa is an Engineering Manager at Canonical, working in support of the Ubuntu Security team’s mission of providing Canonical users with the most secure and reliable open source experience possible. His day-to-day focus is on Ubuntu Pro’s Expanded Security Maintenance offering, prioritizing workloads and coordinating fixes across main and universe packages for all Ubuntu LTS releases.

Outside professional endeavors, but still within arm's reach, he co-leads the OWASP Lisboa chapter, delivers talks at cybersecurity events, participates in alumni events with current students, mentors people undergoing career upskilling, and writes some content here and there.

In his (truly) free time, you can find him cooking (still can't do baking), expanding his movie collection, teaching math, and playing board games.

Root cause mapping is the identification of the underlying cause(s) of a vulnerability. This is best done by correlating CVE Records and/or bug or vulnerability tickets with CWE entries. Accurate root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This enables trend analysis where a valuable feedback loop into SDLC or architecture design planning can help remove of whole classes of vulnerabilities in organizations’ products. However, widespread adoption of root cause mapping has been elusive due to several challenges including CWE usability, completeness, the diversity of terminology interpretation, and organizational resource constraints, to name a few.

This presentation touches on the value of root cause mapping and recognizes recent adoption in the CNA community, before exploring what is being done to address existing challenges and develop practical solutions. Additionally, we evaluate the performance of a grounded large language model (LLM) tool against the CWE Top 25 Most Dangerous Software Weaknesses dataset. The comparative analysis sheds light on the viability of advancements in LLM capabilities in helping to scale decentralized root cause mapping throughout the vulnerability management ecosystem, offering actionable insights for practitioners and researchers alike.

Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse and extensive experience in software assurance and vulnerability management, as well as cyber operations, assessments, and supply chain risk management. He is MITRE’s CVE and CWE Project Leader, managing teams that support vulnerability and weakness research & analysis, content production, program coordination, infrastructure and services development, and community engagement across a global stakeholder community comprising industry, government, and academia. He also serves as the moderator for the CVE Board.

Chris Madden is a software engineer and system architect building secure trustworthy software at scale for embedded and cloud for 30+ years. He likes to understand things deeply - and uses data analysis and dumb questions to build that understanding. He’s not big on titles, hierarchy or status quo. He does his best work while asleep or on a mountain bike. He works at Yahoo Product Security team. Yahoo delivers value to customers through software; Chris exists to help developers deliver high quality software efficiently and securely. His primary focus is Risk-based prioritization at scale across the DevSecOps pipeline. He led an effort with some industry thought leaders to publish a Risk-based prioritization guide: https://riskbasedprioritization.github.io/. He is now applying LLMs to reduce toil and improve CVE enrichment and capturing his learnings in a guide: https://cybersecai.github.io/ https://www.linkedin.com/in/chrisamadden/

Vulnrichment is CISA's effort to fill in the gaps on vulnerability data—namely, gauging impact and risk of vulnerabilities as they are published by CVE. Our approach on tackling the daily dozens to hundreds of vulnerabilities on behalf of the federal government embraces radical transparency, and this talk by Lindsey and Art will go over the requirements for Vulnrichment, the realized and expected outcomes, and the federal government's use of an open forum like GitHub Issues to deal with errors, omissions, and discrepancies.

Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

Lindsey Cerkovnik is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by funding and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability enrichment information, and engaging in valuable technical collaboration with the vulnerability research community.

VEX - the Vulnerability Exploitability eXchange - is a security metadata format that informs the impact of a vulnerability on a piece of software. In this talk we'll take a dive into the new Kubernetes VEX feed recently instrumented through the project's vulnerability disclosure process to understand the source of the data, how to use it, and we'll also do some demos with vulnerability scanners!

Adolfo García Veytia (@puerco) is a staff software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads. He specializes in improvements to the software that drives the automation behind the Kubernetes release process. He is also the creator of the OpenVEX and protobom projects currently incubating in the OpenSSF sandbox. Adolfo is passionate about writing software with friends, helping new contributors, and amplifying the Latinx presence in the Cloud Native community.

The Common Security Advisory Framework (CSAF) is now an OASIS-incubated ISO standard used for automating the creation and consumption of security vulnerability information, enhancing stakeholders' ability to respond promptly to emerging threats. Concurrently, the OpenEoX initiative seeks to standardize the exchange of End-of-Life (EOL) and End-of-Support (EOS) information across software and hardware, promoting transparency and efficiency in product lifecycle management.

In this presentation, Omar Santos, Distinguished Engineer at Cisco and co-chair of OpenEoX and the CSAF Technical Committees, alongside Justin Murphy from the Cybersecurity and Infrastructure Security Agency (CISA) and co-chair of OpenEoX and a major contributor of VEX and CSAF, will share the latest developments within CSAF and OpenEoX. Attendees will gain insights into how these frameworks are used to automate vulnerability management and streamline the dissemination of critical product lifecycle information. The session will also serve as an open discussion among cybersecurity professionals, vendors, and open-source maintainers, highlighting the steps of adopting standardized approaches in enhancing security posture and operational efficiency. We will provide an overview of new CSAF open source tools available for the community.

Justin Murphy is a Vulnerability Disclosure Analyst at the CISA. He specializes in coordinating vulnerability remediation and works on software supply chain security initiatives. He is the co-chair of OpenEoX.

Omar Santos is a Distinguished Engineer at Cisco, co-chair of OpenEoX, chair of CSAF TC, board member of OASIS Open, and the co-chair of the Coalition for Secure AI (CoSAI). Omar is the author of over 20 books, many video courses, and academic papers.

We worked with the communities managing three key open source projects in three different languages: Apache Airflow (Python), Jenkins (Java) and Kubernetes (Go). The goal was to deliver a better signal about supply chain risk by proactively looking for unknown security vulnerabilities in open source dependencies at scale. We analyzed the source code to detect the vulnerabilities, reported the vulnerabilities in a responsible manner to the open source maintainers and worked with them to get the bugs fixed. At the same time, we worked with the three communities to get a better grip on the risk coming from unknown bugs, known bugs and human factors. We describe how we can derive actionable advice to manage supply chain risks better.

Munawar Hafiz is the founder and head of innovations of OpenRefactory, Inc., an application security company that intends to improve the way developers write secure, reliable and compliant code. Munawar had a body of work on automated bug fixing in academia which lays the foundation for OpenRefactory. He is a champion of pushing SAST bug detection tools for better precision and introducing code rewriting capabilities to fix bugs automatically.

Vulnerability management often involves conflicting priorities among stakeholders: researchers focus on uncovering vulnerabilities, developers aim to meet delivery deadlines, operators work to reduce risk, and leaders oversee the entire process. This panel explores these differing perspectives, highlights the common challenges they face, and discusses how improved collaboration and communication can enhance the overall process. Attendees will gain practical insights into bridging these gaps and fostering synergy to achieve better security outcomes.

Yotam Perkal leads the threat research team at Avalor (acquired by Zscaler). Prior to Avalor, Yotam filled several roles at Rezilion and PayPal, dealing with security research, vulnerability management, threat intelligence, and Insider threat. Additionally, Yotam is also a member of the PyCon Israel organization committee, a member of the EPSS SIG, takes part in several OpenSSF working groups around open-source security as well as several CISA work streams around SBOM and VEX.

Kayla Underkoffler is a Senior Security Engineer at Zenity, and formerly a lead security technologist with HackerOne and the team lead for the Internet Bug Bounty program. Kayla spent four years as a United States Marine in the Quantico Marine Corps Band, before leaving active duty to pursue a career in Cybersecurity. She landed the magical opportunity to work on the security team for the Walt Disney company in the Disney Parks, Experiences and Products segment as a vulnerability management lead. Kayla is passionate about bridging the gap between business and technology making cybersecurity accessible for everyone.

Havaya Garti is a Security Analyst at Snyk, specializing in vulnerability risk assessment, triage, and detailed information retrieval to ensure accuracy. With an MBA in Information Systems and a background in aeronautical engineering, she played a key role in developing Snyk's risk score core capabilities, enhancing vulnerability prioritization through objective and contextual risk assessment. Her work focuses on improving security intelligence and refining workflows for better vulnerability management.

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias. He lives in Raleigh, NC with his wife and three children, and is pursuing a PhD in philosophy.

So often tools and standards are created and rarely used, or only used on the surface. Some of these specifications, like VEX (Vulnerability Exploitability eXchange) can be used in a lot of different ways. Yet, few will take the time to dig into them and use them. Is VEX useful only for vulnerability scanners? Absolutely not!

In this talk we'll dig into the possibilities of using VEX, how the vex-reader python module came about and demonstrate using VEX to create a CVE page that anyone could adopt to their own use, highlighting the versatility and power of VEX.

Vincent Danen is the Vice President of Red Hat Product Security, with interest and experience in computer security, vulnerability response, operating system design, security and development. Vincent has been working in the security field, specifically around Linux and operating system security, for over 20 years.

These days his focus is more on growing talented leaders and leadership skills and protecting customers and communities from existing and emerging digital security threats. He is a firm believer in risk-based approaches to security and advocates for sensible and effective ways to manage vulnerabilities. Vincent believes in open source principles, such as meritocracy, transparency, collaboration, and uses them daily to achieve these goals along with core personal principles such as integrity, honesty, and trust.