Guidance on Issuing VEX Information

The Cybersecurity and Infrastructure Security Agency (CISA) has published When to Issue Vulnerability Exploitability eXchange (VEX) Information, a guide to help strengthen software security and supply chain risk management. This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information.
Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.
VEX allows a software supplier or other parties to assert the exploitability status of specific vulnerabilities in a particular product or set of products. Issuing VEX information lets developers, suppliers and others state, in a format that is both human-readable and machine-comprehensible, whether or not their software is affected by a specific vulnerability.
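As an added illustration (not part of the CISA announcement or of the guide it describes), the Python below sketches what "asserting the exploitability status" looks like in practice: a supplier builds VEX statements using the four status values (not_affected, affected, fixed, under_investigation) and, for not_affected, one of the machine-readable justifications; a consumer then reconciles raw scanner findings against those statements so that only still-actionable vulnerabilities remain. The document envelope follows the OpenVEX layout, which is an assumption made here rather than something this page specifies; the CVE identifiers, product identifiers, timestamps and supplier name are constructed placeholders.

```python
"""Constructed VEX producer/consumer example (not CISA's code).

Status values and not_affected justifications are the standard VEX ones;
the envelope shape is modelled on OpenVEX (an assumption for this example).
"""
import json
from datetime import datetime, timezone

VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def make_statement(vuln_id, product_ids, status, justification=None,
                   action_statement=None, timestamp=None):
    """Producer side: build one statement and enforce the publishing rules
    (valid status; not_affected needs a justification; affected needs an
    action statement telling consumers what to do)."""
    if status not in VEX_STATUSES:
        raise ValueError(f"unknown VEX status: {status}")
    if status == "not_affected" and justification not in NOT_AFFECTED_JUSTIFICATIONS:
        raise ValueError("not_affected requires a recognised justification")
    if status == "affected" and not action_statement:
        raise ValueError("affected requires an action statement")
    stmt = {
        "vulnerability": {"name": vuln_id},
        "products": [{"@id": p} for p in product_ids],
        "status": status,
        "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
    }
    if justification:
        stmt["justification"] = justification
    if action_statement:
        stmt["action_statement"] = action_statement
    return stmt


def make_document(author, statements, doc_id):
    """Wrap statements in an OpenVEX-style envelope (assumed layout)."""
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


def effective_status(document, product_id, vuln_id):
    """Consumer side: the newest statement covering (product, vuln) wins, so a
    later 'fixed' supersedes an earlier 'affected'. None if the doc is silent."""
    matches = [s for s in document["statements"]
               if s["vulnerability"]["name"] == vuln_id
               and any(p["@id"] == product_id for p in s["products"])]
    if not matches:
        return None
    return max(matches, key=lambda s: datetime.fromisoformat(s["timestamp"]))


def triage(document, sbom_components, scanner_findings):
    """Apply VEX to scanner output. Findings marked not_affected or fixed are
    dropped; affected, under_investigation, unknown-to-VEX and components the
    SBOM does not even list are kept, each tagged with the reason."""
    actionable = []
    for vuln_id, product_id in scanner_findings:
        if product_id not in sbom_components:
            actionable.append((vuln_id, product_id, "not_in_sbom"))
            continue
        stmt = effective_status(document, product_id, vuln_id)
        if stmt is None:
            actionable.append((vuln_id, product_id, "no_vex"))
        elif stmt["status"] in {"affected", "under_investigation"}:
            actionable.append((vuln_id, product_id, stmt["status"]))
    return actionable


# Constructed sample data: placeholder CVE ids, purl-style product ids.
PRODUCT = "pkg:generic/example-app@1.2.3"
SBOM_COMPONENTS = {PRODUCT, "pkg:generic/example-lib@4.5.6"}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
T1 = datetime(2024, 2, 1, tzinfo=timezone.utc)
SCANNER_FINDINGS = [
    ("CVE-0000-00001", PRODUCT), ("CVE-0000-00002", PRODUCT),
    ("CVE-0000-00003", PRODUCT), ("CVE-0000-00004", PRODUCT),
    ("CVE-0000-00005", "pkg:generic/not-in-sbom@0.1"),
]


def sample_document():
    stmts = [
        make_statement("CVE-0000-00001", [PRODUCT], "not_affected",
                       justification="vulnerable_code_not_in_execute_path", timestamp=T0),
        make_statement("CVE-0000-00002", [PRODUCT], "affected",
                       action_statement="Upgrade to 1.2.4", timestamp=T0),
        make_statement("CVE-0000-00002", [PRODUCT], "fixed", timestamp=T1),
        make_statement("CVE-0000-00003", [PRODUCT], "under_investigation", timestamp=T1),
    ]
    return make_document("Example Supplier PSIRT (placeholder)", stmts,
                         "https://example.invalid/vex/1")


def sample_triage():
    return triage(sample_document(), SBOM_COMPONENTS, SCANNER_FINDINGS)


if __name__ == "__main__":
    print(json.dumps(sample_document(), indent=2))
    print(sample_triage())
```

Of the five constructed findings, the not_affected one and the one later marked fixed drop out, while the under_investigation case, the vulnerability the VEX document never mentions, and the component missing from the SBOM all stay on the list with their reason attached; silently discarding the last two would hide exactly the gaps a consumer most needs to see.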
Widespread adoption of VEX is one of three critical steps CISA outlined for transforming and advancing the vulnerability management ecosystem. VEX also supports secure-by-design practices and rewards organizations with proactive product security teams by streamlining responses to newly discovered risks.
For more information on this and other VEX resources, visit Software Bill of Materials (SBOM).