Question 1

Is VEX required by the EU Cyber Resilience Act?

Accepted Answer

The EU CRA (effective September 2026) doesn't explicitly mandate VEX documents by name. However, it requires manufacturers to "identify and document vulnerabilities and components contained in the product" and provide "information about the vulnerabilities that have been fixed, including through security updates." VEX is the most practical machine-readable format for meeting these disclosure requirements. Organizations preparing for CRA compliance are adopting VEX as the standard way to communicate vulnerability status to downstream users.

Question 2

How is VEX different from EPSS?

Accepted Answer

VEX and EPSS answer fundamentally different questions. VEX is a product-specific assessment you create: "This CVE does not affect our product because we don't call the vulnerable function." EPSS is a global statistical prediction from FIRST.org: "This CVE has a 73% chance of being exploited somewhere in the next 30 days." You might have a CVE with a high EPSS score (likely to be exploited in the wild) but a VEX status of "not affected" (not exploitable in your specific product). Both signals are valuable — VEX eliminates false positives from your queue, and EPSS prioritizes whatever remains.

Question 3

Does GeekWala generate VEX documents?

Accepted Answer

Not yet. GeekWala scans your dependencies, cross-references them against the OSV vulnerability database, and enriches findings with EPSS scores and CISA KEV status. This enrichment data — exploitation probability, confirmed exploitation status, severity context — gives you the information you need to make VEX assessments faster. When you see a CVE in your scan results with an EPSS score of 0.02 and no KEV listing, you can confidently investigate whether it's worth a "not affected" VEX statement rather than an emergency patch.