
Last week, I got the opportunity to hang out with a few hundred of my closest vulnerability-handling friends at VulnCon 2025, held in smoky, barbecue-infused Raleigh, North Carolina.
VulnCon is one of the most surprisingly worthwhile security conferences in the U.S., and it's only in its second year. Organized by a joint effort of the CVE Program and FIRST, VulnCon attracts about 600 people from this weird little corner of cybersecurity: a niche of a niche of a sector of the industry. It's all people who care about identifying, describing, cataloging, archiving, and predicting software vulnerabilities. Occasionally, we're interested in actually fixing or preventing them. But the fact is, we're still in a period of human history where information systems are going to have security bugs — and kind of a lot of them — so keeping them straight seems pretty important.
Hyperfocused Content
I love these goofy nerds. We've all somehow managed to find ourselves in this oftentimes uncomfortable space of figuring out how to communicate effectively about technical vulnerabilities to "stakeholders," which range from IT ops professionals to government regulators. Which vulnerabilities are important enough to drop what you're doing and address right now? And more importantly, how can you tell?
Of course, we deal with the kinds of activities and problem spaces seen at larger, more general conferences. Many who went to VulnCon last week will be at BSidesSF and RSAC next week. Even so, there's something magical that happens when you spend a few days with folks zeroed in on this very specific problem space.
There were nearly a hundred distinct talk tracks, hyperfocused on vulnerability identification and management. Titles ranged from the generally accessible ("How to Think About Vulnerabilities and Artificial Intelligence"), to the hands-on technical ("Using Jupyter Notebooks to Explore Public CVE Data"), to the almost comically esoteric ("EU CRA TL;DR for PSIRTs: What Product Security Needs To Do To Be Compliant with the CRA"). Like I said, VulnCon caters to a very specific sub-sub-subset of cybersecurity weirdos.
As you might suspect, this kind of problem space gets many of us out of bed in the morning at runZero, where we know it's not just the named, CVE-identified vulnerabilities that bedevil our customers' networks. We tackle those even-harder-to-find-and-describe misconfigurations, exposures, and goof-em-ups that present opportunities for attacker hijinks.
These aren't the kinds of issues that show up neatly labeled in a vulnerability feed. They're the edge cases: insecure-by-default services, forgotten development environments, shadow assets that never got inventoried. Exposure management means shining a light on all of it. And while that's what runZero is built for, events like VulnCon give us a peek into how other teams are tackling these murky problems. We bring those insights back with us and apply them to our customers' environments — helping them stay ahead of the chaos.
The Return of Chat
We had a fun innovation for this year's VulnCon: every one of those nearly one hundred sessions had its own dedicated Discord chatroom, where people could not only drop their "more of a comment than a question" thoughts, but have actual conversations before and after the session, sometimes lasting multiple days. This chat functionality served a couple of purposes. It allowed the audience to stay focused on the speaker while also giving an outlet to other experts in the room who probably do actually know a thing or two the speaker didn't cover.
The chat also made this in-person event much more accessible for those who couldn't make the travel to Raleigh work. So, if you're involved in organizing technical conferences, take note: your community might benefit from a parallel text chat.
Hallway Con
For me, the most valuable part of attending in-person technical conferences is all the stuff that happens in the in-between spaces. For example, I got to spend a couple of hours with Jay Jacobs, a co-chair of the EPSS SIG, which was insanely valuable to me. There are features and effects of the Exploit Prediction Scoring System that kind of mystified me, and what we discussed will absolutely inform my upcoming talk at NorthSec in Montréal on Vulnerability Haruspicy.
I also got a chance to staff the CVE Program booth (since I'm on the CVE Board) and had a few really good interactions with people who had questions and concerns about the CVE Program. It was enlightening.
Finally, since it's jointly organized by FIRST — and FIRST is all about the PSIRTs (Product Security Incident Response Teams) — I met a couple of people who ended up handling some vulnerability reports I was involved with over the last year. That aspect of conferences and symposia is often overlooked and wildly valuable. For those who habitually report vulnerabilities to vendors and producers of software, and those who receive and triage those reports, the relationship can be… adversarial. Creating personal connections goes a long way toward establishing trust and respect between researchers and actual doers.
Next Con!
So while I got to see friends, consume Carolina barbecue (which, as a Texan, is an exotic departure from my usual fare), and hang out with super smart and fun people, VulnCon has turned out to be one of my most easily justified conferences of the year. It's small — but not too small — with about 450 in-person participants and another 150 or so online. For comparison, RSAC next week is expected to draw about 45,000 participants, which is just massive.
And while I fully expect to have a good time at BSidesSF and RSAC, I'd be pleasantly surprised if I walked away with the kind of technical enrichment I get from, and can offer to, smaller venues like VulnCon. See you next year!