Vulnerability Exchange Standards and Adoption

Thesis type: Master Thesis
Supervisor: Marius Biebel
Starting date: As soon as possible
Skills: LaTeX, Git, JSON, Any programming language
Language: English (preferred), German
Industry cooperation: not possible
Publish date:

Problem and context

Vulnerability Exchange (VEX) formats are standardized, machine-readable formats that let organizations share detailed vulnerability data and remediation status in a consistent, automatable way, improving security coordination and response. Several standards have emerged in recent years, each designed with different use cases in mind.

| Standard  | Origin                   | Description / Focus |
|-----------|--------------------------|---------------------|
| VDR       | U.S. CERT/NIST           | Reporting – the act of delivering a vulnerability finding (process based) |
| OpenVEX   | OpenVEX WG (OSSF/MITRE)  | Status – whether a component is vulnerable, fixed, mitigated, or unknown |
| CSAF      | CVE Program (MITRE)      | Advisory – Common Security Advisory Framework |
| CycloneDX | CycloneDX Consortium     | Inventory – a complete, machine-readable list of components and dependencies (SBOM) that can also carry VEX information |
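To make the "status" and "inventory" rows of the table concrete, here is an added example (not part of this thesis description or of any of the named projects) that reads a minimal OpenVEX document and a minimal CycloneDX BOM with embedded VEX analysis and normalizes both into one status view a scanner could use to decide which findings still need attention. The field names follow the two specifications as the author of this example understands them; both documents are constructed samples, the package URLs are illustrative, and the CVE identifiers are placeholders rather than real entries.

```python
"""Normalize vulnerability status from two VEX formats into one view.

Added example. Field names follow the OpenVEX and CycloneDX VEX
specifications as this example's author understands them; the documents
below are constructed samples and the CVE ids are placeholders.
"""
import json
from typing import Dict, Tuple

# Common status vocabulary used by this example (OpenVEX-style words;
# the mapping itself is this example's choice, not part of either spec).
AFFECTED = "affected"
NOT_AFFECTED = "not_affected"
FIXED = "fixed"
UNKNOWN = "under_investigation"

# Constructed OpenVEX document: statement-centric, one status per CVE/product pair.
OPENVEX_DOC = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/sample-1",
  "author": "Example Vendor PSIRT",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-00001"},
     "products": [{"@id": "pkg:generic/example-app@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-00002"},
     "products": [{"@id": "pkg:generic/example-app@1.2.3"}],
     "status": "fixed"}
  ]
}
""")

# Constructed CycloneDX BOM: inventory plus a per-vulnerability "analysis" block.
CYCLONEDX_DOC = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:generic/example-lib@4.5.6",
     "name": "example-lib", "version": "4.5.6"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-00003",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:generic/example-lib@4.5.6"}]},
    {"id": "CVE-0000-00004",
     "analysis": {"state": "in_triage"},
     "affects": [{"ref": "pkg:generic/example-lib@4.5.6"}]}
  ]
}
""")

# CycloneDX analysis states mapped onto the common vocabulary above.
_CDX_STATE_MAP = {
    "not_affected": NOT_AFFECTED,
    "false_positive": NOT_AFFECTED,
    "resolved": FIXED,
    "resolved_with_pedigree": FIXED,
    "exploitable": AFFECTED,
    "in_triage": UNKNOWN,
}


def from_openvex(doc: dict) -> Dict[Tuple[str, str], str]:
    """Return {(cve, product): status} from an OpenVEX document."""
    out: Dict[Tuple[str, str], str] = {}
    for stmt in doc.get("statements", []):
        cve = stmt["vulnerability"]["name"]
        status = stmt["status"]
        if status == NOT_AFFECTED and not ("justification" in stmt or "impact_statement" in stmt):
            # OpenVEX requires a justification or impact statement for
            # not_affected; a bare claim carries no evidence, so do not
            # let it suppress the finding.
            status = UNKNOWN
        for product in stmt.get("products", []):
            out[(cve, product["@id"])] = status
    return out


def from_cyclonedx(doc: dict) -> Dict[Tuple[str, str], str]:
    """Return {(cve, component ref): status} from CycloneDX vulnerabilities."""
    out: Dict[Tuple[str, str], str] = {}
    for vuln in doc.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        status = _CDX_STATE_MAP.get(state, UNKNOWN)  # unknown states stay open
        for affected in vuln.get("affects", []):
            out[(vuln["id"], affected["ref"])] = status
    return out


def open_findings(statuses: Dict[Tuple[str, str], str]):
    """Return the (cve, product) pairs a scanner should still report."""
    return sorted(k for k, v in statuses.items() if v in (AFFECTED, UNKNOWN))


if __name__ == "__main__":
    combined = {**from_openvex(OPENVEX_DOC), **from_cyclonedx(CYCLONEDX_DOC)}
    for key, value in sorted(combined.items()):
        print(key, "->", value)
    print("still open:", open_findings(combined))
```

The design choice worth noting is the conservative default: any state the normalizer does not recognise, and any not_affected claim that arrives without the justification the format requires, stays open rather than silently suppressing a finding. That is the failure mode a consumer of mixed VEX sources most needs to guard against.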

With the upcoming EU Cyber Resilience Act (CRA) and increasing regulatory requirements, the need for effective VEX standards is more pressing than ever. Investigating how these standards are adopted across industries and use cases will provide valuable insight into their effectiveness and into areas for improvement.

Goals

The goal of this thesis could be to analyze the existing VEX standards, their use cases, and their adoption in industry, to identify gaps and challenges in the current standards, and to propose recommendations for improving their effectiveness and adoption.

The thesis can focus on a number of sub-topics, including, but not limited to:

Thesis proposals for adjacent topics are welcome. Get in touch if you have further questions.

Literature