VEX (Vulnerability Exploitability eXchange)
What is VEX (Vulnerability Exploitability eXchange)?
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product, distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
VEX (Vulnerability Exploitability eXchange) is a class of attestation document, outlined by the U.S. NTIA in 2021 and given minimum requirements by CISA in 2022–2023, designed to suppress the false-positive noise that SBOM-driven vulnerability scanning produces. When a customer scans a vendor's product against its SBOM, the scanner reports every CVE recorded against every transitive dependency; many of these are not exploitable in that product because the vulnerable function is never called, the affected feature is compiled out, or a mitigation is already in place. A VEX statement, issued by the vendor or a downstream maintainer (and ideally signed, so the consumer can tie it to a trusted author), declares one of four statuses for each (product, vulnerability) pair: not_affected, affected, fixed, or under_investigation. A not_affected statement must also carry a machine-readable justification (for example vulnerable_code_not_in_execute_path) or an impact statement explaining why, and an affected statement should carry an action statement telling the consumer what to do. Each statement is tied to a specific product identifier (typically a purl or CPE) and a timestamp, so it applies only to that version and can be superseded by a later statement. VEX is format-agnostic: it is currently produced as OpenVEX (a minimal JSON-LD profile), as CSAF VEX (the VEX profile of the OASIS CSAF 2.0 standard), or embedded in the vulnerabilities section of a CycloneDX BOM. It is becoming a contractual deliverable alongside SBOMs in regulated sectors.
● Examples
- 01
A library upgrade adds a transitive dep flagged with five CVEs; the vendor ships an OpenVEX document marking four as 'not_affected: vulnerable_code_not_in_execute_path'.
- 02
An automated scanner consumes the customer's SBOM plus the vendor's VEX statements and reduces 200 raw CVE findings to 7 actionable ones.
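The triage step in example 02, as an added worked example that is not code from this page, from the OpenVEX project or from any vendor: the script parses a small OpenVEX document, drops statements that break the minimum requirements (a not_affected status with neither a justification nor an impact statement), resolves two statements about the same (product, vulnerability) pair by keeping the newer timestamp, and then uses the statuses to split raw scanner findings into suppressed and still-open ones. The document, the product purls and the CVE-2099-* identifiers are constructed for illustration and deliberately fictional; production tooling additionally has to match purls robustly and verify the document's signature, which this script leaves out.

```python
"""Apply an OpenVEX document to raw scanner findings (VEX-driven triage).

Added example, not code from the page, from OpenVEX or from any vendor. The
document, purls and CVE-2099-* identifiers below are constructed and fictional.
"""
import json
from datetime import datetime

STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {  # vocabulary allowed on a not_affected statement
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
WIDGET = "pkg:npm/example-widget@1.3.0"   # constructed product purls
CLIENT = "pkg:pypi/example-client@2.0.0"

# Constructed OpenVEX v0.2.0 document (vulnerability and products are objects).
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vendor.example/vex/2024-001",   # hypothetical document id
    "author": "Example Vendor PSIRT",
    "timestamp": "2024-05-01T10:00:00Z",
    "version": 2,
    "statements": [
        {"vulnerability": {"name": "CVE-2099-0001"}, "products": [{"@id": WIDGET}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        # Two statements for one pair: the newer one (affected) must win.
        {"vulnerability": {"name": "CVE-2099-0002"}, "products": [{"@id": WIDGET}],
         "status": "under_investigation", "timestamp": "2024-04-20T09:00:00Z"},
        {"vulnerability": {"name": "CVE-2099-0002"}, "products": [{"@id": WIDGET}],
         "status": "affected", "action_statement": "Upgrade to example-widget 1.3.1",
         "timestamp": "2024-04-28T09:00:00Z"},
        # not_affected with neither justification nor impact_statement: non-conformant.
        {"vulnerability": {"name": "CVE-2099-0003"}, "products": [{"@id": WIDGET}],
         "status": "not_affected"},
        {"vulnerability": {"name": "CVE-2099-0004"}, "products": [{"@id": CLIENT}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-2099-0006"}, "products": [{"@id": WIDGET}],
         "status": "under_investigation"},
    ],
})

# Constructed raw scanner output: one (component purl, CVE) finding per row.
FINDINGS = [
    {"purl": WIDGET, "cve": "CVE-2099-0001"},
    {"purl": WIDGET, "cve": "CVE-2099-0002"},
    {"purl": WIDGET, "cve": "CVE-2099-0003"},
    {"purl": CLIENT, "cve": "CVE-2099-0004"},
    {"purl": CLIENT, "cve": "CVE-2099-0005"},
    {"purl": "pkg:npm/example-widget@1.2.0", "cve": "CVE-2099-0001"},  # other version
    {"purl": WIDGET, "cve": "CVE-2099-0006"},
]


def _vuln_name(v):
    """OpenVEX v0.0.1 used a bare string; v0.2.0 uses {"name": ...}."""
    return v if isinstance(v, str) else v["name"]


def load_openvex(text):
    """Parse OpenVEX into {(product_id, vuln_name): statement}.

    Non-conformant statements are dropped; when several statements cover the
    same pair, the one with the most recent timestamp wins.
    """
    doc = json.loads(text)
    newest = {}
    for st in doc.get("statements", []):
        status, just = st.get("status"), st.get("justification")
        if status not in STATUSES:
            continue
        if status == "not_affected":
            ok = just in JUSTIFICATIONS if just is not None else "impact_statement" in st
            if not ok:
                continue
        # A statement without its own timestamp inherits the document's.
        ts = datetime.fromisoformat((st.get("timestamp") or doc["timestamp"]).replace("Z", "+00:00"))
        for p in st.get("products", []):
            key = (p if isinstance(p, str) else p["@id"], _vuln_name(st["vulnerability"]))
            if key not in newest or ts > newest[key][0]:
                newest[key] = (ts, st)
    return {key: st for key, (_, st) in newest.items()}


def triage(findings, vex):
    """Split findings into (actionable, suppressed). Only not_affected and fixed
    suppress; affected, under_investigation and a missing statement stay open."""
    actionable, suppressed = [], []
    for f in findings:
        st = vex.get((f["purl"], f["cve"]), {})
        row = {**f, "status": st.get("status", "no_vex_statement"),
               "justification": st.get("justification"), "action": st.get("action_statement")}
        (suppressed if row["status"] in ("not_affected", "fixed") else actionable).append(row)
    return actionable, suppressed


if __name__ == "__main__":
    actionable, suppressed = triage(FINDINGS, load_openvex(OPENVEX_DOC))
    print(f"{len(FINDINGS)} raw findings -> {len(actionable)} open, {len(suppressed)} suppressed")
    for row in actionable + suppressed:
        print(f"  {row['status']:<18} {row['cve']}  {row['purl']}  "
              f"{row['action'] or row['justification'] or ''}")
```

Two design choices matter here. Product matching is exact on the purl, so the statement for example-widget 1.3.0 does not silence the same CVE reported against 1.2.0; a VEX statement is a claim about one product version, not about a package name. And only not_affected and fixed suppress anything: under_investigation is a promise of a later statement, not a verdict, so those findings stay open until the author follows up.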
● Frequently asked questions
What is VEX (Vulnerability Exploitability eXchange)?
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'. It belongs to the Application Security category of cybersecurity.
What does VEX (Vulnerability Exploitability eXchange) mean?
A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.
How does VEX (Vulnerability Exploitability eXchange) work?
Each VEX statement names a product (usually by purl or CPE), a vulnerability (usually a CVE ID), one of the four statuses not_affected, affected, fixed or under_investigation and, for not_affected, a machine-readable justification such as vulnerable_code_not_in_execute_path. The document also carries an author and a timestamp, so a later statement can supersede an earlier one as an investigation concludes. A scanner or SCA tool matches the (product, vulnerability) pairs in the VEX against the components in the consumer's SBOM and suppresses findings marked not_affected or fixed, leaving affected and under_investigation findings open. VEX is format-agnostic: OpenVEX, CSAF VEX and CycloneDX all carry the same minimum fields, so a consumer can ingest any of them.
What should you check before trusting a VEX (Vulnerability Exploitability eXchange) statement?
VEX is not a threat to defend against but a trust decision. Before suppressing a finding, confirm the document's author and signature are ones you accept, check that the product identifier in the statement matches the component and version in your own SBOM rather than a neighbouring version, accept not_affected only when it carries a valid justification or impact statement, honour the most recent statement when several cover the same pair, and keep under_investigation findings open until a follow-up statement arrives.
What are other names for VEX (Vulnerability Exploitability eXchange)?
It is usually just called VEX. OpenVEX and CSAF VEX are not synonyms but specific document formats that implement VEX, alongside the CycloneDX vulnerabilities section.
● Related terms
- appsec№ 1185
Software Bill of Materials (SBOM)
A formal, machine-readable inventory of the components, libraries, and dependencies that make up a piece of software, along with their versions and relationships.
- appsec№ 297
CycloneDX
An OWASP-curated open standard for software, SaaS, ML, and crypto bills of materials, designed from the start for security use cases and now widely used to ship SBOMs alongside releases.
- appsec№ 1190
SPDX (Software Package Data Exchange)
A Linux Foundation-maintained, ISO/IEC 5962-standardized open format for software bills of materials, originally focused on license metadata and now broadly used for SBOMs.
- vulnerabilities№ 285
CVE (Common Vulnerabilities and Exposures)
A public catalogue that assigns a unique identifier to each disclosed software or hardware vulnerability so they can be referenced unambiguously across the industry.
- vulnerabilities№ 428
EPSS (Exploit Prediction Scoring System)
A data-driven model, maintained by FIRST, that estimates the probability a given CVE will be exploited in the wild within the next 30 days.
- vulnerabilities№ 663
Known Exploited Vulnerability (KEV)
A CVE that the U.S. CISA confirms is being actively exploited and adds to its public KEV Catalog, triggering remediation deadlines for U.S. federal agencies.