OpenVEX lively discussion underway on GitHub OpenSSF

Dick Brooks


This video leaves me questioning where Microsoft stands on OpenVEX.


Art Manion’s description of the CISA process is worth listening to:


The entire segment is also very insightful.


I presume that people understand a VEX is a “negative security advisory”, listing all the products which ARE NOT AFFECTED by a vulnerability, which is the opposite of a Security Advisory that lists products which ARE AFFECTED by a vulnerability.




Dick Brooks


Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership


Never trust software, always verify and report!

Email: dick@...

Tel: +1 978-696-1788