
VEX - Cutting through the Noise in Software Supply Chain Security

UA2.114 (Baudoux) | Day 1 | 17:30 - 17:45 | Speakers: Rao Lakkakula, Georg Kunz


Abstract

Security teams are currently drowning in vulnerability data, but the Vulnerability Exploitability eXchange (VEX) offers a solution by providing machine-readable clarity on which reported vulnerabilities actually matter in a given product. This technology is rapidly evolving from a "nice-to-have" efficiency tool into a critical compliance enabler for the EU Cyber Resilience Act (CRA), which mandates effective vulnerability handling for the European market.

In this session, Georg and Rao present the findings from the VEX Industry Collaboration Working Group, a group of industry leaders driving the development and application of VEX. The group identified a set of challenges and gaps hampering adoption, ranging from the different evolving technical directions in VEX formats to practical barriers such as discovery and distribution of VEX documents, immature tooling, and education. Rao and Georg will outline a shared path forward, advocating for the creation of a common distribution system, development of necessary tooling, and establishing a forum for collaboration between industry partners and open source projects to drive adoption and education.
