FIRST.org

📰 Maria Korolov, CSO Online covered NIST's major shift in CVE handling announced at #VulnCon26, as the National Vulnerability Database buckles under a 30,000+ backlog and submissions grow 263% since 2020.

FIRST CEO Chris Gibson weighs in on the vulnerability velocity crisis, with FIRST projecting 59,427 CVEs in 2026 and realistic scenarios cracking 100,000 amid the rise of AI-powered discovery tools like Anthropic's Mythos.

Harold Booth, Supervisory Computer Scientist, NIST outlined the agency's pivot to prioritize KEV-listed and critical software CVEs while turning to LLMs, AI agents, and RPA to tackle the backlog.

Jay Jacobs, Co-Founder & Data Scientist, Empirical Security, FIRST EPSS-SIG Co-Chair, CVE Consumer WG Chair shares optimism that AI-driven automation can help NIST keep pace, noting that even if it isn't Mythos, "something is going to come out next week."

Read more: https://go.first.org/9k8UO

#cybersecurity #infosec #VulnerabilityManagement

🎤 Call for Speakers — Now Open! ❄️
Cold Incident Response 2026 is officially accepting talk proposals.

Got blue‑team brilliance to share? Whether it’s incidents, monitoring, detection, engineering, tooling, or hard‑won stories from the trenches, we want to hear it. If the community can learn from it, it belongs on our stage.

Never presented before? No worries. You’ll be speaking to the friendliest crowd in the world—real operational security folks who write their own hunting queries and love practical tips they can use the very next workday.

📅 Submission deadline: July 7 📬 Feedback by: August 15

Ready to bring the heat to cold response? 👉 Submit your proposal: 🔗https://go.first.org/ASews

#technicalcolloquium #incidentresponse

📰 Kevin Poireault, Infosecurity Magazine, sat down with FIRST CEO Chris Gibson at #VulnCon26 in Scottsdale, AZ, unpacking the AI-driven vulnerability tsunami reshaping #VulnerabilityManagement, with mean time to exploit now measured in hours, not weeks.

Gibson makes the case for global collaboration over fragmentation, welcomes ENISA joining CISA and MITRE as a Top-Level Root CNA, and predicts Anthropic and OpenAI will become CVE Numbering Authorities by year-end.

Read more: https://go.first.org/lM4sa

#CVE #CyberDefense #cybersecurity #infosec

We’re heading back to where it all began — Munich. FIRST’s Cyber Threat Intelligence Conference returns next week April 21-23, bringing together experts shaping the future of CTI. 🛡️✨ #FIRSTCTI26 #cyberthreatintelligence #threatintel 🔗https://go.first.org/1OpsO

🎉 The CVE/FIRST #VulnCon26 & Annual CNA Summit has wrapped, and what a week it was.

500+ security professionals from around the world gathered in Scottsdale, AZ to advance the #VulnerabilityManagement ecosystem, with sessions led by leaders from CISA, ENISA, NIST, Google, Microsoft, NVIDIA, Cisco, Dell, and dozens more.

Highlights:
✅ CISA reaffirmed the CVE program as a top agency priority and called on AI companies to play a larger role going forward
✅ CWE is becoming a more integral part of vulnerability disclosure, with root-cause mapping gaining wider adoption
✅ New product launches on the show floor, including Volerion's Vulnerability Intelligence Platform, NetRise Provenance, and a major Red Hat security data overhaul
✅ Key updates from CVE Working Groups, the EPSS SIG, and Women of FIRST

Speaker sessions will be available on-demand for virtual attendees in the FIRST Events app, as well as FIRST's YouTube channel in the coming weeks.

A huge thank you to everyone who attended, presented, sponsored, and supported this event.

This community is what makes the vulnerability management ecosystem stronger!

Read more: https://go.first.org/WabqC

#CyberDefense #cybersecurity #infosec

Our last day in Scottsdale and the momentum is still going strong — this community doesn’t slow down. #VulnCon26🦎✨#CVEProgram #CVSS 🔗https://go.first.org/WWSDp

Afternoon sessions are heating up (and not just because we’re in the desert). #VulnCon26🔥🦎 #CVEProgram #CVSS 🔗https://go.first.org/WWSDp

Coffee in hand, ideas flowing, community buzzing — that’s the #VulnCon26 morning vibe. 🌵✨ #CVEProgram #CVSS 🔗https://go.first.org/WWSDp

Breakouts are buzzing at #VulnCon26 — real talk, real challenges, real solutions. Exactly what this ecosystem needs. 🌵💬#vulnerabilitymanagement #IncidentResponse 🔗https://go.first.org/WWSDp

Help Net Security interviewed Art Manion, Tharros, FIRST Liaison Member, FIRST VRDX-SIG Chair, CVE Board Member, CVE SPWG Chair, on why vulnerability databases keep failing us, and what the community needs to do about it.

Highlights:

- Stop treating this as a data problem, it's first an architecture problem
- There is no minimum set of assertions that can confirm two systems describe the same vulnerability
- CVSS scores are pulling attention away from the harder work of real risk assessment
- 50%+ of vendor names in NVD's CPE data have naming inconsistencies, if you can't identify the product, nothing else matters
- Before writing new specs or building new tools, the community needs shared terms and principles

This research is part of ongoing collaborative work with Jay Jacobs, Co-Founder & Data Scientist, Empirical Security, FIRST EPSS-SIG Co-Chair, CVE Consumer WG Chair.

Catch Art and Jay live at #VulnCon26: 'A Paradigm Shift in Vulnerability Identity: Why Vulnerability Databases Struggle' — April 14, 1:30–2:30 PM MST.

📖 Read the full interview: https://go.first.org/jnofT

#cybersecurity #CVE
#infosec #VulnerabilityManagement

There’s something special about seeing the VM ecosystem come together in one place. #VulnCon26 is where collaboration happens. 🤠🌅 #vulnerabilitymanagement 🔗https://go.first.org/WWSDp

Nothing like Scottsdale views + cybersecurity brainpower. #VulnCon26 is off to a strong start. 🌅✨#vulnerabilitymanagement 🔗https://go.first.org/WWSDp

Kicking off #VulnCon26 in Scottsdale — the VM community is officially in the house! Let’s spark ideas and build something stronger together. 🌵✨ #CVEProgram #CVSS 🔗https://go.first.org/WWSDp

Are you wanting to get involved at #FIRSTCON26? Support our mission and sponsor this unique #cybersecurity community gathering with attendees from all around the world! 💻🌐🔗https://go.first.org/MDaOF #annualconference #incidentresponse #secconf

❄️ Save the Date! ❄️
Cold Incident Response 2026 • Tue Oct 13 – Thu Oct 15 • Oslo, Norway

Hosted by our Norwegian FIRST Teams 🌍

Bundle up, block your calendars, and get ready for three days of cool minds, cold cases studies with warm Nordic hospitality.

🔗https://go.first.org/ASews

#technicalcolloquium #incidentresponse

What if the key to better vulnerability management isn't just patching faster, but understanding why vulnerabilities keep coming back? 🔍

Help Net Security connected with #VulnCon26 speaker Alec Summers, MITRE CVE/CWE Project Lead, Principal Cybersecurity Engineer, and FIRST Member, to explore how CWE mapping is becoming a strategic layer of the vulnerability management stack.

🎤 Catch Alec's upcoming presentations at VulnCon26 next week and read the full Q&A here: https://go.first.org/BZzAf

#CVE #cybersecurity
#infosec #VulnerabilityManagement

Bring your cowboy boots and buckle up, but FIRST register for #FIRSTCON26 🌄🤠🔗https://go.first.org/nQctu

As you may know, Africa is big. The continent comprises 54 countries with extensive linguistic, cultural, and political variation. This can make it difficult to create communities of practise and enable the type of information sharing that are seen in other parts of the world.

In the past two years, the FIRST Africa Regional Liaison (ARL) initiative has directly supported 1,210 cybersecurity professionals, delivered more than 50 targeted initiatives across 33 countries, and maintained sustained engagement with at least 70 Computer Security Incident Response Teams (CSIRTs).

Lawrence Mulchiwa and Eric Akumiah are FIRST's Africa Liaisons and they have told their story in a blog. And it's a big story for a big place.

https://go.first.org/yGL7s

Today (March 25th) is the very last day to book within the #VulnCon26 hotel room block. Future you will be glad you clicked “reserve.” 🌵🏨

🔗https://go.first.org/WWSDp

#LastCall #Scottsdale

You asked, and we delivered (again)! 🎉 The hotel room block for #VulnCon26 has been extended once more—you now have until March 25th to lock in your stay. 🌵🏨 Don’t miss your chance to stay close to all the action! 🔗https://go.first.org/WWSDp

#Scottsdale #RoomBlockExtended

If the POTRAZ/FIRST 2026 Technical Colloquium is on your radar, it’s time to make it official. Secure your spot, pack your curiosity, and get ready for an unforgettable experience. 🌍

Your seat is waiting—go ahead and claim it. 🔗https://go.first.org/aLVgD #ZimbabweTC #FIRSTZimbabweTC

Heading to Munich for #FIRSTCTI26 ❓
Don’t miss the discounted room block—available through March 24th. Click the link to book your stay now ➡️🔗 https://go.first.org/1OpsO

Bring your cowboy boots and buckle up, but FIRST register for #FIRSTCON26 🌄🤠🔗https://go.first.org/nQctu

If you’ve got insights worth sharing (and a passport ready for adventure), consider this your tap on the shoulder. We’re officially opening our call for speakers for the POTRAZ/FIRST 2026 Technical Colloquium. 🌍 #CFS #ZimbabweTC #FIRSTZimbabweTC

Bring your ideas, your expertise, and maybe a little safari spirit. 🔗https://go.first.org/aLVgD

📆Call for Speakers deadline: April 10th

Good news, desert travelers — the room block just got extended! You now have until March 20th to reserve your stay. 🌵🌞🏨🔗https://go.first.org/WWSDp
#VulnCon26 #Scottsdale #RoomBlockExtended

Heading to Munich for #FIRSTCTI26 ❓
Don’t miss the discounted room block—available through March 24th. Click the link to book your stay now ➡️🔗 https://go.first.org/1OpsO

Let's be vulnerable together 🤓 Join us at #VulnCon26 🔗https://go.first.org/syt8W #vulnerabilitymanagement #CVEProgram #CVSS

🌵🤠 Wrangle up! #VulnCon26's early‑bird rate and hotel room block both ride off into the sunset on March 14th. Saddle up and get everything locked in before it’s gone. 🔗https://go.first.org/WWSDp