VulnCon Day 3 Recap

Day Three for VulnCon was highlighted by two discussions on the state of the NVD and the state of the KEV - The full agenda included some enlightening panels on topics such as

• What it takes to lead America’s Vulnerability Management Team: Bob Lord (CISA), Chris Hughes (Aquia), Lindsey Cerkovnik (CISA), Patrick Garrity (VulnCheck), Sandy Radesky (CISA)
• CNA Challenges from a National CERT Perspective: Mohd Akram Khan (CERT IN), Seema Khanum (CERT IN)
• Minimizing Vulnerability Scoring Discrepancies: Michael Schuler (CISCO)
• The current state of the NVD (Tanya Brewer NIST) and the state of the KEV: Tod Beardsley (CISA), Elizabeth Cardona (CISA)

The after continued with talks on:

• The Risks of premature vulnerability disclosure: Kathleen Noble (Intel), Tanvi Chopra (Venable), Rob Spiger (Microsoft), Michael Woolslayer (HackerOne)
• Elevating Security Standards: Julia DeWeese (Intel) and Mike Wiles (Intel)
• NVD/CVE Panel Discussion: Christopher Robinson (Intel), Andrew Pollock (Google), Madison Oliver (GitHub), Tanya Brewer (NIST)
• Firmware Supply Chain: Jerry Bryant (Intel)
• Reducing Ratio of Reserved but Public CVEs: Shelby Cunningham (GitHub)

The stand-out session was the current state of the NVD where the audience was particularly frustrated with NISTs slowdown on publishing the minutiae of CVEs in the NVD. Tanya Brewer of NIST did a wonderful job of remaining calm, while reminding the audience that the NVD was created for government agencies, not commercial companies, and is available free of charge to everyone. There was definitely an undertone from the audience who were demanding faster response times from NIST for this free data.

The Reveald Team is looking forward to VulnCon 2025 April 7-10 back at the McKimmon Center in beautiful Raleigh, North Carolina USA