Thought Leadership
Apr 17, 2026

HeroDevs at VulnCon 2026

A Recap of our time at VulnCon 2026 Including Updates to Open Source Vulnerability Management, Current CVE Program Scaling, and the Impact of AI


VulnCon is an annual conference that brings together cybersecurity specialists from around the world. HeroDevs attended this year’s conference with a focus on how vulnerabilities affect the Open Source community.

VulnCon 2026 made a few things hard to miss. The CVE program is expanding, but federal enrichment is becoming more selective. International participation is growing, and AI will only increase the volume of disclosures and the pressure on the systems that process them.

International Support for the CVE Program

The keynote featured Lindsey Cerkovnik from CISA and Nuno Rodrigues Carvalho from ENISA. CISA is America’s Cyber Defense agency, the primary sponsor of the CVE Program, and a Top-Level CVE Numbering Authority (CNA). ENISA is the EU’s Cybersecurity Agency. On November 20th, 2025, ENISA became a Root-Level CNA.

Their message was straightforward: the CVE program has to become more interoperable if it is going to continue to scale. As reported by Infosecurity Magazine, ENISA is being onboarded by CISA to become a Top-Level Root CNA to help fulfill that mission. Today, the only other Top-Level Root CNAs are MITRE (creator of the CVE Program) and CISA.

NVD Enrichment Backlog Bankruptcy

High-quality CVE records contain more than a description and a list of references. They also include machine-readable product identifiers that help consumers match vulnerabilities to their products, along with severity data (CVSS) and weakness data (CWE). Historically, NIST's National Vulnerability Database (NVD) added that enrichment. The work is not fully automated, and the backlog has grown into the tens of thousands.

On April 15th, NVD announced it will move all backlogged CVEs into the 'Not Scheduled' enrichment category. There are now more than 100,000 CVEs in that category.

U.S. Federal CVE Enrichment Moving Forward

Going forward, NVD will prioritize only three categories of CVEs for enrichment:

  1. CVEs on the Known Exploited Vulnerabilities (KEV) Catalog,
  2. CVEs for software used within the federal government, or
  3. CVEs for critical software as defined by Executive Order 14028.

At VulnCon, NIST's project manager for NVD re-affirmed that the program is committed to this prioritization.

NVD is not the only U.S. government agency providing CVE enrichment. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) operates the Vulnrichment program, enriching high-risk CVEs with CVSS and CWE data. CISA also explored CPE enrichment, but that effort ended in December 2024.
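To make the enrichment gap concrete, here is an added Python example (not HeroDevs' code) that checks CVE records for the three enrichment facets named above, CPE, CVSS and CWE, and flags the records that fall outside NVD's KEV priority and therefore need local enrichment. The NVD API 2.0 record layout and the KEV subset are assumptions; the sample records are constructed.

```python
"""Triage which CVE records a team must enrich itself, now that NVD
prioritizes only KEV, federal-use and EO 14028 critical software.
Constructed example, not HeroDevs' code; assumes the NVD API 2.0 layout."""
from dataclasses import dataclass, field

KEV_IDS = {"CVE-2024-0001"}  # constructed KEV subset; load CISA's KEV JSON in practice


@dataclass
class Triage:
    cve_id: str
    missing: list[str] = field(default_factory=list)
    nvd_priority: bool = False  # on KEV, so NVD still plans to enrich it

    @property
    def needs_local_enrichment(self) -> bool:
        return bool(self.missing) and not self.nvd_priority


def has_cpe(cve: dict) -> bool:  # any configurations[].nodes[].cpeMatch[].criteria
    return any(m.get("criteria") for cfg in cve.get("configurations", [])
               for node in cfg.get("nodes", []) for m in node.get("cpeMatch", []))


def has_cvss(cve: dict) -> bool:  # any CVSS v3.0 / v3.1 / v4.0 metric block
    metrics = cve.get("metrics", {})
    return any(metrics.get(k) for k in ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30"))


def has_cwe(cve: dict) -> bool:  # real CWE id only; NVD-CWE-noinfo/Other placeholders do not count
    return any(d.get("value", "").startswith("CWE-")
               for w in cve.get("weaknesses", []) for d in w.get("description", []))


def triage(cve: dict) -> Triage:
    t = Triage(cve["id"], nvd_priority=cve["id"] in KEV_IDS)
    for name, check in (("CPE", has_cpe), ("CVSS", has_cvss), ("CWE", has_cwe)):
        if not check(cve):
            t.missing.append(name)
    return t


def triage_all(records: list[dict]) -> dict[str, Triage]:
    return {t.cve_id: t for t in map(triage, records)}


# Constructed records: a KEV entry lacking CPE, an empty backlog-style record,
# and one carrying only an NVD placeholder weakness.
SAMPLE_RECORDS = [
    {"id": "CVE-2024-0001", "configurations": [],
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
     "weaknesses": [{"description": [{"value": "CWE-787"}]}]},
    {"id": "CVE-2026-0002", "configurations": [], "metrics": {}, "weaknesses": []},
    {"id": "CVE-2026-0003", "configurations": [], "metrics": {},
     "weaknesses": [{"description": [{"value": "NVD-CWE-noinfo"}]}]},
]
```

Records that come back with `needs_local_enrichment` set are the ones where a defender cannot wait on NVD for product identifiers, severity, or weakness data.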

The Quality Era of CVE

The phrase "Quality Era" came up repeatedly at VulnCon. It means better CVE records, but it also means better governance. Accurate CWE mappings, usable product identifiers, and reliable CVSS scoring are part of it. So is broader participation across the CVE ecosystem.

That broader participation matters. Lindsey Cerkovnik announced that Open Source is one of three key partnership areas for 2026. She also explained that the next phase of federation for the CVE program runs through Root CNAs. For HeroDevs, that is an important shift. It creates a clearer path for Open Source, including End-Of-Life software that modern applications still depend on, to be represented more consistently in how vulnerabilities are cataloged, scored, and surfaced to defenders.

The AI Cybersecurity Tidal Wave

AI showed up in talk after talk, and in plenty of hallway conversations. Some speakers used the topic to reinforce a basic point: AI systems are still software systems, and they should be held to the same security expectations. Jonathan Spring's talk, "AI Systems Are Software Systems," made that case directly. Other sessions focused on the operational upside, including using AI to scale vulnerability triage at Salesforce and using AI agents to assemble context for more accurate reporting at Kraken.

The bigger takeaway was hard to miss. AI is going to increase both the volume of security work and the tools available to process it. That will help, but it will also put more pressure on the quality of the underlying vulnerability data.

Supply Chains and Malware Campaigns

HeroDevs’ Chief Architect, David Welch, presented on Supply Chains and Malware Campaigns. The discussion examined recent Open Source supply chain attacks, including the ones affecting XZ Utils, Trivy, and LiteLLM. The panel highlighted ambiguity in CNA Operational Rule 4.1.9, which resulted in some packages affected by these attacks being issued CVEs (LiteLLM) while others were not.

What This Means for the Software You Depend On

If you rely on Open Source Software, especially software that has outlived upstream support, the shifts in federal vulnerability enrichment matter. Well-maintained projects are more likely to stay visible in advisory and tooling pipelines because large CNAs such as GitHub are publishing CVEs at real scale. Once maintainers move on, that process often breaks down. Advisories may never get filed, affected-version ranges stop getting updated as branches reach EOL, and defenders lose the context they need to act quickly.

At HeroDevs, this is the gap we spend our time on. When maintainers move on, the exposure does not disappear. Someone still has to track vulnerabilities, backport fixes, and keep enrichment and triage work moving. That is work HeroDevs is already doing as a CNA by providing drop-in replacements for EOL Open Source Software. If you're running software that has outlived its upstream, or you're trying to understand how these changes affect your vulnerability program, we're here to help.

Author
Edward Ezekiel
Senior Engineer