By Christopher “CRob” Robinson, OpenSSF TAC Chair & Director of Security Communications, Intel
The 2024 VulnCon conference, the first of its name, happened in Raleigh, NC March 25-27. It brought together experts from across industry, government, security researchers, and community members. Almost 600 vulnerability and product security-obsessed folks from around the globe participated both physically and virtually throughout the 3 days and nearly 40 sessions. It was brought together by the FIRST PSIRT SIG and the CVE Board. The OpenSSF was pleased to be one of the sponsors that helped contribute to this inaugural event.
The biggest theme of the show was the global cooperation that is needed to help make the ecosystem and downstream consumers more secure. Each day led off with perspectives from across international governmental agencies including the US Office of the National Cyber Director, KISA from Korea, ENISA, JP-CERT from Japan, CISA, NIST, and CERT-In from India. The speaker lineup also represented a very diverse set of organizations, perspectives, and experiences from around the world.
On the first day, there were sessions about how downstream OSS consumers can engage with their upstreams, a talk attempting to align the assorted vulnerability prioritization standards, and an incredibly lively “Ask Me Anything” about the CNA CVE operations rules... and all of these were just the first time slot after the keynotes. Attendees both in-person and online described how they had to make hard choices during each slot about what to attend, with so much interesting and applicable content being offered simultaneously. While this is a “great” problem to have, thankfully all of the conference sessions were live-streamed and recorded, and attendees had access to the videos the next morning. Virtually all of the sessions will later be available publicly via the FIRST and CVE Board YouTube channels sometime in late April.
Typically, each day one of the rooms was organized around a particular topic. Open Source Software security, SBOM & VEX, CVE Program & CNA challenges, CWE, EPSS, KEV, and CVSS v4 were just some of the categories. It was amazing to learn the nuances of each and to work to understand how they integrate into the larger vulnerability ecosystem picture. One of the most exciting aspects of the show was that the assorted vulnerability standards and tools were represented by their creators or by the group that supports those efforts. Having everyone gathered in one place also allowed for an amazing amount of conversation and collaboration on future efforts.
Vulnerability research, management, and disclosure is a fast-paced and potentially emotional process to be involved with, and it was so pleasing to see the courtesy and professionalism with which everyone carried themselves, all the while asking “the hard questions” directly and with tact. Everyone seemed to be focused on learning and legitimately working together on this VERY large and VERY hard problem set.
“LobbyCon” or “the Hallway Track” was in full effect too. With so many enthusiasts collected in one spot, follow-up conversations and future-plan coordination occurred in every nook and cranny of the McKimmon Center where we gathered, and throughout the conference’s Discord channels. For those of you that were able to join in, THANK YOU SO VERY MUCH for your time and expertise in helping make the world a better place. For those of you that missed it or were unable to attend, VulnCon 2025 will be expanded to 4 full days and is scheduled for April 7-10 back at the McKimmon Center in beautiful Raleigh, North Carolina USA. We hope to “see” everyone there!!
VulnCon 2024 TL;DR
Everyone that spoke here should be applauded. Here are a few highlights of just a few sessions and we encourage you to watch all the videos as they become available to see all the excellent conversations we had at VulnCon:
Day One
- The Office of the US National Cybersecurity Director spoke about the US.gov’s perspective on Supply Chain Security
- KISA provided a model for organizations to reuse based on how they analyze global regulation to help guide their stakeholders
- Andrew Pollock spoke to the challenges of data quality across our ecosystem
- Yotam Perkal provided suggestions on how the assorted vulnerability prioritization schemes could be bridged
- The inestimable Art Manion hosted a lively CNA CVE Operational Rules “Ask Art Anything”
- The CVSS SIG spoke about the new v4 spec
- Jay Jacobs did a review of security data using the lens of exploitability
Day Two
- Johannes Clos from ENISA explained his agency and the programs they offer the EU
- Tomo Ito from JP-CERT talked about their efforts to help build capabilities across APAC
- Adolfo Garcia Veytia spoke about democratizing vulnerability data through OpenVEX
- Daniel and Iain ran an amazing “Adventures in Coordinated Disclosure” game that educated the audience while they entertained!
- A panel of VEXperts explained the new VEX concept
- The EPSS SIG spoke to the challenges they’ve seen and about where they’d like to take their methodology in the future
- The CWE program gave a readout on past and future activities
Day Three
- We were given a peek into how the US government and CISA lead America’s cybersecurity management team
- We were given a perspective from CERT-In about how they are managing vulnerabilities in India
- NIST’s NVD program leaders introduced a new forthcoming effort called the NVD Symposium that should lead to more collaboration and contribution in the vulnerability data space. This was followed up later with a more in-depth panel that discussed the challenges of managing globally-used vulnerability databases
- The KEV team talked about the known exploited catalog and its importance
- There was a panel that dove into the risks of when governments require premature vulnerability disclosure
- A new working group within FIRST was explored that would address the challenges around the firmware supply chain, with the goal of better coordination and faster delivery to downstream
Again, we had almost 40 hours of content, and this recap just touches on the very tip of what was explored at the event. The full line-up of what you may have missed can be found on the VulnCon program page.
The OpenSSF was proud to have been able to support and help sponsor this impactful event. Thank you all, we hope to “see” you next year at VC25!!!
Furthermore, if you’re interested in securing open source software, we hope you’ll join us at SOSS Community Day North America on April 15th, where the OpenSSF is hosting a Tabletop Exercise (TTX) which simulates a security incident. This inaugural event had an overwhelmingly positive response from the vulnerability management ecosystem, with 611 people attending from over 300 different global organizations.
About the Author
Christopher “CRob” Robinson is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob was part of the 2024 VulnCon program committee that put on this event.