Program Agenda

An applied research summary introducing advanced confusion-matrix metrics that outperform accuracy in predicting CVE exploitability impact. CVE impact prediction is often evaluated using accuracy, despite operating in a domain characterized by extreme class imbalance, asymmetric risk, and incomplete ground truth. This paper argues that accuracy is a poor proxy for security effectiveness and can actively obscure dangerous failure modes, particularly false negatives involving rare but high-impact vulnerabilities. Grounded in statistical fundamentals, we reframe CVE evaluation through confusion-matrix–derived metrics- such as false-negative rate, likelihood ratios, and correlation-based measures, that apply to any predictive black box, not just machine learning models. Using real-world CVE workflows and illustrative failure cases, we show how these metrics provide earlier and more reliable signals of degraded trust in vulnerability assessments. The result is a practical, risk-aware evaluation framework that aligns statistical measurement with operational security outcomes, enabling teams to detect hidden blind spots before they translate into exploitable incidents.

Andrey Lukashenkov handles all things revenue, product, and marketing at Vulners - a bootstrapped, profitable company committed to providing an all-in-one vulnerability intelligence platform to the cybersecurity community.

Being naturally curious and having a technical background, he leverages unlimited access to the Vulners database to research various topics related to vulnerability management, prioritization, exploitation, and scoring.

AI is increasingly used in vulnerability workflows, but many implementations still depend on ad hoc prompt-driven summaries that are difficult to evaluate, hard to reproduce, and risky to operationalize. This session focuses on practical design choices that help agentic AI systems contribute responsibly to CVE triage, risk scoring, and coordinated response - without treating multi-agent approaches as magic or assuming a single framework is the answer. I’ll share a set of lightweight, framework-agnostic patterns and illustrate them with a compact demonstrator that combines specialized agents, tool-grounded vulnerability intelligence, and structured outputs. We’ll look at how to separate stable security knowledge from live retrieval, how to structure agent handoffs to reduce ambiguity, and how to move from narrative answers to verifiable artifacts that can support review and audit conversations. I’ll also show simple evaluation and cost-control techniques that replace “vibe checks” with measurable confidence signals and keep agent depth proportional to risk. Attendees will leave with pragmatic patterns they can apply whether they’re using CrewAI, LangGraph, PydanticAI, or an internal orchestration approach - plus a clear sense of when agentic systems truly add value over single-prompt analysis.

Jyoti Wadhwa is a global cybersecurity and risk executive with over two decades of experience driving secure digital transformation across cloud, AI, and enterprise technology environments. Most recently, as Global Head of Product and Cloud Security at NetApp, she led end-to-end security for more than 160 products generating nearly $7 billion in licensed and SaaS revenue.

Jyoti brings deep expertise in AI-driven security strategies, uniting governance, threat modeling, and attack surface management to build resilience against emerging adversarial techniques. She has developed cross-enterprise frameworks integrating AI assurance, secure development lifecycle (SDLC) principles, and continuous risk reduction across financial, healthcare, energy, and technology sectors.

A CISSP-certified leader and board advisor, Jyoti specializes in aligning AI and security innovation with measurable business outcomes—bridging executive risk programs, NIST and ISO 27001 compliance, and next-generation AI workload security.

Beyond the technical domain, Jyoti is passionate about inclusive talent development and mentorship, guiding professionals on practical pathways into cybersecurity and AI governance. Her leadership philosophy emphasizes continuous learning, collaboration, and purpose-driven innovation at the intersection of AI for Security and Security for AI.

Khushali Dalal, a Product Security Engineer at Juniper Networks with deep expertise in vulnerability assessment, CVSS scoring, and secure product development. With certifications including CCNA, CompTIA Security+, and Juniper’s own credentials, she brings a strong technical foundation in networking and cybersecurity. Khushali is passionate about advancing product security at scale and bridging the gap between engineering and risk management. As a chair of Women of First SIG, she is very much passionate about spreading awareness and supporting women in cybersecurity.

Khushali began her journey at Juniper in the infrastructure Verizon team as an Associate Systems Engineer(SE), where she supported and implemented Juniper lab in Verizon PoC, with a focus on LAN and WLAN design. Then she moved into the Verizon channel team as a Partner SE for Verizon’s Managed WLAN solutions. And in her last role she established an early-in-career program to support and build relationships between the Juniper SE and Verizon SA community.

Educational background, Khushali was born and raised in a small town of India- Ahmedabad, Gujarat. She has a bachelor’s in electrical and Telecommunication Engineering from India and a master’s in cyber security from University of Maryland College Park.

The rise of large language models has fundamentally changed how vulnerability reports are written. As AI dramatically increases both the volume and perceived credibility of vulnerability submissions. PSIRT and vulnerability management teams are seeing a surge of submissions that are partially or entirely AI-generated—often polished, technically plausible, and sometimes completely wrong. In this interactive session, attendees will explore how AI-generated vulnerability reports are reshaping vulnerability intake, triage, and validation. Participants will be presented with a series of real-world–inspired vulnerability reports and asked to determine whether each report was written by a human researcher, generated by AI, or produced through a mix of both. As the session progresses, new context will be revealed: missing proof-of-concept details, contradictory technical claims, hallucinated CVEs, reused templates, and subtle signals that affect credibility and prioritization. The audience will vote and debate in real time, followed by facilitated analysis explaining how PSIRT teams evaluate signal versus noise when AI is in the loop. The challenge is no longer identifying AI use, but preserving signal, accuracy, and response quality as AI becomes embedded in researcher workflows. Rather than framing AI as purely a problem or a solution, this talk focuses on practical detection, validation strategies, and process adaptations that security teams can use today. Unlike talks focused on AI detection tooling or automation alone, this session examines real PSIRT decision-making failures and corrections observed in live vulnerability response programs.

Dr. Jonathan Spring is a cybersecurity specialist in the Cybersecurity and Infrastructure Security Agency. Working within the Cybersecurity Division’s Vulnerability Management Office, his area of focus includes researching and producing reliable evidence to support effective cybersecurity policies at various levels of vulnerability management, machine learning, and threat intelligence.

Several processes around AI systems are new or at least updated. We spend a lot of time talking about what's new, but not a lot of talking about what stays the same. In this talk, Dr. Spring provides a thorough review of all the various vulnerability management norms and processes that actually work pretty well for AI-related cybersecurity vulnerabilities. These items span asset management (such as SBOM), secure software development (such as the SSDF), coordinated vulnerability disclosure (for example CVE-2024-3660), and vulnerability triage systems. There are some practices that are not new to vulnerability management but have new names in AI systems. For example, "download arbitrary code from the internet and execute it" has always been an unpatchable security vulnerability. AI systems just happen to make it extraordinarily easy to configure a system that will download and run arbitrary code from the internet. We will just need to help our AI engineer colleagues manage that risk. The best way we can help our AI colleagues is to be clear about what cybersecurity norms and processes still work and that we expect the AI folks should integrate into, rather than make a parallel process that duplicates existing cybersecurity processes.

Zachary Echouafni is the technical lead for Atlassian's marketplace security team and CNA program, helping protect customers and marketplace app developers from emerging third party threats.

Running a CNA program inside a fast‑moving product security organization is hard enough; doing it while coordinating globally distributed engineering teams, multiple scanners, and manual JSON submissions to MITRE is a recipe for burnout and blind spots. At Atlassian, our CVE reporting started as an ad‑hoc, highly manual process: engineers hand‑crafted CVE JSON in MITRE’s GitHub repo, vulnerability data lived in scattered tools, and every disclosure felt like a bespoke project. Coverage was inconsistent, timelines were unpredictable, and the friction made it difficult to scale beyond a handful of teams. In this talk, I’ll walk through how I evolved that process into a fully automated CNA pipeline integrated with the MITRE CVE Services API and the Atlassian Cloud stack. I’ll show how we built an application on top of Jira and Confluence that lets engineers report CVEs through standard Jira tickets, auto‑drafts vulnerability reports using CVSSv4 vectors, and drives a monthly bulletin process that aggregates CVEs from dozens of engineering teams into a single, ready‑to‑review draft. I’ll dig into the hard parts: sanitizing vulnerability data coming from many scanners and sources, deciding what exploitation detail to include or omit, and building guardrails so we don’t leak sensitive information while still being transparent. Beyond the tooling, I’ll focus on the operational side. I’ll describe how we aligned product release cycles to a monthly patch timeline that supports coordinated disclosure, and how I built buy‑in with product engineering organizations across multiple geos. That includes establishing monthly on‑call rotations and clear ownership for security bulletins so that CVE reporting is a shared responsibility, not a security‑only burden. Attendees will leave with practical patterns for using the MITRE CVE Services API from within Jira, turning CVSSv4 data into structured reports, and building the relationships and processes needed to run a sustainable, high‑coverage CNA program.

Johnny Shaieb is currently working on his PhD at the University of Tulsa, where his dissertation focuses on vulnerability database history and scoring. He is the Chief Architect of IBM’s Cyber Threat Exposure Management practice, an elite unit specializing in penetration testing, adversary simulation, and vulnerability management. His cybersecurity journey began in 1998 at WorldCom after earning a bachelor’s in management information systems from Oklahoma State University. He later pursued a master’s in Telecommunications at OSU and a second master’s in Computer Science at the University of Tulsa, focusing on NSA CyberCorps security.

With over 25 years of experience, Johnny has honed his offensive security skills through academic and professional endeavors. Since 2011, he has taught ethical hacking at institutions like Houston Community College and created the "Hac-King-Do" framework for free ethical hacker training. At IBM, he patented a methodology to automate hacker research and co-founded the X-Force Red Hacker internship with "Space Rogue" to recruit top cybersecurity talent.

This paper is a cause-and-effect narrative that examines the historical events, key individuals, challenges, and vulnerability analyses that contributed to the development of vulnerability repositories—both lists and databases—forming the foundation for the “Common Vulnerabilities and Exposures (CVE)” and later the “National Vulnerability Database (NVD)”. This narrative follows a cause-and-effect progression, beginning with the very first message sent over ARPANET, which caused a buffer overflow and served as a catalyst for the development of modern vulnerability tracking. As the nascent ARPANET developed, operating system pioneers began documenting vulnerabilities with meticulous care, restricting awareness to legitimate users only. However, cultural moments such as the film WarGames (1983) and cyber incidents like the Morris Worm (1988), The Cuckoo’s Egg (1989), and Solar Sunrise (1998) began to erode this cautious approach, highlighting the need for full public disclosure of vulnerabilities stored in a centralized database. To provide an authoritative account of seldom-told stories and historical events, a combination of virtual interviews, phone calls, emails, messaging, questionnaires, and white paper discussions were conducted with the following thought leaders: Scott Moore, Jay Jacobs, Brian Martin, Steve Christey, Peter Mell, Dr. David Mann, Andre Frech, Dr. Eugene Spafford, Dr. Matt Bishop, Elias Levy, Art Manion, Dr. Cliff Stoll, Dr. Leonard Kleinrock, and Dr. John Hale.

Prof. David Starobinski is a Professor of Electrical and Computer Engineering and of Systems Engineering at Boston University, with an affiliated appointment in the Department of Computer Science. His research interests are in cybersecurity, wireless networking, blockchain and cryptocurrency, and network economics.

Sevval Simsek is a Computer Engineering PhD candidate at Boston University. She is a part of Networking and Information Systems Lab, and has been focusing on ML for Cybersecurity, and improving cybersecurity operations with graphs and algorithms.

Varsha Athreya is an undergraduate student studying Computer Engineering with a Concentration in Machine Learning. She is working on using knowledge graphs to fix mappings in the National Vulnerability Database as well as using the New England Research Cloud for model training and deployment.

Accurate mapping between Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) entries is critical for effective vulnerability management and risk assessment. However, public databases, such as the National Vulnerability Database (NVD), suffer from inconsistent and incomplete CVE–CWE mappings, complicating automated analysis and remediation. We introduce FixV2W, a lightweight approach that leverages knowledge graph embeddings and longitudinal trends to improve mapping accuracy of the NVD. FixV2W systematically analyzes historical remapping patterns and leverages hierarchical relationships within NVD and CWE data to predict more precise CWE mappings for vulnerabilities linked to Prohibited or Discouraged categories. We run extensive experimental evaluation of FixV2W, based on test data set collected between August 2021 and December 2024. Considering the Top-10 ranked predictions, the results show that FixV2W predicts the correct CWE mappings for 69% of exploited vulnerabilities that had invalid CWEs before they were exploited. We also show that FixV2W significantly improves the performance of ML models relying on NVD data. For instance, for a model geared at uncovering unknown CVE-CWE mappings, FixV2W improves the Mean Reciprocal Rank (MRR) from 0.174 to 0.608. These results show that FixV2W is a promising approach to identify and thwart emerging threats.

Jerry Gamblin is a prominent voice in the vulnerability management community and the creator of RogoLabs.net, an innovation lab for security data science. He serves on the EPSS SIG and contributes to various CVE Program working groups. An international speaker and researcher, Jerry’s work focuses on the practical application of data science to solve complex vulnerability challenges.

Jay is a Co-founder and Data Scientist at Empirical Security and Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and co-chair of the EPSS special interest group at FIRST. He also serves as the chair of the Consumer Working Group within the CVE program. Prior to his current roles, he was the Chief Data Scientist at Cyentia for several years and produced dozens of data-driven industry reports. He also served as the lead data scientist at Verizon working on the Data Breach Investigations report from 2010-2015 and he also served on the board of directors for the Society of Information Risks Analysts (SIRA) where he co-founded the non-profit dedicated to advancing risk management practices.

Anyone who has tried to ingest vulnerability data knows that it’s often incomplete, inconsistent, and rather difficult to operationalize. With the CVE program entering its “data quality” era, we need to begin efforts to define and measure data quality. In this talk I will introduce a Data Quality Assessment Framework (DQAF - pronounced “decaf”) for CVE and vulnerability data that draws on established information-quality research, but is tailored to the realities of CNAs, NVD, vendors, and downstream consumers. The framework separates the quality of the record design (what the schema can express) from the quality of record instances (how well CNAs actually populate those fields), and scores multiple dimensions such as completeness, accuracy, consistency and machine-usability.

Connor Mullaly is a Cyber Security Engineer at MITRE and a member of the CWE team. Connor is the task lead for the CWE Top 25, heavily involved in CWE content development, and a SME on vulnerability root cause mapping where he leads the Root Cause Mapping Working Group with community members. Outside of CWE work Connor also leads the MITRE Secure Code Review program, combining static and manual code analysis to eliminate as many software weaknesses as possible in MITRE internally developed codebases.

Steve Christey Coley is a Principal INFOSEC Engineer at The MITRE Corporation. He was the co-founder and technical lead of CVE, and chair of its Editorial Board from 1999 to 2015. He co-authored the "Responsible Vulnerability Disclosure Process" IETF draft and contributed to CVSS v2. He is the co-founder and technical lead for the Common Weakness Enumeration (CWE) circa 2005. Since 2014, he has supported FDA in various aspects of medical device security, including vulnerability handling, risk assessment, threat modeling, SBOM handling, adoption of emerging technologies, and a rubric for applying CVSS to medical devices.

Root cause mapping is the identification of the underlying cause(s) of a vulnerability. This is best done by correlating CVE Records and/or bug or vulnerability tickets with CWE entries. Today, this is not done accurately at scale by the vulnerability management ecosystem.
Accurate root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers.
Additionally, it enables:
- Driving the removal of classes of vulnerabilities: Root cause mapping encourages a valuable feedback loop into a vendor’s SDLC or architecture design planning
- Saving money: the more weaknesses avoided in your product development, the less vulnerabilities to manage after deployment
- Trend analysis (e.g., how big of a problem is memory safety compared to other problems like injection)
- Further insight to potential “exploitability” based on root cause (e.g., command injection vulnerabilities tend to see increased adversary attention, be targeted by certain actors)
- Organizations demonstrating transparency to customers how they are targeting and tackling problems in their products

Many people in the CVE community – especially CNAs, product security managers, and vulnerability researchers – have begun to map CVEs to CWE identifiers in order to identify root-cause patterns across all known vulnerabilities of interest.
While there has been significant progress in easily-measurable CWE usage in recent years – such as the near-complete avoidance of CWE categories, and an increase in the percentage of CNAs who provide CWE mappings – there are still concerns about the accuracy and precision of CWE mappings.
This workshop is intended to help CNAs, vulnerability researchers, and other interested parties to improve the accuracy and precision of their CWE mappings.

The vulnerability management industry operates on a set of golden rules: patch within 30 days, prioritize CISA KEV entries, and track Mean Time to Remediate (MTTR). However, our analysis suggests that for Edge and Network infrastructure, these rules are not just ineffective—they are often obscuring the true state of systemic risk. In a joint study conducted by the Qualys Threat Research Unit and the Qualys Data Science Team, we analyzed 20 million vulnerability detection events across edge devices from 2021 to 2025. We specifically focused on weaponized vulnerabilities that are actively exploited in the wild and listed in the CISA KEV catalog. The results contradict the standard linear model of risk management. We discovered a distinct split in remediation behaviors where the “middle class” of patching has largely collapsed: devices are either remediated almost immediately (often via automation) or effectively abandoned for extended periods, creating a significant gap in defense. This session will highlight the visibility gaps affecting modern security programs. We will present evidence suggesting that the race between attacker and defender is often skewed; for legacy vendors, attackers frequently enjoy a statistical head start of 180 days to 2 years before the average enterprise detects and fixes the flaw. Furthermore, we will analyze the timing of the CISA KEV list relative to edge weaponization. The data indicates that relying solely on regulatory lists for this asset class is often a reactive strategy—akin to reading a history book rather than receiving an early warning—as the alerts frequently arrive long after exploitation has begun. Attendees will leave with new, data-backed metrics on prioritization—and a clear takeaway: compliance isn’t security. We will move beyond high-level theory to propose detailed, product-specific recommendations for the most frequently weaponized product lines found in our research, including Cisco, F5, Juniper, Citrix, QNAP, Sophos, Palo Alto Networks, Ivanti, Check Point, ConnectWise, and Fortinet. The session will conclude with strategies to pivot from reactive remediation to architectural resilience.

Sophia Sanles-Luksetich: Senior Security Analyst with 6+ years of experience, focused on building data visualizations and producing analytics for vulnerability management, with prior experience in bug bounty triage. Her work has been critical in navigating and leveraging vulnerability management’s massive and continuously growing database of security findings.

Zach Goldman: Security Engineer with 5+ years of experience, currently specializing in developing the Exceptions feature to better track and manage deviations from standard remediation processes. His work directly supports leadership at both the organizational and team levels, requiring a high degree of polish and cross‑departmental collaboration.

Modern vulnerability management is drowning in noise: massive alert volumes, inconsistent vendor scores, and fragmented data sources make it difficult to understand what truly matters. This session shows how GitHub flipped its inverted risk funnel by building a unified, extensible risk‑scoring model that normalizes findings across 20+ heterogeneous sources and hundreds of thousands of daily alerts. We’ll demonstrate how combining CVSS with threat‑driven metrics like EPSS and KEV, asset‑specific context, and the newly updated FedRAMP SLA requirements turns raw findings into actionable prioritization. We’ll also cover the engineering systems that make this scale possible, including routing strategies and enrichment pipelines. You’ll learn how to evolve industry standards rather than replace them, tune formulas and weights using calibration sets, and future‑proof your scoring model as new metadata and detection strategies emerge. If your critical alerts outnumber all other severities, this talk will show you how to restore clarity, reduce alert fatigue, and drive remediation where it has the greatest impact.

Thomas is the co-founder and CEO of NetRise, a cybersecurity company focused on providing visibility into the software supply chain to identify vulnerabilities and risk via binary analysis. Prior to NetRise, Thomas served as the Global Vice President of Enterprise Solutions at Cylance where his responsibilities ranged from conducting incident response investigations, product marketing, public speaking and analyst relations. Thomas was also responsible for ICS security at the DOE for 3 years and served in the United States Marine Corps serving in both Iraq and Afghanistan. Thomas has spoken at Black Hat, DEFCON, RSA, and was interviewed on 60 Minutes and Last Week Tonight with John Oliver for his efforts related to ransomware.

Analysis of millions of binaries across firmware, containers, applications, and cloud workloads shows systemic risk: 88% contained vulnerabilities, more than half had hardcoded credentials, and nearly a third exposed private keys. This session presents aggregated findings on the fragility of the global software supply chain.

Maggie Morganti is a seasoned leader in cyber-physical and industrial cybersecurity, currently serving as Senior Director of Product Security at Worldpay. With a career grounded in securing complex systems across energy, automation, and critical infrastructure, Maggie has shaped strategies that enhance resilience, visibility, and threat response in operational environments. Notably, she has directly led and assisted in leading multiple responses for APT custom malware against industrial control systems, including PIPEDREAM. Before joining Worldpay, she served as Product Security Research Manager at Rockwell Automation and held pivotal roles in product security at Schneider Electric. Her early career included safeguarding critical energy systems at Oak Ridge National Laboratory and analyzing real-world threats with Mandiant’s Cyber‑Physical Threat Intelligence team. Maggie is featured on RSAC’s expert roster, co-chairs the Device Security & Accessibility Program Committee, and continues to drive critical conversations on diversity, ICS policy, and proactive cyber risk governance. Her work unites technical rigor with leadership, forging secure-by-design paths for the future of industrial cybersecurity.

John Bergland is based in Boston, Massachusetts and works as a Program Manager for Supply Chain Security at IBM Office of the CISO. He currently specializes in working with SBOMs, helping to define and scale IBM’s process for both analyzing and producing SBOMs. During his career at IBM, he has worked as a business analyst and requirements engineer. He has an MBA and Masters in Information Systems from Boston University.

Zadia Alden is based in Winchester, England. She has over 25 years' experience in Software Development, performing various different roles over those years. In her current role, she manages the Open-Source Program Office within the CISO organisation. Over the last couple of years, she has been working in the SBOM space, building her expertise to become an SME in SBOM generation and analysis. She is a Certified Project Management Professional, within the Project Management Institute.

SBOMs are critical for software supply chain security, but their complexity often limits their value beyond engineering teams. Business leaders frequently ask: “Why isn’t this human-readable?” or “Is this all open source?”—revealing a gap between technical detail and business understanding. This session demonstrates how to bridge that gap using lightweight, web-based tools enhanced with AI. Built without advanced programming skills, these tools transform raw SBOM data into clear, actionable insights for both technical and non-technical audiences. By demystifying SBOMs, this approach empowers organizations to improve compliance, risk management, and collaboration across technical and business teams—without requiring deep technical expertise. Attendees will see six practical tools in action, each designed to answer critical questions about SBOM quality and security posture: - SBOM Validator: Confirms compliance with CycloneDX/SPDX standards. - Completeness Checker: Verifies NTIA minimum elements. - Component Analyzer: Distinguishes open source vs. proprietary components. - CVE Mapper: Detects known vulnerabilities across supplier SBOMs. - Version Drift Analyzer: Highlights outdated components and upgrade priorities. - Scan Readiness Checker: Flags issues that could impact downstream vulnerability scanning. These tools accelerate SBOM interpretation, reduce manual effort, and provide actionable insights that can integrate into CI/CD pipelines and supplier risk assessments. Attendees will leave with practical strategies and examples of how automation and AI can make SBOMs more transparent and useful across the organization. Session Takeaways: - Understand why SBOM complexity creates barriers for both technical and business teams. - Learn practical strategies to make SBOMs accessible without sacrificing technical rigor. - Explore six lightweight tools that validate, analyze, and enrich SBOM data. - Gain actionable ideas for integrating SBOM insights into CI/CD and supplier risk assessments. - Discover how automation and AI accelerate SBOM adoption and compliance.

Patrick Garrity is a security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors.

Many high-impact vulnerabilities first emerge through real-world exploitation rather than coordinated disclosure, leaving defenders without reliable identifiers at the moment risk is greatest. In 2025, the VulnCheck research team launched a project to identify vulnerabilities that are actively exploited or likely to be exploited but lack CVE identifiers. This talk presents the methodology and lessons learned from correlating exploitation evidence, public exploit code, security advisories, in-house detection capabilities, and third-party intelligence sources such as ShadowServer. We walk through our end-to-end workflow for auditing sources, mapping findings to existing CVEs, and navigating the CVE assignment or coordination process when gaps are identified. Attendees will gain insight into blind spots in current vulnerability tracking, how exploitation often precedes formal disclosure, and practical steps for surfacing and tracking the vulnerabilities that matter most to defenders.

Dr. Aravind Machiry is an Assistant Professor and a founding member of Purdue Systems and Software Security

(PurS3) Lab at Purdue University in the Electrical and Computer Engineering Department. He is a recipient of the NSF CAREER award and the Amazon Research award. Dr. Machiry is interested in designing principled yet practical solutions to system security problems. He currently works on Security threats from AI Accelerators, Rust for Embedded Systems, vulnerability detection, prevention, and mechanisms for developing secure systems. His solutions have a flavor of static/dynamic program analysis, fuzzing, type systems, language-based techniques, machine learning, or a combination of the above. Dr. Machiry has received funding from NSF, DARPA, Amazon, Rolls-Royce, and Qualcomm to enable his team to do high-quality research and create long-lasting impact. He has extensive experience in firmware and embedded system security, for example, through the DARPA HARDEN program and his NSF CAREER award.

Dr. Armin Moin is a Tenure-Track Assistant Professor and Director of the Quantum-Classical AI and Software Engineering (QAS) Lab at the Computer Science (CS) Department of the University of Colorado Colorado Springs

(UCCS). Before starting his faculty position, he worked as a Postdoctoral Scholar-Employee at the CS Department of the University of California, Santa Barbara (UCSB) and prior to that as a Postdoctoral Scholar at the University of Antwerp in Belgium. Dr. Moin obtained his Ph.D. in CS from the Technical University of Munich (TUM), Germany, one of the world’s top universities, in 2022. He also has a Master’s in CS and an Executive MBA. His research focuses on the intersection of Artificial Intelligence and Software Engineering with an emphasis on hybrid quantum-classical computing. Grants from various sources, including NSF and Colorado OEDIT, have supported his QAS Lab. Besides research and teaching, he reviews top academic journals and conferences.

Dr. Terrance Boult is a Distinguished Professor Emeritus at the University of Colorado Colorado Springs (UCCS). He worked as the El Pomar Endowed Professor of Innovation and Security and Co-director of the Bachelor of Innovation family of degrees for nearly two decades. Dr. Boult has published over 150 Papers and holds 6 patents with 9 pending. Before joining UCCS in 2003, he was an endowed professor and founding chairman of Lehigh University's CSE Department. He received his BS in Applied Math (1983), MS in CS (1984), and Ph.D. in Computer CS (1986) from Columbia University and then spent 8 years on the Columbia CS Department Faculty. He has won 2 teaching awards, multiple research/innovation awards, and IEEE service awards, and is a member of the IEEE Golden Core. His VAST Lab has been supported by over $2M in funding from multiple sources, e.g., ONR, Army, SOCOM, Air Force, and DARPA.

https://tianoshield.github.io/home/events

A firmware program is embedded in non-volatile storage on a computer's motherboard. It controls how computing devices, ranging from cloud servers to resource-constrained Internet of Things (IoT) platforms, start up their boot processes and interact with their operating systems after they are powered on. The Unified Extensible Firmware Interface (UEFI) is an open standard for computing system firmware architecture specification. The TianoCore community maintains reference implementations of various components of the UEFI specification, for example, EDK II. This has resulted in a vibrant and mature Open-Source Ecosystem (OSE) with a significant impact on global security, safety, and privacy. Given the widespread use of the TianoCore repositories, security vulnerabilities may be leveraged by malicious actors and cyber-criminals to develop exploits that could cause potentially massive-scale harm to individuals, businesses, and the public sectors, including critical infrastructure. A recent $1.2M project (2025-2027) sponsored by the U.S. National Science Foundation (NSF), named TianoShield, aims to enhance the state of security of the TianoCore OSE and improve its overall open-source development process and practices. The proposed one-day workshop for VulnCon26 in Scottsdale, AZ, USA, called International Workshop on Firmware Security Vulnerabilities (FirmVuln26), will focus on improvements, new results, and open problems in protecting the TianoCore OSE by using the TianoShield project as the anchor, while welcoming talks from other participants and stakeholders in the firmware world.

Jenn Gile is a community builder and tech educator in the Security and DevOps fields. She's Co-Founder of OpenSourceMalware.com, on staff with BSides Seattle, and is an advisor at Endor Labs. Jenn previously worked at NGINX, F5, and the U.S. Department of State. Outside of work, she's deeply involved in the cycling community as a board member for 2nd Cycle.

Malware is all about scale and time: How can I hit the most people in the shortest time? But not all ecosystems are equally vulnerable. The JavaScript ecosystem, particularly its package manager npm, is arguably the most vulnerable to supply chain malware attacks. And with JavaScript being the language of the web, this is a problem that impacts an estimated 27.4 million developers. So what are we to do?

Lexi Selldorff is a Senior Engineering Manager at Manifest, leading work on SBOM vulnerability scanning. Previously, she was an Engineering Manager at Rula and a Forward Deployed Engineer at Palantir. She has built and operated software in highly regulated environments, including healthcare and government, and is passionate about delivering mission-critical systems quickly and securely. Lexi enjoys getting deep into data, and her work at Manifest focuses on the real-world challenges of vulnerability matching, package identification, and reducing noise in vulnerability management.

Matching vulnerabilities to software components sounds straightforward: take a list of packages, take a list of CVEs, and connect the two. In reality, vulnerability matching is one of the most complex and error-prone parts of modern vulnerability management. The identifiers we rely on, such as CPEs and Package URLs (PURLs), are imperfect abstractions of real-world software, while vulnerability data sources often contain gaps, inconsistencies, and conflicting interpretations. This talk explores why vulnerability matching is such a nuanced problem. We’ll examine how CPEs struggle to model modern package ecosystems, how PURLs vary across languages and distributions, and how incomplete or mismatched metadata leads to false positives and missed vulnerabilities. We’ll also compare discrepancies across major data sources including NVD, CVE.org, OSV, and vendor advisories. Attendees will leave with practical techniques for investigating suspicious findings, verifying vulnerability matches, and reducing noise in scanner outputs. The session concludes with guidance on selecting and combining scanners, and proven workflows for managing false positives while maintaining trust in SBOMs and vulnerability reporting.

This session presents practical lessons from CERT.PL CNA’s role as a national CVD hub mediating between mostly Polish security researchers and product vendors, including both successful collaborations and difficult, low‑engagement cases. Using anonymised coordination examples, the talk explores researcher and vendor motivations and the operational constraints faced by a national CSIRT, such as limited influence over remediation decisions and communication bottlenecks. The session will also describe improvements introduced into CERT.PL’s CVD process: diversified contact channels to reach vendors, the adoption of a 90‑day default disclosure window, and the systematic involvement of sectoral CSIRTs where appropriate to share context and reduce fragmented communication. Attendees will leave with actionable patterns and anti‑patterns for enhancing their own CVD workflows, especially when acting as intermediaries between independent researchers and domestic vendors with varying maturity levels.

Lexi Selldorff is a Senior Engineering Manager at Manifest, leading work on SBOM vulnerability scanning. Previously, she was an Engineering Manager at Rula and a Forward Deployed Engineer at Palantir. She has built and operated software in highly regulated environments, including healthcare and government, and is passionate about delivering mission-critical systems quickly and securely. Lexi enjoys getting deep into data, and her work at Manifest focuses on the real-world challenges of vulnerability matching, package identification, and reducing noise in vulnerability management.

Ertugrul Yaprak is the Director of the Data Department at Picus Security and leads the data engineering pipeline and AI workflows. He holds a bachelor's degree in computer science and has been involved in data projects for over 20 years.

Mehmet KILIC is the Director of Cyber Security Practices at Picus Security. In this role, he leads the company’s cybersecurity product strategy, identifies real-world customer challenges, and explores innovative security solutions. He focuses on bridging business needs with technical development to deliver effective and practical cybersecurity capabilities.

Most vulnerability management programs still rely on base CVSS scores and scanner output, even though real‑world risk is heavily shaped by an organization’s own security controls and asset context. The result is familiar: long lists of “critical” findings that are already mitigated, and overlooked “medium” issues that are fully exposed. In this session, we will present a practical approach to validate vulnerability management by combining CVE data, adversary techniques, attack modules, security control effectiveness, and asset criticality into a unified, exposure-driven prioritization workflow. We will begin by examining the relationship between CVEs and security controls, focusing on how standard controls actually impact exploitability in practice. Building on this, we will refine the existing CVSS score to “Contextual CVSS”, which utilizes temporal metrics with exploitability and environmental metrics derived from an organization's context and security control effectiveness. Using real-world, data-driven insights from our ongoing research and development, we will demonstrate how contextualization alters score distributions and risk rankings across groups of CVEs, and how a score of vulnerability or exposure can be layered on top to drive re-prioritization at scale. We will introduce the “Exposure Score”, a unified risk measure that combines control effectiveness, exploitability, and asset importance, as well as contextual CVSS. Finally, we will demonstrate how these exposure metrics can be aggregated at the asset level to support risk-based decision-making for both technical teams and business stakeholders, in a tool- and vendor-agnostic manner that attendees can adapt to their own environments.

Arun Pratap Singh is a Security Research Engineer at Qualys, working on the company’s flagship Vulnerability Management, Detection and Response (VMDR) platform. Over the past eight years at Qualys, he has worked across the vulnerability lifecycle: first as a Security Operations Engineer responsible for securing three Qualys cloud platforms through internal vulnerability management, where he also served on the core FedRAMP audit team for two consecutive years; then as a Threat Research Engineer for the Qualys XDR and EDR products; and now as a signature author creating and maintaining Qualys QIDs used by customers worldwide. His day-to-day work includes designing detections for real-world vulnerabilities, tuning them to reduce noise at scale, and collaborating with operations and product teams. I am particularly interested in how vulnerability management must evolve to handle cryptographic and post-quantum risks.

Quantum computing is still emerging but its impact on today’s cryptography is already a security problem. RSA and ECC will not fail overnight, yet many organizations are storing data that must remain confidential for 10-20+ years while still relying on quantum-vulnerable algorithms and hard-to-change infrastructure. Today’s vulnerability management programs are excellent at tracking CVEs and patching software, but they rarely treat cryptography itself as an inventory item or risk object. In this talk, I reframe “quantum-era vulnerabilities” from the perspective of vulnerability management and large-scale detection engineering. We will look at: - How to define quantum-era risk in practical terms: harvest-now-decrypt-later, long-lived data, and fragile PKI. - Lessons from building detections for deprecated ciphers and protocols (TLS, SSH, IPsec) and how those patterns extend to post-quantum migration. - What “crypto-agility” really means for blue teams: crypto inventories, quantum-risk scoring, and policy-driven deprecation instead of one-off cipher clean-ups. - How vulnerability scanners, PSIRTs, and asset owners can collaborate to surface quantum-era issues as first-class findings-alongside traditional CVEs. Attendees will leave with a concrete, vendor-neutral playbook to start integrating post-quantum readiness into their existing vulnerability management processes today, without needing to be quantum-cryptography experts.

Francesco Cipollone is a seasoned entrepreneur, CISO, and Founder of Phoenix Security, the code-to-runtime contextual, actionable ASPM platform. He’s a published author, host of the multi-award Cyber Security & Cloud Podcast, and a frequent international speaker known for pragmatic, forward-looking views on modern vulnerability management and product security. He previously presented this reachability-and-remediation concept at OWASP LASCON

(including a keynote) and at other major events over the past year.

Francesco sits on the board of the UK&I Cloud Security Alliance Chapter and is a faculty member at IANS, focusing on application and cloud security. His work has been featured in outlets such as Forbes, Help Net Security, and Hacker Noon, and he has appeared on well-known industry podcasts including Application Security Weekly, Down the Rabbit Hole, Cloud Security Podcast, and AppSec Weekly. He has spoken at conferences across the US and Europe, including AppSec Cali, Open Security Summit, and Cyber Security & Cloud Expo.

Previously, Francesco led application and cloud security at HSBC and worked as a Senior Security Consultant at AWS. Outside of work, he runs marathons, snowboards in the Italian Alps, and enjoys a good single malt in London.

Podcast: https://phoenix.security/resources/podcasts/ Books: https://phoenix.security/whitepapers-resources/modern-application-security-ebook/ Research: https://phoenix.security/vulnerability-weekly/ Whitepapers: https://phoenix.security/whitepapers-resources/ Talks: https://www.youtube.com/watch?v=bDtJA551vpI&list=PLVlvQpDxsvqESE7DcPTe2BbZgGvFtWla4 More talks: https://www.youtube.com/results?search_query=francesco+cipollone+security Blog: https://phoenix.security/author/fcphoenix-security/ Press: https://www.nsc42.co.uk/press

Vulnerability management is still judged by “how many findings” and “how fast we closed tickets.” That breaks down the moment you introduce containers, ephemeral workloads, shared base images, and sprawling dependency graphs. In Product Security, the hard part isn’t detecting vulnerabilities—it’s patching the right thing, in the right place, by the right team, fast enough to matter. This talk reframes reachability analysis as a remediation engine, not just a prioritization trick. We’ll show how code-to-cloud tracing and reachability (code, library, container, static, runtime) changes the patching playbook—especially for container vulnerabilities where “just upgrade the package” often doesn’t exist, isn’t safe, or doesn’t land in production. We’ll also connect Cyber Threat Intelligence (CTI) to remediation decisions: which vulnerabilities are actively dangerous, which are theoretical, and which demand compensating controls when patching is slow. Finally, we’ll demonstrate how AI-assisted CTI (Google Gemini-based enrichment) can rewrite and normalize vulnerability data at scale—turning noisy scanner output into actionable, fix-oriented guidance—and how agentic remediation for library upgrades becomes dramatically more effective when constrained by reachability. The outcome: a practical CTEM approach built on three pillars—ownership attribution, vulnerability attribution, and remedy attribution—so teams stop drowning in alerts and start shipping fixes that measurably reduce exposure. Key topics 1. Patching vs remediation: patch, upgrade, rebuild, mitigate 2. Containers: why “just patch it” is often wrong 3. Reachability + tracing: from CVE to deployed exploit path 4. CTI-driven prioritization: what’s burning now 5. AI-CTI at scale (Gemini): rewriting vulnerabilities into fix-ready guidance 6. Agentic remediation for libraries: PRs gated by reachability 7. CTEM 3 pillars: right team, right vuln, right remedy, right context Takeaways for Attendees • A clear model for why container patching is not traditional patching—and how to fix it without chaos. • A practical method to combine reachability + code-to-cloud tracing to route remediation to the right owners with minimal noise. • How CTI (and AI-CTI at scale) changes remediation priority from theoretical severity to real-world danger. • How to use agentic remediation for library upgrades safely by constraining it with reachability and production relevance. • A CTEM blueprint (3 pillars) that turns vulnerability management into measurable exposure reduction.

Daniel Bardenstein is the CEO and co-founder of Manifest, focused on making software and AI supply chains more transparent and secure. He is a co-chair of both the CISA AI Bill of Materials (AIBOM) Working Group and the OWASP AIBOM Working Group, helping shape how AI systems are identified, described, and secured in practice. Previously, Daniel served as Chief of Technology Strategy at CISA, where he led technology modernization efforts, OT/ICS strategy, and the development of the Cybersecurity Performance Goals. At the Defense Digital Service, he ran cybersecurity initiatives across the Department of Defense, including securing COVID-19 vaccine distribution and leading Hack the Pentagon. Before government service, Daniel built cybersecurity and data platforms at Exabeam and Palantir.

Vulnerability management has spent the last decade arguing about identifiers (as we’ve seen from each previous VulnCon) – mostly between CPEs in NVD and for commercial products, and Package URLs (PURLs)for open-source software (leaving aside the technical argument about purls being locators and not identifiers). CPEs promised standardization and delivered ambiguity. PURLs emerged as a practical alternative,imperfect, but grounded in how software is actually built, packaged, and consumed. Along the way, the community learned hard lessons about versioning, namespaces, ecosystems, vulnerability scanning, and the cost of getting identifiers wrong.

Now we’re repeating the same mistakes with AI.

Security teams are being asked to reason about vulnerabilities, licenses, and provenance for models and datasets that have no consistent identifiers, unclear version semantics, and weak ties to their underlying components. Without stable, resolvable IDs, everything from SBOMs to VEX to policy enforcement breaks down.

This talk draws on lessons learned from years of wrestling with CPEs and PURLs in traditional software supply chains and applies them to AI systems. We’ll explore why models and datasets need first-class identifiers, what properties those identifiers must have to be security-relevant, and why the PURL design turns out to be a surprisingly good fit. We’ll walk through concrete examples of model and dataset PURLs, discuss edge cases like fine-tuning and composite models, and highlight where existing tooling can already be reused—or where it needs to evolve.

If we want to save ourselves the headache around identifiers for AI vulnerability management, we need to get identifiers right this time. This talk is about how to do that, before the ecosystem calcifies around another bad abstraction. 

 
Nikita Borovkov is an Application Security Engineer at SOFTSWISS, specializing in penetration testing, vulnerability research, and application security as a whole. With over three years of experience in cybersecurity, Nikita has transitioned from penetration testing to a defense-focused application security role. He holds a Bachelor's degree in Computer Science with a specialization in Cybersecurity from Kyiv Polytechnic Institute and maintains certifications including eJPT, CWEE, and OAWSP. 

 
Nikita Borovkov is an Application Security Engineer at SOFTSWISS, specializing in penetration testing, vulnerability research, and application security as a whole. With over three years of experience in cybersecurity, Nikita has transitioned from penetration testing to a defense-focused application security role. He holds a Bachelor's degree in Computer Science with a specialization in Cybersecurity from Kyiv Polytechnic Institute and maintains certifications including eJPT, CWEE, and OAWSP. Beyond profesisonal achievements, Nikita enjoys participating in weekend CTFs, going surfing, and eating nice food.

Yotam Perkal leads security research at Pluto Security, a next-generation AI security and governance platform designed to protect the rapidly emerging ecosystem of AI builders, low-code/no-code tools, and agentic applications. His work focuses on securing AI-native development environments and building scalable methods for detecting, validating, and mitigating risks in AI-driven software workflows.

Previously, Yotam led the Threat Research team at Zscaler, headed the Vulnerability Research team at Rezilion, and held multiple roles within PayPal’s security organization across vulnerability management, threat intelligence, and insider threat.

Yotam is an active participant in several cross-industry working groups dealing with AI security, vulnerability management, and supply chain security.

AI is rapidly reshaping vulnerability management, and the upcoming years will determine whether defenders or attackers are gaining the upper hand. On the defensive side, AI promises meaningful progress: improved prioritization in the face of exponential vulnerability growth, better signal extraction from increasingly noisy data, faster identification of vulnerable components, and earlier insight into real-world exposure. As the rate of vulnerability disclosure continues to outpace remediation capacity, these capabilities are becoming essential to keeping VM programs viable. At the same time, AI is actively increasing pressure across the vulnerability ecosystem. Automated, low-effort vulnerability submissions (“AI slop”) are placing growing burdens on triagers, CNAs, and open-source maintainers. The technical barrier for effective exploitation is rapidly dropping, shortening the time from vulnerability discovery to weaponization and enabling more adaptive, personalized attacks at scale. Recent research and real-world incidents demonstrate that AI-powered attacks have moved from theory to practice, spanning nearly the entire MITRE ATT&CK lifecycle. This talk examines the AI arms race through a vulnerability management lens, highlighting both its defensive potential and its destabilizing effects. We explore where current workflows begin to fail when confronted with AI-driven discovery and exploitation, and what must change as a result. Rather than incremental optimization, defenders need to revisit foundational choices, from prioritization and disclosure to automation boundaries and system design, to remain effective in an environment shaped by autonomous, adaptive adversaries.

Anthony Feddersen is the SVP of Engineering at NetRise, where he leads the development of advanced binary analysis solutions to secure the software supply chain. His career has focused on building and securing foundational cloud services at scale, previously serving as head of engineering at Chainguard and in senior leadership roles at Electronic Arts, VMware, and Google.

Craig Heffner is a Senior Staff Engineer at NetRise and the creator of the popular open source tool, Binwalk. He has over 20 years experience analyzing wireless and embedded systems, and has presented at prominent security conferences including Black Hat and DEFCON. His former employers include the NSA, Microsoft, various government contractors, and multiple successful cyber security start-ups.

Your application security scanners are lying to you. Manifest files show what developers intended to ship, but compiled binaries reveal a harsher truth: hidden, vulnerable dependencies that never show up in SBOMs. This session uses real-world case studies to expose the gap and show how Binary Composition Analysis uncovers the vulnerabilities your tools miss.

Lisa Olson is a Principal Security Release Program Manager at Microsoft, where she has led the Patch Tuesday release process since 2013. A member of the CVE Board since 2018, Lisa is a passionate advocate for improving vulnerability communication through automation and machine-readable formats. Her work focuses on transforming how security information is shared to help organizations respond faster and more effectively.

The CRA is calling for disclosing many more classes of vulnerabilities and clearly articulating the exploit status of all known vulnerabilities in the entire supply chain. To execute successfully, the industry is going to have to work together to come up with the tooling necessary to make this possible. This talk will explore the challenges and opportunities for this industry collaboration.

The prevailing myth in cybersecurity circles—that the escalating number of vulnerabilities indicates a fundamental decline in software security—deserves scrutiny, as it often oversimplifies complex dynamics. While Common Vulnerabilities and Exposures (CVEs) did increase 20% from 40,000 in 2024 and over 50,000 by the end of 2025, this uptick is frequently misconstrued by speculation in blogs, media outlets and annual cyber security trend and insight reports. This trend is amplified by a rising volume of CVEs in non-enterprise and academic initiatives even as major vendors' vulnerability counts hold relatively steady. Flawed incentives in reporting mechanisms promote the logging of minor or spurious issues for prestige, artificially inflating figures without correlating to actual threats fuels undue panic, misallocates remediation efforts, and eclipses genuine strides in secure coding practices. Debunking it calls for a shift toward risk-centric vulnerability management, emphasizing exploit potential over raw quantity to cultivate a more informed perspective on evolving cyber risks.

Bob is a cybersecurity executive and public-interest technologist with deep experience building and defending high profile digital systems. He has led major secure by design initiatives at the Institute for Security and Technology (IST) and at the Cybersecurity and Infrastructure Security Agency (CISA), where he served as a Senior Technical Advisor focused on shifting more responsibility for customer safety to software manufacturers. He was the first Chief Security Officer

(CSO) at the Democratic National Committee (DNC), boosting the security of the Committee along with state parties and campaigns. Earlier in his career he was the CISO at Yahoo and the first security hire at Twitter, where he built and led the information security program from the ground up.

The CVE Program is one of the most important public-interest technology infrastructures, but it was built for a very different era. Today’s defenders face adversaries who move faster, exploit automation, and operate at global scale. Meanwhile, the CVE ecosystem still relies on fragmented governance, inconsistent data quality, and processes that treat vulnerability reporting as a clerical task rather than a safety-critical function. This talk asks a simple but disruptive question: What would the CVE program look like if we designed it from scratch today? Drawing from lessons in aviation safety, transportation safety, and public health, we will explore a vision for a modern software defect registry that treats software as critical infrastructure, focuses on classes of defects rather than individual bugs, and enforces quality-by-design at the moment records are created. Attendees will see concrete examples of how this vision can work in practice, including walkthroughs of a CNA Dashboard and a User Dashboard that surface CVE record quality, recurring defect patterns, and manufacturer accountability in ways that are not possible today. These prototypes demonstrate what becomes immediately achievable when the system creates CVE records that are complete, accurate, timely, and structured for automation—giving defenders faster answers while enabling systemic analysis of how software fails over time. The goal of the session is not incremental change. It is a call to reimagine CVE as the backbone of software safety: an authoritative defect registry, an accountability mechanism for manufacturers, and an engine for eliminating entire classes of vulnerability. The talk will close with a pragmatic discussion of initial steps the community could take in 2026 to begin implementing this vision, focusing on quality-by-design requirements, opinionated tooling, and governance changes that enable meaningful progress without requiring a wholesale reset of the ecosystem.

Yogesh Mittal is a PSIRT Manager at Red Hat, where he orchestrates strategic initiatives at the intersection of enterprise security and open source supply chain health. He oversaw Red Hat’s elevation to both CVE Program Root and CNA of Last Resort (CNA-LR) status. As a member of the CVE Program Roots Council, Yogesh plays a central role in evolving CNA Policy and operational standards, ensuring that governance frameworks are robust enough for global enterprises while remaining viable for decentralized communities.

Beyond policy, Yogesh bridges the gap between corporate governance and operational reality to align industry standards with the needs of the modern supply chain. He established a collaborative forum for Open Source CNAs and is dedicated to operationalizing "Federated Responsibility"—designing policy-backed frameworks that improve data quality without overburdening the volunteer workforce.

The global vulnerability management ecosystem operates on a hidden "Vendor Bias"—the assumption that software producers have full visibility into downstream deployments and funded security teams. While this model works for commercial vendors, it breaks catastrophically when applied to Open Source Software (OSS). This paper exposes how this structural bias creates five critical failures in the OSS supply chain: the "Context Failure" (systemic risk inflation), the "Consensus Failure" (conflicting data from centralized authorities), the "Automation Failure" (AI-driven triage debt), the "Capacity Failure" (administrative exhaustion), and the "Resolution Failure" (the "Disputed" tag deadlock). We conclude that the technical ecosystem must mirror emerging policy innovations. We propose a "Federated Responsibility" framework that decouples risk assessment from upstream code maintenance, using the EU Cyber Resilience Act’s "Stewardship" model as a blueprint. By retiring the ambiguous "Disputed" tag in favor of a "Conditional" status, we can ensure enterprise-grade data quality while protecting the volunteer capacity that powers modern infrastructure.

Daniel Larson is the Coordinated Vulnerability Disclosure (CVD) Team Lead at the Cybersecurity and Infrastructure Security Agency where he and his team oversee the day-to-day CVD operations conducted by CISA and its partners. His roles also include overseeing the daily operations for the CISA Top-Level Root, CISA ICS Root CNA-LR, and CISA-Civilian Government CNA. Daniel has supported CISA’s Disclosure mission for six years, working closely with software suppliers and researchers to enhance Coordinated Vulnerability Disclosure (CVD) capabilities and maturity through automation and policy improvements.

Eoin Wilson-Manion is a vulnerability analyst at ANALYGENCE Labs, where he performs Coordinated Vulnerability Disclosure (CVD) and contributes to related research and development efforts with his buddy Tyler! 

Tyler Zellers is a vulnerability analyst at ANALYGENCE Labs, where he performs Coordinated Vulnerability Disclosure (CVD) and contributes to related research and development efforts.

 
Vulnerability management, perhaps unsurprisingly, relies on information about vulnerabilities. The results of most coordinated vulnerability disclosure (CVD) efforts are, also unsurprisingly, disclosures, ideally public disclosures. What information does vulnerability management need? What information does CVD provide? How, in what formats? How do we assess quality and support automation? CISA Vulnerability Response and Coordination (VRC) publishes vulnerability information in CVE, CSAF, VEX, and a collection of related formats including SSVC, CVSS, CWE, and vers. This talk will detail our experience from collecting and analyzing vulnerability information to producing and publishing CSAF Advisories and CVE Records.

Prof. David Starobinski is a Professor of Electrical and Computer Engineering and of Systems Engineering at Boston University, with an affiliated appointment in the Department of Computer Science. His research interests are in cybersecurity, wireless networking, blockchain and cryptocurrency, and network economics.

Sevval Simsek is a Computer Engineering PhD candidate at Boston University. She is a part of Networking and Information Systems Lab, and has been focusing on ML for Cybersecurity, and improving cybersecurity operations with graphs and algorithms.

Modern software supply chains are complex, driving the need for tools to manage dependencies and detect vulnerabilities. However, integrating these tools for unified vulnerability-dependency views is an open challenge. We introduce VDGraph, a knowledge graph methodology that merges project dependency data and vulnerability scan outputs into a holistic graph that represents the complex dependency chains leading to vulnerabilities, and is queryable. We formally analyze VDGraph’s properties and resolve dependency and vulnerability data conflicts. A proof-of-concept using CycloneDX Maven plugin and Google’s OSV-Scanner demonstrates automation and scalability across over 100 Maven-based Java projects. Queries on VDGraph uncover concentrated risk points and show that most vulnerabilities are deeply nested inside projects (i.e, depth of three or greater). We further demonstrate VDGraph’s capability of efficiently visualizing and patching vulnerable projects

John Amaral is the Co-founder and CTO of Root.io. John has more than 25 years of experience as a technologist and product development leader in information security and networking. Before Root, John was Head of Product at Cisco Cloud Security. John previously held product and engineering leadership roles at CloudLock (acquired by Cisco), Trustwave (acquired by Singtel), and Vericept, among others. In 2007, John was selected as a top 40 under 40 business leader by American Venture Magazine.

When a new CVE drops, a new cycle begins where teams have to scramble and prioritize fixing since it isn't as simple as pulling the latest upstream commit. Legacy dependencies, shifting APIs, and operational stability requirements turn backporting into a surgical exercise in code archaeology. In this hands-on lab, attendees will go deep on how to generate a backported patch for a real-world vulnerability, which will start with the CVE-2024-37370 in MIT Kerberos example, used across major Linux distributions and many CNCF projects. We’ll start by walking through what makes a vulnerability CVE-worthy, examining the affected code, and studying how upstream fixed it. From there, attendees will work step-by-step to adapt that fix for an older codebase, tracing impact across API changes, dependencies, test suites, and documentation. Along the way, we’ll explore other techniques to evaluate patch safety, prevent regressions, and identify unintended side effects before they hit production. Participants will get hands-on with live systems, debugging failed patches, exploring incomplete fixes, and learning techniques to trace risk across multiple legacy branches. We’ll cover both the defender’s and attacker’s perspectives understanding how incomplete backports leave exploitable gaps, and how to close them. By the end of the session, attendees will have produced and validated their own safe backport patch, gaining practical skills they can apply immediately in production environments. This lab is designed for engineers, SREs, and security practitioners who want to move beyond “apply and pray” and learn the craft of backporting in high-stakes, real-world conditions.

Josh Skorich is Founder and CTO at Spektion, working on runtime-based security for production environments. He spent over a decade in red teaming and adversary simulation, leading offensive security programs across financial systems, critical infrastructure, and cloud environments. His focus is bringing operational security reality into scalable, repeatable vulnerability governance.

Vulnerability management programs are optimized for what can be named and matched: a product, a version, a CVE. But real environments contain significant software that exists outside practical CVE coverage: legacy tools from defunct vendors (no one to coordinate disclosure with), obscure utilities embedded in base images (no fingerprint for scanners to match), regional software without CNA relationships (unlikely to receive research attention), and abandoned projects that still run in production (no vendor maintaining a vulnerability feed). This software is operationally important yet structurally invisible to CVE-centric workflows. The failure mode is identity: if you cannot fingerprint the component, your VM pipeline produces no finding, no ticket, no owner.

This talk presents a runtime-centric approach to governing that blind spot, born from a career in red teaming where the most interesting findings were rarely in software with CVE coverage. I show how multi-layer runtime telemetry (Kubernetes metadata, gateway/mesh logs, network flows, and host events) can bootstrap stable component identity using a three-layer model that survives rebuilds and reduces churn. I introduce an evidence framework (Observed/Derived/Assumed with confidence scoring) so every claim has a clear basis, and I'm explicit about what runtime telemetry can and cannot prove.

I then introduce Behavioral Vulnerability Records (BVRs): evidence-backed exploit paths tied to runtime-identified components, with fields for identity, preconditions, exploit path, impact, controls, and supporting evidence. I walk through one deep case study (telemetry to remediation) plus two concrete examples demonstrating breadth. Finally, I show how BVRs integrate into existing VM workflows and map to existing standards (CWE classification, CSAF/OSV-style records, VEX-like status) so they complement CVEs rather than compete with them.

Attendees leave with a concrete schema, an evidence model they can defend, and a 30-day pilot plan using common enterprise telemetry.

Human vulnerability researchers do not evaluate findings using severity scores or exploit headlines. They reason about prerequisites, privilege boundaries, reachable assets, and realistic attack chains. Yet most modern vulnerability programs still rely on static signals, scoring systems like CVSS, EPSS and KEV that cannot replicate this reasoning process. This talk presents original research on using AI workers (different LLMs) to investigate vulnerabilities the same way experienced human researchers do. Instead of prioritizing based on likelihood or popularity, we tasked our LLMs to analyze exploit chains, environmental conditions, identity relationships, and asset exposure to determine whether a vulnerability is actually feasible in a specific environment. The session explores how reasoning models can be constrained to perform deterministic investigation, which LLMs was better and which ones fell short, and why this shift enables vulnerability analysis that is both more accurate and more actionable than traditional approaches we used today for probabilistic guessing.