The term "VEX" has been receiving widespread press coverage, driven by a few people with a vested interest in seeing VEX gain traction and by Allan Friedman's promotion of the VEX concept, which he introduced while working at NTIA. I'm not aware of any working, production implementations of "CSAF VEX" that satisfy Executive Order 14028 requirements.
The May 5 NIST guidance on SBOM and vulnerability disclosure reporting recommends the use of vulnerability disclosure reports (VDR) that follow the internationally recognized specification in ISO/IEC 29147:2018 (see link below). Some excerpts from this ISO standard are provided below:
This document describes vulnerability disclosure: techniques and policies for vendors to receive vulnerability reports and publish remediation information. Vulnerability disclosure enables both the remediation of vulnerabilities and better-informed risk decisions. Vulnerability disclosure is a critical element of the support, maintenance, and operation of any product or service that is exposed to active threats. This includes practically any product or service that uses open networks such as the Internet. A vulnerability disclosure capability is an essential part of the development, acquisition, operation, and support of all products and services. Operating without vulnerability disclosure capability puts users at increased risk.
Major goals of vulnerability disclosure include:
- reducing risk by remediating vulnerabilities and informing users;
- minimizing harm and cost associated with the disclosure;
- providing users with sufficient information to evaluate risk due to vulnerabilities;
- setting expectations to facilitate cooperative interaction and coordination among stakeholders.
Here are the links to NIST's May 5 recommendations for implementing SBOM and vulnerability disclosure reporting under Executive Order 14028:
SBOM and Vulnerability Disclosure Reporting (VDR) implementation recommendations
Recommendation to use the ISO/IEC 29147:2018 standard for vulnerability disclosure reporting
A public endorsement of these NIST recommendations by CISA would help remove some of the uncertainty about what software vendors are expected to provide for vulnerability reporting, and would harmonize CISA's efforts with those of other government agencies working to implement SBOM and vulnerability disclosure reporting practices under Executive Order 14028.