Navigating the Volatile Vulnerability Landscape: Strategies for Resilience

Description

The global vulnerability disclosure ecosystem is in a state of flux. With the US-centric CVE program facing funding challenges and the NVD grappling with persistent backlogs, traditional intelligence sources are under immense strain. This talk will dissect these critical issues and their direct impact on AppSec professionals, who are increasingly challenged by the need for accurate prioritization and timely responses. We will then pivot to explore the rising influence of global players, such as ENISA, and other alternative vulnerability databases, analyzing their strengths, weaknesses, and the implications of this fragmented landscape. Attendees will leave with actionable strategies to diversify their intelligence sources, prioritize effectively beyond raw scores, and leverage new tools to build more resilient AppSec programs in this evolving environment.

Jerry Gamblin

Jerry Gamblin is a Principal Engineer in the Threat Detection & Response business group at Cisco Security, where he leads research and data science initiatives to enhance Cisco Security products. He is actively involved in the CVE community, participating in various working groups and serving as a member of the EPSS SIG. He regularly speaks on vulnerabilities and vulnerability management at international conferences and manages a CVE data collection site at CVE.ICU.