VEX (Vulnerability Exploitability eXchange).

A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'. Относится к категории Безопасность приложений в кибербезопасности.

A machine-readable companion to the SBOM that tells consumers whether a listed CVE actually affects a given product — distinguishing 'present in the bill of materials' from 'reachable and exploitable'.

VEX (Vulnerability Exploitability eXchange) is a class of attestation document, formalized by CISA and the U.S. NTIA in 2022–2023, designed to suppress SBOM noise. When a customer scans a vendor's product, they typically discover every CVE listed against every transitive dependency — most of which are not actually exploitable because the affected code path is unused, mitigated, or compiled out. A VEX statement, signed by the vendor or downstream maintainer, declares one of four statuses for each (product, CVE) pair: not_affected, affected, fixed, or under_investigation, plus a justification (e.g. 'vulnerable_code_not_in_execute_path'). VEX is format-agnostic and is currently produced as OpenVEX (a minimal JSON profile), CSAF VEX (an OASIS-standardized profile), or embedded in CycloneDX vulnerability extensions. It is becoming a contractual deliverable alongside SBOMs in regulated sectors.

Защита от VEX (Vulnerability Exploitability eXchange) обычно сочетает технические меры и операционные практики, как описано в определении выше.

Распространённые альтернативные названия: Vulnerability Exploitability eXchange, OpenVEX, CSAF VEX.