VEX (Vulnerability Exploitability eXchange) is a machine-readable format for stating whether a known vulnerability is actually exploitable in a specific product or deployment.
Unlike traditional vulnerability records, such as a CVE entry or a VDR (Vulnerability Disclosure Report), VEX focuses on a context-based assessment: not "does this vulnerability exist in a component you ship" but "does it affect this product as built and used".
A VEX statement therefore carries the issuer's status for a product/vulnerability pair together with a justification, an impact statement or an action statement, so that facts about configuration, existing mitigations and how the component is used turn into a more nuanced picture of the actual threat than a bare scanner hit provides.
Purpose and Value
The goal of VEX is to transform vulnerability data into a practical resource for security work. By considering the specific environment, VEX enables:
- Effective risk assessment: By identifying which vulnerabilities can actually be exploited, organizations can focus their resources where they do the most good.
- Reduced uncertainty: A clear assessment of exploitability reduces guesswork and creates a more realistic understanding of risks.
- Improved communication: A standardized format makes it easier to share and understand vulnerability information between different parties – from development teams to decision makers.
VEX Status – How is Exploitability Assessed?
The status of a product with respect to a vulnerability is expressed with one of four defined values, shared by OpenVEX, CSAF VEX and the CISA minimum requirements for VEX:
VEX Status | Description |
---|---|
not_affected | The product is not affected by the vulnerability. The statement must say why, with a machine-readable justification (for example vulnerable_code_not_in_execute_path or component_not_present) and/or an impact statement. |
affected | The product is affected and the consumer should act; the statement carries an action statement describing the remediation or mitigation. |
fixed | The vulnerability has been remediated in the referenced product version, for example through a patch or an updated dependency. |
under_investigation | The issuer has not yet determined whether the product is affected; a later statement is expected to replace this one. |
Note that "exploitable" is not one of these statuses. CycloneDX uses its own analysis-state vocabulary (exploitable, in_triage, false_positive, resolved, resolved_with_pedigree, not_affected), and a consumer that merges sources has to map those values onto the four above (exploitable corresponds to affected, in_triage to under_investigation). The practical rule: only not_affected and fixed allow a finding to be dropped; affected and under_investigation keep it on the work list.
The Difference Between VEX and VDR
Although VEX and VDR both handle vulnerability information, they complement each other by having different focuses:
- VDR: Provides an in-depth technical description of the vulnerability, including details about type, severity and suggested actions.
- VEX: Assesses the vulnerability's exploitability based on the specific context – a tool for determining which vulnerabilities are real threats in practice.
The Difference Between VEX and CVE
While CVE (Common Vulnerabilities and Exposures) provides unique identifiers and a standardized description of vulnerabilities, VEX focuses on assessing whether and how a vulnerability can be exploited in a specific environment. CVE provides a general "fact compilation" while VEX contributes with a contextual risk assessment that helps organizations prioritize actions based on the actual threat.
VEX and SBOM – A Complete Security Picture
When VEX is combined with an SBOM (Software Bill of Materials), security work becomes even more effective:
- SBOM: Lists every component in the software, with identifiers (such as purl or CPE) that scanners match against vulnerability data. The SBOM alone says only which components are present, so a scan of it reports every CVE ever published against those versions.
- VEX: States, per component and vulnerability, which of those reported findings actually affect the product and which can be dismissed. For this to work, the product identifiers in the VEX statements must match the ones in the SBOM; otherwise the statements never apply.
By working with both formats, you can:
- Prioritize actions: Identify and handle the most critical vulnerabilities first.
- Reduce risk: Get a holistic picture of which threats are real and where to direct efforts.
- Optimize security work: Streamline decision-making and resource allocation based on concrete data.
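Here is an added example (not code from the original page or from any VEX project) of the triage that the status table and the SBOM/VEX combination describe: a Python script that takes scanner findings derived from an SBOM, looks up the applicable VEX statement for each component/vulnerability pair, checks that the statement is well-formed, and splits the findings into those still needing attention and those the VEX document suppresses. The OpenVEX-style document, the purls and the CVE numbers are constructed placeholders, not real packages or advisories; the document shape follows OpenVEX v0.2.0 and the validation rules are the OpenVEX ones (a justification or impact statement on not_affected, an action statement on affected). When two statements cover the same pair, the later timestamp wins, which is how an under_investigation statement gets superseded.

```python
# Apply VEX statements to SBOM-derived scan findings (added example, OpenVEX v0.2.0 shape).
import json
from datetime import datetime

VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {  # machine-readable reasons allowed on not_affected
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary", "inline_mitigations_already_exist",
}
ACTIONABLE = {"affected", "under_investigation"}  # still needs work on the consumer side

# Constructed OpenVEX-style document. Purls and CVE numbers are placeholders,
# not real packages or advisories.
OPENVEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/demo-001",
  "author": "Example Product Security Team",
  "timestamp": "2024-05-01T10:00:00+00:00",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:npm/example-http@1.4.2"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "The vulnerable parser is never reached in this build."},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:npm/example-http@1.4.2"}],
     "status": "under_investigation", "timestamp": "2024-05-01T10:00:00+00:00"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:npm/example-http@1.4.2"}],
     "status": "affected", "timestamp": "2024-05-03T09:30:00+00:00",
     "action_statement": "Upgrade to example-http 1.4.3 or disable the gzip middleware."},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:pypi/example-yaml@5.1"}],
     "status": "fixed", "timestamp": "2024-05-02T08:00:00+00:00"},
    {"vulnerability": {"name": "CVE-0000-0004"},
     "products": [{"@id": "pkg:pypi/example-yaml@5.1"}],
     "status": "not_affected"}
  ]
}""")

# Constructed scanner output: SBOM purls matched against vulnerability data.
FINDINGS = [
    ("pkg:npm/example-http@1.4.2", "CVE-0000-0001"),
    ("pkg:npm/example-http@1.4.2", "CVE-0000-0002"),
    ("pkg:pypi/example-yaml@5.1", "CVE-0000-0003"),
    ("pkg:pypi/example-yaml@5.1", "CVE-0000-0004"),
    ("pkg:pypi/example-yaml@5.1", "CVE-0000-0005"),
]


def validate_statement(stmt):
    """Return the list of problems with a statement (empty means usable). OpenVEX rules:
    known status; not_affected has a justification or impact_statement; affected has an action_statement."""
    problems = []
    status = stmt.get("status")
    if status not in VEX_STATUSES:
        problems.append(f"unknown status {status!r}")
    if status == "not_affected" and not (
        stmt.get("justification") in JUSTIFICATIONS or stmt.get("impact_statement")
    ):
        problems.append("not_affected without justification or impact_statement")
    if status == "affected" and not stmt.get("action_statement"):
        problems.append("affected without action_statement")
    return problems


def resolve_statement(doc, purl, cve):
    """Pick the statement that applies to (purl, cve). If several match, the latest timestamp
    wins; statements without a timestamp inherit the document's. None if the document is silent."""
    best = None
    for stmt in doc["statements"]:
        if stmt.get("vulnerability", {}).get("name") != cve:
            continue
        if not any(p.get("@id") == purl for p in stmt.get("products", [])):
            continue
        ts = datetime.fromisoformat(stmt.get("timestamp", doc["timestamp"]))
        if best is None or ts > best[0]:
            best = (ts, stmt)
    return None if best is None else best[1]


def triage(doc, findings):
    """Split findings into those still needing attention and those the VEX document
    lets you suppress. A malformed statement never suppresses a finding."""
    needs_attention, suppressed = [], []
    for purl, cve in findings:
        stmt = resolve_statement(doc, purl, cve)
        if stmt is None:
            needs_attention.append((purl, cve, "no VEX statement"))
            continue
        problems = validate_statement(stmt)
        if problems:
            needs_attention.append((purl, cve, "invalid statement: " + "; ".join(problems)))
        elif stmt["status"] in ACTIONABLE:
            needs_attention.append((purl, cve, stmt["status"]))
        else:
            suppressed.append((purl, cve, stmt["status"]))
    return needs_attention, suppressed
```

Calling `triage(OPENVEX_DOC, FINDINGS)` leaves three findings on the work list (the superseded under_investigation that became affected, the not_affected statement with no justification, and the CVE the document never mentions) and suppresses two (the justified not_affected and the fixed one). The design choice worth copying is the last one: a finding is only dropped when a well-formed statement explicitly says not_affected or fixed, so a typo in a status or a missing justification fails safe rather than silently hiding a real vulnerability.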
VEX Formats and Initiatives
There are several formats that carry VEX data, for example OpenVEX (a minimal JSON format), CSAF VEX (a profile of the OASIS CSAF 2.0 advisory format) and CycloneDX VEX (VEX carried in the vulnerabilities section of a CycloneDX BOM, either embedded alongside the component list or as a standalone document that references the SBOM).
Together with the tooling for creating, sharing and interpreting VEX statements, these formats contribute to a more transparent and secure software supply chain.