FIRST Wraps CVE/VulnCon 2026 with 500+ Attendees, New Product Launches, and Key Vulnerability Management Milestones

SCOTTSDALE, AZ - APRIL 16, 2026 - Today, the Forum of Incident Response and Security Teams (FIRST) has successfully concluded CVE/FIRST VulnCon 2026 & Annual CNA Summit. The four-day event brought together more than 500 professionals from across the vulnerability management and cybersecurity landscape to collaborate, exchange ideas, and drive actionable outcomes.

The conference is designed to help participants develop insights and strategies they can take back to their individual programs to strengthen the broader vulnerability management ecosystem.

Sessions were led by security leaders from CISA, ENISA, NIST, Google, Microsoft, NVIDIA, Dell, Cisco, and dozens more speaking about how they're responding to major cyber incidents, new attack techniques, and the role of AI in both offensive and defensive security.

Alec Summers, CVE/CWE Project Lead and Principal Cybersecurity Engineer at MITRE, which co-hosts the event alongside FIRST, noted:

"What's changed is that CWE is now becoming a more integral part of vulnerability disclosure itself, as the value of transparent root-cause mapping is more widely appreciated. Simply knowing that a vulnerability exists isn't enough; teams need to understand why it exists in order to prioritize, remediate, and prevent recurrence."

Among the event's key themes was the future of the CVE program itself. Lindsey Cerkovnik, chief of CISA's Vulnerability Response & Coordination Branch, affirmed that the CVE program remains a top priority for the agency. She also called for AI companies to play a larger role in the program going forward, noting that with the arrival of new AI tools helping discover vulnerabilities, the industry is at a turning point.

"Seeing global security practitioners, researchers, and leaders in one room sharing hard-won knowledge and building real solutions is exactly why FIRST exists," said Chris Gibson, CEO, FIRST. “Collaboration is not just a value for this community, it is how the vulnerability management ecosystem actually functions and improves. We are deeply grateful to everyone who made CVE/FIRST VulnCon 2026 possible."

Several organizations unveiled new products and capabilities at the conference, including Volerion's Vulnerability Intelligence Platform, (graph-based CVE analysis and workflow integrations), NetRise Provenance (open source contributor risk mapping across enterprise software and connected devices), and a major Red Hat security data overhaul introducing improved CSAF/VEX data.

CVE working groups and FIRST special interest groups presented key updates, including the CVE Quality Working Group, Consumer Working Group, and Researcher Working Group on CVE quality and coordinated disclosure; the EPSS SIG on exploit prediction scoring; and the Women of FIRST SIG on community inclusion initiatives.

Sessions will be available on FIRST's YouTube Channel.

Platinum sponsors included ArmourCode, Astelia, Brinqa, Censys, Cogent, Devarmor, Dux, Empirical, Finite State, Hadrian, Hinoki, Intigriti, Lineaje, Manifest, Maze, NetRise, Nucleus, Oligo, Onit, Phoenix Security, Qualys, Securin, Seemplicity, Tenable, Tonic, VulnCheck, watchTowr, Zafran Security, Zest Security, and Zscaler.

Ends

Issued on behalf of FIRST. For further information please contact pr@first.org.

About FIRST

FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all. Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 840 member teams, 205 liaisons, and 4 associates spanning corporations, government bodies, universities and other institutions across 115 countries in the Americas, Asia, Europe, Africa, and Oceania. For more information and to see the full calendar of events, visit: FIRST.Org.

Connect with FIRST on social media via Bluesky, GitHub, LinkedIn, Mastodon, Meta, X and YouTube.