csaf message



Subject: Data on Use of CSAF VEX profile


There is frequently a debate on several of the CISA Software Transparency Workstreams (notably VEX and Onramps/Adoption) between two camps on the topic of VEX adoption. One person in particular is adamant that VEX isn’t used by anyone anywhere. I fall in the other camp, that VEX does have valid use cases (e.g., https://github.com/opencybersecurityalliance/PACE/tree/main/docs/UseCases/Pace_Sbom_Vex_Flags_Prioritization on status_justification use cases) and that VEX is beginning to be used.

 

Data would greatly help quiet our debates. I’m willing to shut up if the answer to all 3 of the following questions is no (i.e., not in use publicly or privately, and no plans to use). Hopefully the other side of the debate is willing to do similar if data is provided showing usage. The data desired is:

  • Does anyone on this list know of any published CSAF using VEX profile?
  • Does anyone know of ‘internal’ CSAF/VEX use? I.e., not a public website but used either inside a company, or between company and supplier/customers but only available within trust group?
  • Is anyone not using CSAF/VEX yet but plans to?

 

I also think having this data will help with CSAF adoption (i.e., orgs hesitating, or debating using one of the VEX alternatives, may decide to use CSAF if they see who else is using CSAF).

 

Please respond (even if it’s all 3 no) so we have some data to work with.

 

-- 

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 


