What is VEX? Vulnerability Exploitability eXchange, explained
A plain-English guide · updated June 2026
VEX (Vulnerability Exploitability eXchange) is a machine-readable statement of which vulnerabilities in your software's components actually affect it — and why. An SBOM tells you what's inside; a VEX tells the people who receive it what actually matters, cutting the false-positive noise an SBOM alone creates.
What does VEX stand for?
VEX stands for Vulnerability Exploitability eXchange. It can be expressed in standard formats such as CycloneDX and CSAF, so customers, auditors and tools can ingest it automatically.
Why an SBOM needs a VEX
A good SBOM is honest — it lists every component, including ones with known CVEs that may not actually be exploitable in your product. Hand that to a customer with no context and they'll chase dozens of false positives. A VEX records your exploitability decision per finding, so recipients only act on what truly affects them.
VEX statuses & "not affected" justifications
Each finding gets a status — typically Affected, Not affected, Fixed or Under investigation. A "Not affected" is paired with a justification, such as:
- Code not present / code not reachable — the vulnerable path isn't in your build or can't execute.
- Requires configuration / dependency / environment — only triggers under conditions you don't meet.
- Protected by a compensating or mitigating control.
VEX and compliance
Coordinated vulnerability handling — under the EU Cyber Resilience Act, NTIA SBOM guidance and US federal rules — increasingly expects you to communicate which vulnerabilities are exploitable, not just which components you ship. VEX is the standard way.
Author a VEX from your SBOM, free
IsItPatched lets you scan an SBOM, triage each component's exploitability, and export a CycloneDX VEX — in your browser, no account needed to start.
- VEX authoring — triage and export a CycloneDX VEX.
- Scan an SBOM — find the vulnerable components first.
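As an added example (not IsItPatched's code and not from the CycloneDX project), the Python below shows what the statuses and "Not affected" justifications described above become in a CycloneDX VEX document, and how a recipient applies that VEX to the findings of an SBOM scan so that only exploitable or untriaged findings remain. It assumes the page's four statuses map onto CycloneDX `analysis.state` values as in the `STATE` table (Affected to `exploitable`, Not affected to `not_affected`, Fixed to `resolved`, Under investigation to `in_triage`); the component refs and CVE numbers are constructed placeholders, not real findings.

```python
"""Build a CycloneDX VEX from triage decisions and apply it to SBOM scan findings.

Added example, not IsItPatched's code. Assumes the page's status names map to
CycloneDX 1.5 analysis.state values as in STATE, and that scan findings are
(bom-ref, CVE id) pairs produced by whatever scanner read the SBOM.
"""
import json

# Page statuses -> CycloneDX analysis.state (assumed mapping, see lead-in).
STATE = {
    "affected": "exploitable",
    "not affected": "not_affected",
    "fixed": "resolved",
    "under investigation": "in_triage",
}

# Justification values CycloneDX allows on a not_affected analysis.
JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}


def build_vex(decisions):
    """Turn triage decisions into a CycloneDX VEX document (a dict).

    Each decision is {ref, cve, status, justification?, detail?}. A "Not affected"
    status must carry one of the CycloneDX justifications, matching the pairing
    the page describes; anything else is rejected before it reaches a customer.
    """
    vulns = []
    for d in decisions:
        state = STATE[d["status"].lower()]
        analysis = {"state": state}
        if state == "not_affected":
            just = d.get("justification")
            if just not in JUSTIFICATIONS:
                raise ValueError(f"{d['cve']}: not_affected needs a justification, got {just!r}")
            analysis["justification"] = just
        if d.get("detail"):
            analysis["detail"] = d["detail"]
        vulns.append({
            "id": d["cve"],
            "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{d['cve']}"},
            "analysis": analysis,
            "affects": [{"ref": d["ref"]}],   # bom-ref of the component in the SBOM
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": vulns}


def apply_vex(findings, vex):
    """Return the findings a recipient still has to act on after applying the VEX.

    Only not_affected and resolved suppress a finding. Findings the VEX does not
    mention, and those still in triage, stay on the worklist: silence is not a
    "not affected".
    """
    lookup = {}
    for v in vex["vulnerabilities"]:
        for a in v["affects"]:
            lookup[(a["ref"], v["id"])] = v["analysis"]["state"]
    return [f for f in findings if lookup.get(f) not in ("not_affected", "resolved")]


# Constructed sample data: placeholder component refs and CVE ids, not real ones.
DECISIONS = [
    {"ref": "pkg:generic/libexample@1.0.0", "cve": "CVE-0000-0001",
     "status": "Not affected", "justification": "code_not_reachable",
     "detail": "Vulnerable parser is compiled in but never invoked by our product."},
    {"ref": "pkg:generic/libother@2.1.0", "cve": "CVE-0000-0002",
     "status": "Affected", "detail": "Patch scheduled for the next release."},
    {"ref": "pkg:generic/libthird@3.0.0", "cve": "CVE-0000-0003", "status": "Fixed"},
]

FINDINGS = [
    ("pkg:generic/libexample@1.0.0", "CVE-0000-0001"),
    ("pkg:generic/libother@2.1.0", "CVE-0000-0002"),
    ("pkg:generic/libthird@3.0.0", "CVE-0000-0003"),
    ("pkg:generic/libfourth@0.9.0", "CVE-0000-0004"),   # not yet triaged
]

if __name__ == "__main__":
    vex = build_vex(DECISIONS)
    print(json.dumps(vex, indent=2))
    print("still actionable:", apply_vex(FINDINGS, vex))
```

Running the script prints the VEX JSON and leaves two findings actionable: the one marked Affected and the one the VEX never mentions. Keeping untriaged findings on the worklist is the point of the `apply_vex` design: a VEX can only remove noise for findings you have explicitly assessed.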
Frequently asked questions
What is VEX?
VEX — Vulnerability Exploitability eXchange — is a machine-readable statement of whether a product is actually affected by a vulnerability found in one of its components, and why. Where an SBOM lists what is inside your software, a VEX tells the people who receive it which of those vulnerabilities actually matter — for example "not affected, because the vulnerable code is never reached".
What does VEX stand for?
VEX stands for Vulnerability Exploitability eXchange. It can be expressed in formats including CycloneDX and CSAF.
Why is VEX needed alongside an SBOM?
An SBOM honestly lists every component — including ones with known CVEs that may not actually be exploitable in your product. Without VEX, customers chase false positives. A VEX reduces that noise by recording your exploitability assessment for each finding, so recipients focus only on what truly affects them.
What are the VEX statuses?
A VEX records a status per vulnerability — commonly Affected, Not affected, Fixed, or Under investigation. A "Not affected" status is paired with a justification such as "code not present", "code not reachable", "requires configuration", or "protected by a compensating control".
Is VEX required for compliance?
Increasingly, yes — frameworks that require coordinated vulnerability handling, including the EU Cyber Resilience Act and US federal software guidance, expect you to communicate not just your components but your assessment of which vulnerabilities are exploitable. VEX is the standard, machine-readable way to do that.
IsItPatched is independent and not affiliated with OWASP/CycloneDX, CISA or NIST. See our disclaimer.