With an ever-accelerating trend of cybercrimes due to software vulnerabilities and exposures in Smart City industrial environments, effective and proactive vulnerability risk management becomes imperative. Statistical models that learn from rich historical vulnerability disclosure data undoubtedly provide critical risk insights. In this article, based on extreme value theory coupled with generalized additive models, we propose a novel framework to model extreme vulnerability disclosure events under both stationary and nonstationary scenarios. Using this rigorous framework, we initiate an important study on quantifying extreme cyber risks. Through extensive empirical studies using real-life datasets, our proposed framework proves to effectively capture the dynamics of extreme events. Furthermore, it enables us to address quantitatively some of the key cyber risk management questions.