Many thanks to Steve Springett with the OWASP organization for documenting the differences between the NIST Vulnerability Disclosure Report standard and the many, differing, VEX proposals that are being floated. (Click Read More) below for Steve's analysis.
NIST VDR is the only stable standard available to report software vulnerabilities at the SBOM component level that also serves as an "attestation" showing that a software vendor has checked each component within an SBOM for vulnerabilities and reports the status to consumers within the VDR.