| Day 1 - September 25 | Session | Speaker(s) |
|---|---|---|
| 09:00 – 09:15 | Opening Remarks | |
| 09:15 – 10:15 | Keynote | Jen Ellis (GB) |
| 10:15 – 10:45 | Quarterly Vulnerability Forecasts | Éireann Leverett (Concinnity Risks, GB) |
| 11:15 – 12:00 | A Time-Series Approach to Predicting CVE Volume | Jerry Gamblin (Cisco, US) |
| 12:00 – 12:45 | How Nestlé Manages Vulnerabilities at Scale | Angelo Punturiero (Nestlé, IT); Jenifer Jimenez (Nestlé, ES); Martin Karel (Nestlé, SK) |
| 12:45 – 13:45 | Lunch | |
| 13:45 – 14:30 | From Prompts to Agents: Building Agentic CVE Analysis Systems | Andrey Lukashenkov (Vulners, ES) |
| 14:30 – 15:15 | Observing Exploitation Activity | Jay Jacobs (Empirical Security, US) |
| 15:15 – 15:45 | Break | |
| 15:45 – 16:30 | A New Best Practice Proposal: Connecting Vulnerabilities and Stakeholders at Scale | Jeroen van der Ham-de Vos, Ting-Han Chen (University of Twente, NL) |
| 16:30 – 17:00 | Closing session | Art Manion (ANALYGENCE Labs, US) |
| Day 2 - September 26 | Session | Speaker(s) |
|---|---|---|
| 09:00 – 09:15 | Opening Remarks | |
| 09:15 – 10:00 | Inside a Ransomware Operation: Analyzing the Black Basta Chat Leak | Mil Rajic (Independent Expert) |
| 10:00 – 10:45 | Understanding Naming and Related Issues | Jeroen van der Ham-de Vos (University of Twente, NL) |
| 10:45 – 11:15 | Break | |
| 11:15 – 12:00 | Vulnerability Mapping and Prioritization | Dmitry Raidman (Cybeats, CA) |
| 12:00 – 12:45 | How Many Vulnerabilities Are There? | Benjamin Edwards (Bitsight, US) |
| 12:45 – 13:45 | Lunch | |
| 13:45 – 14:15 | Session | Christopher Robinson (Open Source Security Foundation, US) |
| 14:15 – 14:45 | Learning by Making Vulnerabilities Up | Éireann Leverett (Concinnity Risks, GB) |
| 14:45 – 15:15 | Vulnerability Information Elements: What Matters and Why | Art Manion (ANALYGENCE Labs, US); Jay Jacobs (Empirical Security, US) |
| 15:15 – 15:45 | Break | |
| 15:45 – 16:30 | VLAI: A RoBERTa-Based Model for Automated Vulnerability Severity Classification | Cédric Bonhomme (CIRCL, FR) |
| 16:30 – 17:00 | Closing Remarks | |
| 18:00 – 19:00 | | |
Jeroen van der Ham-de Vos (University of Twente, NL), Ting-Han Chen (University of Twente, NL)
Coordinated Vulnerability Disclosure (CVD) and Multi-Party CVD have been recognized as best practices in the security community. However, shifts in the network landscape and software deployments now demand attention to both vulnerability disclosure (for newly discovered vulnerabilities) and vulnerability notification (for known but still unremediated vulnerabilities). The scale and complexity of disclosure and notification efforts have grown substantially, introducing new challenges for security researchers, vendors, end-users, and other stakeholders in establishing trust and effective communication.
Existing CVD guidelines provide a foundation; however, they have not kept pace with these changes, particularly in terms of notifications to end-users. To meet these demands, we need updated strategies and methods that support notification at scale. We have gathered experience in vulnerability notification from academic researchers, industry, and security communities, and propose a best practice for addressing large-scale vulnerability notifications.
Additionally, we aim to make the remediation rate of vulnerable systems trackable in the long term, which raises a new question: If we can forecast vulnerabilities, can we predict how many systems will be affected and how long remediation will take?
Jeroen van der Ham-de Vos (he/him) is an associate professor at the University of Twente. His research currently focuses on vulnerability prioritisation and management, incident response, the many developments in coordinated vulnerability disclosure, and the ethics of cybersecurity and computer science.
Jeroen is a member of the editorial board of the ACM journal Digital Threats: Research and Practice, is an active member of the FIRST community, was the co-editor of the Code of Ethics for Incident and Security Teams, and serves on several programme committees.
September 25, 2025 15:45-16:30
Jerry Gamblin (Cisco, US)
This session is designed as an open workshop to dissect the project's core components and challenges. We will begin with a deep dive into the suite of time-series models currently implemented. My goal is to leverage the collective expertise in the room to debate key architectural and methodological questions I am facing as a developer. To help answer this, I have created CVE Forecast (cveforecast.org), an open-source tool that uses historical data to forecast the number of new CVEs for the remainder of the calendar year. This project moves beyond analyzing individual vulnerabilities and instead focuses on predicting the overall volume of disclosures. Specifically, I want to open the floor to discuss:
GPU Acceleration: Is pursuing GPU support for these types of models a worthwhile optimization, or are there more effective performance strategies for time-series forecasting?
Tuning and Validation: I will share my current method for automated model tuning. I'm seeking honest feedback on whether this approach is statistically sound or if it could be considered "cheating" by inadvertently overfitting to the historical dataset.
This is not a talk at all, but a collaborative problem-solving session. I'm here to share my code, my methods, and my open questions, and I am eager to learn from the group's experience.
Jerry Gamblin is a Principal Engineer in the Threat Detection & Response business group at Cisco Security, where he leads research and data science initiatives to enhance Cisco Security products. He is actively involved in the CVE community, participating in various working groups and serving as a member of the EPSS SIG. He regularly speaks on vulnerabilities and vulnerability management at international conferences and manages a CVE data collection site at CVE.ICU.
September 25, 2025 11:15-12:00
Christopher Robinson (Open Source Security Foundation, US)
The vulnerability management ecosystem has long had challenges effectively engaging with Open Source Software projects and maintainers. The advent of easy access to low/no-cost AI tools has exponentially increased the volume of defect reports to vendors and to upstream. Sadly, unlike a commercial enterprise or vendor, upstream open source maintainers are not equipped to deal with this new deluge of "helpful" reports, the overwhelming majority of which are low quality and slow developers down in addressing actual vulnerabilities that could have real-world impact.
The session will dive into the deep end of things and showcase several recent interactions between upstream developers and the army of AI "researchers", and highlight how this new trend threatens to further erode the interest and ability of upstream maintainers to participate in vulnerability response. We will discuss potential solutions and best practices for managing this influx of data, ensuring that valuable contributions are not lost in the noise, and fostering a more sustainable engagement model between security researchers and open source communities. This includes exploring strategies for filtering, prioritizing, and automating the initial assessment of AI-generated reports, as well as promoting clearer communication guidelines for responsible disclosure.
Christopher Robinson (aka CRob) is the Chief Technology Officer & Chief Security Architect for the Open Source Security Foundation. With over 25 years of Enterprise-class engineering, architectural, operational and leadership experience, CRob has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect.
September 26, 2025 13:45-14:15
Andrey Lukashenkov (Vulners, ES)
Traditional AI approaches to vulnerability analysis rely on single-model interactions that lack specialized domain expertise and structured intelligence integration. This talk demonstrates the evolution from simple ChatGPT prompts to sophisticated multi-agent systems capable of collaborative cybersecurity analysis.
We'll explore building an agentic CVE analysis system using CrewAI, showcasing how multiple specialized AI agents can work together to provide comprehensive vulnerability intelligence. The presentation covers practical implementation of agent roles, task orchestration, and tool integration with vulnerability databases like Vulners MCP.
Key focus areas include prompt engineering strategies for agent collaboration, handling context limitations through specialized tools, and designing flexible yet specific agent configurations. Attendees will see live demonstrations comparing traditional single-prompt analysis against multi-agent approaches, highlighting improved accuracy and actionable intelligence.
The session concludes with lessons learned from building production-ready agentic systems, emphasizing the critical balance between agent specificity and flexibility. This is not about CVE overload—it's about understanding scalable patterns for complex cybersecurity workflows that extend beyond vulnerability management.
Andrey Lukashenkov handles all things revenue, product, and marketing at Vulners - a bootstrapped, profitable company committed to providing an all-in-one vulnerability intelligence platform to the cybersecurity community.
Being naturally curious and having a technical background, he leverages unlimited access to the Vulners database to research various topics related to vulnerability management, prioritization, exploitation, and scoring.
September 25, 2025 13:45-14:30
Benjamin Edwards (Bitsight, US)
Necessary to any attempt to answer "how many vulnerabilities are there likely to be in the future?" is data about how many vulnerabilities existed in the past. This talk examines four alternative vulnerability databases: CNNVD, CNVD, OSV, and EUNVD. First we provide an overview of their governance and historical data. Then the data science will commence, revealing an exponential growth in vulnerabilities across most active databases over the past five years, with the notable exception of CNVD following a 2021 CCP policy change. Further investigation into the data demonstrates that most databases primarily derive their information from published CVEs, often with redundant entries. Crucially, we will identify and characterize a significant subset of non-CVE vulnerabilities, analyzing their growth and providing forecasts. We'll conclude the talk on a soapbox, strongly advocating against the fragmentation of the vulnerability cataloging ecosystem and the proliferation of new databases, and emphasizing the need for a unified approach.
Dr. Benjamin Edwards is a principal research scientist working at Bitsight. An expert in ML and statistics, Ben synthesizes security data into actionable insights. He has led research on a wide variety of security topics including vulnerability management, application security, human risk, next-gen SIEM, nation state cybersecurity policy, and the security of ML models. He is an active member of the security community, contributing to open standards efforts including both EPSS and CVSSv4. His work has been published in leading industry and academic venues.
September 26, 2025 12:00-12:45
Angelo Punturiero (Nestlé, IT), Jenifer Jimenez (Nestlé, ES), Martin Karel (Nestlé, SK)
Organizations like Nestlé face significant challenges in vulnerability management due to the scale and complexity of their environments. These include managing a wide array of technologies, navigating intricate ownership structures, coordinating across multiple security teams and tools, and adapting to continuous change. To tackle these issues, my team and I have developed a unified platform that brings together the most effective practices tailored to each environment. Our goal is to drive automation, improve exposure awareness, and enable a broad range of use cases and reporting capabilities. Beyond aggregating results from traditional vulnerability scanners and penetration tests, we also account for vendor-disclosed vulnerabilities that may not be detected by automated tools. A key part of our approach is the automated classification of non-critical vulnerabilities, which are routed to the appropriate patching teams in line with their schedules. For critical issues, we’ve implemented a more urgent remediation workflow. This process is tightly integrated with scanner outputs, helping to resolve challenges around ownership, tracking, and SLA compliance. By connecting these elements, we’ve created a more streamlined, transparent, and effective vulnerability management program.
Angelo Punturiero is an Italian native who recently moved to the enchanting city of Barcelona. He proudly serves as a Vulnerability Management Senior Specialist in the Nestlé CSOC Vulnerability Management team. With a deep passion for cybersecurity and the art of fine cuisine, he has honed his skills through years of experience at renowned IT consulting firms. This professional journey has led him to Nestlé, where he coordinates the process that determines the Corporate Rating of the daily published CVEs, ensuring that the appropriate stakeholders are promptly informed of any imminent risks. Additionally, he actively engages in matters related to Cloud Security and contributes to projects involving Generative AI in the realm of cybersecurity.
Jenifer Jiménez, a native of Spain, is currently working as a Senior Vulnerability Management Specialist at Nestlé Global Services in Barcelona. She is the lead architect of the vulnerability management orchestration platform. Prior to her current role, she was part of the team providing security services to global Hewlett-Packard customers, as well as managing the development of security platforms for the CSIRT at CaixaBank. With a deep passion for her work and a commitment to staying at the forefront of industry trends, she strives to make a positive impact in the field of cybersecurity. Her dedication to securing critical systems and her love for salsa dancing and family bring a unique blend of expertise and personal fulfillment to her life.
Martin Karel, a native of Slovakia, is currently leading the Nestlé global vulnerability management and offensive security team based in Spain. He has been a part of the Global CSOC since its establishment in 2016 and has played a crucial role in various key projects, including incident response, security monitoring, and the centralization and automation of vulnerability management processes. Prior to his current role, Martin led similar projects at HP Enterprise and SEAT, a car manufacturer within the VW group. In his leisure time, he is passionate about ballroom dancing and values spending quality time with his two daughters.
September 25, 2025 12:00-12:45
Mil Rajic (Independent Expert)
In early 2025, someone leaked more than 200,000 chat messages from the Black Basta ransomware group. I stumbled across the dump while following chatter on a Telegram channel and what I found was surprising. This talk takes a closer look at how the group operated between 2023 and 2024: which vulnerabilities they prioritized, how they picked targets, and how they used tools like ZoomInfo or even ChatGPT to plan attacks.
I’ll also walk through a few specific Proof-of-Concept exploits they referenced—some of which haven’t been analyzed publicly yet—and show how attackers adapted them for real-world use. Expect a mix of technical breakdown, live demos (safe ones!), and insights into the everyday workflow of a ransomware crew.
This research shows practically how not only Black Basta but also other ransomware groups function, and how they carry out numerous attacks that have led to the bankruptcy of a large number of companies, as well as shaking up the world trade and geopolitical scene.
Mil Rajic is Head of Intelligence at DynaRisk, a UK-based company, and is actively engaged as a FIRST Liaison Member in several SIGs. A former military security professional with 15 years of experience in intelligence, he has spent the past eight years as Head of Intelligence at the UK cyber security company, focusing on monitoring cyber threat actors and supporting the banking, insurance, and financial sectors in identifying risks that could impact business operations. He also closely follows geopolitical developments and connects them with emerging cyber threats to provide actionable insights and strategic foresight.
September 26, 2025 09:15-10:00
Jen Ellis (GB)
Jen Ellis hopes to help reduce cyber risk for society. She works with security experts, technology providers and operators, civil society, and governments to create greater understanding of cybersecurity challenges and increased focus on pragmatic solutions. Jen promotes better collaboration among these communities, more effective cybersecurity advocacy, and broader adoption of security best practices. She has worked in B2B technology for more than 20 years, 11 of which were with the cybersecurity firm Rapid7, where Jen built the company's security research, advocacy, and community engagement functions. She founded NextJenSecurity in 2022. Jen serves on the UK Government Cyber Advisory Board, the boards of the CVE Program, the CVE Foundation, and the Center for Cybersecurity Policy and Law. She is an associate fellow of the Royal United Services Institute (RUSI), co-chair of the Ransomware Task Force, co-host of the Distilling Cyber Policy podcast, and sits on various advisory boards. She has testified before the U.S. Congress and spoken at numerous security and business conferences.
September 25, 2025 09:15-10:15
Éireann Leverett (Concinnity Risks, GB)
We have a long history of vulnerabilities now, and as it grows we learn about vulnerability abundance. There's no reason we can't reverse that process and invent vulnerabilities that are consistent with those we have historically seen. Every one of these can be given a description, and used like a table top inject to a patch or vulnerability management programme.
We have even been given a GNA ID by GCVE to catalog and document what we find.
If you use this Monte Carlo engine to create vulnerabilities, it's the combinations of them that flow in a single patch cycle that become interesting. This could help us explain why some months in vulnerability management are more stressful than others: some combinations are simply brutal to our budgets, SLAs, and uptime requirements.
Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and a long-time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code and papers, and taking long walks in nature.
While his bio is serious, he hates writing bios in the third person, and once placed second in an Éireann Leverett impersonation contest.
September 26, 2025 14:15-14:45
Jay Jacobs (Empirical Security, US)
This will be a data-driven exploration of systematically collected exploitation activity. The data covers evidence of over 7,000 unique vulnerabilities being targeted in any given week. This talk will focus on what that activity looks like and will undoubtedly challenge any preconceived notions you may have about what exploitation looks like.
Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.
September 25, 2025 14:30-15:15
Éireann Leverett (Concinnity Risks, GB)
Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and a long-time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code and papers, and taking long walks in nature.
While his bio is serious, he hates writing bios in the third person, and once placed second in an Éireann Leverett impersonation contest.
September 25, 2025 10:15-10:45
Jeroen van der Ham-de Vos (University of Twente, NL)
Naming is one of the fundamental problems in computer science. Naming things is surprisingly hard if you require global uniqueness. We have extensive experience with the DNS, with URNs and with some other systems. Most of these solutions are surprisingly challenging, but also very invisible if done right. This talk will shed some light on the design decisions of namespaces.
Jeroen van der Ham-de Vos (he/him) is an associate professor at the University of Twente. His research currently focuses on vulnerability prioritisation and management, incident response, the many developments in coordinated vulnerability disclosure, and the ethics of cybersecurity and computer science.
Jeroen is a member of the editorial board of the ACM journal Digital Threats: Research and Practice, is an active member of the FIRST community, was the co-editor of the Code of Ethics for Incident and Security Teams, and serves on several programme committees.
September 26, 2025 10:00-10:45
Cédric Bonhomme (CIRCL, FR)
This paper presents VLAI, a transformer-based model that predicts software vulnerability severity levels directly from text descriptions. Built on RoBERTa, VLAI is fine-tuned on over 600,000 real-world vulnerabilities and achieves over 82% accuracy in predicting severity categories, enabling faster and more consistent triage ahead of manual CVSS scoring. The model and dataset are open-source and integrated into the Vulnerability-Lookup service.
Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.
September 26, 2025 15:45-16:30
Art Manion (ANALYGENCE Labs, US), Jay Jacobs (Empirical Security, US)
At VulnCon 2025 we presented our preliminary work on MVVE, Minimum Viable Vulnerability Enumeration (https://docs.google.com/presentation/d/1B66qJe7BeaplB5jYiYUJ64NHIsHZedePiJHyv5NA6nQ). One part of MVVE is a set of information elements that are characteristics or measurements of vulnerabilities. Many of these elements are common across different vulnerability data sources, sometimes using different names and, more concerningly, sometimes using different definitions. MVVE itself comes down to just two foundational information elements: a declaration or claim of vulnerability, and an affected object. While perhaps academically interesting, MVVE is only a basic requirement for discovery and doesn't practically help much otherwise with vulnerability and risk management. Our work more broadly provides a framework with which to assess the value and application of information elements for vulnerability and risk management. We explore and consider the phases of vulnerability management, roles, information elements, sources of information, costs to obtain information, and quality.
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts at the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs, where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices, where he served on the board of directors for several years. Finally, Jay is a co-author of "Data-Driven Security", a book covering data analysis and visualizations for information security professionals.
September 26, 2025 14:45-15:15
Dmitry Raidman (Cybeats, CA)
Managing product vulnerabilities effectively has never been more critical, yet traditional approaches often lead to alert fatigue and inefficient remediation cycles. In this talk, we explore advanced strategies for comprehensive Vulnerability Lifecycle Management, with a focus on high-accuracy Vulnerability Mapping and Prioritization. You'll gain insights into implementing robust prioritization frameworks that leverage contextualized threat intelligence, Vulnerability Exploitability eXchange (VEX) information, and proactive Vulnerability Rescoring techniques. Additionally, we'll discuss effective methodologies for Vulnerability Sharing among stakeholders, ensuring streamlined communication and accelerated response times, eventually transforming vulnerability chaos into organizational clarity.
Dmitry Raidman is a visionary entrepreneur and cybersecurity innovator who has contributed to shaping the future of software supply chain security. Having held critical technology roles at leading companies like FLIR Systems and Sealights, as co-founder and CTO of Cybeats Technologies, he helped Fortune 500 companies to operationalize SBOM (Software Bill of Materials) management by inventing SBOM Studio in 2020. His groundbreaking work extends to AI security, where he co-leads SBOM implementation for AI systems and models and co-founded AISUF.org, the Open Framework for AI Security & Safe Use. A contributor to the NTIA's SBOM standards since 2018 and an active participant in critical security working groups, Dmitry brings over 25 years of expertise in application security, cloud architecture, and DevSecOps. His commitment to industry advancement extends beyond technology through co-founding the Security Architecture Podcast, where he shares insights on enterprise security solutions and architecture.
September 26, 2025 11:15-12:00
Art Manion (ANALYGENCE Labs, US)
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts at the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs, where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
September 25, 2025 16:30-17:00