This is primarily an index of active Google Docs used by the various CISA SBOM workstreams (or working groups).
Types of Software Bill of Materials (SBOM) (April 2023)
There are three subsidiary cloud working groups:
- SBOM classic
- Cloud stack transparency
- Service transparency
The concept of VEX grew out of SBOM, but VEX is not strictly part of or necessary for SBOM.
Weekly meetings are held on Mondays, 1000-1100 EDT. The VEX WG is also piloting a mailing list. To subscribe, send mail to ${group_name}+subscribe@googlegroups.com. You can also subscribe and access the list on the web using a Google account. The name of the list is cisa-sbom-vex.
Vulnerability-Exploitability eXchange (VEX) – An Overview (September 2021)
Vulnerability Exploitability eXchange (VEX) – Use Cases (April 2022)
Vulnerability Exploitability eXchange (VEX) – Status Justifications (June 2022)
Minimum Requirements for Vulnerability Exploitability eXchange (VEX) (April 2023)