Description
Address OSPS-VM-04.02 baseline requirement.
Requirement: While active, any vulnerabilities in the software components not affecting the project MUST be accounted for in a VEX document, augmenting the vulnerability report with non-exploitability details.
Recommendation: Establish a VEX feed communicating the exploitability status of known vulnerabilities, including assessment details or any mitigations in place preventing vulnerable code from being executed.
Control applies to: Maturity Level 3
External Framework Mappings
CRA: 1.2a, 1.2b, 2.1, 2.4, 2.6
SSDF: PO.4.1, RV.2.1, RV.2.2
CSF: ID.RA-01
ISO-18974: 4.1.5
PSSCRM: G2.2, D1.1
PCIDSS: 6.2.3, 6.3.1, 6.3.2, 6.3.3, 11.3.1
UKSSCOP: 3.4, 3.5, 4.3
800-161: CA-7, CM-3, CM-8, IR-5, SI-2, SI-4, SI-5
https://baseline.openssf.org/versions/2025-10-10#osps-vm-0402
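As an added illustration of what the requirement above asks for (this is example code written for this page, not the project's or the OpenSSF Baseline's own tooling), the block below assembles a minimal OpenVEX document and then uses it to augment a constructed scanner report: findings covered by a `not_affected` or `fixed` statement are suppressed, while anything `under_investigation`, `affected`, or without a statement stays open for triage. It also enforces the OpenVEX rule that a `not_affected` statement must carry a justification or an impact statement, which is the "assessment details" part of the recommendation. Every CVE ID, package URL, author and document ID in it is a constructed placeholder, not a real finding.

```python
"""Added example: build an OpenVEX document and apply it to a scanner report.

Illustrative code for this page only; all CVE IDs, package URLs, the author
and the document ID are constructed placeholders.
"""
import json
from datetime import datetime, timezone

# Status and justification vocabularies from the OpenVEX v0.2.0 specification.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
VEX_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def validate_statement(stmt):
    """Return a list of problems; an empty list means the statement is well-formed."""
    problems = []
    if not stmt.get("vulnerability", {}).get("name"):
        problems.append("missing vulnerability.name")
    if not stmt.get("products"):
        problems.append("missing products")
    status = stmt.get("status")
    if status not in VEX_STATUSES:
        problems.append(f"invalid status {status!r}")
    if status == "not_affected":
        # OpenVEX requires a justification or an impact_statement for
        # not_affected; without it the claim is not auditable.
        just = stmt.get("justification")
        if just is None and not stmt.get("impact_statement"):
            problems.append("not_affected needs justification or impact_statement")
        if just is not None and just not in VEX_JUSTIFICATIONS:
            problems.append(f"invalid justification {just!r}")
    return problems


def build_vex_document(author, statements, doc_id, timestamp=None):
    """Assemble an OpenVEX document, rejecting malformed statements up front."""
    for i, stmt in enumerate(statements):
        problems = validate_statement(stmt)
        if problems:
            raise ValueError(f"statement {i}: {', '.join(problems)}")
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


def apply_vex(findings, vex_doc):
    """Augment (cve, purl) scanner findings with the matching VEX statement.

    A finding is suppressed only when a statement for that exact CVE and
    product says not_affected or fixed; everything else stays open.
    """
    index = {}
    for stmt in vex_doc["statements"]:
        for product in stmt["products"]:
            index[(stmt["vulnerability"]["name"], product["@id"])] = stmt
    result = []
    for cve, purl in findings:
        stmt = index.get((cve, purl))
        if stmt is None:
            result.append({"cve": cve, "purl": purl, "state": "open", "vex": None})
            continue
        closed = stmt["status"] in ("not_affected", "fixed")
        detail = {k: stmt[k] for k in ("status", "justification", "impact_statement") if k in stmt}
        result.append({"cve": cve, "purl": purl,
                       "state": "suppressed" if closed else "open", "vex": detail})
    return result


# Constructed sample data (placeholder CVE IDs and purls, not real findings).
SAMPLE_STATEMENTS = [
    {
        "vulnerability": {"name": "CVE-0000-0001"},
        "products": [{"@id": "pkg:golang/example.com/liba@1.2.3"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "impact_statement": "The vulnerable parser is never reached; the project uses only the encoder.",
    },
    {
        "vulnerability": {"name": "CVE-0000-0002"},
        "products": [{"@id": "pkg:golang/example.com/libb@4.5.6"}],
        "status": "under_investigation",
    },
]
SAMPLE_FINDINGS = [
    ("CVE-0000-0001", "pkg:golang/example.com/liba@1.2.3"),
    ("CVE-0000-0002", "pkg:golang/example.com/libb@4.5.6"),
    ("CVE-0000-0003", "pkg:golang/example.com/libc@7.8.9"),  # no VEX statement yet
]


def demo():
    """Build the sample VEX feed and return the augmented report."""
    doc = build_vex_document("Example Project Security Team", SAMPLE_STATEMENTS,
                             "https://example.com/vex/2025-10-10", "2025-10-10T00:00:00+00:00")
    return apply_vex(SAMPLE_FINDINGS, doc)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the statements would be published as the project's VEX feed (e.g. a signed `openvex.json` alongside releases) and the scanner report would come from an SBOM-based vulnerability scan; consumers can then re-run the matching themselves rather than trusting a bare "not affected" label.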