Vulnerability Exploitability eXchange, or VEX, plays a crucial role within the Software Bill of Materials (SBOM) and vulnerability management space.
A VEX document is what the U.S. National Telecommunications and Information Administration (NTIA) describes as a "companion artifact" to an SBOM. VEX allows vendors to clarify when components bearing vulnerabilities can’t be exploited in their product. FACT produces VEX documents to help streamline vulnerability management between vendors and their customers.
VEX helps vendors communicate to customers which vulnerabilities to prioritize and which ones can be safely ignored. Not all vulnerabilities are actually exploitable in any given product. In many cases, a vulnerability may exist in a dependent component, but for the specific product, it either has been mitigated by the vendor development team or is inaccessible to attackers. VEX enables vendors to share that information and help their customers optimize their patching strategy.
There can be thousands of components in a complex industrial control system (ICS) product, and each component can have multiple vulnerabilities listed in the National Vulnerability Database (NVD), which adds up to far more vulnerabilities than can reasonably be addressed. VEX reduces the number of vulnerabilities that asset owners need to patch, helping them focus on the ones that actually pose a risk.
Software vendors generate VEX documents after discovering vulnerabilities in the third-party dependencies of their products and preemptively assessing whether those vulnerabilities are exploitable. Once shared with their customers, VEX eliminates all the manual back-and-forth communication (emails, PDF documents, and phone calls) between product support and concerned customers.
VEX documents are machine readable, allowing complex trees of component relationships to be automatically processed and ingested into patch management solutions at a large scale.
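As an added illustration of that automated processing (example code, not FACT's or the page's own), the script below applies a constructed OpenVEX-style VEX document to a list of SBOM scan findings and keeps only the vulnerabilities the asset owner still has to act on. The OpenVEX field names are assumed from that specification; the CVE identifiers, package URL and vendor name are placeholders.

```python
import json
# Constructed OpenVEX-style VEX document (structure assumed from the OpenVEX
# spec, not taken from the page; CVE ids and package URLs are placeholders).
VEX_JSON = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "author": "Example Vendor PSIRT", "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:generic/plc-firmware@3.2"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:generic/plc-firmware@3.2"}],
     "status": "affected", "action_statement": "Upgrade to firmware 3.3"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:generic/plc-firmware@3.2"}],
     "status": "not_affected"}
  ]
}"""

# Constructed SBOM scan output: (product, CVE) pairs the NVD match flagged.
PRODUCT = "pkg:generic/plc-firmware@3.2"
FINDINGS = [(PRODUCT, f"CVE-0000-000{i}") for i in range(1, 5)]

def triage(findings, vex_text):
    """Return {cve: (decision, reason)}. A finding leaves the patch list only
    for 'fixed' or for 'not_affected' that carries a justification or impact."""
    statements = {}
    for st in json.loads(vex_text)["statements"]:
        for prod in st["products"]:
            statements[(prod["@id"], st["vulnerability"]["name"])] = st
    result = {}
    for product, cve in findings:
        st = statements.get((product, cve))
        if st is None:
            result[cve] = ("patch", "no VEX statement; treat as exploitable")
        elif st["status"] == "fixed":
            result[cve] = ("ignore", "fixed in this product version")
        elif st["status"] == "not_affected":
            why = st.get("justification") or st.get("impact_statement")
            # not_affected without a reason is malformed; do not trust it
            result[cve] = ("ignore", why) if why else ("patch", "unjustified not_affected")
        else:  # affected or under_investigation
            result[cve] = ("patch", st.get("action_statement", st["status"]))
    return result

def patch_list(findings, vex_text):
    """CVEs the asset owner still has to act on after applying the VEX."""
    return sorted(c for c, (d, _) in triage(findings, vex_text).items() if d == "patch")
```

Running `patch_list(FINDINGS, VEX_JSON)` drops only the justified `not_affected` entry; the unjustified one, the `affected` one and the CVE with no statement all remain on the list.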