
New CISA Guide Focuses on Issuance of Software Vulnerability Exploitability Notices

The Cybersecurity and Infrastructure Security Agency worked with software and other IT experts to produce a guide that helps organizations decide when to issue Vulnerability Exploitability eXchange (VEX) information.

CISA said Monday that the document is meant to facilitate the creation of machine-readable VEX notices, which let downstream software users make their own determination of the risk a given vulnerability poses to them.

VEX information is issued by software suppliers, researchers and related entities that need to assert the status of a vulnerability in their products, and with it the level of risk that vulnerability actually poses.

VEX data may be published when a vulnerability is found in an upstream component the product depends on, or when the vulnerability has been publicly disclosed. Legal circumstances such as contract terms and government requirements may also warrant VEX issuance.

Issuers should update their VEX data whenever a vulnerability's status changes, record when each status was asserted, and use automated tooling to keep the information current, CISA stated.
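As an added illustration (not CISA's guide or any tool it describes), the following Python script shows what a machine-readable VEX notice with a timestamped status update can look like on both the issuer and consumer side. The page names no format; the OpenVEX document shape, the status and justification vocabularies, and the product identifier, CVE ID and URL (all placeholders) are assumptions made for this example.

```python
"""Produce and consume a minimal VEX notice.

Constructed example: the document shape follows OpenVEX; the product purl,
CVE ID and document URL are placeholders, not real identifiers.
"""
import json
from datetime import datetime, timezone

# Status vocabulary shared by the CISA VEX minimum requirements and OpenVEX.
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}

# A not_affected assertion must carry a machine-readable reason (OpenVEX labels).
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Placeholder identifiers for the demo (not a real CVE or package).
PRODUCT = "pkg:generic/example-app@1.4.2"
VULN = "CVE-2099-0001"


def make_statement(vuln, product, status, timestamp, justification=None, notes=None):
    """One VEX statement: (vulnerability, product) -> status asserted at a time."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown VEX status: {status}")
    if status == "not_affected" and justification not in VALID_JUSTIFICATIONS:
        raise ValueError("not_affected requires a recognised justification")
    # Reject malformed timestamps before they reach downstream consumers.
    datetime.fromisoformat(timestamp)
    stmt = {
        "vulnerability": {"name": vuln},
        "products": [{"@id": product}],
        "status": status,
        "timestamp": timestamp,
    }
    if justification:
        stmt["justification"] = justification
    if notes:
        stmt["status_notes"] = notes
    return stmt


def make_document(author, doc_id, statements, version=1):
    """Wrap statements in an OpenVEX-shaped document."""
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": version,
        "statements": list(statements),
    }


def add_update(doc, statement):
    """Issuer side: append a new assertion and bump the document version."""
    doc["statements"].append(statement)
    doc["version"] += 1
    doc["timestamp"] = datetime.now(timezone.utc).isoformat()
    return doc


def effective_status(doc, vuln, product):
    """Consumer side: the most recently timestamped statement for (vuln, product) wins."""
    matches = [
        s for s in doc["statements"]
        if s["vulnerability"]["name"] == vuln
        and any(p["@id"] == product for p in s["products"])
    ]
    if not matches:
        return None
    latest = max(matches, key=lambda s: datetime.fromisoformat(s["timestamp"]))
    return latest["status"]


def build_example():
    """Lifecycle: an upstream disclosure triggers a notice; later triage updates it."""
    doc = make_document(
        author="Example Supplier PSIRT",
        doc_id="https://example.com/vex/2099-0001",  # placeholder URL
        statements=[
            make_statement(VULN, PRODUCT, "under_investigation",
                           "2099-01-02T09:00:00+00:00",
                           notes="Vulnerable library is bundled; impact being assessed."),
        ],
    )
    # Triage finished: the vulnerable function is never reachable in this product.
    add_update(doc, make_statement(
        VULN, PRODUCT, "not_affected", "2099-01-05T16:30:00+00:00",
        justification="vulnerable_code_not_in_execute_path",
        notes="Affected API is compiled out of the shipped binary.",
    ))
    return doc


EXAMPLE_DOC = build_example()

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_DOC, indent=2))
    print("effective status:", effective_status(EXAMPLE_DOC, VULN, PRODUCT))
```

The consumer treats the newest timestamp for a given vulnerability and product as authoritative, which is why an issuer has to timestamp every status change rather than silently overwrite an earlier assertion; a stale or missing timestamp would let an old "under_investigation" entry shadow a later "fixed" or "not_affected" one.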

Cybersecurity is one of the focal points at the Potomac Officers Club’s 2023 Homeland Security Summit on Nov. 15. Register here to attend the event.