Software supply chain vulnerability response suffers from insufficient cross-organizational collaboration and fragmented regional expertise. Method: This study engaged practitioners from nine enterprises across China, the U.S., and Europe in five thematic workshops, integrating open-ended interviews, panel discussions, policy analysis, and industry case studies—marking the first deep academic-industry collaboration across these regions on this topic. Contribution/Results: We systematically identified common bottlenecks in vulnerability reporting mechanisms, toolchain integration, organizational coordination, and compliance readiness for Cyber Resilience Act (CRA) and NIS2 directives. From these findings, we distilled reusable best practices. The study provides empirical foundations and actionable pathways for building a globally trusted, capability-complementary software supply chain security ecosystem.

Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing significant damage to businesses and organizations. The US and EU governments and industry are equally interested in enhancing software security, including supply chain and vulnerability response. On June 26, 2025, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) and the Software Innovation Campus Paderborn (SICP) conducted a Vulnerability Response Summit with a diverse set of 9 practitioners from 9 companies. The goal of the Summit is to enable sharing between industry practitioners having practical experiences and challenges with software supply chain security, including vulnerability response, and helping to form new collaborations. We conducted five panel discussions based on open-ended questions regarding experiences with vulnerability reports, tools used for vulnerability discovery and management, organizational structures to report vulnerability response and management, preparedness and implementations for Cyber Resilience Act1 (CRA) and NIS22, and bug bounties. The open discussions enabled mutual sharing and shed light on common challenges that industry practitioners with practical experience face when securing their software supply chain, including vulnerability response. In this paper, we provide a summary of the Summit. Full panel questions can be found in the appendix.