Vulnerability Exploitability eXchange
VEX is a machine-readable format for a vendor to state whether their product is actually affected by a given vulnerability, for example noting that a vulnerable library is present but the risky code path is never called. It complements SBOMs, which reveal what components are inside software but not whether flaws in them matter. VEX statements let consumers skip patching noise and focus on vulnerabilities that are truly exploitable.