Vulnerability Exploitability eXchange or VEX is a mechanism designed to help organizations more efficiently assess and manage vulnerabilities in their software. VEX is championed by the United States National Telecommunications and Information Administration (NTIA) and supported by the Cybersecurity Infrastructure Security Agency (CISA). The goal of VEX is to improve the ability of an organization to identify and mitigate critical security threats. VEX can be viewed as a companion tool to the now-popular Software Bill of Material (SBOM) tool. However, it can be used independently of an SBOM.
Up until today, VEX has been a concept the industry has invested time debating and building minimum requirements around. With the release of OpenVEX, organizations can now put VEX into practice.
OpenVEX is complementary to SBOMs, allowing suppliers to communicate precise metadata about the vulnerability status of products directly to consumers and end users. OpenVEX was developed in collaboration with CISA’s VEX Working Group, and is the first format to meet the VEX Minimum Requirements. Chainguard has also put OpenVEX into production in its Wolfi Linux (un)distribution and Chainguard Images product, proving its functionality end-to-end.
As veteran CISO Phil Venables puts it, initially increased transparency can often lead to an “uncanny valley” as users become aware of many minor problems they had no idea existed before. Lacking context, these minor problems can appear much larger than they are, leading folks to assume things have gotten worse. The movement to provide SBOMs will dramatically increase transparency throughout the software supply chain. Forward-thinking organizations have realized that while transparency is great, noise in the vulnerability ecosystem will hamper adoption and usefulness of SBOMs.
The OpenVEX specification provides the missing piece, allowing suppliers to communicate precise, actionable metadata to improve the signal to noise ratio for consumers of their software. OpenVEX makes it easy for software producers to accurately describe their artifacts’ exploitability. And, just as importantly, OpenVEX makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns, and less time wading through erroneous findings. OpenVEX encodes learnings of false positives and enables consumers to prioritize vulnerability reports much more effectively.
There are several ways to get started today with OpenVEX:
Just like with SBOM, VEX requires the industry to come together to build formats and tooling that work and can be easily integrated into existing development practices. That is why OpenVEX is being released and maintained out in the open. Here are some key takeaways from OpenVEX maintainers and end users:
“Managing vulnerability sprawl in software distributions is a significant challenge, as each vulnerability has to be researched by security teams to determine whether they are applicable to the versions present in the software distribution. The launch of OpenVEX allows all stakeholders, from the upstream developer, to distributions and end users, to collaborate together on vulnerability remediation anywhere software is consumed, simplifying the remediation process for everybody.” Ariadne Conill, software engineer, Chainguard.
“We're excited about the new VEX specification, the launch of OpenVEX, and what this means in aiding automation for vulnerability remediation. By integrating with OpenVEX Grype will be able to natively filter results based on the body of available VEX documents, saving users time.” Alex Goodman, software engineer, Anchore
"When used in tandem, VEX and SBOM have the potential to dramatically improve the security of an organization's software supply chain. As an end-user responsible for implementing solutions that secure our software supply chain, I often look to community efforts that show collaborative support because I know they can be trusted to deliver the best outcomes. OpenVEX is one of those projects that gives me hope we are getting to a better place both for vulnerability management but also solving some of the biggest challenges facing the production of quality SBOMs." - Tim Pletcher, Research Engineer, Office of the Security CTO, Hewlett Packard Enterprise
"OpenVEX is a powerful tool that brings transparency and automation to software security. It allows for an accurate understanding of the applicability of vulnerability findings to software products, reducing false positive alerts and increasing the efficiency of security scans. At TestifySec, we recognize the importance of VEX in the software security ecosystem and we plan to support it in our products to provide our users with the most accurate understanding of the security status of their software." - Cole Kennedy, CEO, TestifySec
"We have made significant progress in the last few years laying the groundwork for concepts like SBOM and VEX, but implementing them to drive adoption is the next step. To get them to be ubiquitous, we need standardization. Organizations coming together to champion and refine one specification, such as OpenVEX, is a going to yield a much more robust solution over time than those who choose to go at it alone and introduce multiple options into an already diluted domain." Kate Stewart, Vice President, Dependable Embedded Systems, Linux Foundation
At Chainguard, we are working to build tooling out in the open that makes it easier to generate SBOMs and VEX statements. We believe that these are key pillars to securing the software supply chain. If you are interested in learning more about OpenVEX or would like to get involved with the project, please reach out. We are always looking for ways to improve and welcome any feedback.