VEX explained: telling customers which vulnerabilities actually matter

Here's the paradox of doing security right: the moment you publish an SBOM and scan it, you're staring at hundreds of vulnerabilities in your dependencies. The uncomfortable truth is that most of them aren't exploitable in your product — the vulnerable code path is never reached. But how do you say that credibly, for hundreds of findings, to customers who are scanning you too?

Enter VEX

VEX (Vulnerability Exploitability eXchange) is a companion to your SBOM that records, for each vulnerability, whether it actually affects your product. It turns "here are 300 CVEs, good luck" into "here are the 4 that matter, and here's why the rest don't."

The four statuses

  • Not affected — the vulnerable component is present but not exploitable (with a reason).
  • Affected — action is required.
  • Fixed — already remediated.
  • Under investigation — you're still assessing.

Why it pays off

VEX saves everyone downstream from chasing phantom risks, and it's fast becoming an expectation for serious vendors. It's also evidence: a documented, reasoned "not affected" is far stronger than silence.

Proofwright pairs OSV vulnerability monitoring with VEX so your customers see signal, not noise.