OpenVEX – Open Source Security Foundation

OpenVEX is an implementation of the Vulnerability Exploitability Exchange (VEX for short) that is designed to be minimal, compliant, interoperable, and embeddable.

OpenVEX is…

A Specification

OpenVEX documents are minimal JSON-LD files that capture the minimal requirements for VEX as defined by the VEX working group organized by CISA. The OpenVEX Specification is owned and steered by the community.

A Go Library

The project has a go library (openvex/go-vex) that lets projects generate, transform and consume OpenVEX files. It enables the ingestion of VEX metadata expressed in other VEX implementations.

A Set of Tools

Work is underway to create the tools software authors and consumers need to handle VEX metadata. The current flagship project is vexctl, a CLI to create, merge and attest VEX documents.

The project has a growing ecosystem with known implementations in:

Go (original): https://github.com/openvex/go-vex
.NET: NuGet GitHub

Rust: https://docs.rs/openvex/latest/openvex/

GitHub

Copyright © 2024 The Linux Foundation® . All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page. Linux is a registered trademark of Linus Torvalds. Privacy Policy and Terms of Use.

Subscribe to the OpenSSF Newsletter!

Get the latest announcements, event info, and the community news in your inbox