Vulnerability Exploitability eXchange
A machine-readable statement that explains whether a known vulnerability is actually exploitable in a specific product.
Definition
Vulnerability Exploitability eXchange (VEX) is a machine-readable security advisory format that lets a software producer state, for each CVE that appears in their product's SBOM, whether the vulnerability is exploitable in their product ("affected"), not exploitable ("not_affected" with a justification), already fixed, or under investigation. VEX is typically expressed in CycloneDX VEX, CSAF (Common Security Advisory Framework), or OpenVEX formats. CISA publishes the canonical use cases.What this means in practice
Without VEX, every CVE that touches any SBOM component becomes a triage burden for hospitals. With VEX, vendors push the exploitability decision once and operators can filter their device fleet to the truly affected subset. Mature MedTech teams generate VEX as part of the same CI/CD flow that emits the SBOM.- •Marking components 'not_affected' without a documented justification - the justification field is the whole value of VEX.
- •Publishing VEX once at release and never updating as new CVEs are disclosed against existing components.
- •Using inconsistent identifiers (CPE vs PURL vs SWID) that prevent automated matching against the SBOM.
Frequently asked questions
Cross-references
See also
Related terms
Shared paths + categoryA globally unique identifier for a publicly disclosed cybersecurity vulnerability.
A lightweight, OWASP-maintained SBOM format designed for application security and supply-chain use cases.
An industry-standard 0–10 score that quantifies the severity of a software vulnerability.
A machine-readable inventory of all software components, including open-source and third-party libraries, used to build a medical device.
The bundle of cybersecurity artifacts a sponsor includes in a 510(k), De Novo, PMA, or HDE submission for a cyber device.
The federal statute that gives FDA explicit premarket authority over cybersecurity for cyber devices.
Latest in MedTech
Primary references
3 sources- 1CISA VEX Use CasesVerifiedCISAcisa.gov
- 2OASIS CSAF 2.0VerifiedOASISoasis-open.github.io
- 3OpenVEX SpecificationVerifiedOpenVEXgithub.com
Inline markers like [1] jump to the matching reference above.