Microsoft has announced that it will publish standardized attestations for CVEs in third-party components using the Vulnerability Exploitability eXchange (VEX) format, starting with the Azure Linux distribution (formerly known as CBL-Mariner). Each VEX attestation states which vulnerabilities affect a given product or service, whether they are actually exploitable in that product, and what customers should do to secure their systems. “This means fewer false positives, quicker decisions, and stronger protections for security vendors, enterprises, and governments worldwide,” the company notes. The initiative builds on Microsoft’s 2024 adoption of the Common Security Advisory Framework (CSAF) for its security advisories and extends that machine-readable approach from advisories to exploitability information.
VEX is a standard format that is both human- and machine-readable. It lets an organization determine quickly whether a disclosed vulnerability actually affects the software it runs, instead of wading through advisory text or chasing every match a package scanner produces. A VEX document records a status for each product it covers: Known Affected, Known Not Affected, Under Investigation, or Fixed. In the CSAF profile Microsoft uses, a Known Not Affected statement must also carry a justification (for example, that the vulnerable code is not present in the shipped build), which is what makes it safe to suppress a scanner finding. This matters most for widely reused open-source components such as OpenSSL, where a vulnerable upstream version string does not by itself prove that a distribution’s patched or differently configured package is exploitable. By standardizing vulnerability status in this way, Microsoft gives businesses, vendors, and governments a basis for faster and better-informed security decisions and strengthens defenses across software supply chains and critical infrastructure.
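The following is an added example of how a consumer would act on VEX statements like the ones described above; it is not Microsoft’s code and the document it parses is not a Microsoft publication. It builds a small CSAF-2.0-shaped VEX document (constructed here; the CVE numbers with year 0000 and the product IDs are placeholders, not real identifiers) and triages a list of scanner findings against it: Fixed and justified Known Not Affected statements suppress a finding, Under Investigation keeps it pending, an unjustified Known Not Affected or a product listed under two statuses fails closed, and a CVE with no statement is left to the scanner. The assumption is that the scanner reports findings as (CVE, product ID) pairs that map onto the VEX product tree.

```python
"""Triage scanner findings against a CSAF VEX document (added example)."""
import json

# Constructed, CSAF-2.0-shaped VEX document (not a real advisory). CVE numbers
# with year 0000 and the AZL3-* product IDs are placeholders only.
VEX_JSON = r"""
{
  "document": {"category": "csaf_vex", "title": "Constructed VEX example"},
  "product_tree": {"full_product_names": [
    {"product_id": "AZL3-openssl", "name": "openssl package (placeholder)"},
    {"product_id": "AZL3-curl", "name": "curl package (placeholder)"}
  ]},
  "vulnerabilities": [
    {"cve": "CVE-0000-0001",
     "product_status": {"known_not_affected": ["AZL3-openssl"]},
     "flags": [{"label": "vulnerable_code_not_present",
                "product_ids": ["AZL3-openssl"]}]},
    {"cve": "CVE-0000-0002",
     "product_status": {"fixed": ["AZL3-curl"]}},
    {"cve": "CVE-0000-0003",
     "product_status": {"under_investigation": ["AZL3-openssl"]}},
    {"cve": "CVE-0000-0004",
     "product_status": {"known_affected": ["AZL3-openssl"],
                        "known_not_affected": ["AZL3-openssl"]}},
    {"cve": "CVE-0000-0005",
     "product_status": {"known_not_affected": ["AZL3-curl"]}}
  ]
}
"""

# The four VEX statuses, as they are spelled in CSAF product_status.
STATUSES = ("known_affected", "known_not_affected", "fixed", "under_investigation")

# CSAF flag labels that justify a known_not_affected statement.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed scanner output: (cve, product_id) pairs, one with no VEX statement.
SAMPLE_FINDINGS = [
    ("CVE-0000-0001", "AZL3-openssl"),
    ("CVE-0000-0002", "AZL3-curl"),
    ("CVE-0000-0003", "AZL3-openssl"),
    ("CVE-0000-0004", "AZL3-openssl"),
    ("CVE-0000-0005", "AZL3-curl"),
    ("CVE-0000-0006", "AZL3-curl"),
]


def index_vex(text):
    """Map (cve, product_id) -> {"statuses": set, "justifications": set}."""
    doc = json.loads(text)
    known = {p["product_id"] for p in doc["product_tree"].get("full_product_names", [])}
    index = {}

    def entry(cve, pid):
        if pid not in known:  # a status for an undeclared product is a malformed document
            raise ValueError(f"{cve}: product_id {pid!r} is not in product_tree")
        return index.setdefault((cve, pid), {"statuses": set(), "justifications": set()})

    for vuln in doc.get("vulnerabilities", []):
        cve = vuln["cve"]
        for status in STATUSES:
            for pid in vuln.get("product_status", {}).get(status, []):
                entry(cve, pid)["statuses"].add(status)
        for flag in vuln.get("flags", []):
            for pid in flag.get("product_ids", []):
                entry(cve, pid)["justifications"].add(flag["label"])
    return index


def decide(entry):
    """Turn one VEX entry (or None when the CVE is not mentioned) into an action."""
    if entry is None:
        return "keep"  # no statement: the scanner finding stands
    statuses = entry["statuses"]
    if len(statuses) != 1:
        return "conflict"  # zero or several statuses for one product: fail closed
    (status,) = statuses
    if status == "fixed":
        return "suppress"
    if status == "known_not_affected":  # only suppress when a justification is given
        return "suppress" if entry["justifications"] & JUSTIFICATIONS else "keep"
    if status == "under_investigation":
        return "keep_pending"
    return "keep"  # known_affected


def triage(findings, index):
    """Return {(cve, product_id): action} for every scanner finding."""
    return {(cve, pid): decide(index.get((cve, pid))) for cve, pid in findings}


if __name__ == "__main__":
    for key, action in triage(SAMPLE_FINDINGS, index_vex(VEX_JSON)).items():
        print(f"{key[0]} on {key[1]}: {action}")
```

Note the fail-closed choices: a Known Not Affected statement without a CSAF justification flag, and a product that appears under two statuses at once, both leave the finding in place rather than silently suppressing it. Real CSAF documents can also express justification through a threat entry of category "impact", which this example does not consult.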