Program Overview

Coordinated Vulnerability Disclosure (CVD) and Multi-Party CVD have been recognized as best practices in the security community. However, shifts in the network landscape and software deployments now demand attention to both vulnerability disclosure (for newly discovered vulnerabilities) and vulnerability notification (for known but still unremediated vulnerabilities). The scale and complexity of disclosure and notification efforts have grown substantially, introducing new challenges for security researchers, vendors, end-users, and other stakeholders in establishing trust and effective communication.

Existing CVD guidelines provide a foundation; however, they have not kept pace with these changes, particularly in terms of notifications to end-users. To meet these demands, we need updated strategies and methods that support notification at scale. We have gathered experience in vulnerability notification from academic researchers, industry, and security communities, and propose a best practice for addressing large-scale vulnerability notifications.

Additionally, we aim to make the remediation rate of vulnerable systems trackable in the long term, which raises a new question: If we can forecast vulnerabilities, can we predict how many systems will be affected and how long remediation will take?

Jeroen van der Ham-de Vos (he/him) is associate professor at the University of Twente. His research currently focuses on vulnerability prioritisation and management, incdent response, the many developments in coordinated vulnerability disclosure and ethics of cybersecurity and computer science.

Jeroen is member of the editorial board of the ACM journal Digital Threats: Research and Practice, is an active member of the FIRST community, and was the co-editor of the Code of Ethics for Incident and Security Teams, and serves on several programme committees.

The vulnerability management ecosystem has long had challenges effectively engaging with Open Source Software projects and maintainers. The advent of easy access to low/no-cost AI tools has exponentially increased the volume of defect reports to vendors and to upstream. Sadly, unlike a commercial enterprise or vendor, upstream open source maintainers are not equipped to deal with this new deluge of "helpful" reports, the overwhelming majority of which are low-quality reports that actually slow the developers down from addressing actual vulnerabilities that could have real-world impacts.

The session will dive into the deep end of things and showcase several recent interactions between upstream developers and the army of AI "researchers" and highlight how this new trend threatens to further erode the interest and ability of upstream maintainers from participating in vulnerability response. We will discuss potential solutions and best practices for managing this influx of data, ensuring that valuable contributions are not lost in the noise, and fostering a more sustainable engagement model between security researchers and open source communities. This includes exploring strategies for filtering, prioritizing, and automating the initial assessment of AI-generated reports, as well as promoting clearer communication guidelines for responsible disclosure.

Christopher Robinson (aka CRob) is the Chief Technology Officer & Chief Security Architect for the Open Source Security Foundation. With over 25 years of Enterprise-class engineering, architectural, operational and leadership experience, CRob has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect.

Necessary to any attempt to answer “how many vulnerabilities are there likely to be in the future?” is data about how many vulnerabilities existed in the past. This talk examines four alternative vulnerability databases: CNNVD, CNVD, OSV, and EUNVD. First we provide an overview of their governance and historical data. Then the data science will commence, revealing an exponential growth in vulnerabilities across most active databases over the past five years, with the notable exception of CNVD following a 2021 CCP policy change. Further investigation into data demonstrates that most databases primarily derive their information from published CVEs, often with redundant entries. Crucially, we will identify and characterizes a significant subset of non-CVE vulnerabilities, analyzing their growth and provide forecasts. We'll conclude the talk on a soap box, by strongly advocating against the fragmentation of the vulnerability cataloging ecosystem and the proliferation of new databases, emphasizing the need for a unified approach.

Dr. Benjamin Edwards is a principal research scientist working at Bitsight. An expert in ML and statistics, Ben synthesized security data into actionable insights. He has led research on a wide variety of security topics including vulnerability management, application security, human risk, Next-gen SIEM, nation state cybersecurity policy, and the security of ML models. He is an active member of the security community, contributing to open standards efforts including both EPSS and CVSSv4. His work has been published in leading industry and academic venues.

Organizations like Nestlé face significant challenges in vulnerability management due to the scale and complexity of their environments. These include managing a wide array of technologies, navigating intricate ownership structures, coordinating across multiple security teams and tools, and adapting to continuous change. To tackle these issues, my team and I have developed a unified platform that brings together the most effective practices tailored to each environment. Our goal is to drive automation, improve exposure awareness, and enable a broad range of use cases and reporting capabilities. Beyond aggregating results from traditional vulnerability scanners and penetration tests, we also account for vendor-disclosed vulnerabilities that may not be detected by automated tools. A key part of our approach is the automated classification of non-critical vulnerabilities, which are routed to the appropriate patching teams in line with their schedules. For critical issues, we’ve implemented a more urgent remediation workflow. This process is tightly integrated with scanner outputs, helping to resolve challenges around ownership, tracking, and SLA compliance. By connecting these elements, we’ve created a more streamlined, transparent, and effective vulnerability management program.

Angelo Punturiero is an Italian native who has recently moved to the enchanting city of Barcelona. He proudly serves as a Vulnerability Management Senior Specialist in the Nestle’ CSOC Vulnerability Management team. With a deep passion for cybersecurity and the art of fine cuisine, he has improved he's skills through years of experience at renowned IT consulting firms. This professional journey has led him to Nestle’, where he coordinates the process that determines the Corporate Rating of the daily published CVEs, ensuring that the appropriate stakeholders are promptly informed of any imminent risks. Additionally, he actively engages in matters related to Cloud Security and contributes to projects involving Generative AI in the realm of cybersecurity.

Jenifer Jiménez, native of Spain, is currently working as a Senior Vulnerability Management Specialist at Nestlé Global Services in Barcelona. She is vulnerability management orchestration platform lead architect. Prior to her current role, she was part of the team providing security services to global Hewlett-Packard customers, as well as managing the development of security platforms for the CSIRT at CaixaBank. With a deep passion for her work and a commitment to staying at the forefront of industry trends, she strive to make a positive impact in the field of cybersecurity. Her dedication to securing critical systems and her love for salsa dancing and family bring a unique blend of expertise and personal fulfillment to her life.

Martin Karel, a native of Slovakia, is currently leading the Nestlé global vulnerability management and offensive security team based in Spain. He has been a part of the Global CSOC since its establishment in 2016 and has played a crucial role in various key projects, including incident response, security monitoring, and the centralization and automation of vulnerability management processes. Prior to his current role, Martin led similar projects at HP Enterprise and SEAT, a car manufacturer within the VW group. In his leisure time, he is passionate about ballroom dancing and values spending quality time with his two daughters.

In early 2025, someone leaked more than 200,000 chat messages from the Black Basta ransomware group. I stumbled across the dump while following chatter on a Telegram channel and what I found was surprising. This talk takes a closer look at how the group operated between 2023 and 2024: which vulnerabilities they prioritized, how they picked targets, and how they used tools like ZoomInfo or even ChatGPT to plan attacks.

I’ll also walk through a few specific Proof-of-Concept exploits they referenced—some of which haven’t been analyzed publicly yet—and show how attackers adapted them for real-world use. Expect a mix of technical breakdown, live demos (safe ones!), and insights into the everyday workflow of a ransomware crew.

This research shows practically how not only Black Basta but also other ransomware groups function and how they carry out numerous attacks that led to the bankruptcy of a large number of companies as well as shaking up the world trade and geopolitical scene.

Mil Rajic: Head of Intelligence, in the UK based company DynaRisk. Actively engaged as a FIRST Liaison Member in several SIG groups. A former military security professional with 15 years of experience in intelligence, with the past eight years dedicated to the role of Head of Intelligence in the UK cyber security company with a focus on monitoring cyber threat actors and supporting the banking, insurance, and financial sectors in identifying risks that could impact business operations. Additionally, closely follows geopolitical developments and connects them with emerging cyber threats to provide actionable insights and strategic foresight.

Jen Ellis hopes to help reduce cyber risk for society. She works with security experts, technology providers and operators, civil society, and governments, to create greater understanding of cybersecurity challenges and increased focus on pragmatic solutions. Jen promotes better collaboration among these communities, more effective cybersecurity advocacy, and broader adoption of security best practices. She has worked in B2B technology for more than 20 years, 11 of which were with cybersecurity firm, Rapid7, where Jen built the company’s security research, advocacy, and community engagement functions. She founded NextJenSecurity in 2022. Jen serves on the UK Government Cyber Advisory Board, the boards of the CVE Program, the CVE Foundation, and the Center for Cybersecurity Policy and Law. She is an associate fellow of the Royal United Services Institute (RUSI), co-chair of the Ransomware Task Force, co-host of the Distilling Cyber Policy podcast, and sits on various advisory boards. She has testified before U.S. Congress and spoken at numerous security or business conferences.

We have a long history of vulnerabilities now, and as it grows we learn about vulnerability abundance. There's no reason we can't reverse that process and invent vulnerabilities that are consistent with those we have historically seen. Every one of these can be given a description, and used like a table top inject to a patch or vulnerability management programme.

We have even been given a GNA ID by GCVE to catalog and document what we find.

If you use this Monte Carlo engine to create vulnerabilities it's the combinations of them that flow in a single patch cycle that become interesting. This could help us explain why some months in vulnerability management are more stressful than others...some combos are just as brutal to our budgets, SLAs, and uptime requirements.

Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and long time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code, papers, and taking long walks in nature.

While his bio is serious; he hates writing bios in the third person, and once placed second in an Eireann Leverett impersonation contest.

This will be a data-driven exploration of systematically collected exploitation activity. The data covers evidence of over 7,000 unique vulnerabilities being targeted in any given week. This talk will focus on what that activity looks like and will undoubtedly challenge any preconceived notions you may have about what exploitation looks like.

Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.

Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and long time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code, papers, and taking long walks in nature.

While his bio is serious; he hates writing bios in the third person, and once placed second in an Eireann Leverett impersonation contest.

Naming is one of the fundamental problems in computer science. Naming things is surprisingly hard if you require global uniqueness. We have extensive experience with the dns system, with urn’s and with some other systems. Most of these solutions are surprisingly challenging, but also very invisible if done right. This talk will shed some light on the design decisions of namespaces.

Jeroen van der Ham-de Vos (he/him) is associate professor at the University of Twente. His research currently focuses on vulnerability prioritisation and management, incdent response, the many developments in coordinated vulnerability disclosure and ethics of cybersecurity and computer science.

Jeroen is member of the editorial board of the ACM journal Digital Threats: Research and Practice, is an active member of the FIRST community, and was the co-editor of the Code of Ethics for Incident and Security Teams, and serves on several programme committees.

This paper presents VLAI, a transformer-based model that predicts software vulnerability severity levels directly from text descriptions. Built on RoBERTa, VLAI is fine-tuned on over 600,000 real-world vulnerabilities and achieves over 82% accuracy in predicting severity categories, enabling faster and more consistent triage ahead of manual CVSS scoring. The model and dataset are open-source and integrated into the Vulnerability-Lookup service.

Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.

At VulnCon 2025 we presented our preliminary work on MVVE, Minimum Viable Vulnerability Enumeration (https://docs.google.com/presentation/d/1B66qJe7BeaplB5jYiYUJ64NHIsHZedePiJHyv5NA6nQ). One part of MVVE is a set of information elements that are characteristics or measurements of vulnerabilities. Many of these elements are common across different vulnerability data sources, sometimes using different names, and more concerningly, sometimes using different definitions. MVVE itself comes down to just two foundational information elements: A declaration or claim of vulnerability and an affected object. While perhaps academically interesting, MVVE is only a basic requirement for discovery and doesn’t practically help much otherwise with vulnerability and risk management. Our work more broadly provides a framework with which to assess the value and application of information elements for vulnerability and risk management. We explore and consider the phases of vulnerability management, roles, information elements, sources of information, costs to obtain information, and quality.

Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.

Managing product vulnerabilities effectively has never been more critical, yet traditional approaches often lead to alert fatigue and inefficient remediation cycles. In this talk, we explore advanced strategies for comprehensive Vulnerability Lifecycle Management, with a focus on high-accuracy Vulnerability Mapping and Prioritization. You'll gain insights into implementing robust prioritization frameworks that leverage contextualized threat intelligence, Vulnerability Exploitability eXchange (VEX) information, and proactive Vulnerability Rescoring techniques. Additionally, we'll discuss effective methodologies for Vulnerability Sharing among stakeholders, ensuring streamlined communication and accelerated response times, eventually transforming vulnerability chaos into organizational clarity.

Dmitry Raidman is a visionary entrepreneur and cybersecurity innovator who has contributed to shaping the future of software supply chain security. Having held critical technology roles at leading companies like FLIR Systems and Sealights, as co-founder and CTO of Cybeats Technologies, he helped Fortune 500 companies to operationalize SBOM (Software Bill of Materials) management by inventing SBOM Studio in 2020. His groundbreaking work extends to AI security, where he co-leads SBOM implementation for AI systems and models and co-founded AISUF.org, the Open Framework for AI Security & Safe Use. A contributor to the NTIA's SBOM standards since 2018 and an active participant in critical security working groups, Dmitry brings over 25 years of expertise in application security, cloud architecture, and DevSecOps. His commitment to industry advancement extends beyond technology through co-founding the Security Architecture Podcast, where he shares insights on enterprise security solutions and architecture.

Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).