What is VEX?
VEX stands for Vulnerability Exploitability eXchange.
It is a concept proposed by the National Telecommunications and Information Administration (NTIA) as a form of security advisory that allows software publishers and suppliers to indicate whether a product (or products) is affected by a known software vulnerability.
By creating and sharing VEX documents, software authors can effectively respond to vulnerability announcement with details on applicability and status in a sane and trusted manner.
VEX documents are intended to be machine readable. This opens the door for automation and integration opportunities that can help preserve the sanity of security and software professionals across the board.
What is a VEX document?
VEX documents are meant to tie together a product (or product family) with one or more vulnerabilities (CVEs).
VEX documents must contain metadata information, product details, vulnerability details, and product status. They also allow for the sharing of remediation guidance that may be critical in securing dependent products quickly.
VEX documents require status information about one or more vulnerabilities within the scope of a product or product family. Possible statuses include:
- Not Affected (no remediation is required)
- Affected (actions are recommended to address)
- Fixed (these versions include a fix)
- Under Investigation
How can VEX help?
It is often estimated that over 90% of vulnerability alerts are false positives or do not require remediation for various reasons.
Most security tools flag software based purely on direct and transitive dependencies which can result in a lot of noise.
It is common for a product that relies on a vulnerable dependency (directly or transitively) to not be affected by that vulnerability despite what security tools might indicate.
Industry-wide adoption and usage of VEX documents has the potential to save billions of dollars and countless hours annually on false positive elimination alone.
By eliminating false positives, software teams can better focus on issues and vulnerabilities that truly matter that previously risked being lost in the noise.
How can VEX documents be used?
Who can issue VEX information?
The VEX specification does not limit who may issue VEX information. Some common examples may include:
- Supplier - provider of a product, software package, library, or component. Could be original developer, a downstream commercial user, or a third party that repackages the software as a component or dependency of another product. Suppliers can issue VEX information to inform their users or customers about the status of a vulnerability in a given product.
- Researcher - individuals or organizations that conduct security research around discovering potential vulnerabilities. This can include individual security researchers, academics, bug bounty hunters, or commercial security companies. Researchers could use VEX to report vulnerabilities to suppliers or to publish that status of their findings.
- Security Tools - vulnerability detection and management tools may consume or even produce VEX information in semi or fully automated manners. This can be especially useful in the trivial case of detecting and ignoring false positives.
- Other Parties - examples include regulators, reviewers, service providers, individual developers, software users, auditors, distributors, and more.
When could VEX information be issued?
The publishing of VEX information may be driven by a variety of situations or events. The document specification does not define or limit these situations. Potentially common examples may include:
- Upstream vulnerability discovery
- Significant public attention
- Active vulnerability exploitation
- Status changes and updates
- Vulnerability disclosure
- With legal obligations
What does a VEX document look like?
An example VEX document
{
"to": "do"
}Conclusion
VEX is a critical component in cybersecurity, providing a standardized method to communicate the exploitability of vulnerabilities in products and systems.
VEX documents are pivotal for developers, security professionals, and software vendors as they offer clear and concise information regarding the status of known vulnerabilities and whether they are exploitable in a particular product or system. This transparency is essential for effective risk management and cybersecurity defense strategies.
VEX serves as a powerful tool to strengthen cybersecurity measures across various digital infrastructures. By providing detailed exploitability information, VEX documents allow organizations to prioritize true vulnerabilities, support risk assessment, facilitate communication, and accelerate response times.