Heya internet! Once again, it’s your pal todb, and I’ve just come back from a fun and productive time at VulnCon. I want to take a minute to share some thoughts with you about what all went down this past week, including the CVE program’s place in the world and my initial reactions to Mythos and AI in general.
Just to catch you up: VulnCon is an annual symposium organized jointly by FIRST (the Forum of Incident Response and Security Teams) and the CVE program. We just wrapped up the third year of this event, and it’s already pretty well-established globally as THE place to be for several hundred government and industry practitioners from all over the world who share my penchant for vulnerability-gazing.

As with previous years, VulnCon featured lectures and workshops all about the twisty little passages where vulnerability discovery, dissemination, and defense intersect, all with an aim of helping each other and our many diverse cybersecurity and information security communities deal with the inevitability of shipping software bugs.
AI isn’t pronounced “Aiiiii!”
While VulnCon is very, very niche compared to broader expos and conferences like RSAC, InfoSec Europe, and Black Hat, we could not escape the general tech industry’s infatuation with AI. Approximately 2^32-1 words have already been written on the predicted impact of Anthropic’s Claude Mythos and Glasswing, ranging from total panic to blasé indifference. I’m here to report that the general attitude of attendees – who are, across the board, established experts in their security specialties – is, truly, cautiously optimistic in a very middle-path sort of way. I got the sense that we are agreed that AI tooling has graduated from speculative, to novel, to quite nearly normal in many vulnerability research pipelines, and network defenders who haven’t started implementing some kind of AI assistance in live incident response are likely going to have a bad time in the back half of 2026 and beyond.
The optimistic part of this take is that we can use the same kinds of AI tooling to rapidly catch up and keep pace with the relentless rate of vulnerability discovery. After all, AI doesn’t merely play offense or defense – it’s truly dual-use (if not pan-use, if that’s a word). General purpose large language models (LLMs) already are doing a much, much better job of uncovering and validating technical vulnerabilities, insecure defaults, and misconfigurations than they were even two years ago.
Even if nothing changes in the way the AI superpowers develop and grow AI capabilities, all of us squishy-brained, biochemical decision makers can use much of the same tooling to catch up and manage the ever-increasing march of individual vulnerabilities, up and down the defensive stack—from building the next generation of tools defenders need for assessment and visibility to integrated, orchestrated incident response when breaches do occur.
We’re all in this together
The conference struck me as a very “we’re all on the same side here” kind of affair, permeating most conversations I was fortunate to be involved in. Notably, we heard from, and got to spend considerable quality time with, our friends and colleagues in government, both domestically and internationally.
Probably the most significant programming choice was that the kick-off address was a joint presentation from CISA and ENISA. These are two great agencies that work great together, especially when it comes to managing and improving the CVE program (the world isn’t ready to just give up on a quarter century of lessons learned). So, while it’s clear that the last year has been pretty rocky in CVE-land, we definitely don’t want a return to the bad old days of regional or industry-specific grab bags of unconnected, disparate databases of technical vulnerability intelligence.
On the other end of the spectrum, the update from the National Vulnerability Database (better known as the NVD) was reported pretty bleakly, as the National Institute of Standards and Technology (NIST) continues to struggle with annotating every new CVE. Instead, the NVD has committed to a new prioritization scheme. Of course, we all want to know which CVEs are actually worth knowing about, but the critical (and dare I say, cynical) read is that NVD just keeps losing ground here.
However, I don’t think this winnowing down of the CVE target space is as disastrous as it’s being made out to be. After all, I’m pretty happy with how CISA’s Vulnrichment platform and program has been chugging along, bringing much-needed enrichment and transparency to vulnerabilities. In my opinion, Vulnrichment has already mostly supplanted NIST’s efforts, at least when it comes to first-pass risk ratings when vendors and CNAs don’t step up. In fact, KEVology (to pick a totally random and not-at-all self-serving example) relies on and normalizes around Vulnrichment quite a bit, and I suspect most downstream consumers of broad CVE data are in the same boat.
In the end, getting CVE aligned with this brave new world of supercharged rates of vulnerability disclosure certainly won’t happen by accident, and there’s no one weird trick to fix what’s broken about CVE assignment and management. This will all require real work, beyond mere wishing and talking, but I’m confident that we can rise to the challenge. As a CVE board member, I can promise that I’ll do what I can to make sure that we don’t lose the plot here.
See for yourself
Almost all of the presentations were live streamed and recorded, so I’m very much looking forward to catching some of the talks that were tough to choose between on VulnCon’s three-track agenda. I’ll update this space when those recordings are available, and I’ll bug the organizers to pull that trigger sooner rather than later. There was a ton of good content this year, so I’m excited to share it with runZero’s blog fans.
Next year, VulnCon will take place the immediate week before BSidesSF and RSAC, which hopefully will make international attendance even easier to justify; come for the real vuln talk in Arizona, stay for the ridiculously overproduced expo booth antics one state over in California.