Vulnerability Exploitability eXchange (VEX)

The primary use cases for VEX are to provide users (e.g. operators, developers, and services providers) additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.

To reduce effort spent by users investigating non-exploitable vulnerabilities that don’t affect a software product, suppliers can issue a VEX. A VEX is an assertion about the status of a vulnerability in specific products. The status can be:

  • Not affected – No remediation is required regarding this vulnerability.

  • Affected – Actions are recommended to remediate or address this vulnerability.

  • Fixed – Represents that these product versions contain a fix for the vulnerability.

  • Under Investigation – It is not yet known whether these product versions are affected by the vulnerability. An update will be provided in a later release.

(Quoted from NTIA VEX One-page Summary)

For the latest updates, please refer to VEX Status Justifications, June 2022.
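The sketch below is an added example, not part of the NTIA summary, showing how a consumer might use the four statuses to triage scanner findings. The statement layout is a simplified, constructed structure rather than any real VEX encoding, and the action names and the "latest statement wins" rule are assumptions.

```python
from datetime import date

# Status values as listed above; the mapping to triage actions is an assumption.
ACTION = {"not_affected": "suppress", "fixed": "suppress",
          "affected": "remediate", "under_investigation": "track"}

def triage(findings, statements):
    """Map each (product, version, vuln) scanner finding to a triage action."""
    latest = {}
    for s in statements:
        if s["status"] not in ACTION:
            raise ValueError(f"unknown VEX status: {s['status']!r}")
        # A statement covers only the product versions it names.
        for version in s["versions"]:
            key = (s["product"], version, s["vuln"])
            # A later statement supersedes an earlier one for the same key.
            if key not in latest or s["issued"] > latest[key]["issued"]:
                latest[key] = s
    result = {}
    for f in findings:
        s = latest.get(tuple(f))
        # No statement is not the same as "not affected": investigate manually.
        result[tuple(f)] = ACTION[s["status"]] if s else "investigate"
    return result

# Constructed sample data (placeholder product name and vulnerability ids).
STATEMENTS = [
    {"product": "example-app", "versions": ["1.0", "1.1"], "vuln": "VULN-0001",
     "status": "under_investigation", "issued": date(2022, 6, 1)},
    {"product": "example-app", "versions": ["1.0"], "vuln": "VULN-0001",
     "status": "not_affected", "issued": date(2022, 6, 10)},
    {"product": "example-app", "versions": ["1.1"], "vuln": "VULN-0002",
     "status": "affected", "issued": date(2022, 6, 5)},
    {"product": "example-app", "versions": ["1.2"], "vuln": "VULN-0002",
     "status": "fixed", "issued": date(2022, 6, 5)},
]
FINDINGS = [
    ("example-app", "1.0", "VULN-0001"),
    ("example-app", "1.1", "VULN-0001"),
    ("example-app", "1.1", "VULN-0002"),
    ("example-app", "1.2", "VULN-0002"),
    ("example-app", "1.2", "VULN-0003"),
]

if __name__ == "__main__":
    for key, action in triage(FINDINGS, STATEMENTS).items():
        print(*key, "->", action)
```

Only findings with a current Not affected or Fixed statement for the exact product version are suppressed; everything else stays in the work queue.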

## Useful References