Say what's actually affected
An SBOM lists what's inside your software. A VEX tells the people who receive it which of those vulnerabilities actually matter — and why ("not affected — code not reachable"). IsItPatched lets you triage each component and export a CycloneDX VEX, free, in your browser.
1046 actively-exploited CVEs across 613 tracked products right now
The painful, underserved part of vulnerability management
Software vendors
Ship an SBOM and customers come back with a wall of CVEs. A VEX says which ones you've assessed as not exploitable — and cuts the noise.
Security & product teams
Record a defensible exploitability decision per finding, once, and reuse it across every customer and audit.
Buyers & auditors
Receive a machine-readable statement of what's actually affected — not a raw component list to chase down yourself.
How VEX authoring works here
1 · Scan your SBOM
Drop in a CycloneDX or SPDX file. We match each component against OSV and surface the vulnerable ones — parsed in your browser.
Scan an SBOM →
2 · Triage exploitability
Per component, set Affected, Not affected (with a justification — code not reachable, requires configuration…), False positive or Resolved.
Open the dashboard →
3 · Export a CycloneDX VEX
Download a standards-compliant VEX reflecting your decisions — analysis.state, justification and response per finding.
Pairs with your evidence
Attach the VEX alongside your SBOM and a risk register for a complete vulnerability-handling record.
Compliance editions →
VEX justifications we support
- Code not reachable · code not present — the vulnerable path isn't in your build or can't be executed
- Requires configuration / dependency / environment — the issue only triggers under conditions you don't meet
- Protected by a compensating or mitigating control
- False positive and resolved / fixed states, plus a response (update / workaround) where a fix exists
Decisions are stored only in your browser; the CycloneDX VEX export reflects them. Sign in (free) to sync across devices.
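As an added example (not IsItPatched's own code), the following script shows how the three steps above and the justification list map onto a CycloneDX VEX document: each dashboard decision becomes one `vulnerabilities` entry carrying `analysis.state`, `analysis.justification` and `analysis.response`, tied back to the SBOM component through `affects`. The builder refuses a "Not affected" decision that has no justification, so a non-compliant statement never reaches a customer. The UI-label-to-spec mapping, the OSV source URL shape and the sample findings (placeholder identifiers, not real CVEs) are assumptions; the enumeration values are those defined by the CycloneDX 1.4+ specification.

```python
"""Build a CycloneDX VEX document from per-component triage decisions.

Added example, not IsItPatched's code. It assumes the triage labels shown
on this page (Affected, Not affected + justification, False positive,
Resolved) and maps them onto the CycloneDX ``analysis`` object.
"""
import json
import uuid
from datetime import datetime, timezone

# CycloneDX 1.4+ enumerations for vulnerability.analysis (spec values).
STATES = {"exploitable", "not_affected", "false_positive", "resolved",
          "resolved_with_pedigree", "in_triage"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable",
                  "requires_configuration", "requires_dependency",
                  "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback",
             "workaround_available"}

# Assumption: the dashboard labels map one-to-one onto these spec states.
UI_STATE = {
    "Affected": "exploitable",
    "Not affected": "not_affected",
    "False positive": "false_positive",
    "Resolved": "resolved",
}


def build_analysis(decision, justification=None, response=None, detail=None):
    """Validate one triage decision and return a CycloneDX analysis object.

    Raises ValueError when 'Not affected' lacks a justification, when a
    justification is attached to any other state, or when a justification
    or response value is outside the spec enumeration.
    """
    state = UI_STATE.get(decision)
    if state is None:
        raise ValueError(f"unknown decision {decision!r}")
    analysis = {"state": state}
    if state == "not_affected":
        if justification not in JUSTIFICATIONS:
            raise ValueError("not_affected requires a spec justification")
        analysis["justification"] = justification
    elif justification is not None:
        # The spec only defines justification for the not_affected state.
        raise ValueError("justification is only valid for not_affected")
    if response is not None:
        if response not in RESPONSES:
            raise ValueError(f"unknown response {response!r}")
        analysis["response"] = [response]   # spec allows a list of responses
    if detail:
        analysis["detail"] = detail          # free-text reasoning for auditors
    return analysis


def build_vex(findings, serial=None):
    """findings: dicts with id, source_url, bom_ref and the triage fields."""
    vulns = []
    for f in findings:
        vulns.append({
            "id": f["id"],
            "source": {"name": "OSV", "url": f["source_url"]},
            "analysis": build_analysis(f["decision"], f.get("justification"),
                                       f.get("response"), f.get("detail")),
            # 'affects' links the statement to the SBOM component's bom-ref.
            "affects": [{"ref": f["bom_ref"]}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "vulnerabilities": vulns,
    }


def count_states(doc):
    """Count findings per analysis.state: shows how much noise the VEX removes."""
    counts = {}
    for v in doc["vulnerabilities"]:
        s = v["analysis"]["state"]
        counts[s] = counts.get(s, 0) + 1
    return counts


# Constructed sample input: placeholder IDs and purls, not real findings.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "source_url": "https://osv.dev/vulnerability/CVE-0000-0001",
     "bom_ref": "pkg:npm/example-lib@1.2.3", "decision": "Not affected",
     "justification": "code_not_reachable",
     "detail": "vulnerable parser is only called from a build-time script"},
    {"id": "CVE-0000-0002", "source_url": "https://osv.dev/vulnerability/CVE-0000-0002",
     "bom_ref": "pkg:pypi/example-web@2.0.0", "decision": "Affected",
     "response": "update", "detail": "fixed upstream; upgrade scheduled"},
    {"id": "CVE-0000-0003", "source_url": "https://osv.dev/vulnerability/CVE-0000-0003",
     "bom_ref": "pkg:maven/org.example/util@4.1", "decision": "False positive",
     "detail": "scanner matched on package name; vulnerable module not shipped"},
]

if __name__ == "__main__":
    vex = build_vex(SAMPLE_FINDINGS)
    print(json.dumps(vex, indent=2))
    print(count_states(vex))
```

The validation in `build_analysis` is the part worth keeping in any real pipeline: a `not_affected` entry without a justification is exactly the kind of statement a customer or auditor cannot act on, and rejecting it at export time is cheaper than explaining it later.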
Straight with you: a VEX records your exploitability determination — only you know your build and runtime. IsItPatched is an informational tool (NVD · CISA KEV · OSV) that surfaces the findings and structures and exports your decisions as a standards-compliant CycloneDX VEX. It does not make the exploitability judgement for you, and it is not legal advice. Disclaimer.
VEX — frequently asked
What is VEX?
VEX — Vulnerability Exploitability eXchange — is a machine-readable statement of whether a product is actually affected by a vulnerability found in one of its components, and why. An SBOM tells you what is inside your software; a VEX tells the people who receive it which of those vulnerabilities actually matter — for example "not affected, because the vulnerable code is never reached". It cuts the false-positive noise that an SBOM alone creates for your customers.
How does IsItPatched help me author a VEX?
Scan a CycloneDX/SPDX SBOM, then in your dashboard set an exploitability decision per component — Affected, Not affected (with a justification like "code not reachable" or "requires configuration"), False positive, or Resolved. Export a CycloneDX VEX document that reflects those decisions, ready for your customers, auditors or a regulator to ingest. It is free and your SBOM is parsed in your browser.
Why does VEX matter for compliance?
Frameworks that require coordinated vulnerability handling — the EU Cyber Resilience Act, the NTIA SBOM guidance, US federal software rules and others — increasingly expect you to communicate not just your components but your assessment of which vulnerabilities are exploitable. A VEX is the standard, machine-readable way to do that. IsItPatched is informational: you make the exploitability determination; we structure and export it.
Need the framework view? See our compliance editions →