Microsoft has introduced machine-readable Vulnerability Exploitability eXchange (VEX) attestations for third-party Common Vulnerabilities and Exposures (CVEs), starting with the Azure Linux Distribution (formerly CBL-Mariner). This initiative aims to provide clearer insight into which vulnerabilities affect specific products and services and under what conditions they are potentially exploitable, and to empower customers to take prompt, targeted action to secure their systems.
The VEX standard is a rapidly evolving industry framework designed to communicate the exploitability status of vulnerabilities across complex software ecosystems. It enables organizations to quickly assess whether a given vulnerability affects specific products, facilitating faster and more accurate decision-making processes.
Each VEX document delivers a concise attestation for every applicable product, declaring its status relative to a vulnerability.
The possible statuses include:
- Not Affected
- Under Investigation
- Known Affected
- Fixed
For instance, in the case of an OpenSSL CVE, an applicable product might be a Microsoft product that includes the OpenSSL library. The VEX attestation would clarify whether that product is affected by the vulnerability.
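As an added example (not from the article or from Microsoft's published files), the script below shows how a consumer would read a VEX attestation and turn the four statuses into a triage decision for the products it actually runs. The document is constructed for this example and follows the CSAF 2.0 VEX profile layout (`document.category` of `csaf_vex`, a `product_tree`, and `vulnerabilities[].product_status` lists); whether Microsoft's Azure Linux files use exactly these fields is an assumption. The product IDs and the CVE number are placeholders.

```python
"""Read a CSAF 2.0 VEX document and triage installed products against one CVE.

The sample document is constructed for this example and is not a
Microsoft-published attestation; product IDs and the CVE are placeholders.
"""
import json
from typing import Dict, List, Optional, Tuple

SAMPLE_VEX = json.dumps({
    "document": {"category": "csaf_vex", "title": "Example VEX (constructed)"},
    "product_tree": {
        "full_product_names": [
            {"product_id": "AZL-2.0-openssl", "name": "Azure Linux 2.0 openssl (example)"},
            {"product_id": "AZL-3.0-openssl", "name": "Azure Linux 3.0 openssl (example)"},
            {"product_id": "AZL-3.0-nginx", "name": "Azure Linux 3.0 nginx (example)"},
        ]
    },
    "vulnerabilities": [{
        "cve": "CVE-0000-00000",  # placeholder, not a real CVE identifier
        "product_status": {
            "known_affected": ["AZL-2.0-openssl"],
            "fixed": ["AZL-3.0-openssl"],
            "known_not_affected": ["AZL-3.0-nginx"],
        },
        # CSAF "flags" carry the machine-readable justification for a
        # not-affected claim; this label is one of the CSAF 2.0 values.
        "flags": [{"label": "vulnerable_code_not_present",
                   "product_ids": ["AZL-3.0-nginx"]}],
    }],
})

# CSAF product_status keys mapped to the four VEX statuses the article lists.
STATUS_MAP = {
    "known_affected": "Known Affected",
    "known_not_affected": "Not Affected",
    "fixed": "Fixed",
    "under_investigation": "Under Investigation",
}

# What a defender does with each status (our own policy, not part of VEX).
ACTION_MAP = {
    "Known Affected": "patch or mitigate now",
    "Under Investigation": "monitor for an updated attestation",
    "Fixed": "verify the fixed build is deployed",
    "Not Affected": "no action",
    "Unknown": "no attestation for this product; treat as unassessed",
}


def load_vex(text: str) -> dict:
    """Parse the JSON and reject anything that is not a CSAF VEX document."""
    doc = json.loads(text)
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    return doc


def _find_vuln(doc: dict, cve: str) -> Optional[dict]:
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") == cve:
            return vuln
    return None


def status_for(doc: dict, cve: str, product_id: str) -> str:
    """Return the VEX status of one product for one CVE, or 'Unknown'."""
    vuln = _find_vuln(doc, cve)
    if vuln is None:
        return "Unknown"
    product_status = vuln.get("product_status", {})
    for key, label in STATUS_MAP.items():
        if product_id in product_status.get(key, []):
            return label
    # A product missing from every list has simply not been attested.
    return "Unknown"


def justification_for(doc: dict, cve: str, product_id: str) -> Optional[str]:
    """Return the CSAF flag label explaining a not-affected claim, if any."""
    vuln = _find_vuln(doc, cve)
    if vuln is None:
        return None
    for flag in vuln.get("flags", []):
        if product_id in flag.get("product_ids", []):
            return flag.get("label")
    return None


def triage(doc: dict, cve: str, installed: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each installed product ID to (VEX status, recommended action)."""
    result = {}
    for pid in installed:
        status = status_for(doc, cve, pid)
        result[pid] = (status, ACTION_MAP[status])
    return result


if __name__ == "__main__":
    document = load_vex(SAMPLE_VEX)
    inventory = ["AZL-2.0-openssl", "AZL-3.0-nginx", "AZL-9.9-unlisted"]
    for pid, (status, action) in triage(document, "CVE-0000-00000", inventory).items():
        why = justification_for(document, "CVE-0000-00000", pid)
        print(f"{pid}: {status} ({action})" + (f" [{why}]" if why else ""))
```

The "Unknown" branch is the one to watch in practice: a product that appears in none of the status lists has not been attested at all, which is different from "Not Affected" and should not be treated as cleared.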
This straightforward structure provides valuable insights across entire supply chains, whether managing a single enterprise network or assessing national infrastructure risks.
The VEX initiative is part of Microsoft’s broader commitment to transparency and security. Building upon the positive impact of the 2024 adoption of the machine-readable Common Security Advisory Framework (CSAF) for every Microsoft CVE, Microsoft is now adding VEX attestations to further enhance clarity and support for customers and security vendors.
Microsoft’s approach to VEX implementation follows a deliberate, phased strategy. The company is starting with a single product, the Azure Linux Distribution, to collaborate closely with partners, validate the files, and incorporate attestations into patching status reports. This “crawl, walk, run” approach provides the foundation to gradually onboard other Microsoft products and services, expanding the reach of validated VEX disclosures across the ecosystem.