Ideas whose time has come: CVD, SBOM, and SOTA

Speakers – Katie and Art
From origins in general purpose computing, Coordinated Vulnerability Disclosure (CVD), Software Bill Of Materials (SBOM), and Secure Over-The-Air (SOTA) updates have been implemented or considered in safety sectors including industrial control systems, medical devices, and ground transportation. These common software security practices are becoming widespread global norms, turning up in public policy, international standards, and national law (often in sector-specific safety regulation).

About the Speakers

Art Manion is the Vulnerability Analysis Technical Manager at the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He coordinates vulnerability disclosures and says things like “Don’t Use IE,” “Replace CPU hardware,” and “CVSS is inadequate.”