Weaving a VEX Feed Through the Kubernetes Project
CVE/FIRST VulnCon 2025 · Main Stage
In this talk, Adolfo Garcia, known as "Puerco," from Carabiner Systems and a key contributor to Kubernetes Release Engineering and the OpenVEX project, walks through the complex yet critical work of generating and managing **Vulnerability Exploitability eXchange (VEX)** feeds for the expansive Kubernetes project. The presentation highlights the challenges posed by a project of Kubernetes' scale and distributed, multi-SIG nature, and offers a practical roadmap and newly developed tooling to address them.
AI review
Garcia is the right person giving the right talk at the right conference. He's the OpenVEX technical lead and a Kubernetes Release Engineering contributor — this is his own work, not a summary of someone else's. The talk delivers a concrete architecture for a genuinely hard problem: how do you generate trustworthy, signed, machine-readable vulnerability impact statements at the scale and organizational complexity of Kubernetes? The multi-source feed design, the Vex flow tooling, the OSV-first advisory rewrite, and the Sigstore attestation strategy are all real, implemented (or in-progress)…