
A Practical Guide to VEX in 2026, with Allan Friedman

Each year, tens of thousands of new CVEs are reported. This means security teams are tasked with figuring out how to triage hundreds and often thousands of vulnerabilities that theoretically impact their software.

The reality, however, is that a large percentage of vulnerabilities aren't actually exploitable in the context of the software being deployed. This gap leads to wasted time and effort.

The Vulnerability Exploitability eXchange (VEX) was created to solve this problem. VEX documents are automation-friendly advisories that allow software suppliers to communicate whether a product is affected by a specific vulnerability (and if not, why not), providing context for vulnerability management programs.

VEX has gained gradual adoption since it was proposed in the early part of the decade, but a variety of factors (such as improvements in automated tooling and new regulations with vulnerability reporting requirements) have made it more of a focus in recent months.

We invite you to join one of the creators of VEX, Dr. Allan Friedman, for a webinar that will offer practical guidance on using the specification. We'll discuss different VEX use cases, utility in the context of global cybersecurity requirements, automation, and more.

Key topics will include how to:

  • Manage different parts of the VEX workflow, including research and analysis, document production, consumption, and storage
  • Determine the right time to produce VEX documents
  • Use VEX documents to simplify compliance with regulatory requirements, such as the CRA (Cyber Resilience Act)
  • Automate elements of the VEX workflow

About FOSSA

FOSSA is a leading application security and compliance platform that specializes in helping engineering teams deliver trusted software.

FOSSA enables companies to prioritize real vulnerabilities in their open source software with comprehensive SCA (software composition analysis) capabilities, while also making it possible for organizations to automate compliance reporting and SBOM (software bill of materials) lifecycle management to meet customer and regulatory requirements.

Founded in 2015, FOSSA is trusted by thousands of global organizations, has been downloaded nearly two million times, and has conducted nearly 100 million scans of open-source software.
