CISA: CISA Published When to Issue VEX Information

cisa logo 002

CISA Published When to Issue VEX Information


Today, CISA published When to Issue Vulnerability Exploitability eXchange (VEX) Information, developed by a community of industry and government experts with the goal to offer some guidance and structure for the software security world, including the large and growing global SBOM community.

This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.

For more information, read the new reference material When to Issue Vulnerability Exploitability eXchange (VEX) Information.


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.