At Manifest, we are committed to making cybersecurity easier for our customers by leaning into the latest tech and standards in the field. As we continue to make software bills of material (SBOMs) valuable for organizations of all sizes, we knew we needed to help security teams manage the ongoing deluge of vulnerabilities more efficiently and effectively.
That's why we are thrilled to announce our official support for Vulnerability Exploitability eXchange (VEX) documents!
Understanding VEX: A Game-changer in Cybersecurity
Before delving into the nuances of our new feature, it is essential to comprehend the significance of VEX. In layman's terms, VEX is a standardized format for exchanging information about the exploitability and impact of software vulnerabilities, making it an important companion to SBOMs. The VEX standard serves as a common language for cybersecurity experts, vendors, and end-users alike, facilitating transparent and swift communication about the exploitability of vulnerabilities discovered in software products. This collaboration helps each player take appropriate action swiftly, reducing the time window during which systems remain exposed to potential attacks.
In a world where cyber adversaries use automation to find and exploit vulnerabilities in a matter of minutes, defenders have always been a step behind, needing to manually read manufacturer websites to determine the severity, exploitability, and mitigations for a vulnerability. VEX represents a big step towards leveling the playing field, by making it faster for manufacturers to share information about vulnerabilities in their software, and for security teams to automate their responses.
Our initial path: the OpenVEX Standard
At Manifest, we believe in empowering our customers with open standards. And while VEX is still a relatively new and evolving concept, there are already several standards available, including CSAF, CycloneDX, and others.
For our initial VEX support, we have decided to implement the OpenVEX standard. OpenVEX, created by Chainguard, is a lightweight, clean, and intuitive way to describe vulnerabilities and the products they impact. Since there is no one superior standard, we will incorporate additional support for other VEX standards soon.
The Power of VEX at Your Fingertips with Manifest
With Manifest’s new VEX feature, our customers can generate - and soon share - VEX documents with the click of a button. This will allow Manifest customers to easily and rapidly disseminate and receive information about new vulnerabilities, easing the burden on both software manufacturers and security teams alike. This feature saves time, reduces the margin of error, and ensures the rapid delivery of exploitability information to the parties that need it most.
Next we will set our sights on easily sharing VEX documents. Next on the roadmap are features to automate the dissemination of VEX documents to relevant parties, and automated VEX ingestion. Relevant customers will receive the VEX notices automatically, thereby enhancing the pace at which vulnerabilities can be addressed, reducing potential security risks.
A Step Forward for Cybersecurity
By officially supporting VEX and the OpenVEX standard, we're not just enhancing the features of our platform; we're paving the way for stronger cybersecurity measures for our customers. This update underscores our commitment to unlocking the power and promise of SBOMs, without burdening already over-worked security teams. In a world where new vulnerabilities are continually surfacing, it's crucial to have efficient means of communication and vulnerability management. Through VEX support, we're ensuring that our customers are not just informed but prepared to take immediate action.
We are thrilled about this new addition to our platform, and we believe it will transform the way our customers handle their vulnerability management. This is just another step in our ongoing mission to empower security teams around the world, one SBOM and one vulnerability at a time.
Stay tuned for more exciting updates from Manifest!