
How to write a VEX (and why your SBOM needs one)

VEX · 6-min read · updated June 2026

An SBOM tells people what's inside your software. A VEX tells them what actually matters — which of those components' vulnerabilities are exploitable in your product, and which are noise.

The statuses

  • Affected: the vulnerability is exploitable in your product; remediation or a workaround is needed. (CycloneDX analysis.state: exploitable)
  • Not affected: the vulnerable component is present, but the vulnerability cannot be exploited in your product; requires a machine-readable justification. (CycloneDX analysis.state: not_affected)
  • Fixed: you have already remediated it in this version. (CycloneDX analysis.state: resolved)
  • Under investigation: you have not yet determined impact; say so rather than omit the finding. (CycloneDX analysis.state: in_triage)

"Not affected" justifications

  • Code not present / code not reachable: the vulnerable function is not in your build, or is in the build but cannot execute from any input you accept (CycloneDX: code_not_present, code_not_reachable).
  • Requires configuration / dependency / environment: the vulnerability only triggers under a setting, an optional dependency or a runtime environment your product does not have (CycloneDX: requires_configuration, requires_dependency, requires_environment).
  • Inline mitigation already exists: a compensating control such as a compiler hardening, a runtime protection, a perimeter filter or another mitigating control neutralises it (CycloneDX: protected_by_compiler, protected_at_runtime, protected_at_perimeter, protected_by_mitigating_control).

A justification is a claim about your product, not about the component in isolation, and it stops being true when the code or configuration it relies on changes; re-check "not affected" verdicts whenever the affected component or the call path around it is touched.

A simple authoring workflow

1. Scan the SBOM. Match each component identifier (purl, CPE, or name and version) against vulnerability databases and list every (component, vulnerability) pair the scanner reports.

2. Decide a status and justification. For each finding, record Affected, Not affected, Fixed or Under investigation, with a reason. A Not affected verdict needs one of the defined justifications, stated for your product rather than for the component alone; a finding you have not yet assessed is recorded as Under investigation, not dropped.

3. Export CycloneDX VEX. Write the verdicts as CycloneDX vulnerabilities entries, each with an analysis block (state, justification, response, detail), either embedded in the SBOM or as a standalone VEX that references the SBOM's components, and share it with customers, auditors and tools that can ingest it automatically.
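The three steps above, carried through end to end in an added example that is not code from this page or from IsItPatched. The SBOM fragment, the finding identifiers (EXAMPLE-000x) and the decisions are constructed so the script runs offline; a real run would use the CVE or GHSA ids your scanner returns. The CycloneDX field names (vulnerabilities[].analysis.state / justification / response / detail, affects[].ref written as a BOM-Link) are the schema's own; the author name and scanner name are placeholders.

```python
"""Author a CycloneDX VEX from scanner findings plus per-finding decisions.

Added example, not code from this page or from IsItPatched. SBOM, findings
and decisions are constructed; "example-vendor-psirt" and
"constructed-scanner" are placeholder names.
"""
import json
import uuid
from datetime import datetime, timezone

# Guide statuses -> CycloneDX analysis.state enumeration.
STATE_MAP = {
    "Affected": "exploitable",
    "Not affected": "not_affected",
    "Fixed": "resolved",
    "Under investigation": "in_triage",
}

# CycloneDX analysis.justification enumeration; a "not_affected" verdict must
# carry one of these or ingesting tools cannot act on it.
JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable",
    "requires_configuration", "requires_dependency", "requires_environment",
    "protected_by_compiler", "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}

# Constructed SBOM fragment: the product and two of its components.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "parser", "name": "example-parser",
         "version": "1.2.3", "purl": "pkg:pypi/example-parser@1.2.3"},
        {"type": "library", "bom-ref": "widget", "name": "example-widget",
         "version": "4.0.1", "purl": "pkg:npm/example-widget@4.0.1"},
    ],
}

# Step 1, constructed scanner output: (vulnerability id, bom-ref of the hit component).
FINDINGS = [("EXAMPLE-0001", "parser"), ("EXAMPLE-0002", "parser"), ("EXAMPLE-0003", "widget")]

# Step 2: one decision per finding. EXAMPLE-0003 is deliberately left undecided
# to show that it still receives an explicit in_triage verdict.
DECISIONS = {
    ("EXAMPLE-0001", "parser"): {
        "status": "Not affected", "justification": "code_not_reachable",
        "detail": "Only the JSON entry point is called; the vulnerable XML path is never invoked.",
    },
    ("EXAMPLE-0002", "parser"): {
        "status": "Affected", "response": ["update"],
        "detail": "Fixed by upgrading example-parser; ships in 2.3.1.",
    },
}


def bom_link(sbom, bom_ref):
    """BOM-Link (urn:cdx:<serial uuid>/<version>#<bom-ref>): lets a standalone
    VEX point unambiguously at one component of one specific SBOM."""
    serial = sbom["serialNumber"].removeprefix("urn:uuid:")
    return f"urn:cdx:{serial}/{sbom['version']}#{bom_ref}"


def make_vex(sbom, findings, decisions, author="example-vendor-psirt"):
    """Step 3: build the CycloneDX VEX document (as a dict) covering every finding."""
    refs = {c["bom-ref"] for c in sbom["components"]}
    vulns = []
    for vuln_id, ref in findings:
        if ref not in refs:
            raise ValueError(f"{vuln_id}: {ref!r} is not a component of this SBOM")
        decision = decisions.get((vuln_id, ref), {})
        state = STATE_MAP[decision.get("status", "Under investigation")]
        analysis = {"state": state}
        if state == "not_affected":
            justification = decision.get("justification")
            if justification not in JUSTIFICATIONS:
                raise ValueError(f"{vuln_id}: not_affected requires a CycloneDX justification, got {justification!r}")
            analysis["justification"] = justification
        for key in ("detail", "response"):
            if decision.get(key):
                analysis[key] = decision[key]
        vulns.append({
            "id": vuln_id,
            "source": {"name": "constructed-scanner"},
            "analysis": analysis,
            "affects": [{"ref": bom_link(sbom, ref)}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "authors": [{"name": author}],
            "component": sbom["metadata"]["component"],
        },
        "vulnerabilities": vulns,
    }


def summarize(vex):
    """Count verdicts by state, e.g. to see how many findings are still in_triage."""
    counts = {}
    for v in vex["vulnerabilities"]:
        counts[v["analysis"]["state"]] = counts.get(v["analysis"]["state"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(make_vex(SBOM, FINDINGS, DECISIONS), indent=2))
```

Two design choices matter here. Every finding the scanner produced appears in the output, and an unassessed one is emitted as in_triage rather than silently dropped, so a recipient can tell "not yet looked at" from "not present". And a Not affected verdict without a schema justification is rejected at authoring time, because a free-text reason is exactly what downstream tooling cannot act on.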

Why it pays off: coordinated vulnerability handling under the EU Cyber Resilience Act (CRA) and US federal guidance such as CISA's VEX documents increasingly expects you to communicate exploitability, not just a component list. VEX is the standard, machine-readable way to say it.

Frequently asked questions

What is a VEX?

A Vulnerability Exploitability eXchange (VEX) is a machine-readable statement of which vulnerabilities in your components actually affect your product, and why, so that recipients and their tooling can suppress the rest automatically.

Why does an SBOM need a VEX?

An honest SBOM lists components that may carry known CVEs which are not actually exploitable in your product. Without a VEX, recipients chase false positives; a VEX records your assessment so they focus on what matters.

What are the VEX statuses?

Typically Affected, Not affected, Fixed and Under investigation, the minimum set in CISA's VEX guidance; CycloneDX spells them exploitable, not_affected, resolved and in_triage. A "Not affected" must carry a defined justification such as code_not_present or code_not_reachable.

How do I produce one?

Scan your SBOM, decide a status and justification per finding, and export a CycloneDX VEX. You can do this free in the browser with the IsItPatched VEX authoring tool.

This guide is vendor-neutral and informational, grounded in publicly-available guidance from bodies such as OWASP, NIST and CISA. IsItPatched is independent and not affiliated with them, and this is not legal or compliance advice. See our disclaimer.
