ICSE 2025
Sat 26 April - Sun 4 May 2025 Ottawa, Ontario, Canada

Software vulnerabilities can cause tremendous operational and financial damage to individuals and organizations in the event of cyber attacks. For example, the Log4J vulnerability can make millions of systems worldwide open to cyber attacks and potentially cause billions of dollars of damage. Software Vulnerability Management (SVM) is a critical process during software development to ensure software security and prevent these dangerous cyber attacks. SVM typically contains various phases such as detection, assessment, prioritization, fixing/patching and reporting/disclosure. In the last 10 years, there has been an unprecedented rise in the size and complexity of software systems. For instance, the codebase of Google services contains more than two billion lines of code. This in turn requires new technologies, tools, and practices for SVM to ensure the security of such systems.

The Third International Workshop on Software Vulnerability Management (SVM 2025) is a venue that aims to bring together academics, industry and government practitioners to present and discuss the state-of-the-art and state-of-the-practice of SVM to support both current and emerging software technologies and infrastructures.

The official website of the SVM workshop is: https://www.svmconf.org/.

The Twitter site of the workshop: https://twitter.com/svmconf.

The LinkedIn site of the workshop: https://www.linkedin.com/company/svm-workshop.

This program is tentative and subject to change.

Sat 3 May

Displayed time zone: Eastern Time (US & Canada)

07:00 - 17:00
09:00 - 10:30 Morning Session, SVM at 204

  • 09:00 (10m) Day opening: Opening Session
  • 09:10 (80m) Keynote: Security Vulnerabilities in Configuration Scripts: Lessons Learned and Opportunities Moving Forward
    Akond Rahman (Auburn University)

10:30 - 11:00

  • 10:30 (30m) Break: Saturday Morning Break (Catering)

11:00 - 12:30 Paper Session 1, SVM at 204

  • 11:00 (20m) Talk: A Landscape Study of Open-Source Tools for Software Bill of Materials (SBOM) for Supply Chain Security
    Derek Garcia (University of Hawaii at Manoa), Mehdi Mirakhorli (University of Hawaii at Manoa), Schuyler Dillon (Rochester Institute of Technology), Kevin Laporte (Rochester Institute of Technology), Matthew Morrison (Rochester Institute of Technology), Henry Lu (Rochester Institute of Technology), Viktoria Koscinski (Rochester Institute of Technology), Christopher Enoch (Rochester Institute of Technology), Mohamad Fazelnia (University of Hawaii at Manoa), Roger Chen (University of Hawaii at Manoa)
  • 11:20 (20m) Talk: A Multi-Dimensional Visual Analytics Tool for the Security Posture of Open-Source Software
    Tianyu Li (DistriNet Group-T, KU Leuven), Chaomeng Lu (DistriNet Group-T, KU Leuven), Bert Lagaisse (DistriNet Group-T, KU Leuven)
  • 11:40 (50m) Meeting: Round-table discussion on “SVM in the era of (Gen)AI”

12:30 - 14:00

  • 13:15 (45m) Lunch: Saturday Lunch (Catering)

14:00 - 15:30 Paper Session 2, SVM at 204

  • 14:00 (20m) Talk: An Exploratory Study of Security Vulnerabilities in Machine Learning Deployment Projects
    Akond Rahman (Auburn University, USA), Anthony Skjellum (Tennessee Tech University), Yue Zhang (Auburn University)
  • 14:20 (20m) Talk: Edge-Based Detection of Label Flipping Attacks in Federated Learning Using Explainable AI
    Nourah Alotaibi (KFUPM), Muhamad Felemban (KFUPM), Sajjad Mahmood (King Fahd University of Petroleum & Minerals)
  • 14:40 (20m) Talk: "Just Use Rust": A Best-Case Historical Study of Open Source Vulnerabilities in C
    Andy Meneely (Rochester Institute of Technology), Aiden Green (Rochester Institute of Technology), Tyler Jaafari (Rochester Institute of Technology), Matthew Fluet (Rochester Institute of Technology), Brandon Keller (Rochester Institute of Technology)
  • 15:00 (20m) Talk: Understanding the Changing Landscape of Automotive Software Vulnerabilities: Insights from a Seven-Year Analysis
    Srijita Basu (Chalmers University of Technology and University of Gothenburg), Miroslaw Staron (University of Gothenburg)
  • 15:20 (10m) Day closing: Workshop Closing

15:30 - 16:00

  • 15:30 (30m) Break: Saturday Afternoon Break (Catering)

Call for Papers

The International Workshop on Software Vulnerability Management (SVM) invites academia, industry, and governmental entities to submit original research papers and demos (hands-on or videos) concerning the advances and practices of software vulnerability management from both technical and socio-technical perspectives.

The suggested topics include, but are not limited to:

  • Requirements engineering for SVM
  • Techniques and practices of threat modeling (including mixed-methods)
  • Methodology and processes for SVM
  • Static/dynamic analysis tools for SVM
  • AI-driven techniques, including Large Language Models for SVM (AI4SVM / LLM4SVM)
  • SVM for AI/LLM-based systems (SVM4AI / SVM4LLM)
  • Socio-technical aspects of SVM
  • Human-AI collaboration for SVM
  • Empirical study of SVM tools and/or practices (including mixed-methods)
  • SVM in software development lifecycle
  • SVM in software supply chain security
  • Mining software repositories for SVM
  • Datasets for SVM
  • Data quality for SVM analytics
  • Software infrastructures for SVM
  • SVM for infrastructure-as-code and/or virtualised infrastructures
  • SVM for DevOps
  • SVM for emerging software systems (e.g., blockchain, virtual, augmented, mixed reality, and quantum systems)

Please note that the contributions can target any task/phase within an SVM process.

Submission Types

The SVM workshop welcomes two types of submissions:

  • Full Papers: up to eight pages, including references. These full papers are expected to describe original contributions to research and/or practice for SVM. We also welcome experience or industrial reports. Although these papers can include work in progress, the authors must outline a clear plan moving forward. The accepted papers will be allocated 10 to 15 minutes for presentation.
  • Short Papers: up to four pages, including references. These short papers are expected to present emerging ideas or visions for the SVM field, or new datasets and tools for SVM that can be accompanied by either hands-on or recorded demos. Papers that are overly focused on the advertisement of a product or service, rather than discussing interesting findings and insights gained from the use of a product or operation of a service, are heavily discouraged. The accepted short papers will be allocated 4 to 7 minutes for presentation.

How to Submit

We adopt the guidelines of ICSE 2025 paper submission for the SVM workshop. Specifically, submissions must conform to the IEEE conference proceedings template, specified in the IEEE Conference Proceedings Formatting Guidelines.

When submitting to the workshop, authors acknowledge that they conform to the authorship policy of the ACM, and the authorship policy of the IEEE.

Authors are strongly encouraged to share the artifacts (e.g., data, code, and models) in the submissions, whenever possible, as per the Open Science Policy of ICSE 2025. The submissions need to be made to HotCRP at https://svm2025.hotcrp.com/.

Conflicts of Interest

We take conflicts of interest seriously during paper review. Both authors and program committee members are encouraged to cooperate to prevent submissions from being evaluated by reviewers who have a conflict of interest with any of the authors. The authors and reviewers can refer to the ACM Conflict of Interest Policy for identifying a conflict of interest.

Ethics Policies

If the research involves human participants/subjects, the authors must adhere to the ACM Publications Policy on Research Involving Human Participants and Subjects. Upon submitting, authors will declare their compliance with this policy.

If the submission describes, or otherwise takes advantage of, newly discovered software vulnerabilities or cyber attacks, the authors should disclose these vulnerabilities to the vendors/maintainers of affected systems prior to the submission deadline. When disclosure is necessary, authors are expected to include a statement within their submission and/or final paper about steps taken to fulfill the goal of responsible disclosure.