# Vulnerability Exploitability eXchange (VEX)
The primary use cases for VEX are to provide users (e.g. operators, developers, and services providers) additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.
To reduce effort spent by users investigating non-exploitable vulnerabilities that don’t affect a software product, suppliers can issue a VEX. A VEX is an assertion about the status of a vulnerability in specific products. The status can be:
- Not affected – No remediation is required regarding this vulnerability.
- Affected – Actions are recommended to remediate or address this vulnerability.
- Fixed – Represents that these product versions contain a fix for the vulnerability.
- Under Investigation – It is not yet known whether these product versions are affected by the vulnerability. An update will be provided in a later release.
(Quoted from NTIA VEX One-page Summary)
For the latest updates, please refer to VEX Status Justifications, June 2022.
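The following added example (not from NTIA or any VEX specification) shows how a consumer might apply the four statuses above when triaging scanner findings. The record layout, the bucket names, the `acme-gateway` product, and the `CVE-EXAMPLE-*` identifiers are constructed placeholders, not a real VEX schema such as CSAF, CycloneDX, or OpenVEX.

```python
from collections import defaultdict

# The four statuses listed above, in a simplified spelling chosen for this example.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
NO_ACTION = {"not_affected", "fixed"}  # user can stop investigating these

# Constructed supplier statements: one status per (vulnerability, product, version).
VEX_STATEMENTS = [
    {"vuln": "CVE-EXAMPLE-0001", "product": "acme-gateway", "version": "2.1.0",
     "status": "not_affected"},
    {"vuln": "CVE-EXAMPLE-0002", "product": "acme-gateway", "version": "2.1.0",
     "status": "affected", "action": "Upgrade to 2.1.1"},
    {"vuln": "CVE-EXAMPLE-0002", "product": "acme-gateway", "version": "2.1.1",
     "status": "fixed"},
    {"vuln": "CVE-EXAMPLE-0003", "product": "acme-gateway", "version": "2.1.0",
     "status": "under_investigation"},
]

# Constructed scanner output: (vulnerability, product, version) tuples.
FINDINGS = [
    ("CVE-EXAMPLE-0001", "acme-gateway", "2.1.0"),
    ("CVE-EXAMPLE-0002", "acme-gateway", "2.1.0"),
    ("CVE-EXAMPLE-0003", "acme-gateway", "2.1.0"),
    ("CVE-EXAMPLE-0004", "acme-gateway", "2.1.0"),  # supplier has said nothing
]

def index_statements(statements):
    """Key statements by exact product version; a later statement replaces an earlier one."""
    index = {}
    for s in statements:
        if s["status"] not in STATUSES:
            raise ValueError(f"unknown VEX status: {s['status']!r}")
        index[(s["vuln"], s["product"], s["version"])] = s
    return index

def triage(findings, statements):
    """Sort findings into buckets according to the supplier's VEX status."""
    index = index_statements(statements)
    buckets = defaultdict(list)
    for finding in findings:
        stmt = index.get(finding)
        if stmt is None:
            buckets["no_statement"].append(finding)  # silence is not "not affected"
        elif stmt["status"] in NO_ACTION:
            buckets["suppressed"].append(finding)
        elif stmt["status"] == "affected":
            buckets["remediate"].append((finding, stmt.get("action", "see supplier advisory")))
        else:  # under_investigation: keep visible until the supplier updates
            buckets["pending"].append(finding)
    return dict(buckets)
```

Only findings with an explicit "not affected" or "fixed" statement for the exact product version are suppressed; everything else stays in the analyst's queue.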
## Useful References