
Understanding Vulnerability Exploitability eXchange (VEX)

Published: June 5, 2025 | By: Deepak Venkatesh
Ideal for: Security Leaders, Security Engineers

Vulnerability Exploitability eXchange (VEX) is a structured security advisory designed to help software vendors and users assess the exploitability of known vulnerabilities. Similar to traditional security advisories issued by mature product security teams, VEX allows organizations to focus on vulnerabilities that pose real and immediate risks while avoiding unnecessary efforts on non-exploitable vulnerabilities.

A key goal of VEX is to empower users with actionable insights rather than definitive statements. By leveraging VEX, organizations can make informed decisions about their cybersecurity posture.

Table of Contents

  1. The Role of SBOM in VEX
  2. How VEX Works: A Practical Example
  3. The CSAF Standard for VEX
  4. Standard Formats for SBOMs and VEX
  5. Generating VEX Documents Using Vexy
  6. Conclusion

The Role of SBOM in VEX

To fully grasp how VEX works, it is essential to understand the Software Bill of Materials (SBOM) and its relationship with vulnerable software.

What is SBOM?

An SBOM (Software Bill of Materials) is a comprehensive list of all open-source and third-party components within a software codebase. It functions as a detailed inventory that provides visibility into the components that make up a piece of software. By detailing component versions, licenses, and patch statuses, SBOM enables security teams to assess potential security or licensing risks quickly.

Why is SBOM Important?

With the rise of open-source software, modern applications often contain hundreds of third-party dependencies. This increases the complexity of managing security risks, as vulnerabilities in any of these dependencies could pose a threat to the entire system.

SBOM helps organizations:

  • Improve Security: By identifying all software components, organizations can track vulnerabilities and mitigate risks before they become exploitable.

  • Enhance Compliance: Many regulatory frameworks, such as NIST and ISO 27001, emphasize the need for software transparency. SBOM ensures compliance with security standards.

  • Boost Supply Chain Security: With an SBOM, organizations can trace software origins, helping prevent supply chain attacks by identifying malicious or outdated components.

  • Facilitate Incident Response: In case of a security breach, an SBOM allows teams to quickly locate and address affected components, reducing response times and helping maintain a stronger, more secure software supply chain.

How SBOM and VEX Work Together

SBOM provides visibility into software components, but it does not indicate which vulnerabilities are actually exploitable. This is where VEX comes into play.

  • SBOM identifies potential vulnerabilities: It lists all software dependencies, allowing security teams to check against vulnerability databases.

  • VEX clarifies exploitability: Instead of assuming all vulnerabilities are a threat, VEX documents specify whether a vulnerability is actually exploitable in a particular context.

  • Combined, they optimize security workflows: By using SBOM with VEX, organizations can focus on fixing real risks instead of spending unnecessary effort on non-exploitable vulnerabilities.

A widely used Software Composition Analysis (SCA) tool, such as Black Duck, can generate an SBOM to analyze the security vulnerabilities of a software product.

How VEX Works: A Practical Example

Scenario

Consider an asset owner managing a critical software product within a mission-critical system. To evaluate potential security risks, the asset owner requests the SBOM from the software vendor.

Upon analyzing the SBOM, the asset owner identifies 200 vulnerabilities, some marked as critical in the National Vulnerability Database (NVD). Concerned, the asset owner contacts the vendor for clarification.

Vendor's Response

The vendor’s support team, overwhelmed by similar inquiries, clarifies that while these vulnerabilities exist within components, their actual exploitability depends on how the software was built and compiled. After thorough testing and code reviews, the vendor determines that only 20 of the vulnerabilities are actually exploitable, and all are categorized as low-risk.

Using VEX for Better Decision-Making

With this information, the asset owner:

  • Avoids unnecessary emergency patches for non-exploitable vulnerabilities.

  • Uses the next scheduled maintenance window to address the few low-risk vulnerabilities.

  • Gains clarity on newly discovered vulnerabilities and their real impact by incorporating VEX documents alongside SBOMs.

With VEX, SBOM, and vulnerability assessments combined, the asset owner can quickly assess which vulnerabilities require attention, thereby eliminating unnecessary panic and response efforts.

The CSAF Standard for VEX

VEX documents follow the Common Security Advisory Framework (CSAF), a standardized format for security advisories. CSAF documents contain three main sections:

  1. Document Section – Contains metadata such as timestamps, CSAF version, and author details.

  2. Product Tree – Lists the products assessed for vulnerability exploitability.

  3. Vulnerabilities Section – Provides status details (e.g., affected, not affected, under investigation) for each vulnerability within the product tree.

By leveraging CSAF, asset owners can efficiently determine which products contain truly exploitable vulnerabilities.
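The triage the asset owner performs in the scenario above (dropping SBOM findings the vendor has marked not exploitable) is what the three CSAF sections make mechanical. The following is an added example, not code from the original post or from any VEX tool: it embeds a constructed CSAF VEX document (placeholder CVE ids, product id and tracking id, trimmed of the remediation and threat entries a conformant document would also carry) and filters a scanner's CVE list against it, treating any CVE the vendor has not vouched for as still actionable.

```python
import json
from typing import Dict, List

# Constructed CSAF VEX document for illustration only: the CVE ids, product name
# and tracking id are placeholders, not real advisories. A conformant document
# would also carry remediations/threats for the known_affected entry.
CSAF_VEX = json.loads("""{
  "document": {
    "category": "csaf_vex", "csaf_version": "2.0",
    "title": "VEX for Example Product 1.0",
    "publisher": {"category": "vendor", "name": "Example Vendor", "namespace": "https://vendor.example"},
    "tracking": {"id": "VEX-PLACEHOLDER-0001", "status": "final", "version": "1",
                 "initial_release_date": "2025-06-05T00:00:00Z", "current_release_date": "2025-06-05T00:00:00Z"}
  },
  "product_tree": {"full_product_names": [{"product_id": "CSAFPID-0001", "name": "Example Product 1.0"}]},
  "vulnerabilities": [
    {"cve": "CVE-0000-0001", "product_status": {"known_not_affected": ["CSAFPID-0001"]},
     "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["CSAFPID-0001"]}]},
    {"cve": "CVE-0000-0002", "product_status": {"known_affected": ["CSAFPID-0001"]}},
    {"cve": "CVE-0000-0003", "product_status": {"under_investigation": ["CSAFPID-0001"]}}
  ]
}""")

# Statuses that justify deferring work to a maintenance window; everything else stays actionable.
DEFERRABLE = {"known_not_affected", "fixed"}

def vex_statuses(vex: dict, product_id: str) -> Dict[str, Dict[str, str]]:
    """Return {cve: {"status": ..., "justification": ...}} for one CSAF product id."""
    result: Dict[str, Dict[str, str]] = {}
    for vuln in vex.get("vulnerabilities", []):
        for status, ids in vuln.get("product_status", {}).items():
            if product_id in ids:
                # CSAF "flags" carry the machine-readable reason for a not-affected verdict.
                flags = [f["label"] for f in vuln.get("flags", []) if product_id in f.get("product_ids", [])]
                result[vuln["cve"]] = {"status": status, "justification": flags[0] if flags else ""}
    return result

def triage(findings: List[str], vex: dict, product_id: str) -> Dict[str, List[str]]:
    """Split SBOM scanner findings (CVE ids) into 'act' and 'defer' using the VEX.
    A CVE with no VEX statement is conservatively kept on the action list."""
    statuses = vex_statuses(vex, product_id)
    out: Dict[str, List[str]] = {"act": [], "defer": []}
    for cve in findings:
        status = statuses.get(cve, {}).get("status", "no_vex_statement")
        out["defer" if status in DEFERRABLE else "act"].append(cve)
    return out

if __name__ == "__main__":
    # Constructed scanner output: the raw SBOM match list before VEX is applied.
    print(triage(["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"], CSAF_VEX, "CSAFPID-0001"))
```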

Standard Formats for SBOMs and VEX

There are three standard formats for SBOMs:

  • SPDX

  • CycloneDX

  • SWID

VEX currently follows a single standardized format: CSAF, released by OASIS Open, a non-profit organization dedicated to developing open-source cybersecurity standards. CSAF evolved from the Common Vulnerability Reporting Framework (CVRF) v1.2, first introduced in 2017.

Generating VEX Documents Using Vexy

VEX documents can be generated using Vexy, a tool that produces VEX output in the CycloneDX format. Below are installation and usage instructions:

Installation

# With pip
pip install vexy
# Or with Poetry
poetry add vexy

Alternatively, install Vexy from PyPI.org using a preferred Python package manager.

Usage


$ vexy --help

usage: vexy [-h] -i FILE_PATH [--format {xml,json}] [--schema-version {1.4}] [-o FILE_PATH] [--force] [-X]

Vexy VEX Generator

options:
  -h, --help            Show this help message and exit
  -X                    Enable debug output
  -i FILE_PATH, --in-file FILE_PATH
                        CycloneDX BOM input file (use "-" to read from STDIN).
  --format {xml,json}   Output format (default: xml)
  --schema-version {1.4}
                        CycloneDX schema version (default: 1.4)
  -o FILE_PATH, --output FILE_PATH
                        Output file path (use "-" for STDOUT output)
  --force               Overwrite existing output file if it already exists.

More details on Vexy can be found on PyPI.

Conclusion

VEX plays a crucial role in modern cybersecurity, allowing organizations to efficiently assess and respond to vulnerabilities. By integrating VEX with SBOMs and leveraging the CSAF format, asset owners can focus their security efforts on real threats rather than wasting resources on non-exploitable vulnerabilities.

The use of tools like Vexy simplifies the VEX generation process, ensuring that organizations can seamlessly adopt this methodology for better risk management.

Incorporating VEX into security strategies is not just a best practice—it is a necessity in today’s evolving threat landscape.

Deepak Venkatesh

Blog Author
I’m Deepak Venkatesh, a DevSecOps Engineer from Bengaluru who lives and breathes security automation. I run DAST, SAST, and SCA scans, build secure CI/CD pipelines, and make sure vulnerabilities don’t slip past me. Security isn’t just work—it’s a passion. Let’s connect and make your pipeline bulletproof.
