The Summit was a great success. Thank you to all speakers, all organisations that support this work and to all participants. The presentations are linked below!
| Time | What | Speaker |
|---|---|---|
| 8.30-9.00 | Registration | |
| 9.00-9.30 | Introduction and welcome | Olle E. Johansson |
| 9.30-9.45 | The Sovereign Tech Resilience Program | Tara Tarakiyee |
| 9.45-10.15 | Purl, Actually | Philippe Ombredanne |
| 10.15-10.45 | Break | |
| 10.45-11.20 | Beyond CVE: Reconciling Overlap, Gaps, and Granularity Across Vulnerability Sources | Andrey Lukashenkov |
| 11.20-12.00 | Death by a Thousand Prompts: Can Our Disclosure Standards Survive AI Slop? | Jarek Potiuk |
| 12.00-12.30 | Designing the Hierarchy of Trust: Governance Lessons from a CVE Root and CNA-LR | Yogesh Mittal |
| 12.30-13.30 | Lunch break (sandwiches) | |
| 13.30-14.00 | Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management | Alexandre Dulaunoy |
| 14.00-14.30 | The OpenSSF Open Source Vulnerability database project | Kris Borchers |
| 14.30-15.00 | Using AI For CVE Vulnrichment: The VEX Generation Use Case | Piotr P. Karwasz and Munawar Hafiz |
| 15.00-15.30 | Break with Tea & Coffee | |
| 15.30-16.00 | Panel discussion with all speakers | |
| 16.00-16.30 | Summary | Olle E. Johansson |

Olle is the project leader for the GVIP project. He is also engaged in OWASP CycloneDX, OpenSSF and ORCWG. Olle has long-term experience with Open Source (Asterisk, Kamailio) and works as a consultant in his own company, Edvina. In addition, he is a co-founder of SBOM Europe.
Introduction and welcome
An introduction to the conference and to the ideas behind the Global Vulnerability Intelligence Platform (GVIP) project: why it was created, which organisations are involved and what its goals are.

Tara Tarakiyee is a public-interest technologist working on designing support mechanisms and mobilizing resources to encourage, sustain, and maintain the FOSS ecosystem.
Photo: Maximilian König
The Sovereign Tech Resilience Project
The Sovereign Tech Resilience program takes a holistic approach to protecting critical digital infrastructure. Severe vulnerabilities in open software components have far-reaching consequences, affecting millions of people and impacting software products of all kinds that make use of them. To mitigate these risks and prevent untold damage, it is not enough just to find and fix bugs. We need to take proactive measures to improve the resilience of open digital infrastructure in the face of undiscovered vulnerabilities.

Philippe Ombredanne is a FOSS hacker passionate about enabling easier and safer reuse of open source code. He is the lead maintainer of the AboutCode stack of open source tools for Software Composition Analysis and license and security compliance, including the industry-leading ScanCode, DejaCode, PurlDB, Package-URL, and VulnerableCode. Philippe contributes to other open source projects, including the Linux kernel SPDX-ification, SPDX, ClearlyDefined, strace, ORT, and several Python tools.
PURL, Actually
The Package URL syntax became an ECMA standard during 2025 and it’s time to look into how this fits into the struggle to get SBOMs operational.
Philippe says:
“Well, PURL is all around and so the feeling grows
It’s written on the wind, it’s everywhere you go
So if you really PURL, come on and let it show
Join me for a second look at the problems with vulnerability databases, and how PURL can help some.”
[stolen and damaged from a song by The Troggs: Love is all Around from the movie Love, Actually]

Andrey handles all things revenue, product, and marketing at Vulners – a bootstrapped, profitable company committed to providing an all-in-one vulnerability intelligence platform to the cybersecurity community.
Being naturally curious and having a technical background, he leverages unlimited access to the Vulners database to research various topics related to vulnerability management, prioritization, exploitation, and scoring.
Beyond CVE: Reconciling Overlap, Gaps, and Granularity Across Vulnerability Sources
Vulnerability “databases” increasingly behave less like a single ground truth and more like a federation of partially overlapping views – each optimized for different goals: coordination, enrichment, ecosystem-specific advisories, exploit context, or operational prioritization. This talk maps where the major sources align, where they diverge, and why those discrepancies persist even when everyone is “talking about the same vulnerability.”
We’ll look at overlap and coverage through a practical lens: publication volume dynamics, which fields are consistently present (and which are not), and how enrichment pipelines, curation choices, and timing differences shape what defenders actually see. The core focus is not who is “right,” but how to interpret conflicts, missing data, and duplicate or split records without breaking downstream workflows.
Finally, we’ll dig into the granularity problem: when a single identifier is too coarse (or too fine) to represent real-world risk, how related-vulnerability identification and linkage failures emerge, and what that means for triage, SBOM matching, and remediation coordination. The session ends with a playbook-style view of how to build resilient vuln-intel workflows that survive multi-source reality—without assuming any one feed is complete or consistently timely.

Jarek Potiuk is an Independent Open-Source Contributor and Advisor, Committer and PMC member of Apache Airflow, Member of the Apache Software Foundation, Security Committee Member of the Apache Software Foundation. Organizer of community-focused events, speaker.
Jarek is an engineer with broad experience in many subjects: Open Source, Cloud, Mobile, Robotics, AI, Backend, Developer Experience and Security. He also has a lot of non-engineering experience: building a software house from scratch, being CTO, organizing big international community events, technical sales support, PR and marketing advisory, and the legal aspects of security, licensing, branding and building open-source communities are all under his belt.
With experience in very small and very big companies and everything in between, Jarek found his place in the Open Source world, where his individual-contributor drive can be used to its fullest potential.
Death by a Thousand Prompts: Can Our Disclosure Standards Survive AI Slop?
The infrastructure of vulnerability disclosure is under pressure. What happens when the cost of generating a “plausible-looking” vulnerability report drops to near zero? For professionals used to high-signal environments, the current era of AI-augmented reporting presents a unique threat to the sustainability of the security ecosystem.
This session moves quickly through the history of triage to focus on the now:
- The Triage Burnout: Why traditional “human-in-the-loop” models are failing against synthetic volume.
- Cross-Organizational Trends: A look at how different sectors are “black-holing” AI noise.
- A Call for Consensus: Discussing a unified framework for identifying and dismissing automated slop.
Join us for an interactive discussion aimed at drafting a better way forward. We’ll ask the hard questions: Should AI-generated reports be rejected by default? How do we coordinate this across 3rd-party platforms and independent maintainers?

Yogesh Mittal is a PSIRT Manager at Red Hat, where he specializes in the organizational design of global vulnerability ecosystems. He oversaw Red Hat’s strategic elevation to both a CVE Program Root and CNA-of-Last-Resort (CNA-LR), effectively operationalizing a “safety net” for the open-source supply chain.
As a member of the CVE Program Roots Council, Yogesh plays a central role in defining the hierarchy of trust, ensuring that governance frameworks are robust enough for global enterprises while remaining viable for decentralized communities. He established a collaborative forum for Open Source CNAs to design resilient collaboration models that drive data quality without creating bureaucratic bottlenecks.
Designing the Hierarchy of Trust: Governance Lessons from a CVE Root and CNA-LR
As the EU CRA establishes a continent-wide vulnerability infrastructure, the primary challenge is organizational: how to balance speed with sovereignty across thousands of vendors and national CSIRTs. The risk of creating a centralized bureaucratic bottleneck, a known hurdle for entities like MITRE, is high.
I propose a “Governance Blueprint” for GVIP and the EU, derived from Red Hat’s evolution from a CNA to a Root and CNA-of-Last-Resort (CNA-LR) within the CVE Program. We will explore “what works” and “what doesn’t work” in a federated model.

Kris Borchers is a Technical Project Manager for the OpenSSF who helps drive key open source security initiatives that strengthen software supply chains, advance public-sector engagement, and empower global communities. His work spans vulnerability data, secure-by-design practices, policy collaboration, and academic accreditation, connecting industry, government, and academia.
The OpenSSF Open Source Vulnerability database project
Each year the number of reported vulnerabilities increases, yet the number of upstream developers who participate in the system has not substantially grown. The systems that help support and serve that data have not kept pace with the rapid pace of upstream open source development. Numerous upstream contributors have joined forces to discuss this challenge and to think through how we as a community can enable simpler, better engagement and participation of upstream projects while working to get more high-quality security data shared with the ecosystem. This talk will share a possible path forward for us all to work together to jointly solve this problem. We’ll speak to the proposed project and a set of core capabilities that could be delivered in a neutral, community-focused manner. If you care about open source coordinated vulnerability disclosure and about empowering users of software to have timely, accurate, machine- and human-readable data, then this is the session for you!
Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management
Introducing the open-source Vulnerability Lookup project and the Global Common Vulnerabilities and Exposures (GCVE) initiative, two complementary efforts designed to modernize and decentralize the way vulnerabilities are published, shared, and consumed.

Piotr Karwasz is a Java developer, mathematician, and open source maintainer of Apache Log4j and other Apache Software Foundation projects. Following a major security revamp of his own software triggered by industry and government scrutiny, Piotr now focuses on translating hard-won lessons into scalable practices for the open source ecosystem. He is an active contributor to the ASF Security Committee and the ECMA TC54 committee, where he works to advance security standards and improve vulnerability handling across open source projects.

Munawar Hafiz is a leading expert in software supply chain security and the founder of OpenRefactory, Inc. Building on a career of pioneering academic research in automated bug fixing, Munawar now focuses on providing Actionable Risk Intelligence for the modern software ecosystem. His vision is to move the industry beyond mere detection by leveraging that foundational expertise in code repair to bridge the gap between identifying risks and deploying fixes.
Using AI For CVE Vulnrichment: The VEX Generation Use Case
Vulnerability records vary widely in quality, reflecting differences in reporter expertise and the tension between usefulness and over-disclosure. This makes systematic enrichment (“vulnriching”) necessary to support automated security workflows.
In this talk, we focus on using enriched vulnerability data to automatically assess the reachability of third-party vulnerabilities in real software and to produce structured Vulnerability Exploitability eXchange (VEX) statements. A major gap in both government-backed (e.g., NVD, EUVD) and industry-backed (e.g., GHSA, OSV) datasets is precise root-cause information, such as the affected method or function (programRoutines in the CVE schema).
We describe an AI-assisted pipeline that extracts this missing root-cause information from CVE references to automate quality checks and enrich records. On a set of 102 recent CVEs spanning multiple ecosystems, we successfully generated actionable root-cause data for 97 of them, demonstrating the feasibility and impact of automated vulnriching for vulnerability analysis and VEX production.
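As an added illustration of the reachability-to-VEX step described above (example code, not the speakers' pipeline or tooling), the block below takes a constructed CVE 5.x record whose programRoutines field has already been filled in, walks a constructed call-graph of the consuming application, and emits a CycloneDX-style VEX analysis; the record contents, routine names, call-graph and the placeholder CVE id are all assumptions.

```python
# Added example (not the speakers' pipeline): turn an enriched CVE 5.x record,
# whose affected[].programRoutines names the vulnerable function, into a
# CycloneDX-style VEX 'analysis' by checking reachability in a call-graph.
# The record, the routine names and the call-graph are constructed sample data.

CVE_RECORD = {  # constructed; placeholder id
    "cveMetadata": {"cveId": "CVE-0000-00000"},
    "containers": {"cna": {"affected": [{
        "vendor": "example", "product": "example-lib",
        "programRoutines": [{"name": "com.example.lib.Parser.parseUntrusted"}],
    }]}},
}

# Constructed call-graph of the consuming application: caller -> callees.
CALL_GRAPH = {
    "app.Main.main": ["app.Service.handle"],
    "app.Service.handle": ["com.example.lib.Parser.parseSafe"],
    "com.example.lib.Parser.parseSafe": [],
    "com.example.lib.Parser.parseUntrusted": [],  # present in the lib, never called
}

def vulnerable_routines(record):
    """Every routine the CVE record names as the root cause."""
    return {r["name"]
            for a in record["containers"]["cna"].get("affected", [])
            for r in a.get("programRoutines", [])}

def reachable_from(graph, entry):
    """Depth-first walk of the call-graph from an entry point."""
    seen, stack = set(), [entry]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, []))
    return seen

def vex_analysis(record, graph, entry):
    """CycloneDX 'analysis' object: only claim not_affected when the record
    actually names routines and none of them is reachable from the entry."""
    routines = vulnerable_routines(record)
    if not routines:  # unenriched record: reachability cannot be decided
        return {"state": "in_triage", "detail": "no programRoutines in record"}
    hit = sorted(routines & reachable_from(graph, entry))
    if hit:
        return {"state": "exploitable", "detail": "reachable: " + ", ".join(hit)}
    return {"state": "not_affected", "justification": "code_not_reachable",
            "detail": "no vulnerable routine reachable from " + entry}
```

A record without programRoutines deliberately stays in_triage, which is the gap the talk's enrichment step is meant to close.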
