Glossary
Vulnerability Exploitability eXchange (VEX)
What Is Vulnerability Exploitability eXchange (VEX)?
Vulnerability Exploitability eXchange (VEX) is a standardized format for communicating whether a vulnerability in a software component is actually exploitable in a given product — so consumers of SBOMs can filter the noise of "present but not exploitable" findings from real exposure.
A vulnerable component in a shipped product is not automatically an exploitable vulnerability. The vulnerable function may not be called, the affected configuration may not be enabled, or compensating controls may neutralize the risk. VEX statements communicate that context: "this component is affected," "not affected," "fixed," or "under investigation." VEX is increasingly required alongside SBOMs in regulated procurement.
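As an added illustration (not part of the original glossary entry), the following Python shows how a consumer applies VEX statements to SBOM scan findings: only a "fixed" status, or a "not_affected" status that carries a justification, removes a finding from the worklist, while "affected", "under_investigation", statements for a different product, and CVEs with no statement at all stay actionable. It assumes an OpenVEX-style document layout; every purl and CVE identifier in it is a constructed placeholder.

```python
import json

# Constructed OpenVEX-style document (assumption: OpenVEX 0.2.0 layout).
# All purls and CVE ids below are placeholders, not real findings.
APP = "pkg:golang/example.com/app@1.2.3"
OTHER = "pkg:golang/example.com/other@9.9.9"

def statement(cve, product, status, justification=None):
    """Build one VEX statement: vulnerability, product it applies to, status."""
    s = {"vulnerability": {"name": cve}, "products": [{"@id": product}], "status": status}
    if justification:
        s["justification"] = justification
    return s

VEX_DOC = {"@context": "https://openvex.dev/ns/v0.2.0", "version": 1, "statements": [
    statement("CVE-2099-00001", APP, "not_affected", "vulnerable_code_not_in_execute_path"),
    statement("CVE-2099-00002", APP, "fixed"),
    statement("CVE-2099-00003", APP, "not_affected"),  # no justification given
    statement("CVE-2099-00004", OTHER, "not_affected", "component_not_present"),  # other product
    statement("CVE-2099-00005", APP, "under_investigation"),
]}

# Constructed scanner output: (product, CVE) pairs raised from the SBOM.
FINDINGS = [(APP, f"CVE-2099-0000{i}") for i in range(1, 7)]

def index_vex(doc):
    """Map (product id, CVE) -> statement; a later statement overrides an earlier one."""
    idx = {}
    for st in doc["statements"]:
        for p in st["products"]:
            idx[(p["@id"], st["vulnerability"]["name"])] = st
    return idx

def triage(findings, doc):
    """Split scanner findings into suppressed and actionable after applying VEX."""
    idx = index_vex(doc)
    suppressed, actionable = [], []
    for product, cve in findings:
        st = idx.get((product, cve))
        status = st["status"] if st else "no_statement"
        # Only 'fixed', or 'not_affected' with a stated justification, removes exposure.
        # 'affected', 'under_investigation', unjustified 'not_affected', statements for
        # a different product, and CVEs with no statement stay on the worklist.
        if status == "fixed" or (status == "not_affected" and st.get("justification")):
            suppressed.append((cve, status, st.get("justification")))
        else:
            actionable.append((cve, status))
    return {"suppressed": suppressed, "actionable": actionable}

if __name__ == "__main__":
    print(json.dumps(triage(FINDINGS, VEX_DOC), indent=2))
```

Treating an unjustified "not_affected" as still actionable is a deliberate consumer-side check: a claim of non-exploitability with no stated reason cannot be audited later.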
Related Terms
Software Bill of Materials · Execution-Aware Reachability · CVE · Vulnerability Management