Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

S3C2 SICP Summit 2025-06: Vulnerability Response Summit

Anna Lena Rotthaler, Simon Oberthür, Juraj Somorovsky, Kirsten Thommes, Simon Trang, Yasemin Acar, Michel Cukier, William Enck, Alexandros Kapravelos, Christian Kästner, Dominik Wermke, Laurie Williams

TL;DR

The paper reports on a Vulnerability Response Summit that gathered industry practitioners to share experiences on software supply chain security and vulnerability response. It covers five panel topics—vulnerability reporting, tools, organization of reporting, CRA/NIS2, and bug bounties—and highlights challenges in context-aware vulnerability assessment, end-to-end remediation, tool usability, and regulatory expectations. The authors describe open questions and opportunities for collaboration between industry and researchers, including SBOMs/SCAs as enablers and the nuanced role of bug bounty programs during CRA readiness. The study provides a practical snapshot of current industry practices and regulatory pressures shaping vulnerability response in practice.

Abstract

Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing significant damage to businesses and organizations. The US and EU governments and industry are equally interested in enhancing software security, including supply chain and vulnerability response. On June 26, 2025, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) and the Software Innovation Campus Paderborn (SICP) conducted a Vulnerability Response Summit with a diverse set of 9 practitioners from 9 companies. The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security, including vulnerability response, and helping to form new collaborations. We conducted five panel discussions based on open-ended questions regarding experiences with vulnerability reports, tools used for vulnerability discovery and management, organizational structures to report vulnerability response and management, preparedness and implementations for Cyber Resilience Act1 (CRA) and NIS22, and bug bounties. The open discussions enabled mutual sharing and shed light on common challenges that industry practitioners with practical experience face when securing their software supply chain, including vulnerability response. In this paper, we provide a summary of the Summit. Full panel questions can be found in the appendix.

S3C2 SICP Summit 2025-06: Vulnerability Response Summit

TL;DR

The paper reports on a Vulnerability Response Summit that gathered industry practitioners to share experiences on software supply chain security and vulnerability response. It covers five panel topics—vulnerability reporting, tools, organization of reporting, CRA/NIS2, and bug bounties—and highlights challenges in context-aware vulnerability assessment, end-to-end remediation, tool usability, and regulatory expectations. The authors describe open questions and opportunities for collaboration between industry and researchers, including SBOMs/SCAs as enablers and the nuanced role of bug bounty programs during CRA readiness. The study provides a practical snapshot of current industry practices and regulatory pressures shaping vulnerability response in practice.

Abstract

Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing significant damage to businesses and organizations. The US and EU governments and industry are equally interested in enhancing software security, including supply chain and vulnerability response. On June 26, 2025, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) and the Software Innovation Campus Paderborn (SICP) conducted a Vulnerability Response Summit with a diverse set of 9 practitioners from 9 companies. The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security, including vulnerability response, and helping to form new collaborations. We conducted five panel discussions based on open-ended questions regarding experiences with vulnerability reports, tools used for vulnerability discovery and management, organizational structures to report vulnerability response and management, preparedness and implementations for Cyber Resilience Act1 (CRA) and NIS22, and bug bounties. The open discussions enabled mutual sharing and shed light on common challenges that industry practitioners with practical experience face when securing their software supply chain, including vulnerability response. In this paper, we provide a summary of the Summit. Full panel questions can be found in the appendix.

Paper Structure

This paper contains 20 sections.

Table of Contents

  1. Introduction
  2. Experiences with Vulnerability Reporting
  3. Assessing Vulnerabilities
  4. Fixing Vulnerabilities
  5. Open Questions
  6. Tools
  7. Choosing Tools
  8. Open Questions
  9. Organization of Vulnerability Reporting
  10. Reaction
  11. Open Questions
  12. Cyber Resilience Act (CRA)/NIS2
  13. NIS2
  14. CRA
  15. Open Questions
  16. ...and 5 more sections