Disposition Workflow
Learn the four disposition statuses and when to use each one.
Each vulnerability in your release must be assigned a disposition that describes how it affects your product. These dispositions are recorded in the VEX document you publish.
Affected
Use Affected when the vulnerability genuinely impacts your product and requires remediation.
When to use:
- The vulnerable code path is reachable in your product
- The vulnerability can be triggered by end users or external input
- No mitigation is currently in place
You should provide an action statement describing what remediation steps are planned or in progress.
Not Affected
Use Not Affected when the vulnerability exists in a component you use but does not impact your product.
When to use:
- The vulnerable code path is not reachable in your product
- The vulnerable feature is disabled or not configured
- Your product's architecture prevents exploitation
- The component is only used during development, not in production
You should provide a justification explaining why the vulnerability does not affect your product.
Fixed
Use Fixed when the vulnerability has been remediated in this specific release.
When to use:
- You upgraded the affected component to a patched version
- You applied a security patch to the component
- You implemented a workaround that eliminates the vulnerability
You should provide an action statement describing what fix was applied.
Under Investigation
Use Under Investigation when you are still evaluating the vulnerability's impact.
When to use:
- You need more time to assess the vulnerability
- You are waiting for vendor guidance
- The impact analysis is in progress
Vulnerabilities marked "Under Investigation" block VEX document generation. You must resolve them to one of the other three statuses before proceeding.
Decision guide
When evaluating a vulnerability, consider:
- Is the vulnerable component used in production? If it is only used in development or testing, the status is likely Not Affected.
- Is the vulnerable code path reachable? If the vulnerable function is never called, the status is likely Not Affected.
- Has the component been patched? If you are using a fixed version, mark as Fixed.
- Can the vulnerability be exploited in your context? Consider your deployment environment, network configuration, and access controls.
- Are you still evaluating? Use Under Investigation temporarily, but resolve it before generating VEX.
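The rules above (a justification for Not Affected, an action statement for Affected and Fixed, and Under Investigation blocking generation) can be enforced before a VEX document is emitted. The following is an added example, not the product's own code; it assumes an OpenVEX-style statement shape, a constructed product identifier, and placeholder vulnerability ids.

```python
import json
from dataclasses import dataclass

# Status names follow OpenVEX (assumed output shape; the page shows no format).
AFFECTED, NOT_AFFECTED, FIXED, UNDER_INVESTIGATION = (
    "affected", "not_affected", "fixed", "under_investigation")
PRODUCT = "pkg:generic/example-app@1.0.0"  # constructed product identifier

@dataclass
class Disposition:
    vuln_id: str                 # vulnerability identifier
    status: str                  # one of the four statuses above
    justification: str = ""      # required for not_affected
    action_statement: str = ""   # required for affected and fixed

def validate(d: Disposition) -> list:
    """Return the rule violations for one disposition; [] means it is valid."""
    if d.status not in (AFFECTED, NOT_AFFECTED, FIXED, UNDER_INVESTIGATION):
        return [f"{d.vuln_id}: unknown status {d.status!r}"]
    if d.status == UNDER_INVESTIGATION:
        return [f"{d.vuln_id}: under investigation; resolve before generating VEX"]
    if d.status == NOT_AFFECTED and not d.justification:
        return [f"{d.vuln_id}: not_affected requires a justification"]
    if d.status in (AFFECTED, FIXED) and not d.action_statement:
        return [f"{d.vuln_id}: {d.status} requires an action statement"]
    return []

def build_vex(dispositions: list) -> dict:
    """Emit an OpenVEX-style document, or raise if any disposition blocks generation."""
    problems = [e for d in dispositions for e in validate(d)]
    if problems:
        raise ValueError("; ".join(problems))
    statements = []
    for d in dispositions:
        stmt = {"vulnerability": {"name": d.vuln_id},
                "products": [{"@id": PRODUCT}], "status": d.status}
        if d.justification:
            stmt["justification"] = d.justification
        if d.action_statement:
            stmt["action_statement"] = d.action_statement
        statements.append(stmt)
    return {"@context": "https://openvex.dev/ns/v0.2.0", "statements": statements}

# Constructed sample with placeholder identifiers (not real CVEs).
SAMPLE = [
    Disposition("CVE-0000-0001", NOT_AFFECTED, justification="vulnerable_code_not_in_execute_path"),
    Disposition("CVE-0000-0002", FIXED, action_statement="Upgraded component to patched release"),
]
print(json.dumps(build_vex(SAMPLE), indent=2))
```

Adding an Under Investigation disposition to the list makes `build_vex` raise, mirroring the page's rule that such entries block generation.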