MSRC

Toward greater transparency: Introducing machine-readable Vulnerability Exploitability Xchange (VEX) for Azure Linux and beyond

Microsoft is now publishing standard, machine-readable attestations about third-party CVEs in the Vulnerability Exploitability eXchange (VEX) format, covering vulnerabilities in open-source software embedded in Microsoft products and services, starting with the Azure Linux distribution (formerly CBL-Mariner). These attestations tell customers and security vendors which vulnerabilities affect which products and services and under what conditions they are potentially exploitable, so customers can quickly take specific action to protect themselves. The result is fewer false positives, faster decisions, and stronger protection for security vendors, enterprises, and governments worldwide.

This blog is the fourth installment in our series on transparency from the Microsoft Security Response Center (MSRC). Building on the positive impact of the 2024 adoption of the machine-readable Common Security Advisory Framework (CSAF) for every Microsoft CVE, we are now adding VEX attestations. Below we explain what VEX is, why it matters, and how Microsoft, customers, and security vendors can use VEX to improve security.

What is Vulnerability Exploitability eXchange (VEX)?

VEX is a rapidly maturing industry standard for communicating the exploitability status of vulnerabilities across complex software ecosystems. Designed to be both machine-readable and human-actionable, VEX lets organizations quickly determine whether a given vulnerability affects a specific product, without wading through noise or ambiguity.

Each VEX document provides a concise attestation for every applicable product, declaring its status relative to a vulnerability:

  • Not Affected

  • Under Investigation

  • Known Affected

  • Fixed 

For an OpenSSL CVE, for example, an applicable product is any Microsoft product that includes the OpenSSL library. That product may or may not actually be affected by the vulnerability, and the VEX attestation states which case applies.

This straightforward structure delivers powerful insights across entire supply chains, whether you're managing a single enterprise network or assessing national infrastructure risk.
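In the CSAF VEX profile those four statuses are carried as keys of each vulnerability's product_status object (known_affected, known_not_affected, fixed, under_investigation), and a consumer has to join them to the product_tree and to the justification flags before it can act on them. The following is an added example, not code from Microsoft or from the CSAF project: a small Python consumer that, given a constructed VEX document (the vendor, product names, product_ids, dates and CVE number are placeholders), reports one product's status for one CVE together with its justification, and runs the basic VEX-profile checks that a patch-status report should apply before trusting a file (csaf_vex category, at least one status per vulnerability, no product in two statuses, a justification for every known_not_affected product and an action statement for every known_affected one).

```python
"""Consume a CSAF 2.0 VEX document: what is product X's status for CVE Y, and why?"""
import json

# CSAF product_status keys used by the VEX profile (the four statuses above).
VEX_STATUSES = ("known_affected", "known_not_affected", "fixed", "under_investigation")

# Constructed sample in CSAF 2.0 VEX shape. It is NOT a Microsoft document: vendor,
# product names, product_ids, dates and the CVE number are placeholders.
SAMPLE_VEX = {
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "title": "Example VEX for CVE-2024-0000",
        "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
                     "initial_release_date": "2025-01-01T00:00:00Z",
                     "current_release_date": "2025-01-01T00:00:00Z",
                     "revision_history": [{"date": "2025-01-01T00:00:00Z",
                                           "number": "1", "summary": "Initial"}]},
    },
    "product_tree": {
        "branches": [{
            "category": "vendor", "name": "Example Vendor",
            "branches": [
                {"category": "product_name", "name": "Example Linux 2.0",
                 "product": {"product_id": "EL-2.0", "name": "Example Linux 2.0"}},
                {"category": "product_name", "name": "Example Linux 3.0",
                 "product": {"product_id": "EL-3.0", "name": "Example Linux 3.0"}},
            ],
        }],
        "full_product_names": [
            {"product_id": "EL-3.0-ctr", "name": "Example Linux 3.0 container image"},
        ],
        "product_groups": [{"group_id": "legacy", "product_ids": ["EL-2.0"]}],
    },
    "vulnerabilities": [{
        "cve": "CVE-2024-0000",
        "product_status": {
            "known_not_affected": ["EL-2.0"],
            "fixed": ["EL-3.0"],
            "under_investigation": ["EL-3.0-ctr"],
        },
        # Justification for known_not_affected, attached through a product group.
        "flags": [{"label": "vulnerable_code_not_present", "group_ids": ["legacy"]}],
        "remediations": [{"category": "vendor_fix", "product_ids": ["EL-3.0"],
                          "details": "Update openssl to 3.0.13-1"}],
    }],
}


def product_names(product_tree):
    """Map product_id -> name, walking nested branches, full_product_names and relationships."""
    names = {}

    def walk(branches):
        for branch in branches:
            if "product" in branch:
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))

    walk(product_tree.get("branches", []))
    for fpn in product_tree.get("full_product_names", []):
        names[fpn["product_id"]] = fpn["name"]
    for rel in product_tree.get("relationships", []):
        names[rel["full_product_name"]["product_id"]] = rel["full_product_name"]["name"]
    return names


def product_groups(product_tree):
    """Map group_id -> set of product_ids (flags/threats/remediations may target groups)."""
    return {g["group_id"]: set(g["product_ids"]) for g in product_tree.get("product_groups", [])}


def _targets(item, product_id, groups):
    """True if a flag/threat/remediation applies to product_id directly or via a group."""
    if product_id in item.get("product_ids", []):
        return True
    return any(product_id in groups.get(gid, ()) for gid in item.get("group_ids", []))


def status_of(vex, cve, product_id):
    """Return (status, reasons); status is 'not_listed' if the CVE or product is not covered."""
    groups = product_groups(vex.get("product_tree", {}))
    for vuln in vex.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        ps = vuln.get("product_status", {})
        for status in VEX_STATUSES:
            if product_id in ps.get(status, []):
                reasons = [f["label"] for f in vuln.get("flags", []) if _targets(f, product_id, groups)]
                reasons += [t["details"] for t in vuln.get("threats", [])
                            if t.get("category") == "impact" and _targets(t, product_id, groups)]
                reasons += [r["details"] for r in vuln.get("remediations", [])
                            if _targets(r, product_id, groups)]
                return status, reasons
    return "not_listed", []


def vex_problems(vex):
    """Basic VEX-profile checks; returns a list of human-readable problems (empty = ok)."""
    problems = []
    if vex.get("document", {}).get("category") != "csaf_vex":
        problems.append("document.category is not csaf_vex")
    groups = product_groups(vex.get("product_tree", {}))
    for vuln in vex.get("vulnerabilities", []):
        ident = vuln.get("cve", "<no cve>")
        ps = vuln.get("product_status", {})
        listed = [pid for status in VEX_STATUSES for pid in ps.get(status, [])]
        if not listed:
            problems.append(f"{ident}: no VEX product_status")
        for pid in sorted({pid for pid in listed if listed.count(pid) > 1}):
            problems.append(f"{ident}: {pid} has contradicting statuses")
        for pid in ps.get("known_not_affected", []):  # impact statement required
            justified = any(_targets(f, pid, groups) for f in vuln.get("flags", [])) or any(
                t.get("category") == "impact" and _targets(t, pid, groups) for t in vuln.get("threats", []))
            if not justified:
                problems.append(f"{ident}: {pid} is known_not_affected without a justification")
        for pid in ps.get("known_affected", []):  # action statement required
            if not any(_targets(r, pid, groups) for r in vuln.get("remediations", [])):
                problems.append(f"{ident}: {pid} is known_affected without an action statement")
    return problems


def report(vex, cve, product_id):
    """One-line summary suitable for a patch-status report."""
    names = product_names(vex.get("product_tree", {}))
    status, reasons = status_of(vex, cve, product_id)
    why = "; ".join(reasons) if reasons else "no justification given"
    return f"{cve} / {names.get(product_id, product_id)}: {status} ({why})"


# Same constructed document with the justification removed and the container image moved to
# known_affected without a remediation, so the profile checks have something to report.
BROKEN_VEX = json.loads(json.dumps(SAMPLE_VEX))
del BROKEN_VEX["vulnerabilities"][0]["flags"]
_ps = BROKEN_VEX["vulnerabilities"][0]["product_status"]
_ps["known_affected"] = _ps.pop("under_investigation")

if __name__ == "__main__":
    for pid in ("EL-2.0", "EL-3.0", "EL-3.0-ctr", "EL-9.9"):
        print(report(SAMPLE_VEX, "CVE-2024-0000", pid))
    print("problems in sample:", vex_problems(SAMPLE_VEX))
    print("problems in broken:", vex_problems(BROKEN_VEX))
```

A real consumer would fetch the document from the VEX directory advertised in provider-metadata.json, validate it against the CSAF 2.0 JSON schema first, and treat "not_listed" as "no attestation yet" rather than as "not affected"; the justification labels (for example vulnerable_code_not_present) are the part a scanner needs in order to suppress a finding with evidence rather than on trust.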

Why VEX matters

VEX is valuable for governments, enterprises, and security vendors that need to automate vulnerability impact assessment at scale, across embedded components, cloud services, and third-party software dependencies.

Real-world examples:

  • National response teams in the US or EU can evaluate the blast radius of a zero-day vulnerability such as Log4j across critical industrial control systems within their jurisdiction.

  • Security vendors ingest VEX files from major suppliers to produce high-fidelity patch analysis reports, for example for FedRAMP compliance on the Federal Azure Cloud. This dramatically reduces false positives tied to embedded open-source components.

Microsoft’s VEX solution brings clarity, enabling faster triage, smarter automation, and more resilient decision-making across the global vulnerability landscape. 

How VEX fits into Microsoft’s transparency for customers and partners

In our previous blog, we explained the security.txt file, whose CSAF entry points to where Microsoft's CSAF files are published: https://msrc.microsoft.com/csaf/provider-metadata.json.

The CSAF standard defines several document profiles; Microsoft publishes two of them:

  • Security Advisory

  • VEX

The provider-metadata file points to two directory structures, one for each of these profiles. We publish Microsoft-assigned CVEs via the Security Advisory profile and CVEs assigned by third-party CNAs via the VEX profile.

Our approach to VEX implementation

A key element of our VEX strategy is a deliberate, phased approach. We are starting with a single product, the Azure Linux distribution (formerly CBL-Mariner), where we first introduced a method for disclosing third-party vulnerability status. Those CVEs have now been republished as VEX files.

By focusing on one product, we’re able to collaborate closely with partners to validate the files and incorporate attestations into patching status reports. This “crawl, walk, run” approach provides the foundation to gradually onboard other Microsoft products and services, expanding the reach of validated VEX disclosures across our ecosystem.

We appreciate the feedback received during the CSAF publication launch last year, and we continue to value our relationships with our patching partners in securing our complicated supply chains. Security is definitely a team sport.

Lisa Olson, Principal Program Manager, Security Release