BOF - Discussion Regarding False Positive Results from Vulnerability Scanners and the Use of VEX

CVE/FIRST VulnCon 2025 · Birds of a Feather

This Birds of a Feather (BoF) session, facilitated by Lisa from Microsoft and Pete from Red Hat, addressed the pervasive problem of **false positives** from vulnerability scanners: findings that flag a component as vulnerable by name and version even though the product is not actually affected (the vulnerable code is absent or unreachable, or the fix was backported without a version bump). It explored the role of **Vulnerability Exploitability eXchange (VEX)** as an industry-wide way for producers to state that exploitability status in machine-readable form. The discussion brought together producers, scanning vendors, and enterprise consumers to address the fragmentation and lack of trust in current vulnerability management practices. The core premise is that VEX, if standardized, widely adopted, and consumed automatically by scanners, can significantly reduce the noise in vulnerability reports, allowing organizations to focus on actual risks and improve automation.
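To make the mechanism concrete, here is an added example (not code from the session, Microsoft, or Red Hat) of how a scanner or triage pipeline can consume an OpenVEX document to drop findings that the producer has declared resolved. Field names follow the OpenVEX v0.2.0 document format; the scanner findings, package URLs, CVE numbers, timestamps, document id and author name are all constructed for illustration and do not refer to real vulnerabilities. The example also shows three checks a practitioner would want: only trusted authors may suppress findings, a `not_affected` statement without a justification or impact statement is treated as malformed, and when two statements cover the same vulnerability and product the newer timestamp wins.

```python
"""Apply OpenVEX statements to vulnerability-scanner findings.

Added example; not code from the VulnCon session, Microsoft or Red Hat.
Field names follow the OpenVEX v0.2.0 format; the findings, purls, CVE
numbers, timestamps, document id and author name are constructed.
"""
from datetime import datetime

LIBXML = "pkg:deb/debian/libxml2@2.9.14-1"
OPENSSL = "pkg:deb/debian/openssl@3.0.11-1"
CURL = "pkg:deb/debian/curl@7.88.1-10"

# Constructed scanner output: one record per (package purl, CVE) match.
SCANNER_FINDINGS = [{"purl": p, "cve": c} for p, c in [
    (LIBXML, "CVE-2024-0001"), (LIBXML, "CVE-2024-0002"),
    (OPENSSL, "CVE-2024-0003"), (OPENSSL, "CVE-2024-0004"),
    (OPENSSL, "CVE-2024-0005"), (CURL, "CVE-2024-0006"),
]]


def _stmt(cve, purl, status, **extra):
    """Build one OpenVEX statement object."""
    return {"vulnerability": {"name": cve}, "products": [{"@id": purl}],
            "status": status, **extra}


# Constructed OpenVEX document, as a distro security team might publish it.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/2025-04-07-1",  # hypothetical id
    "author": "Example Distro Security Team",
    "timestamp": "2025-04-07T10:00:00+00:00",
    "version": 1,
    "statements": [
        # Valid suppression: not_affected with a spec-listed justification.
        _stmt("CVE-2024-0001", LIBXML, "not_affected",
              justification="vulnerable_code_not_in_execute_path"),
        # Malformed: not_affected with neither justification nor impact_statement.
        _stmt("CVE-2024-0002", LIBXML, "not_affected", status_notes="triage pending"),
        # Not a resolution: still being investigated, finding must stay.
        _stmt("CVE-2024-0003", OPENSSL, "under_investigation"),
        # Two statements for one (vuln, product): the newer timestamp wins,
        # regardless of list order.
        _stmt("CVE-2024-0004", OPENSSL, "not_affected",
              justification="inline_mitigations_already_exist",
              timestamp="2025-04-07T09:00:00+00:00"),
        _stmt("CVE-2024-0004", OPENSSL, "affected",
              action_statement="upgrade to 3.0.12-1",
              timestamp="2025-04-01T09:00:00+00:00"),
        # Backported fix: the version string looks vulnerable but is patched.
        _stmt("CVE-2024-0005", OPENSSL, "fixed"),
    ],
}

# The five justification values the OpenVEX spec allows for not_affected.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def _statement_time(stmt, doc):
    """Statement timestamp, falling back to the document timestamp."""
    return datetime.fromisoformat(stmt.get("timestamp") or doc["timestamp"])


def effective_statements(doc):
    """Map (vulnerability, product id) to the newest statement for that pair."""
    latest = {}
    for stmt in doc.get("statements", []):
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            key = (vuln, product["@id"])
            if key not in latest or _statement_time(stmt, doc) > _statement_time(latest[key], doc):
                latest[key] = stmt
    return latest


def resolves_finding(stmt):
    """True only for statuses that justify dropping a scanner finding."""
    status = stmt.get("status")
    if status == "fixed":
        return True
    if status == "not_affected":
        # The spec requires a justification or an impact_statement here;
        # a bare not_affected is treated as malformed and ignored.
        return (stmt.get("justification") in NOT_AFFECTED_JUSTIFICATIONS
                or bool(stmt.get("impact_statement")))
    return False  # affected / under_investigation keep the finding


def apply_vex(findings, doc, trusted_authors):
    """Split findings into (remaining, suppressed) using one VEX document.

    A VEX document is an assertion by its author, so an untrusted author
    must not be allowed to silence findings.
    """
    if doc.get("author") not in trusted_authors:
        return list(findings), []
    statements = effective_statements(doc)
    remaining, suppressed = [], []
    for finding in findings:
        stmt = statements.get((finding["cve"], finding["purl"]))
        if stmt is not None and resolves_finding(stmt):
            reason = stmt.get("justification") or stmt.get("impact_statement") or stmt["status"]
            suppressed.append({**finding, "vex_status": stmt["status"], "reason": reason})
        else:
            remaining.append(finding)
    return remaining, suppressed


if __name__ == "__main__":
    kept, dropped = apply_vex(SCANNER_FINDINGS, VEX_DOC, {"Example Distro Security Team"})
    print("remaining:", [f["cve"] for f in kept])
    print("suppressed:", [(f["cve"], f["vex_status"], f["reason"]) for f in dropped])
```

Matching on the exact package URL is deliberate: a VEX statement about `libxml2@2.9.14-1` says nothing about `2.9.14-2`, and a consumer that loosens the match (by name only, or by version range) is re-introducing the guesswork that produced the false positive in the first place. In a real pipeline the trusted-author check would be backed by a signature on the document rather than a string compare.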

AI review

A competent BoF session on a real and underappreciated problem — VEX adoption and the false positive epidemic from vulnerability scanners. Lisa and Pete clearly know the space and are doing actual work at their organizations. The discussion surfaces genuine industry pain points and captures the current state of fragmentation honestly. But this is practitioner shop-talk, not research. Nothing here advances the technical conversation in a way that an informed reader couldn't piece together from existing CSAF documentation, the OpenVEX spec, and a few vendor blog posts. The value is in the room…
