28 September - 1 October | Cardo Roma, Italy

From “Certify before Patching” to “Risk and Lifecycle Management” (A30a)

Examine the shift from pre-release certification to risk-based lifecycle vulnerability management.
01 Oct 2026
9:00 am
Sala Cosmo I

How did vulnerability handling shift from awkward surprises to standardized processes? Over the last decade, vulnerability handling for certified ICT products evolved from a “do not patch before your patch is certified” mindset toward structured, lifecycle-based management embedded in standards and regulation. Drawing on first-hand involvement in SOGIS ISCI, EUCC scheme development, ENISA work on vulnerability handling in certified solutions, and CEN/CENELEC standardization, this talk traces how expectations, roles, and approaches shifted over the last decade. It highlights key inflection points and practical lessons shaping today’s practices, which are now also aligned with the Cyber Resilience Act.