The agenda is growing day by day. We’re going to have an amazing day. Register today!

Please come back to check for updates or follow us on LinkedIn!

We reserve the right to change the agenda at any point.

Time | What | Speaker
--- | --- | ---
8.30-9.00 | Registration |
9.00-9.30 | Introduction and welcome | Olle E. Johansson
9.30-9.45 | The Sovereign Tech Resilience Program | Tara Tarakiyee
9.45-10.15 | PURL, Actually | Philippe Ombredanne
10.15-10.45 | Break |
10.45-11.20 | Beyond CVE: Reconciling Overlap, Gaps, and Granularity Across Vulnerability Sources | Andrey Lukashenkov
11.20-12.00 | Death by a Thousand Prompts: Can Our Disclosure Standards Survive AI Slop? | Jarek Potiuk
12.00-12.30 | Designing the Hierarchy of Trust: Governance Lessons from a CVE Root and CNA-LR | Yogesh Mittal
12.30-13.30 | Lunch break (sandwiches) |
13.30-14.00 | Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management | Alexandre Dulaunoy
14.00-14.30 | The OpenSSF Open Source Vulnerability database project | Kris Borchers
14.30-15.00 | Vulnrichment in the Apache project – the common VEX generation toolset | Piotr P. Karwasz and Munawar Hafiz
15.00-15.30 | Break with Tea & Coffee |
15.30-16.00 | TBD |
16.00-16.30 | Summary | Olle E. Johansson

Olle E. Johansson

Olle is the project leader for the GVIP project. He is also engaged in OWASP CycloneDX, OpenSSF and ORCWG. Olle has long-term experience with Open Source (Asterisk, Kamailio) and works as a consultant in his own company, Edvina. In addition, he is a co-founder of SBOM Europe.

Introduction and welcome

An introduction to the conference and to the ideas behind the Global Vulnerability Intelligence Platform (GVIP) project: why it was created, which organisations are involved and what its goals are.

Tara Tarakiyee is a public-interest technologist working on designing support mechanisms and mobilizing resources to encourage, sustain, and maintain the FOSS ecosystem.

The Sovereign Tech Resilience Program

The Sovereign Tech Resilience program takes a holistic approach to protecting critical digital infrastructure. Severe vulnerabilities in open software components have far-reaching consequences, affecting millions of people and impacting software products of all kinds that make use of them. To mitigate these risks and prevent untold damage, it is not enough just to find and fix bugs. We need to take proactive measures to improve the resilience of open digital infrastructure in the face of undiscovered vulnerabilities.

Philippe Ombredanne is a FOSS hacker passionate about enabling easier and safer reuse of open source code. He is the lead maintainer of the AboutCode stack of open source tools for Software Composition Analysis and license and security compliance, including the industry-leading ScanCode, DejaCode, PurlDB, Package-URL, and VulnerableCode. Philippe contributes to other open source projects, including the Linux kernel SPDX-ification, SPDX, ClearlyDefined, strace, ORT, and several Python tools.

PURL, Actually

The Package URL syntax became an ECMA standard during 2025, and it’s time to look into how this fits into the struggle to get SBOMs operational.

Philippe says:

Well, PURL is all around and so the feeling grows
It’s written on the wind, it’s everywhere you go
So if you really PURL, come on and let it show

Join me for a second look at the problems with vulnerability databases, and how PURL can help some.

[stolen and damaged from a song by The Troggs: Love is all Around from the movie Love, Actually]

Andrey Lukashenkov, Vulners

Andrey handles all things revenue, product, and marketing at Vulners – a bootstrapped, profitable company committed to providing an all-in-one vulnerability intelligence platform to the cybersecurity community.

Being naturally curious and having a technical background, he leverages unlimited access to the Vulners database to research various topics related to vulnerability management, prioritization, exploitation, and scoring.

Beyond CVE: Reconciling Overlap, Gaps, and Granularity Across Vulnerability Sources

Vulnerability “databases” increasingly behave less like a single ground truth and more like a federation of partially overlapping views – each optimized for different goals: coordination, enrichment, ecosystem-specific advisories, exploit context, or operational prioritization. This talk maps where the major sources align, where they diverge, and why those discrepancies persist even when everyone is “talking about the same vulnerability.”

We’ll look at overlap and coverage through a practical lens: publication volume dynamics, which fields are consistently present (and which are not), and how enrichment pipelines, curation choices, and timing differences shape what defenders actually see. The core focus is not who is “right,” but how to interpret conflicts, missing data, and duplicate or split records without breaking downstream workflows.

Finally, we’ll dig into the granularity problem: when a single identifier is too coarse (or too fine) to represent real-world risk, how related-vulnerability identification and linkage failures emerge, and what that means for triage, SBOM matching, and remediation coordination. The session ends with a playbook-style view of how to build resilient vuln-intel workflows that survive multi-source reality—without assuming any one feed is complete or consistently timely.

Jarek Potiuk, Apache Software Foundation

Jarek Potiuk is an independent open-source contributor and advisor, a committer and PMC member of Apache Airflow, a member of the Apache Software Foundation and a member of its Security Committee. He is also an organizer of community-focused events and a speaker.

Jarek is an engineer with broad experience in many subjects: open source, cloud, mobile, robotics, AI, backend, developer experience and security. He also has a lot of non-engineering experience under his belt: building a software house from scratch, being CTO, organizing big international community events, technical sales support, PR and marketing advisory, and looking at the legal aspects of security, licensing, branding and building open-source communities.
With experience in very small and very big companies and everything in between, Jarek found his place in the Open Source world, where his internal individual-contributor drive can be used to its full potential.

Death by a Thousand Prompts: Can Our Disclosure Standards Survive AI Slop?

The infrastructure of vulnerability disclosure is under pressure. What happens when the cost of generating a “plausible-looking” vulnerability report drops to near zero? For professionals used to high-signal environments, the current era of AI-augmented reporting presents a unique threat to the sustainability of the security ecosystem.
This session moves quickly through the history of triage to focus on the now:

  • The Triage Burnout: Why traditional “human-in-the-loop” models are failing against synthetic volume.
  • Cross-Organizational Trends: A look at how different sectors are “black-holing” AI noise.
  • A Call for Consensus: Discussing a unified framework for identifying and dismissing automated slop.

Join us for an interactive discussion aimed at drafting a better way forward. We’ll ask the hard questions: Should AI-generated reports be rejected by default? How do we coordinate this across third-party platforms and independent maintainers?

Yogesh Mittal, Red Hat

Yogesh Mittal is a PSIRT Manager at Red Hat, where he specializes in the organizational design of global vulnerability ecosystems. He oversaw Red Hat’s strategic elevation to both a CVE Program Root and CNA-of-Last-Resort (CNA-LR), effectively operationalizing a “safety net” for the open-source supply chain.

As a member of the CVE Program Roots Council, Yogesh plays a central role in defining the hierarchy of trust, ensuring that governance frameworks are robust enough for global enterprises while remaining viable for decentralized communities. He established a collaborative forum for Open Source CNAs to design resilient collaboration models that drive data quality without creating bureaucratic bottlenecks.

Designing the Hierarchy of Trust: Governance Lessons from a CVE Root and CNA-LR

As the EU CRA establishes a continent-wide vulnerability infrastructure, the primary challenge is organizational: how to balance speed with sovereignty across thousands of vendors and national CSIRTs. The risk of creating a centralized bureaucratic bottleneck, a known hurdle for entities like MITRE, is high.

I propose a “Governance Blueprint” for GVIP and the EU, derived from Red Hat’s evolution from a CNA to a Root and CNA-of-Last-Resort (CNA-LR) within the CVE Program. We will explore “what works” and “what doesn’t work” in a federated model.

Alexandre Dulaunoy, CIRCL

Alexandre Dulaunoy, Security Researcher and Head of CIRCL

Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management

Introducing the open-source Vulnerability Lookup project and the Global Common Vulnerabilities and Exposures (GCVE) initiative, two complementary efforts designed to modernize and decentralize the way vulnerabilities are published, shared, and consumed.