Security Experts:

Connect with us

Hi, what are you looking for?


Supply Chain Security

OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings

Chainguard OpenVEX Spec adds clarity to Supply Chain Vulnerability warnings specifications to help software vendors and maintainers communicate precise metadata about the vulnerability status of products.


Chainguard on Tuesday published a draft OpenVEX specification to help software vendors and maintainers communicate precise metadata about the vulnerability status of products directly to end users.

The Chainguard specification is an implementation of the NTIA’s VEX (Vulnerability Exploitability eXchange) concept that aims to provide additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate.

In an interview with SecurityWeek, Chainguard chief executive Dan Lorenc said OpenVEX is designed to meet the minimum requirements defined by the U.S. government’s CISA cybersecurity agency and will help reduce false-positives and improve the quality of SBOMs (software bill of material).

Lorenc said OpenVEX, which was designed in collaboration with CISA’s VEX working group, will allow software suppliers to communicate precise, actionable metadata to improve the signal to noise ratio and add important context to vulnerability warnings.

OpenVEX makes it easy for software producers to accurately describe their artifacts’ exploitability [and] makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns, and less time wading through erroneous findings,” Chainguard said in a note announcing the draft specification.

“OpenVEX encodes learnings of false positives and enables consumers to prioritize vulnerability reports much more effectively,” the company added.

Chainguard’s Lorenc said OpenVEX is complementary to SBOMs and is the first format to meet the VEX Minimum Requirements.  To prove functionality end-to-end, the company has also put OpenVEX into production in its Wolfi Linux distro and its own Chainguard Images product.

The spec, designed with support from Google, HPE, VMWare, and the Linux Foundation, is being positioned as an important piece of the industry wide push to improve the security of software supply chains.  

“As an end-user responsible for implementing solutions that secure our software supply chain, I often look to community efforts that show collaborative support because I know they can be trusted to deliver the best outcomes. OpenVEX is one of those projects that gives me hope we are getting to a better place both for vulnerability management but also solving some of the biggest challenges facing the production of quality SBOMs,” said Tim Pletcher,  a research engineer at Hewlett Packard Enterprise.

Related: Chainguard Trains Spotlight on SBOM Quality Problem

Related: Big Tech Vendors Object to US Gov SBOM Mandate

Related: New ‘Wolfi’ Linux Distro Focuses on Software Supply Chain Security

Related: Chainguard Bags Massive $50M Series A for Supply Chain Security

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Supply Chain Security

Oracle's Critical Patch Update for January 2023 includes 327 patches, with more than 70 that address critical-severity vulnerabilities.

Supply Chain Security

A new report found that 98% of organizations have a relationship with a third party that has been breached, while more than 50% have...

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Cybersecurity Funding

Software supply chain security management startup Lineaje raises $7 million in a seed funding round led by Tenable Ventures.

Supply Chain Security

Endor Labs has introduced an OWASP-style listing of the most important or impactful risks inherent in the use of open source software (OSS).