
VEX

Vulnerability Exploitability eXchange

Definition

VEX is a security advisory format that allows software suppliers to communicate whether their products are affected by a given CVE, even if a vulnerable component is present in the SBOM. A VEX statement can assert that a component is not exploitable due to compensating controls, code path analysis, or platform conditions.

VEX reduces alert fatigue from transitive dependency vulnerabilities.
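As an added example (not code from this page or from any VEX tool), the sketch below shows how VEX statements can be applied to scanner findings derived from an SBOM. It assumes the OpenVEX field layout; the CVE ids, package URLs and the `triage` function are constructed for illustration.

```python
import json

# Constructed OpenVEX-style document; CVE ids and purls are placeholders.
VEX_DOC = json.loads("""
{"statements": [
  {"vulnerability": {"name": "CVE-0000-0001"},
   "products": [{"@id": "pkg:generic/example-app@1.0.0"}],
   "status": "not_affected",
   "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": {"name": "CVE-0000-0002"},
   "products": [{"@id": "pkg:generic/example-app@1.0.0"}],
   "status": "not_affected"},
  {"vulnerability": {"name": "CVE-0000-0003"},
   "products": [{"@id": "pkg:generic/other-app@2.0.0"}],
   "status": "not_affected",
   "justification": "component_not_present"}
]}
""")

# Constructed scanner findings for one product, as matched against its SBOM.
PRODUCT = "pkg:generic/example-app@1.0.0"
FINDINGS = [{"product": PRODUCT, "cve": f"CVE-0000-000{n}"} for n in (1, 2, 3, 4)]


def triage(findings, vex_doc):
    """Return (open, suppressed) lists of (cve, reason) tuples."""
    # Index statements by (product id, vulnerability name) for exact matching.
    index = {}
    for st in vex_doc.get("statements", []):
        for prod in st.get("products", []):
            index[(prod["@id"], st["vulnerability"]["name"])] = st

    open_, suppressed = [], []
    for f in findings:
        st = index.get((f["product"], f["cve"]))
        if st is None:
            # No statement for this exact product: the finding stays open.
            open_.append((f["cve"], "no VEX statement for this product"))
        elif st.get("status") != "not_affected":
            open_.append((f["cve"], f"status is {st.get('status')}"))
        elif not (st.get("justification") or st.get("impact_statement")):
            # An unjustified not_affected claim is not accepted as a suppression.
            open_.append((f["cve"], "not_affected without justification"))
        else:
            reason = st.get("justification") or st.get("impact_statement")
            suppressed.append((f["cve"], reason))
    return open_, suppressed


if __name__ == "__main__":
    still_open, hidden = triage(FINDINGS, VEX_DOC)
    print("open:", still_open)
    print("suppressed:", hidden)
```

Only the finding with a justified `not_affected` statement for the exact product is suppressed; a statement written for a different product, or one with no justification, leaves the alert open.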

