Where should we publish VEX?

Most MedTech teams publish via a vendor security advisory portal (often paired with PSIRT) and also embed VEX inside the CycloneDX SBOM file. CSAF is becoming the preferred wire format for distribution.

Is VEX required by FDA?

Not explicitly required, but FDA's 2023 guidance expects a process to 'monitor, identify, and address' vulnerabilities - VEX is the most efficient way to do that at scale and is the de facto industry expectation.

All terms

CybersecurityConnected & Cyber-Physical DevicesVEX

Vulnerability Exploitability eXchange

A machine-readable statement that explains whether a known vulnerability is actually exploitable in a specific product.

Reviewed by Christian Espinosa, Founder, Blue Goat CyberLast reviewed May 5, 2026

Definition

Vulnerability Exploitability eXchange (VEX) is a machine-readable security advisory format that lets a software producer state, for each CVE that appears in their product's SBOM, whether the vulnerability is exploitable in their product ("affected"), not exploitable ("not_affected" with a justification), already fixed, or under investigation. VEX is typically expressed in CycloneDX VEX, CSAF (Common Security Advisory Framework), or OpenVEX formats. CISA publishes the canonical use cases.

What the regulation says

FDA's 2023 guidance encourages but does not yet mandate VEX. CISA strongly recommends pairing every SBOM with a VEX feed so operators can triage CVEs that affect components but not the integrated product. EU NIS2 and the upcoming Cyber Resilience Act in Europe move toward expecting VEX-style exploitability disclosures.

What this means in practice

Without VEX, every CVE that touches any SBOM component becomes a triage burden for hospitals. With VEX, vendors push the exploitability decision once and operators can filter their device fleet to the truly affected subset. Mature MedTech teams generate VEX as part of the same CI/CD flow that emits the SBOM.

Common pitfalls

•Marking components 'not_affected' without a documented justification - the justification field is the whole value of VEX.
•Publishing VEX once at release and never updating as new CVEs are disclosed against existing components.
•Using inconsistent identifiers (CPE vs PURL vs SWID) that prevent automated matching against the SBOM.

Frequently asked questions

CISA defines five: component_not_present, vulnerable_code_not_present, vulnerable_code_not_in_execute_path, vulnerable_code_cannot_be_controlled_by_adversary, and inline_mitigations_already_exist. Every 'not_affected' status should cite one.

Cross-references

Primary references

3 sources

Link health: 3 verified· last checked 2026-05-09

CISA·1OASIS·1OpenVEX·1

Inline markers like [1] jump to the matching reference above.

On this term

Category: Cybersecurity
Acronym: VEX
Sources: 3
Updated: 5/5/2026

Compare with another term

Learn in 60 seconds

A machine-readable statement that explains whether a known vulnerability is actually exploitable in a specific product.

·Without VEX, every CVE that touches any SBOM component becomes a triage burden for hospitals.
·With VEX, vendors push the exploitability decision once and operators can filter their device fleet to the truly affected subset.
·Mature MedTech teams generate VEX as part of the same CI/CD flow that emits the SBOM.

Remember this

Watch out: Marking components 'not_affected' without a documented justification - the justification field is the whole value of VEX.

Related terms

You may also need

Auto-suggested from Cybersecurity and shared keywords.

All Cybersecurity terms

From the Blue Goat network

Related resources and services on this topic.

Definition

What this means in practice

Frequently asked questions

See also

Primary references