S3C2 SICP Summit 2025-06: Vulnerability Response Summit
Anna Lena Rotthaler, Simon Oberthür, Juraj Somorovsky, Kirsten Thommes, Simon Trang, Yasemin Acar, Michel Cukier, William Enck, Alexandros Kapravelos, Christian Kästner, Dominik Wermke, Laurie Williams

TL;DR
This paper summarizes a summit where industry practitioners shared experiences and challenges in software supply chain security and vulnerability response, aiming to foster collaboration and improve practices.
Contribution
It provides a detailed account of industry challenges and collaborative discussions on vulnerability management in software supply chains, based on a multi-company summit.
Findings
Shared practical challenges in vulnerability response
Identified tools and organizational structures used in industry
Highlighted need for improved collaboration and standards
Abstract
Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing significant damage to businesses and organizations. The US and EU governments and industry are equally interested in enhancing software security, including supply chain security and vulnerability response. On June 26, 2025, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) and the Software Innovation Campus Paderborn (SICP) conducted a Vulnerability Response Summit with a diverse set of 9 practitioners from 9 companies. The goal of the Summit is to enable sharing between industry practitioners who have practical experience with, and face challenges in, software supply chain security, including vulnerability response, and to help form new collaborations. We conducted five panel discussions based on open-ended questions regarding experiences with vulnerability…
Taxonomy
Topics: Information and Cyber Security · Software Engineering Techniques and Practices · Supply Chain Resilience and Risk Management
