Explainer

VEX, Explained


A VEX (Vulnerability Exploitability eXchange) statement is a machine-readable note that says, for a given vulnerability in a given product, whether it's actually exploitable, and if not, why. It turns a raw "you contain CVE-X" into "you contain CVE-X, but it's not exploitable because the affected code isn't reached."

Why it exists

The four VEX statuses

Why it matters for you

Standards to know: OpenVEX and CSAF VEX.
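As an added example (not from the original post or from any vendor's tooling), the sketch below shows how a consumer might apply an OpenVEX-shaped document to scanner findings, suppressing a finding only when a statement matches both product and vulnerability and a `not_affected` status carries a reason. The CVE ids, purl, author and document `@id` are constructed placeholders, and the helper names `stmt`, `index_statements` and `triage` are hypothetical.

```python
# Added example: apply an OpenVEX-shaped document to scanner findings.
# Every identifier here (CVE ids, purl, author, @id) is a constructed placeholder.
PRODUCT = "pkg:generic/example-app@1.0.0"

def stmt(cve, status, **extra):
    return {"vulnerability": {"name": cve}, "products": [{"@id": PRODUCT}],
            "status": status, **extra}

VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed-001",
    "author": "Example Vendor (constructed)",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        stmt("CVE-0000-0001", "not_affected",
             justification="vulnerable_code_not_in_execute_path"),
        stmt("CVE-0000-0002", "not_affected"),   # no reason given: must not suppress
        stmt("CVE-0000-0003", "under_investigation"),
    ],
}
# Constructed scanner output: (product, vulnerability) pairs.
FINDINGS = [(PRODUCT, f"CVE-0000-000{n}") for n in range(1, 5)]
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

def index_statements(doc):
    """Map (product, vulnerability) -> statement; later statements win."""
    index = {}
    for st in doc.get("statements", []):
        if st.get("status") not in STATUSES:
            continue  # unknown status: ignore rather than trust
        for product in st.get("products", []):
            index[(product["@id"], st["vulnerability"]["name"])] = st
    return index

def triage(findings, doc):
    """Return {cve: (decision, reason)}; anything not clearly cleared stays open."""
    index, result = index_statements(doc), {}
    for product, cve in findings:
        st = index.get((product, cve))
        if st is None:
            result[cve] = ("open", "no VEX statement")
        elif st["status"] == "fixed":
            result[cve] = ("suppressed", "fixed")
        elif st["status"] == "not_affected":
            why = st.get("justification") or st.get("impact_statement")
            result[cve] = ("suppressed", why) if why else ("open", "not_affected without a reason")
        else:
            result[cve] = ("open", st["status"])
    return result
```

Calling `triage(FINDINGS, VEX_DOC)` leaves three of the four constructed findings open: one has no statement, one is still under investigation, and one claims `not_affected` without saying why.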
