VEX (Vulnerability Exploitability eXchange).

A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'. サイバーセキュリティの アプリケーションセキュリティ カテゴリに属します。

A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.

VEX (Vulnerability Exploitability eXchange) is a class of attestation document, formalized by CISA and the U.S. NTIA in 2022–2023, designed to suppress SBOM noise. When a customer scans a vendor's product, they typically discover every CVE listed against every transitive dependency — most of which are not actually exploitable because the affected code path is unused, mitigated, or compiled out. A VEX statement, signed by the vendor or downstream maintainer, declares one of four statuses for each (product, CVE) pair: not_affected, affected, fixed, or under_investigation, plus a justification (e.g. 'vulnerable_code_not_in_execute_path'). VEX is format-agnostic and is currently produced as OpenVEX (a minimal JSON profile), CSAF VEX (an OASIS-standardized profile), or embedded in CycloneDX vulnerability extensions. It is becoming a contractual deliverable alongside SBOMs in regulated sectors.

VEX (Vulnerability Exploitability eXchange) に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: Vulnerability Exploitability eXchange, OpenVEX, CSAF VEX。