If you ship software that includes open-source dependencies — and virtually all software does — your users face a flood of CVE alerts every time a vulnerability is published in any component you include. The problem is that most of these CVEs do not actually affect your product.
This is where VEX comes in.
The alert fatigue problem
When a CVE is published for a library like lodash or openssl, every product that includes that library gets flagged. Security scanners do not know whether the vulnerable code path is reachable in your specific context. The result: organizations waste time investigating vulnerabilities that pose no real risk.
A recent study found that over 80% of CVE alerts from container scanning are false positives in context — the vulnerability exists in the component, but the affected function is never called.
What VEX solves
A Vulnerability Exploitability eXchange (VEX) document communicates your assessment of each vulnerability:
- Not Affected: "Yes, we include this library, but the vulnerable function is not reachable in our product."
- Affected: "This vulnerability impacts our product. We are working on a fix."
- Fixed: "This vulnerability was remediated in this release."
This transforms the vulnerability conversation from "this CVE exists somewhere in your dependency tree" to "here is exactly how this CVE affects (or does not affect) our product."
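The three statuses above, written out as an OpenVEX document and then applied to a scanner's findings. This is an added example, not CVEium's code or part of the original post; the OpenVEX v0.2.0 field names and justification labels are real, while the product purl, CVE ids, component versions and triage decisions are constructed for illustration.

```python
from datetime import datetime, timezone

PRODUCT = "pkg:oci/example-app@sha256:placeholder"  # constructed product purl
# Constructed scanner output: (CVE id, matched component purl); the last is untriaged
FINDINGS = [("CVE-0000-0001", "pkg:npm/lodash@4.17.20"),
            ("CVE-0000-0002", "pkg:generic/openssl@1.1.1k"),
            ("CVE-0000-0003", "pkg:npm/lodash@4.17.20"),
            ("CVE-0000-0004", "pkg:npm/minimist@1.2.5")]
# Constructed triage decisions covering the three statuses described above
TRIAGE = {
    "CVE-0000-0001": {"status": "not_affected",
                      "justification": "vulnerable_code_not_in_execute_path",
                      "impact_statement": "lodash.template is never called."},
    "CVE-0000-0002": {"status": "affected",
                      "action_statement": "Fix ships in 2.1.0; disable renegotiation until then."},
    "CVE-0000-0003": {"status": "fixed"},
}
# Justification labels defined by the OpenVEX specification
JUSTIFICATIONS = {"component_not_present", "vulnerable_code_not_present",
                  "vulnerable_code_not_in_execute_path",
                  "vulnerable_code_cannot_be_controlled_by_adversary",
                  "inline_mitigations_already_exist"}

def build_openvex(product, triage, author, doc_id):
    """Turn triage decisions into an OpenVEX document, rejecting malformed statements."""
    statements = []
    for cve, d in sorted(triage.items()):
        if d["status"] == "not_affected":
            # A not_affected claim must say why, so consumers can audit the suppression
            j = d.get("justification")
            if j is None and "impact_statement" not in d:
                raise ValueError(f"{cve}: not_affected needs a justification")
            if j is not None and j not in JUSTIFICATIONS:
                raise ValueError(f"{cve}: unknown justification {j!r}")
        if d["status"] == "affected" and "action_statement" not in d:
            raise ValueError(f"{cve}: affected needs an action_statement")
        statements.append({"vulnerability": {"name": cve},
                           "products": [{"@id": product}], **d})
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": doc_id,
            "author": author, "version": 1,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "statements": statements}

def actionable(findings, vex, product):
    """Apply the VEX to scanner findings: drop not_affected/fixed, keep the rest."""
    status = {s["vulnerability"]["name"]: s["status"] for s in vex["statements"]
              if any(p["@id"] == product for p in s["products"])}
    return [(cve, comp, status.get(cve, "under_investigation"))  # untriaged stays visible
            for cve, comp in findings
            if status.get(cve) not in ("not_affected", "fixed")]
```

Only the affected CVE and the untriaged one survive the filter; a not_affected statement without a justification or impact statement is rejected rather than silently suppressing the alert.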
VEX and the regulatory landscape
VEX is not just a best practice — it is becoming a regulatory expectation:
- The EU Cyber Resilience Act requires manufacturers to communicate vulnerability information to downstream users in a timely manner
- US Executive Order 14028 established the foundation for SBOM and VEX requirements for federal vendors
- CISA has published guidance recommending VEX as the standard mechanism for communicating vulnerability exploitability
Getting started with VEX
CVEium CIS automates the VEX workflow: upload your SBOM, triage matched vulnerabilities, and generate VEX documents in CycloneDX, OpenVEX, or CSAF format. The approval workflow ensures documents are reviewed before publication, and the public API makes disclosures machine-readable for automated consumption.
The shift from "scan and alert" to "scan, assess, and communicate" is the future of software supply chain security. VEX is the standard that makes it possible.