Don't waste time searching the internet for vulnerability information: let the FACT platform do the searching for you.
FACT automatically checks each file and all of its subcomponents against both vulnerability databases and advisories published on vendor websites. When a potential match is found, FACT adds the vulnerability to the parent file as a suggested association.
Each vulnerability associated with a file can negatively impact its trust score.
FACT uses Artificial Intelligence (AI), specifically Machine Learning (ML) and Natural Language Processing (NLP), to perform the extraordinarily difficult task of linking vulnerabilities to products.
Vulnerability Exploitability eXchange or VEX plays a crucial role within the Software Bill of Materials (SBOM) and vulnerability management space.
A VEX document is what the US National Telecommunications and Information Administration (NTIA) describes as a "companion artifact" to an SBOM. VEX allows vendors to clarify when components bearing vulnerabilities can’t be exploited in their product. FACT produces VEX documents to help streamline vulnerability management between vendors and their customers.
VEX helps vendors communicate to customers which vulnerabilities to prioritize and which ones can be safely ignored. Not all vulnerabilities are actually exploitable in any given product. In many cases, a vulnerability may exist in a dependent component, but for the specific product, it either has been mitigated by the vendor development team or is inaccessible to attackers. VEX enables vendors to share that information and help their customers optimize their patching strategy.
There can be thousands of components in complex ICS products and each component can have multiple vulnerabilities listed in the National Vulnerability Database (NVD), all resulting in too many vulnerabilities to reasonably address. VEX reduces the number of vulnerabilities that asset owners need to patch, helping them focus on the ones that actually pose a risk.
Software vendors generate VEX documents to record the vulnerabilities discovered within the third-party dependencies of their products and to preemptively assess the exploitability of those vulnerabilities. Once shared with their customers, VEX eliminates all the manual back-and-forth communication – emails, PDF documents, and phone calls – between product support and concerned customers.
VEX documents are machine readable, allowing complex trees of component relationships to be automatically processed and ingested into patch management solutions at a large scale.
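As an added illustration of that machine-readable processing (example code written for this page, not FACT's own), the snippet below joins a constructed list of SBOM scan findings with a constructed vendor VEX document and splits them into the findings an asset owner still has to act on and those the vendor has declared not affected or fixed. The statement layout (vulnerability name, product ids, status, justification) is modeled on OpenVEX as an assumption, and the CVE identifiers are placeholders.

```python
import json

# Constructed sample: vulnerabilities that an SBOM scan matched to two
# components of a hypothetical product (placeholder CVE ids, not real ones).
SCAN_FINDINGS = [
    {"component": "pkg:generic/libfoo@1.2.3", "vuln": "CVE-0000-0001"},
    {"component": "pkg:generic/libfoo@1.2.3", "vuln": "CVE-0000-0002"},
    {"component": "pkg:generic/libbar@4.5.6", "vuln": "CVE-0000-0003"},
    {"component": "pkg:generic/libbar@4.5.6", "vuln": "CVE-0000-0004"},
]

# Constructed vendor VEX document; the statement shape (vulnerability name,
# product ids, status, justification) follows OpenVEX as an assumption.
VEX_JSON = """
{"statements": [
  {"vulnerability": {"name": "CVE-0000-0001"},
   "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
   "status": "not_affected",
   "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": {"name": "CVE-0000-0002"},
   "products": [{"@id": "pkg:generic/libfoo@1.2.3"}],
   "status": "affected"},
  {"vulnerability": {"name": "CVE-0000-0003"},
   "products": [{"@id": "pkg:generic/libbar@4.5.6"}],
   "status": "fixed"}
]}
"""
VEX_DOC = json.loads(VEX_JSON)

# Statuses that mean the finding still needs action from the asset owner.
ACTIONABLE = {"affected", "under_investigation"}

def index_vex(vex_doc):
    """Map (component id, vulnerability id) -> VEX status."""
    statuses = {}
    for stmt in vex_doc["statements"]:
        for product in stmt["products"]:
            statuses[(product["@id"], stmt["vulnerability"]["name"])] = stmt["status"]
    return statuses

def prioritize(findings, vex_doc):
    """Split scan findings into 'patch' and 'ignore' using the vendor's VEX.
    A finding with no VEX statement stays actionable: unknown is not safe."""
    statuses = index_vex(vex_doc)
    result = {"patch": [], "ignore": []}
    for f in findings:
        status = statuses.get((f["component"], f["vuln"]), "under_investigation")
        bucket = "patch" if status in ACTIONABLE else "ignore"
        result[bucket].append({**f, "status": status})
    return result
```

Calling `prioritize(SCAN_FINDINGS, VEX_DOC)` leaves only the finding the vendor marked affected and the one the VEX does not mention in the patch list.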