Vuln4Cast 2024 FIRST Technical Colloquium

Vulnerability Forecasting Technical Colloquium

Utrecht, Netherlands (NL), October 3-4, 2024

The Vulnerability Forecasting Technical Colloquium gathers people to talk about vulnerabilities; published or unpublished. Forecasting and prediction of anything to do with potential exploits, actual exploits, or hypothetical exploits is on topic. We welcome metrics, measurement, and moderation of vulnerabilities, coordinated or unilaterally published.

The overall field of vulnerability management has been scattered for decades. We try to measure: define, identify, count, and catalog vulnerabilities, assess characteristics, detect existence and exploitation, and prioritize responses. In recent years, we’ve worked on prediction of the occurrence of new vulnerabilities (vuln4cast) and the likelihood that they will be exploited (EPSS). We are also interested in the growth of software, such as measurement of CPE records. Further topics include CVSS, CWE, or SBOMs, or decision support such as SSVC.

This Technical Colloquia gathers interested parties to present, discuss, and improve vulnerability measurement and prediction models, methodologies, and techniques. Submissions are welcome on any of the topics:

Software vulnerabilities and their measurement or metrics
Exploits, exploitation
The cost of exploitation to the attacker or defender
Bug bounty programs statistics or metrics
Economics of bug hunting or bug hunters
The growth of software, its use, or changes in market share
CVE and CNA statistics or yearly reports
Vulnerability deduplication and differentiation across different databases

We do not expect speakers to have an academic paper published. We intend to have a discussion and exploratory atmosphere, and invite academics and practitioners alike.

The main point though is that we aim to move from measurement, to prediction or forecasting. We are not in love with the problem, and while zerodays make heroes, we’re more interested in making vulnerability management manageable, and exploitation easy to foresee.

In short form; Less reactionary and more confident. Overachieving and under budget. We foresee the harm and contain it before it is realized. The vulnerabilities of the future are no longer surprises or surprising.

Call for Papers

The call for papers is open, to submit a paper or presentation, visit the EasyChair CFP.

Program Overview

The first day will be composed of academic style presentations and discussions, and the second day will be focused on hackathons, workshops, and collaborative innovations.

Sponsorship

To discuss sponsorship opportunities please contact one of the Program Committee members at vulnforecastingtc@proton.me.