VulnCon 2025 is over. I didn’t go. A bunch of people have asked me why, and rather than keep my answer to a small group, I thought it would make sense to write something public about it all.

The TL;DR is I went to a different conference that I thought was a better use of my time.

The conferences I went to were Cyphercon and BSides Milwaukee. They are regional conferences in Wisconsin. Good people, great shows, a lot of fun and learning. Yeah, they were technically the week before VulnCon, but I lack the fortitude to do two conferences back to back. Some people can, and I tip my hat to those folks. I’m not one of them. I should be clear though, this isn’t the only reason. I also don’t think VulnCon should exist (more on that at the end).

Why do we go to conferences?

It would be easy to construct a gigantic list of why we go to conferences. But I think the two biggest reasons are, first, to meet people (the human connection is extremely valuable and important), and second, to learn about the future of your industry.

Hanging out with the people you know and meeting new people is the part of VulnCon I 100% support. Obviously we don’t have to do this only at a vulnerability conference, but the human aspect of all this matters and I’m glad it happens. If anything, we should have more vulnerability meetups during the year, a lot more.

I’m less certain about VulnCon’s view of the future. When I look at this agenda, I don’t see a lot of new and novel topics. Yes, there are some, but they should be the majority. It’s not totally their fault; what has really moved the needle in the world of vulnerabilities over the last few years? The only two things that really come to mind are EPSS and GitHub’s Advisory Database. Maybe NVD collapsing (it’ll be fixed in two weeks, they say), but I haven’t seen much positive change from the NVD debacle. We should be encouraging new and interesting ideas at VulnCon, not just rehashing old ideas.

The Conference itself

I want to start with some things I noticed about the actual conference that don’t spark joy. A large number of the program committee had multiple speaking slots. I’m sure some of this was because people kept asking them to co-present. But the reality is if this happens at your conference it’s not a conference, it’s a club. The program committee should be hyper aware of how many of the slots they are consuming. The point is for new and interesting ideas. Not having the same people say the same things. There is power in diversity.

Speaking of diversity, the program committee is 15 men and 2 women. I’m not going to add any additional comments, it’s 2025.

Unsurprisingly, VulnCon is dominated by vulnerability insiders. Most of the program committee and speakers are people who have been in this industry for a very long time. There’s nothing technically wrong with industry veterans participating in an event, but they shouldn’t dominate it.

And now for the unpopular opinion: I don’t think VulnCon should exist. I think it might even be hurting the vulnerability ecosystem because of how much of an echo chamber it is. The world of vulnerabilities is already an echo chamber and creating an event to further the already bad practices is something I worry about. VulnCon the idea is great, VulnCon the conference, not so much.

Now, I’m not saying we shouldn’t collaborate; we should. If anything, we need more collaboration. But I also think we should be doing that collaboration in the open as much as possible and including non-vulnerability people. We need to make sure our collaboration happens in a way closer to open source and less like a private golf club.

If you want to better understand vulnerabilities, go talk to people with boots on the ground doing the work. The researchers, the analysts, the people not at VulnCon. But those people are at other security conferences. I really like the BSides shows. The folks in the trenches also go to BSides.

Rather than having an event like VulnCon, we should be working with existing conferences to both help spread vulnerability knowledge to outsiders, and help the outsiders influence the vulnerability community. They know things we don’t, we know things they don’t. If we all get together and have a chat, everyone learns new and interesting things. What I really mean is VulnCon the event shouldn’t exist, VulnCon the idea should, and it should be everywhere.

What can we do?

If you’re a vulnerability nerd, the first, and most important, thing is to talk to people not in the vulnerability universe. You’re going to get an earful. Listen to them, don’t make up excuses. You are going to learn a lot and your ego is probably going to take a hit. That’s OK, it’s how we grow.

Vulnerability folks should figure out a few good conferences to meet up at. Make sure they’re at different times and in different locations; goodness knows international travel just got a lot more complicated. Lots of conferences have a day or two before the main event for micro conferences. The Open Source Summit does a really good job of this. That gives you some time with your smaller group, while making that smaller group more accessible to others. And the best part is you get to spend time with a wider audience during the larger conference.

If you run a conference, your program committee shouldn’t dominate the agenda. Make sure you are hearing from diverse groups of people with different opinions. Focus on new ideas, even if some seem silly, sometimes silly is good. Don’t rehash the past.

And lastly, if you’re mildly interested in this space, there are projects that are always looking for help. You can contribute to the GitHub Advisory Database. There are open source vulnerability scanners like Trivy and Grype. EPSS and CVSS have working groups, and the OpenSSF has countless projects and groups, as does OWASP. I even have a Discord server called EVC to chat about vulnerabilities, feel free to come lurk (it’s not super active, but there’s some good stuff when it is). There are a ton of places to get involved, and there is interesting work going on that’s going to be the future of the space.

If you want to give me feedback on this, good or bad, Mastodon is the place to do it. I’m @[email protected]