In this special bonus episode, we welcome back Tom Alrich, an expert in supply chain cybersecurity to discuss one of the most pressing issues in cybersecurity right now. Tom discusses the current issues with the National Vulnerability Database (NVD) and the challenges it presents for effective vulnerability management. We explore his proposed solutions and the future of software supply chain security, based on his extensive experience.

If you'd like to reach out to Tom, his email address is tom@tomalrich.com.

Additional links/resources mentioned during the episode or relevant to the discussion (if the links are not clickable please visit cybellum.com/podcasts to find them)

• The SBOM Forum's 2022 white paper on fixing the CPE problem in the NVD
• Tom's post from yesterday on the problem with vulnerability management
• The link to the SBOM Forum's website, where donations can be made (please email Tom before donating)
• An additional post he published on the day we recorded the episode which further highlights the NVD issue
• Tom's book "Introduction to SBOM and VEX" which is out now

Tom also mentioned that he misspoke when he said at the end that the OWASP Vulnerability Database Working Group is meeting twice weekly. In reality, they are only meeting twice monthly, as he can't afford to dedicate more time than that. They would love to meet at least weekly and also create documents, webinars, and more. Therefore, they are seeking some modest donations to support these efforts.