VEX Formats Explained
Understand the differences between CycloneDX VEX, OpenVEX, and CSAF formats.
CVEium CIS supports three VEX formats. Each format serves the same purpose — communicating vulnerability exploitability — but with different structures and ecosystems.
CycloneDX VEX
Best for: Organizations already using CycloneDX SBOMs
CycloneDX VEX is an extension of the CycloneDX BOM standard maintained by OASIS. It embeds vulnerability assessments directly into the CycloneDX JSON structure.
- Content type: application/vnd.cyclonedx+json
- File extension: .cdx.vex.json
- Ecosystem: Widely supported by SBOM tools (Syft, Trivy, Dependency-Track)
- Structure: BOM-like format with components, vulnerabilities, and analysis sections
CycloneDX VEX is the most comprehensive format, including full component and vulnerability details alongside your assessments.
OpenVEX
Best for: Lightweight, VEX-focused use cases
OpenVEX is a purpose-built format designed exclusively for VEX data. It is maintained by the OpenVEX community and focuses on simplicity.
- Content type: application/vnd.openvex+json
- File extension: .openvex.json
- Ecosystem: Growing adoption in cloud-native and container ecosystems
- Structure: Flat document with product, vulnerability, and statement entries
OpenVEX documents are typically smaller than CycloneDX VEX because they only contain VEX-relevant data, not the full SBOM structure.
CSAF (Common Security Advisory Framework)
Best for: Organizations requiring OASIS CSAF compliance
CSAF is an OASIS standard for security advisories. It is the most formal format, designed for structured, machine-readable security advisories.
- Content type: application/json
- File extension: .csaf.json
- Ecosystem: Enterprise security advisory platforms, government use
- Structure: Advisory document with product tree, vulnerabilities, threats, and remediations
CSAF is the most detailed format and is recommended by BSI (German Federal Office for Information Security) and used extensively in EU regulatory contexts.
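To make the structural differences between the three formats concrete, here is an added example (not part of CVEium CIS or of any of the specifications) that recognises each format from its top-level markers and flattens the CycloneDX analysis, OpenVEX statement and CSAF product_status/flags structures described above into one common (vulnerability, product, status, justification) view. The sample documents are constructed and trimmed to the fields the code reads, and the mapping of CycloneDX analysis states onto the four VEX statuses is my own assumption.

```python
# Constructed sample documents (not from the page), trimmed to the fields read below; field names follow the public OpenVEX, CycloneDX 1.5 and CSAF 2.0 specifications.
OPENVEX = {"@context": "https://openvex.dev/ns/v0.2.0",
           "statements": [{"vulnerability": {"name": "CVE-2024-0001"},
                           "products": [{"@id": "pkg:npm/left-pad@1.3.0"}],
                           "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}]}
CYCLONEDX = {"bomFormat": "CycloneDX", "specVersion": "1.5",
             "vulnerabilities": [{"id": "CVE-2024-0001", "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}],
                                  "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]}
CSAF = {"document": {"category": "csaf_vex"},
        "product_tree": {"full_product_names": [{"product_id": "CSAFPID-0001", "name": "left-pad 1.3.0",
                         "product_identification_helper": {"purl": "pkg:npm/left-pad@1.3.0"}}]},
        "vulnerabilities": [{"cve": "CVE-2024-0001", "product_status": {"known_not_affected": ["CSAFPID-0001"]},
                             "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["CSAFPID-0001"]}]}]}
# CycloneDX analysis.state values mapped onto the four VEX statuses (my own mapping, an assumption).
CDX_STATE = {"not_affected": "not_affected", "false_positive": "not_affected", "exploitable": "affected",
             "resolved": "fixed", "resolved_with_pedigree": "fixed", "in_triage": "under_investigation"}
# CSAF product_status keys that carry VEX status information.
CSAF_STATUS = {"known_not_affected": "not_affected", "known_affected": "affected", "fixed": "fixed", "under_investigation": "under_investigation"}

def detect_format(doc):
    """Identify the format from its top-level markers; None if it is none of the three."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "openvex" in str(doc.get("@context", "")):
        return "openvex"
    if "document" in doc and "product_tree" in doc:
        return "csaf"

def normalize(doc):
    """Flatten any of the three formats into (vuln_id, product_ref, vex_status, justification) tuples."""
    fmt, out = detect_format(doc), []
    if fmt == "openvex":
        for s in doc["statements"]:
            for p in s["products"]:
                out.append((s["vulnerability"]["name"], p["@id"], s["status"], s.get("justification")))
    elif fmt == "cyclonedx":
        for v in doc.get("vulnerabilities", []):
            a = v.get("analysis", {})
            for t in v.get("affects", []):
                out.append((v["id"], t["ref"], CDX_STATE.get(a.get("state"), "under_investigation"), a.get("justification")))
    elif fmt == "csaf":
        # CSAF refers to products by opaque product_id; resolve them back to purls via the product tree.
        purl = {p["product_id"]: p.get("product_identification_helper", {}).get("purl", p["product_id"])
                for p in doc["product_tree"].get("full_product_names", [])}
        for v in doc.get("vulnerabilities", []):
            flags = {pid: f["label"] for f in v.get("flags", []) for pid in f.get("product_ids", [])}
            for key, status in CSAF_STATUS.items():
                for pid in v.get("product_status", {}).get(key, []):
                    out.append((v["cve"], purl.get(pid, pid), status, flags.get(pid)))
    else:
        raise ValueError("unrecognised VEX format")
    return out
```

Run against the three constructed documents, all of them collapse to the same not_affected assertion for the same purl, which is the point: the exploitability claim is identical, only the container differs.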
Which format should you use?
| Consideration | Recommended format |
|---|---|
| Your SBOMs are CycloneDX | CycloneDX VEX |
| You want the simplest format | OpenVEX |
| Your consumers require CSAF | CSAF |
| EU CRA compliance | CSAF or CycloneDX VEX |
| US EO 14028 compliance | Any format (no format mandate) |
| Maximum tool compatibility | CycloneDX VEX |
You can generate VEX documents in multiple formats for the same release if your downstream users have different requirements.