Vulnerability Exchange Standards and Adoption
| Thesis type | Master Thesis |
| Supervisor | Marius Biebel |
| Starting date | As soon as possible |
| Skills | LaTeX, Git, JSON, Any programming language |
| Language | English (preferred), German |
| Industry cooperation | not possible |
| Publish date |
Problem and context
Vulnerability Exchange (VEX) formats are standardized, machine‑readable formats that allow organizations to share detailed vulnerability data and remediation status in a consistent, automated way to improve security coordination and response. Different standards have emerged in recent years with different use cases in mind.
| Standard | Origin | Description / Focus |
|---|---|---|
| VDR | U.S. CERT/NIST | Reporting – the act of delivering a vulnerability finding (Process based) |
| OpenVEX | OpenVEX WG (OSSF/MITRE) | Status – whether a component is vulnerable, fixed, mitigated, or unknown |
| CSAF | CVE Program (MITRE) | Advisory – Common Security Advisory Framework |
| CycloneDX | CycloneDX Consortium | Inventory – a complete list of components and dependencies as machine readable SBOM that can contain VEX information |
With the upcoming CRA and increasing regulatory requirements, the need for effective VEX standards is more critical than ever. Investigating the adoption of these standards across different industries and use cases will provide valuable insights into their effectiveness and areas for improvement.
Goals
The goal of this thesis could be to analyze the existing VEX standards, their use cases, and their adoption in the industry. It aims to identify gaps and challenges in the current standards and propose recommendations for improving their effectiveness and adoption.
The thesis can focus on a number of sub-topics, including, but not limited to:
- Analyzing the strengths and weaknesses of existing VEX standards
- Investigating the adoption of VEX standards in different areas
- Proposing enhancements to VEX standards for better usability and effectiveness (e.g. signing and validation infrastructure of VEX documents)
- Implementation of open source reference tools to generate / process / convert / validate / analyze VEX documents
- Investigating open sources for VEX data and assessing their quality
Thesis proposals for adjacent topics are welcome. Get in touch if you have further questions.