Distribution Builders Meet VEX
CVE/FIRST VulnCon 2025 · Main Stage
Marta Rybczynska, who works on open-source security, examines how **Vulnerability Exploitability eXchange (VEX)** fits the **Yocto Project**, a build framework for custom **Linux distributions** on **embedded systems**. The talk reports on an experiment in generating standard VEX documents from the Yocto Project's own vulnerability metadata, covering what worked and where generic VEX formats fall short of what an embedded distribution builder needs to express.
AI review
Competent, practitioner-focused case study on the operational friction between the Yocto Project's internal vulnerability metadata and the current state of VEX standards. Rybczynska knows her domain — she's not hand-waving, she's done the actual work of trying to emit standard VEX from cve-check output and hit real walls. The gap analysis between what Yocto captures internally (NVD-is-wrong, abandoned-upstream, config-conditional non-exploitability) and what CSAF VEX / OpenVEX can actually express is the most useful part of this talk. The layer-inheritance problem — downstream layers silently…
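As an added worked example (not code from the talk, the Yocto Project, or the reviewer), the following Python script turns a cve-check style JSON report into an OpenVEX document. The sample report is constructed; its field names follow the cve-check JSON report as understood here, and the CVE_STATUS-to-justification table, the `pkg:generic` package URLs, the author string and the document id are all illustrative assumptions. It shows the friction the summary and review describe: "NVD matched the wrong component" and "compiled out by configuration" map onto OpenVEX justifications, while "abandoned upstream" has no not-affected equivalent and must stay `affected`.

```python
"""Convert a Yocto cve-check JSON report into an OpenVEX document.

Added illustration; not code from the talk or from the Yocto Project.
Input field names follow cve-check's JSON report as understood by the
author of this example; the report below is constructed, not captured.
"""
import json
from datetime import datetime, timezone

# Constructed sample shaped like cve-check's JSON report: one recipe whose
# issues carry the CVE_STATUS detail/description strings set in the recipe.
CVE_CHECK_REPORT = {
    "version": "1",
    "package": [
        {
            "name": "example-lib",          # hypothetical recipe
            "layer": "meta-example",        # hypothetical layer
            "version": "1.2.3",
            "products": [{"product": "example_lib", "cvesInRecord": "Yes"}],
            "issue": [
                {"id": "CVE-2024-0001", "status": "Ignored",
                 "detail": "not-applicable-config",
                 "description": "Affected module is disabled via PACKAGECONFIG"},
                {"id": "CVE-2024-0002", "status": "Ignored",
                 "detail": "cpe-incorrect",
                 "description": "NVD CPE matches an unrelated project of the same name"},
                {"id": "CVE-2024-0003", "status": "Ignored",
                 "detail": "upstream-wontfix",
                 "description": "Upstream abandoned; no fix planned"},
                {"id": "CVE-2024-0004", "status": "Patched",
                 "detail": "backported-patch",
                 "description": "Fixed by a patch carried in the recipe"},
                {"id": "CVE-2024-0005", "status": "Unpatched",
                 "detail": "", "description": ""},
            ],
        }
    ],
}

# CVE_STATUS detail -> (OpenVEX status, justification). This table is the
# example's own judgement; neither cve-check nor OpenVEX defines it.
STATUS_MAP = {
    # Code compiled out by build configuration: the vulnerable code is absent.
    "not-applicable-config": ("not_affected", "vulnerable_code_not_present"),
    # The NVD CPE points at a different component entirely.
    "cpe-incorrect": ("not_affected", "component_not_present"),
    "backported-patch": ("fixed", None),
    "fix-file-included": ("fixed", None),
    # Abandoned upstream is not a not_affected case in VEX terms: the product
    # stays affected with no fix, and that is what the consumer must see.
    "upstream-wontfix": ("affected", None),
}


def purl_for(pkg: dict) -> str:
    """Package URL for a recipe; the pkg:generic form is an assumption."""
    return f"pkg:generic/{pkg['name']}@{pkg['version']}"


def issue_to_statement(pkg: dict, issue: dict) -> dict:
    """Map one cve-check issue to one OpenVEX statement."""
    # Anything the recipe does not vouch for is left open for the consumer.
    default = ("affected", None) if issue["status"] == "Unpatched" \
        else ("under_investigation", None)
    status, justification = STATUS_MAP.get(issue.get("detail", ""), default)
    stmt = {
        "vulnerability": {"name": issue["id"]},
        "products": [{"@id": purl_for(pkg)}],
        "status": status,
    }
    if status == "not_affected":
        # OpenVEX requires a justification or impact_statement for not_affected.
        stmt["justification"] = justification
    # Keep the recipe's free-text rationale so reviewers can audit the call.
    if issue.get("description"):
        key = "impact_statement" if status == "not_affected" else "status_notes"
        stmt[key] = issue["description"]
    return stmt


def to_openvex(report: dict, author: str, doc_id: str) -> dict:
    """Wrap all statements from a cve-check report in an OpenVEX envelope."""
    statements = [issue_to_statement(pkg, issue)
                  for pkg in report["package"] for issue in pkg["issue"]]
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }


if __name__ == "__main__":
    doc = to_openvex(CVE_CHECK_REPORT, "example-build-team",
                     "https://example.invalid/vex/example-lib-1.2.3")
    print(json.dumps(doc, indent=2))
```

Note what survives the translation and what does not: the recipe's free text is kept as `impact_statement` or `status_notes` so a downstream reader can audit the call, but the Yocto-specific reason "upstream will not fix" is reduced to a plain `affected`, and an `Ignored` entry with an unrecognised detail string comes out as `under_investigation` rather than being silently promoted to `not_affected`.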