SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

FIRST conference highlights AI & CVE disclosure push

Fri, 17th Apr 2026

FIRST has wrapped up CVE/FIRST VulnCon 2026 and the Annual CNA Summit in Scottsdale. The four-day event drew more than 500 attendees from across the vulnerability management and cybersecurity sectors.

Security professionals, researchers and policymakers gathered to discuss vulnerability disclosure, CVE quality, exploit prediction, coordinated disclosure and the security implications of artificial intelligence. Speakers represented organisations including CISA, ENISA, NIST, Google, Microsoft, NVIDIA, Dell and Cisco.

Discussion also focused on the Common Weakness Enumeration framework and its expanding role in vulnerability disclosure. Alec Summers, CVE/CWE Project Lead and Principal Cybersecurity Engineer at MITRE, said organisations increasingly want more detail on the underlying causes of software flaws, not just confirmation that a vulnerability exists.

"What's changed is that CWE is now becoming a more integral part of vulnerability disclosure itself, as the value of transparent root-cause mapping is more widely appreciated. Simply knowing that a vulnerability exists isn't enough; teams need to understand why it exists in order to prioritize, remediate, and prevent recurrence," Summers said.

Another issue raised at the conference was the direction of the CVE programme. FIRST said Lindsey Cerkovnik, chief of CISA's Vulnerability Response & Coordination Branch, described the programme as a priority for the agency and urged AI companies to play a larger role as artificial intelligence tools become more important in identifying vulnerabilities.

Product launches

Alongside discussions of policy and standards, several companies used the event to introduce new security products and data initiatives. Announcements included Volerion's Vulnerability Intelligence Platform, NetRise Provenance and Red Hat's overhaul of its security data with updated CSAF and VEX information.

Volerion presented its platform as a system for graph-based CVE analysis and workflow integrations. NetRise said Provenance maps open-source contributor risk across enterprise software and connected devices. Red Hat outlined changes intended to improve the structure and availability of software security advisory data.

The agenda also included updates from several CVE working groups and FIRST special interest groups, covering CVE quality, coordinated vulnerability disclosure, exploit prediction scoring and community inclusion.

Highlighted groups included the CVE Quality Working Group, Consumer Working Group and Researcher Working Group. FIRST also pointed to updates from the EPSS SIG, which focuses on exploit prediction scoring, and the Women of FIRST SIG, which promotes inclusion across the security community.

Broader context

The conference comes amid a broader push by industry groups and public agencies to improve the consistency, speed and usefulness of vulnerability information. That effort includes pressure on software suppliers, security vendors and public bodies to make vulnerability records easier to understand and act on.

The event is intended to give participants material they can take back to their organisations to improve vulnerability management practices. Attendees shared approaches to handling major cyber incidents, new attack methods and the changing relationship between offensive and defensive uses of artificial intelligence.

Chris Gibson, chief executive officer of FIRST, framed the meeting as part of that wider collaborative effort.

"Seeing global security practitioners, researchers, and leaders in one room sharing hard-won knowledge and building real solutions is exactly why FIRST exists. Collaboration is not just a value for this community, it is how the vulnerability management ecosystem actually functions and improves. We are deeply grateful to everyone who made CVE/FIRST VulnCon 2026 possible," Gibson said.

FIRST now includes more than 840 member teams, 205 liaisons and four associates across 115 countries, spanning corporations, government bodies, universities and other institutions.