VEX (Vulnerability Exploitability eXchange)
What is VEX (Vulnerability Exploitability eXchange)?
VEX (Vulnerability Exploitability eXchange)
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
VEX (Vulnerability Exploitability eXchange) is a class of attestation document, formalized by CISA and the U.S. NTIA in 2022–2023, designed to suppress SBOM noise. When a customer scans a vendor's product, they typically discover every CVE listed against every transitive dependency — most of which are not actually exploitable because the affected code path is unused, mitigated, or compiled out. A VEX statement, signed by the vendor or downstream maintainer, declares one of four statuses for each (product, CVE) pair: not_affected, affected, fixed, or under_investigation, plus a justification (e.g. 'vulnerable_code_not_in_execute_path'). VEX is format-agnostic and is currently produced as OpenVEX (a minimal JSON profile), CSAF VEX (an OASIS-standardized profile), or embedded in CycloneDX vulnerability extensions. It is becoming a contractual deliverable alongside SBOMs in regulated sectors.
● Examples
- 01
A library upgrade adds a transitive dep flagged with five CVEs; the vendor ships an OpenVEX document marking four as 'not_affected: vulnerable_code_not_in_execute_path'.
- 02
An automated scanner consumes the customer's SBOM plus the vendor's VEX statements and reduces 200 raw CVE findings to 7 actionable ones.
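As an added illustration of example 02 (not code from the original page), this Python snippet applies a constructed OpenVEX document to a constructed list of scanner findings and keeps only the findings that still need action; the package URLs, document id and CVE identifiers are placeholders. It also skips a not_affected statement that lacks the justification or impact_statement OpenVEX requires, so an incomplete attestation cannot silently close a finding.

```python
import json

# Constructed OpenVEX document (placeholder CVE IDs and package URLs, not real advisories).
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vendor.example/vex/example-app-1.0.0",  # hypothetical document id
    "author": "Example Vendor Product Security",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-1001"}, "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-1002"}, "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
         "status": "fixed"},
        # Malformed: not_affected without justification or impact_statement (required by OpenVEX).
        {"vulnerability": {"name": "CVE-0000-1003"}, "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
         "status": "not_affected"},
        # Covers a different product, so it must not suppress findings on example-lib.
        {"vulnerability": {"name": "CVE-0000-1004"}, "products": [{"@id": "pkg:npm/other-lib@9.9.9"}],
         "status": "not_affected", "justification": "component_not_present"},
    ],
})

# Constructed scanner output: (package URL from the SBOM, CVE) pairs.
SCAN_FINDINGS = [
    ("pkg:npm/example-lib@1.2.3", "CVE-0000-1001"),
    ("pkg:npm/example-lib@1.2.3", "CVE-0000-1002"),
    ("pkg:npm/example-lib@1.2.3", "CVE-0000-1003"),
    ("pkg:npm/example-lib@1.2.3", "CVE-0000-1004"),
    ("pkg:npm/example-lib@1.2.3", "CVE-0000-1005"),  # no VEX statement at all
]

# Only these statuses close a finding; affected/under_investigation stay actionable.
SUPPRESSING = {"not_affected", "fixed"}

def load_vex_index(doc_json):
    """Map (product @id, CVE name) -> statement, skipping malformed statements."""
    index = {}
    for st in json.loads(doc_json)["statements"]:
        if st["status"] == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            continue
        for product in st["products"]:
            index[(product["@id"], st["vulnerability"]["name"])] = st
    return index

def triage(findings, vex_index):
    """Return the scanner findings that still need action after applying VEX."""
    return [(purl, cve) for purl, cve in findings
            if vex_index.get((purl, cve), {}).get("status") not in SUPPRESSING]
```

Running `triage(SCAN_FINDINGS, load_vex_index(OPENVEX_DOC))` leaves three actionable findings: the one with the malformed statement, the one whose statement names a different product, and the one with no statement at all.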
● Frequently Asked Questions
What is VEX (Vulnerability Exploitability eXchange)?
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'. It belongs to the application security category of cybersecurity.
What does VEX (Vulnerability Exploitability eXchange) mean?
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
How does VEX (Vulnerability Exploitability eXchange) work?
VEX (Vulnerability Exploitability eXchange) is a class of attestation document, formalized by CISA and the U.S. NTIA in 2022–2023, designed to suppress SBOM noise. When a customer scans a vendor's product, they typically discover every CVE listed against every transitive dependency — most of which are not actually exploitable because the affected code path is unused, mitigated, or compiled out. A VEX statement, signed by the vendor or downstream maintainer, declares one of four statuses for each (product, CVE) pair: not_affected, affected, fixed, or under_investigation, plus a justification (e.g. 'vulnerable_code_not_in_execute_path'). VEX is format-agnostic and is currently produced as OpenVEX (a minimal JSON profile), CSAF VEX (an OASIS-standardized profile), or embedded in CycloneDX vulnerability extensions. It is becoming a contractual deliverable alongside SBOMs in regulated sectors.
How do you protect against VEX (Vulnerability Exploitability eXchange)?
Protective measures relating to VEX (Vulnerability Exploitability eXchange) typically combine technical controls and operational practices, as described in the definition above.
What other names are there for VEX (Vulnerability Exploitability eXchange)?
Common alternative names: Vulnerability Exploitability eXchange, OpenVEX, CSAF VEX.
● Related Terms
- appsec№ 1185
Software Bill of Materials (SBOM)
A formal, machine-readable inventory of a piece of software's components, libraries and dependencies, including their versions and relationships.
- appsec№ 297
CycloneDX
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
- appsec№ 1190
SPDX (Software Package Data Exchange)
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
- vulnerabilities№ 285
CVE (Common Vulnerabilities and Exposures)
A public catalogue that assigns a unique identifier to every disclosed software or hardware vulnerability so that it can be referenced unambiguously across the industry.
- vulnerabilities№ 428
EPSS (Exploit Prediction Scoring System)
A data-driven model from FIRST that estimates the probability that a CVE will be exploited in the wild within the next 30 days.
- vulnerabilities№ 663
Known Exploited Vulnerability (KEV)
A CVE that US CISA has confirmed as actively exploited and added to its public KEV catalogue, which triggers remediation deadlines for US federal agencies.