VEX (Vulnerability Exploitability eXchange)
Reduce scanner noise with HeroDevs OpenVEX for NES packages.
Vulnerability scanners flag every known CVE that matches a package in your dependency tree, even when that vulnerability has already been patched or doesn't apply to your version. As CVE volume continues to grow (over 48,000 published in 2025 alone), the signal-to-noise ratio gets worse.
HeroDevs publishes a VEX feed for NES packages so that supported scanners can automatically filter out findings that have already been addressed — fewer false positives, less noise, and no loss of auditability.
What is VEX?
VEX (Vulnerability Exploitability eXchange) is a CISA-recognized standard for communicating whether a known vulnerability actually affects a specific product version. When a scanner ingests a VEX document, it can automatically suppress alerts for vulnerabilities that are already fixed or don't apply. See the glossary for other terms used on these pages.
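To make the suppression step concrete, the following added example (not HeroDevs or scanner code) filters scanner findings against an OpenVEX document while keeping an audit record of everything it hides. The package URLs, CVE ids, and document `@id` are constructed placeholders, and matching products by exact purl string is a simplifying assumption.

```python
import json

# Constructed OpenVEX document; every identifier in it is a placeholder.
VEX_DOC = json.loads("""
{"@context": "https://openvex.dev/ns/v0.2.0",
 "@id": "https://example.invalid/vex/constructed-1",
 "author": "Example Vendor", "timestamp": "2025-01-01T00:00:00Z", "version": 1,
 "statements": [
  {"vulnerability": {"name": "CVE-0000-0001"}, "status": "fixed",
   "products": [{"@id": "pkg:npm/example-pkg@1.0.0"}]},
  {"vulnerability": {"name": "CVE-0000-0002"}, "status": "not_affected",
   "justification": "vulnerable_code_not_present",
   "products": [{"@id": "pkg:npm/example-pkg@1.0.0"}]},
  {"vulnerability": {"name": "CVE-0000-0003"}, "status": "under_investigation",
   "products": [{"@id": "pkg:npm/example-pkg@1.0.0"}]}
 ]}
""")

# Constructed scanner output: (vulnerability id, package purl).
FINDINGS = [
    ("CVE-0000-0001", "pkg:npm/example-pkg@1.0.0"),
    ("CVE-0000-0002", "pkg:npm/example-pkg@1.0.0"),
    ("CVE-0000-0003", "pkg:npm/example-pkg@1.0.0"),
    ("CVE-0000-0001", "pkg:npm/example-pkg@0.9.0"),  # version with no statement
]

# Only these statuses justify hiding a finding; "affected" and
# "under_investigation" must stay visible.
SUPPRESSING = {"fixed", "not_affected"}

def apply_vex(findings, vex):
    """Return (open, suppressed); suppressed entries record why they were hidden."""
    index = {}
    for st in vex["statements"]:
        for prod in st["products"]:
            # Simplification: the last statement in document order wins.
            index[(st["vulnerability"]["name"], prod["@id"])] = st
    open_, suppressed = [], []
    for cve, purl in findings:
        st = index.get((cve, purl))
        if st and st["status"] in SUPPRESSING:
            suppressed.append({"cve": cve, "purl": purl, "status": st["status"],
                               "justification": st.get("justification"),
                               "vex_id": vex["@id"]})
        else:
            open_.append((cve, purl))
    return open_, suppressed
```

A statement only covers the product versions it names, so the same CVE against the unlisted version stays open.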