The CVE funding disruption exposed a single point of failure in the infrastructure that underpins global vulnerability management. In this Help Net Security interview, ENISA's Nuno Rodrigues Carvalho, #VulnCon26 speaker, breaks down what needs to change.

📖 Read more: https://go.first.org/bSrxK

#CyberDefense #cybersecurity #CVE

Coordinated vulnerability disclosure is now an EU obligation, but cultural change takes time - Help Net Security

ENISA's Nuno Carvalho on CVE program risks, EU regulatory enforcement, and building a distributed vulnerability disclosure ecosystem.

Help Net Security

New on the FIRST blog: Jenn Gile, Co-Founder of OpenSourceMalware and #VulnCon26 speaker, on why malicious open source packages don't fit the traditional vulnerability intelligence model.

The response motion looks familiar. A malicious package appears in a public registry, a record lands in OSV, tools fire an alert, and someone opens a ticket. But the data and the playbook don't actually match the threat.

πŸ” Vulnerabilities are passive. They wait to be exploited.
⚑ Malicious packages are active. They execute on install.
πŸ”§ Vulnerabilities have a fixed version.
🚫 Malicious packages ARE the latest version.

That mismatch leaves three investigative gaps vulnerability databases weren't built to fill:

📦 Payload: what the malware did and which files were affected.
👀 Threat actor: C2 infrastructure and accounts reused across campaigns.
🔗 Campaign: how one package connects to broader activity.

Case in point: the axios account takeover on March 30, 2026. OSV surfaces three IOCs. The campaign has at least nine, two of them shared with other malicious assets.

Jenn's argument: malicious packages need their own intelligence track, built around a different set of questions.

📖 Read more: https://go.first.org/BwFfv

#cybersecurity #infosec #VulnerabilityManagement

Malicious Packages Don't Fit the Vulnerability Intelligence Model

Malicious open source packages and software vulnerabilities may look alike on the surface, but they demand entirely different response playbooks. Treating a malicious npm or PyPI package like a CVE leaves critical questions unanswered: what did it execute, where did it phone home, and what campaign is it part of? Purpose-built malicious package intelligence infrastructure is needed to answer those questions.

FIRST — Forum of Incident Response and Security Teams

RE: https://infosec.exchange/@firstdotorg/116416280520631164

Thank you to everyone who attended #VulnCon26!

We’re already looking forward to next year!

📰 Maria Korolov, CSO Online covered NIST's major shift in CVE handling announced at #VulnCon26, as the National Vulnerability Database buckles under a 30,000+ backlog and submissions grow 263% since 2020.

FIRST CEO Chris Gibson weighs in on the vulnerability velocity crisis, with FIRST projecting 59,427 CVEs in 2026 and realistic scenarios cracking 100,000 amid the rise of AI-powered discovery tools like Anthropic's Mythos.

Harold Booth, Supervisory Computer Scientist, NIST outlined the agency's pivot to prioritize KEV-listed and critical software CVEs while turning to LLMs, AI agents, and RPA to tackle the backlog.

Jay Jacobs, Co-Founder & Data Scientist, Empirical Security, FIRST EPSS-SIG Co-Chair, CVE Consumer WG Chair shares optimism that AI-driven automation can help NIST keep pace, noting that even if it isn't Mythos, "something is going to come out next week."

Read more: https://go.first.org/9k8UO

#cybersecurity #infosec #VulnerabilityManagement

NIST cuts down CVE analysis amid vulnerability overload

The agency will only add enrichment details to CVEs in limited cases going forward, prioritizing known exploited flaws and vaguely defined ‘critical software.’

CSO Online

📰 Kevin Poireault, Infosecurity Magazine, sat down with FIRST CEO Chris Gibson at #VulnCon26 in Scottsdale, AZ, unpacking the AI-driven vulnerability tsunami reshaping #VulnerabilityManagement, with mean time to exploit now measured in hours, not weeks.

Gibson makes the case for global collaboration over fragmentation, welcomes ENISA joining CISA and MITRE as a Top-Level Root CNA, and predicts Anthropic and OpenAI will become CVE Numbering Authorities by year-end.

Read more: https://go.first.org/lM4sa

#CVE #CyberDefense #cybersecurity #infosec

FIRST CEO Calls for CVE Collaboration amid AI Vulnerability Tsunami

FIRST CEO Chris Gibson urged global CVE collaboration and integrating AI companies to combat automated cyber threats

Infosecurity Magazine

🎉 The CVE/FIRST #VulnCon26 & Annual CNA Summit has wrapped, and what a week it was.

500+ security professionals from around the world gathered in Scottsdale, AZ to advance the #VulnerabilityManagement ecosystem, with sessions led by leaders from CISA, ENISA, NIST, Google, Microsoft, NVIDIA, Cisco, Dell, and dozens more.

Highlights:
✅ CISA reaffirmed the CVE program as a top agency priority and called on AI companies to play a larger role going forward
✅ CWE is becoming a more integral part of vulnerability disclosure, with root-cause mapping gaining wider adoption
✅ New product launches on the show floor, including Volerion's Vulnerability Intelligence Platform, NetRise Provenance, and a major Red Hat security data overhaul
✅ Key updates from CVE Working Groups, the EPSS SIG, and Women of FIRST

Speaker sessions will be available on-demand for virtual attendees in the FIRST Events app, as well as FIRST's YouTube channel in the coming weeks.

A huge thank you to everyone who attended, presented, sponsored, and supported this event.

This community is what makes the vulnerability management ecosystem stronger!

Read more: https://go.first.org/WabqC

#CyberDefense #cybersecurity #infosec

Our last day in Scottsdale and the momentum is still going strong — this community doesn’t slow down. #VulnCon26 🦎✨ #CVEProgram #CVSS 🔗 https://go.first.org/WWSDp
CVE Program & FIRST VulnCon 2026

Save the Date: CVE/FIRST VulnCon 2026 & Annual CNA Summit - Scottsdale (US), April 13–16, 2026

FIRST — Forum of Incident Response and Security Teams

Day 4 of “CVE/FIRST VulnCon 2026” is here!

Today’s agenda for all 3 tracks: https://first.org/conference/vulncon26/program#d20260416

#vulnerabilitymanagement #vulnerability #cve #first #vulncon26

Day 4 of “CVE/FIRST VulnCon 2026” is here!

Today’s agenda for all 4 tracks: https://first.org/conference/vulncon26/program#d20260416

#vulnerabilitymanagement #vulnerability #cve #first #cwe #vulncon26

Afternoon sessions are heating up (and not just because we’re in the desert). #VulnCon26 🔥🦎 #CVEProgram #CVSS 🔗 https://go.first.org/WWSDp