Michael Morris writes:
'This year’s VulnCon conference painted a clear picture: the global vulnerability ecosystem is undergoing a very significant transformation. Government agencies, major software vendors, open‑source advocates, and security teams all converged around a shared message — the volume of CVEs is exploding, AI is reshaping both attack and defence, and the future depends on quality, context, and automation.
Below is a short recap of the major themes and takeaways.
A Shift Toward Quality and Federation
CISA, ENISA, and NIST all emphasised the need to focus on evolving in a way that emphasises data quality, context, and shared responsibility.
CISA highlighted that the CVE Program is stable, funded, and entering a “quality phase,” noting that “feedback during the turbulent year has been very valuable.” ENISA reinforced its commitment to interoperability with CISA whilst fulfilling its mandate from the EU commission and EU members.
NIST, facing a growing backlog, announced stricter prioritisation — focusing on KEV, government‑used software, and critical systems — and confirmed that CVEs created before 1st March 2026 won’t be enriched. Their long‑term goal: encourage CNAs to produce higher‑quality CVEs so less enrichment is needed.
The trend is unmistakable: a federated model, where responsibility is distributed across CISA, ENISA, CNAs, and industry partners.
AI Takes Centre Stage
AI was a dominant theme across sessions. Organisations showcased tools that automate triage, prioritization, VEX generation, and patch backporting.
- Nvidia presented automated VEX generation and embedding VEX directly into OCI containers.
- Phoenix Security showcased Phoenix Blue for prioritization of vulnerabilities.
- root.io showed how AI can backport patches safely, avoiding the “just upgrade everything” approach they compared to “eating burgers off the street”.
The message was clear: AI is no longer experimental — it’s essential for scale.
Backporting Is an Important Strategy
With supply‑chain attacks rising and dependency chains growing more fragile, backporting vulnerability fixes is an important way to mitigate the risks. Many organisations can’t simply “take the latest version” due to breaking changes or unreleased fixes.
AI‑assisted backporting is emerging as a practical, scalable solution. A root.io demo showed how AI can isolate fixes, adapt them to previous code versions, and validate patches.
Prioritisation: Beyond CVSS
The community widely agreed that CVSS alone is no longer enough. New approaches are gaining traction:
- EPSS for exploit prediction
- Phoenix Blue for multi‑source risk aggregation
- Contextual CVSS
- Vendor‑supplied context via SADP and VEX
The goal is to help defenders focus on what truly matters, especially as exploitation windows shrink to minutes.
VEX: Useful but Still Maturing
VEX (Vulnerability Exploitability eXchange) is seen as a powerful way to reduce noise by clarifying whether a CVE actually affects a product. But adoption challenges remain:
- inconsistent formats
- limited scanner support
- difficulty distributing VEX at scale
Nvidia’s approach — embedding VEX directly in containers — and the SADP pilot — adding vendor context into CVEs — show promising paths forward.
Key Takeaways for Organisations
The conference made it clear that defenders must evolve quickly:
- Automate CVE triage and prioritization wherever possible
- Explore AI‑assisted tooling, to meet the challenges of scale
- Adopt richer prioritisation models that incorporate context, exploitability, and vendor data
- Prepare for a surge in CVEs as AI accelerates vulnerability discovery
The organisations that thrive will be those that embrace automation, context, and collaboration.'
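The VEX and prioritisation themes in the recap above (using vendor VEX statements to drop findings that do not actually affect a product, then ranking what remains on more than CVSS) can be made concrete with a small triage routine. The Python below is an added illustration, not code from Michael Morris, VulnCon, or any of the tools named in the recap; the OpenVEX-style document, the placeholder CVE identifiers, the product purl, the EPSS probabilities and the KEV membership are all constructed, and the ranking rule (known-exploited first, then EPSS, then CVSS as a tie-break) is one simple choice rather than Phoenix Blue's or any vendor's model.

```python
import json
from dataclasses import dataclass

# --- Constructed inputs (placeholders, not real vulnerability data) -------------------

# An OpenVEX-style statement list as a vendor might ship alongside (or inside) a container
# image. The CVE identifiers, product purl and timestamp are made up for this example.
PRODUCT = "pkg:oci/demo-app@sha256:placeholder"
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/demo-1",
    "author": "Example Vendor (constructed)",
    "timestamp": "2026-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": PRODUCT}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
        # A not_affected claim with no justification: deliberately not trusted below.
        {"vulnerability": {"name": "CVE-0000-0006"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected"},
    ],
})


@dataclass(frozen=True)
class Finding:
    """One row of scanner output: a CVE matched against a product, with its CVSS base score."""
    cve: str
    product: str
    cvss: float


# Constructed scanner findings for the same product.
FINDINGS = [
    Finding("CVE-0000-0001", PRODUCT, 9.8),
    Finding("CVE-0000-0002", PRODUCT, 7.5),
    Finding("CVE-0000-0003", PRODUCT, 5.3),
    Finding("CVE-0000-0004", PRODUCT, 9.1),
    Finding("CVE-0000-0005", PRODUCT, 6.5),
    Finding("CVE-0000-0006", PRODUCT, 4.0),
]

# Constructed enrichment: EPSS probabilities (0..1) and a KEV-style "known exploited" set.
EPSS = {"CVE-0000-0003": 0.02, "CVE-0000-0004": 0.10, "CVE-0000-0005": 0.70, "CVE-0000-0006": 0.01}
KEV = {"CVE-0000-0005"}

# VEX statuses that let a defender drop a finding from the work queue.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def load_vex_statuses(vex_json: str) -> dict:
    """Return {(cve, product): status} from an OpenVEX-style document.

    A not_affected statement without a justification is ignored: it carries no evidence,
    so the finding stays visible rather than being silently hidden.
    """
    statuses = {}
    for stmt in json.loads(vex_json).get("statements", []):
        status = stmt.get("status")
        if status == "not_affected" and not stmt.get("justification"):
            continue
        for prod in stmt.get("products", []):
            # OpenVEX 0.2 writes products as {"@id": purl}; older documents used bare strings.
            prod_id = prod["@id"] if isinstance(prod, dict) else prod
            statuses[(stmt["vulnerability"]["name"], prod_id)] = status
    return statuses


def apply_vex(findings, statuses):
    """Keep only findings the VEX document does not mark not_affected or fixed."""
    return [f for f in findings if statuses.get((f.cve, f.product)) not in SUPPRESSING_STATUSES]


def rank_by_cvss_only(findings):
    """The baseline the recap argues is no longer enough: highest CVSS first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def triage(findings, vex_json, epss, kev):
    """Filter with VEX, then rank: known-exploited first, then EPSS, then CVSS as tie-break."""
    remaining = apply_vex(findings, load_vex_statuses(vex_json))
    ordered = sorted(remaining, key=lambda f: (f.cve in kev, epss.get(f.cve, 0.0), f.cvss),
                     reverse=True)
    return [f.cve for f in ordered]


if __name__ == "__main__":
    print("CVSS only        :", rank_by_cvss_only(FINDINGS))
    print("VEX + EPSS + KEV :", triage(FINDINGS, VEX_DOC, EPSS, KEV))
```

Run stand-alone, the CVSS-only ranking puts the two highest-scored CVEs first even though the vendor has stated one is not reachable and the other is already fixed; the VEX-aware ranking removes both and promotes the lower-CVSS CVE that is actually known to be exploited. The unjustified not_affected statement is kept in the queue on purpose, which is the kind of consumer-side check that matters while VEX formats and scanner support are still maturing.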