Published: April 15, 2025
Last modified: April 15, 2025
VulnCon is a unique conference focused on vulnerability management. I attended the inaugural edition in 2024 (virtually), and just participated in the second one, held from April 7 to 10, 2025 (also virtually).
This year, I presented two talks. The first one, titled “Distribution Builders Meet VEX”, shared my experiments with generating VEX (Vulnerability Exploitability eXchange) documents in the context of the Yocto Project. The session prompted several in-depth questions about how VEX formats could be improved. I’m looking forward to continuing those discussions.
The second talk was co-presented with Mikaël Barbero and entitled “Towards a Vulnerability Reporting Specification”. We introduced ongoing work on a vulnerability management specification that addresses both open source realities and upcoming Cyber Resilience Act (CRA) requirements. Everyone can submit their feedback as issues or pull requests at: Specification draft
About the Topics
The conference covered a wide range of subjects, from updates on the Common Vulnerabilities and Exposures (CVE) program to VEX, and vulnerabilities in artificial intelligence (AI).
Here are my key takeaways from the sessions I attended:
- The CVE program is evolving with some promising initiatives, but structural issues remain unresolved with no solution for next months. For instance, it’s still not possible to update a CVE record by someone else other than the CVE Numbering Authority (CNA), data quality varies.
- The National Vulnerability Database (NVD) keynote was somewhat concerning. While they show progress, the backlog remains significant (and not going down). Notably, all CVEs from before 2018 have now been marked as “Deferred”. This session should have been scheduled for a full hour instead of just thirty minutes.
- Vulnerability enrichment was mentioned in many talks. However, most organizations seem to handle it internally. There doesn’t appear to be momentum toward a shared or open source solution – at least not yet.
- A notable discussion focused on defining software end-of-life in a standardized way, with initiatives like OpenEoX.
- AI usage in vulnerability management is showing first results – but far from mainstream usage.
What I Liked
- A wide range of topics, including summaries of initiatives and work tracks I couldn’t attend.
- Lively discussions in the Discord channels.
- The opportunity to directly ask questions to domain experts. For example, I confirmed that the Package URL (purl) format currently lacks a robust solution for software outside of package managers or for patched software.
- Strong representation from the open source ecosystem, including the Open Source Security Foundation (OpenSSF), Apache Foundation, Eclipse Foundation, and others.
- I discovered the existence of CNA Slack and Discord communities – and other interesting links!
What I’d Like to See More Of
- Last year, session videos were available almost immediately after each talk. This time, they weren’t. I missed many sessions due to scheduling conflicts – at times, there were seven sessions in parallel.
- Most speakers came from security companies or large enterprises. I’d like to see more representation from actual users, especially in embedded systems.
- In line with the above, more “return of experience” talks would be very welcome – practical insights from real-world implementations.
Summary
Although quite specialized, VulnCon remains a worthwhile event. I don’t know of any other conference that covers these topics so thoroughly. I’m looking forward to watching many of the sessions I missed.
Leave a Reply