Weaving a VEX Feed Through the Kubernetes Project
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
This 26-minute conference talk by Adolfo García Veytia from Stacklok explores how the Vulnerability Exploitability eXchange (VEX) is being implemented within the Kubernetes project. Learn about VEX, a metadata format designed to complement Software Bills of Materials (SBOMs) by communicating the actual impact of vulnerabilities on software. Discover how VEX helps organizations reduce false positives in vulnerability scanning, saving thousands of dollars in engineering time that would otherwise be spent on triaging non-exploitable issues. The presentation details the collaborative effort between Kubernetes SIG Release, the Security Response Committee, and SIG Security to create a Kubernetes VEX feed, explaining the data sources and demonstrating practical applications with real vulnerability scanners. Gain insights into how software authors can effectively communicate when their software remains safe to use despite security scanner alerts.
Syllabus
Weaving a VEX Feed Through the Kubernetes Project - Adolfo García Veytia, Stacklok
Taught by
CNCF [Cloud Native Computing Foundation]