← Cybersecurity Alphabet Soup

VEX

Vulnerability Exploitability eXchange

appsechard

VEX is a machine-readable format for a vendor to state whether their product is actually affected by a given vulnerability, for example noting that a vulnerable library is present but the risky code path is never called. It complements SBOMs, which reveal what components are inside software but not whether flaws in them matter. VEX statements let consumers skip patching noise and focus on vulnerabilities that are truly exploitable.

Sources

More in appsec