To assist software vendors and maintainers in communicating precise metadata about the vulnerability status of products directly to end users, Chainguard has published a draft OpenVEX specification.
The Chainguard specification aims to provide additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate it. It is an implementation of the NTIA’s VEX (Vulnerability Exploitability eXchange) concept.
According to Chainguard CEO Dan Lorenc in an interview with SecurityWeek, OpenVEX is made to meet the minimum standards established by the CISA cybersecurity agency of the US government and will help lower false-positives and raise the caliber of SBOMs (software bill of material).
Read More: OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
