The NIST SBOM guidance issued on May 5 (NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, published May 5, 2022) advises software consumers and vendors to:
"Maintain vendor vulnerability disclosure reports at the SBOM component level"
The article linked below describes the difference between a vulnerability disclosure report (VDR) and a VEX.
Key takeaways:
In summary, a VEX is a vulnerability-centric artifact: it states the exploitability status (affected, not affected, fixed, or under investigation) of specific vulnerabilities in one or more products. Components in which no vulnerability has been reported do not appear in a VEX at all; a component is listed only when the vendor has a status to assert for a vulnerability in it, including an explicit "not affected" status. A vendor publishes or updates a VEX when a new vulnerability is reported against a component it ships and it has determined whether the product is actually affected.
In summary, a VDR is component-centric: it is an attestation by the software vendor that every component in the product's SBOM has been checked for vulnerabilities, and it reports the vulnerability status of each component, including those with nothing found. A VDR is a living document that the vendor updates as new vulnerabilities are disclosed or fixed, so that it always answers the consumer's question "What is the vulnerability status of Product P, NOW?"
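To make the structural difference concrete, here is an added example (not code from the original post, the linked article, or NIST) that builds a VEX and a VDR from the same constructed SBOM and the same vendor findings. The product, component names and vulnerability identifiers are placeholders, the JSON shapes are illustrative rather than any published VEX or VDR schema, and the status values are the VEX status vocabulary (affected, not_affected, fixed, under_investigation). The point it shows: the VEX carries only the components that have a vulnerability statement, while the VDR carries every SBOM component, so a clean component is visible as "checked, nothing found" rather than simply absent.

```python
"""Added example: VEX (vulnerability-centric) versus VDR (component-centric)
built from one constructed SBOM. Not from the original post or NIST."""
import json
from datetime import datetime, timezone

# Constructed sample SBOM: hypothetical product and component names.
PRODUCT = {"name": "Product P", "version": "2.0"}
SBOM_COMPONENTS = [
    {"name": "libfoo", "version": "1.2.3"},
    {"name": "libbar", "version": "4.5.6"},
    {"name": "libbaz", "version": "0.9.0"},  # no findings at all
]

# Constructed vendor findings. VULN-A / VULN-B are placeholder identifiers,
# not real vulnerability IDs.
FINDINGS = [
    {"vuln_id": "VULN-A", "component": "libfoo", "status": "affected"},
    {"vuln_id": "VULN-B", "component": "libbar", "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]

VEX_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}


def build_vex(product, findings, now=None):
    """One statement per (vulnerability, component). A component with no
    finding never appears, which is exactly why a VEX alone cannot answer
    'was libbaz checked?'."""
    now = now or datetime.now(timezone.utc).isoformat()
    statements = []
    for f in findings:
        if f["status"] not in VEX_STATUSES:
            raise ValueError(f"unknown VEX status {f['status']!r}")
        # A 'not_affected' claim is only useful with a reason attached.
        if f["status"] == "not_affected" and not f.get("justification"):
            raise ValueError("not_affected requires a justification")
        statements.append({
            "vulnerability": f["vuln_id"],
            "product": f"{product['name']} {product['version']}",
            "component": f["component"],
            "status": f["status"],
            "justification": f.get("justification"),
        })
    return {"document_type": "VEX", "issued": now, "statements": statements}


def summarize(vulns):
    """Roll a component's per-vulnerability statuses up to one word."""
    if not vulns:
        return "no_known_vulnerabilities"
    states = {v["status"] for v in vulns}
    if "affected" in states:
        return "affected"
    if "under_investigation" in states:
        return "under_investigation"
    return "not_affected"  # only not_affected / fixed remain


def build_vdr(product, components, findings, now=None):
    """Every SBOM component gets an entry, including those with nothing
    reported, so the consumer sees that each one was checked."""
    now = now or datetime.now(timezone.utc).isoformat()
    by_component = {}
    for f in findings:
        by_component.setdefault(f["component"], []).append(
            {"vulnerability": f["vuln_id"], "status": f["status"]})
    entries = []
    for c in components:
        vulns = by_component.get(c["name"], [])
        entries.append({
            "component": c["name"],
            "version": c["version"],
            "vulnerabilities": vulns,
            "summary": summarize(vulns),
        })
    return {"document_type": "VDR", "product": product,
            "as_of": now, "components": entries}


def components_in(doc):
    """Component names present in a VEX or VDR document."""
    if doc["document_type"] == "VEX":
        return sorted({s["component"] for s in doc["statements"]})
    return [e["component"] for e in doc["components"]]


def affected_now(vdr):
    """The consumer's question: which components make Product P affected NOW?"""
    return [e["component"] for e in vdr["components"]
            if e["summary"] == "affected"]


if __name__ == "__main__":
    print(json.dumps(build_vex(PRODUCT, FINDINGS), indent=2))
    print(json.dumps(build_vdr(PRODUCT, SBOM_COMPONENTS, FINDINGS), indent=2))
```

Re-running `build_vdr` after the vendor changes a finding (for example VULN-A moving from affected to fixed) is the "living document" behaviour the post describes: the VDR is regenerated from current findings, and `affected_now` reflects the new state.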