As software supply chain attacks and risks become more common, organizations are increasingly concerned about what is in their software. Visibility is a vital first step, and more organizations are both supplying and asking for Software Bills of Materials (SBOMs). An SBOM is a formal record containing the details and supply chain relationships of the various components used in building software. As SBOMs grow more popular and implementations mature, there is demand for tooling that helps process them, especially for determining when a risk may NOT actually be present in a product.
This has given rise to the Vulnerability Exploitability eXchange (VEX), which provides an attestation that the supplier believes a given risk does not apply to a given product. This talk will walk through the progress made in both SBOM and VEX, and how both organizations and policy makers can increase transparency and improve risk communication.
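The relationship between an SBOM, a scanner's findings and a VEX document is easiest to see when the three are processed together. The following Python is an added example written for this page, not code from the talk or from any SBOM/VEX project. It uses a simplified, constructed record shape (not the CycloneDX, SPDX or OpenVEX schema), placeholder CVE identifiers, and assumes the VEX rule that a `not_affected` statement must carry a justification or impact statement; it shows how a consumer suppresses findings the supplier has attested do not apply, keeps the rest actionable, and refuses to honour malformed statements.

```python
"""Added example: applying VEX statements to vulnerability findings against an SBOM."""
from dataclasses import dataclass, field

# Constructed, simplified SBOM: components identified by package URL (purl).
# This mirrors the shape of SBOM component records but is not a real schema.
SBOM = {
    "components": [
        {"name": "libexample", "version": "1.2.3", "purl": "pkg:generic/libexample@1.2.3"},
        {"name": "parserlib", "version": "0.9.0", "purl": "pkg:generic/parserlib@0.9.0"},
    ]
}

# Constructed scanner findings: vulnerability id -> purls flagged (placeholder CVE ids).
FINDINGS = {
    "CVE-0000-00001": ["pkg:generic/libexample@1.2.3"],
    "CVE-0000-00002": ["pkg:generic/parserlib@0.9.0"],
    "CVE-0000-00003": ["pkg:generic/parserlib@0.9.0"],
}

# Constructed VEX statements in a simplified form. Status values follow the four
# VEX statuses; the justification requirement for not_affected is assumed here.
VEX = {
    "statements": [
        {"vulnerability": "CVE-0000-00001", "products": ["pkg:generic/libexample@1.2.3"],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": "CVE-0000-00002", "products": ["pkg:generic/parserlib@0.9.0"],
         "status": "affected", "action_statement": "upgrade to 0.9.1"},
    ]
}

VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}


@dataclass
class TriageResult:
    suppressed: dict = field(default_factory=dict)  # vuln -> {purl: reason}
    actionable: dict = field(default_factory=dict)  # vuln -> [purl, ...]
    invalid: list = field(default_factory=list)     # (vuln, problem) for rejected statements


def index_vex(vex, known_purls, result):
    """Map (vuln, purl) -> statement, keeping only well-formed statements about SBOM components.

    Malformed statements are recorded in result.invalid and ignored, so a bad
    statement can never silently suppress a finding.
    """
    idx = {}
    for st in vex.get("statements", []):
        vuln = st.get("vulnerability")
        status = st.get("status")
        if status not in VALID_STATUSES:
            result.invalid.append((vuln, f"unknown status {status!r}"))
            continue
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            result.invalid.append((vuln, "not_affected without justification or impact statement"))
            continue
        for purl in st.get("products", []):
            if purl in known_purls:  # statements about unknown products are irrelevant here
                idx[(vuln, purl)] = st
    return idx


def triage(sbom, findings, vex):
    """Split findings into suppressed (supplier attests no impact / fixed) and actionable."""
    result = TriageResult()
    known = {c["purl"] for c in sbom["components"]}
    idx = index_vex(vex, known, result)
    for vuln, purls in findings.items():
        for purl in purls:
            if purl not in known:
                continue  # finding does not refer to a component in this SBOM
            st = idx.get((vuln, purl))
            if st is not None and st["status"] in ("not_affected", "fixed"):
                reason = st.get("justification") or st["status"]
                result.suppressed.setdefault(vuln, {})[purl] = reason
            else:
                # affected, under_investigation, or no statement at all: keep it on the list
                result.actionable.setdefault(vuln, []).append(purl)
    return result


if __name__ == "__main__":
    r = triage(SBOM, FINDINGS, VEX)
    print("suppressed:", r.suppressed)
    print("actionable:", r.actionable)
    print("invalid:", r.invalid)
```

The fail-safe choice matters: a finding without a matching statement, or with a statement the consumer cannot validate, stays actionable, so a VEX document can only reduce noise when the supplier has actually stated and justified a status.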