The Promise of VEX and the Infernal Problem of Trust

"Anyone lies when the alternative is intolerable." – Maury Chaykin as Nero Wolfe

Trusting humans is one of the most problematic aspects of security.

For those not familiar, a good overview of VEX is available (PDF) on the NTIA.gov site.

The value of VEX is clear: it signals to consumers of software that a discovered vulnerability may or may not be significant, and optionally how and why. In a perfect world, this is exactly what we want. We want to place our trust in a human to tell the other humans who use or consume the software whether it poses a risk. We go through similar routines outside of software. We may take our cars to a mechanic and be told there is a problem which, although it shows no symptoms, can produce a malfunction down the road. We take ourselves to the doctor and may be told, through a panel of blood tests, that we are suffering from some malady which, although no symptoms were apparent, needs to be rectified.

The root of the problem is that a VEX, unlike an SBOM or a vulnerability scan, which are objective documents, is a subjective document. A VEX is a document created by humans which captures their assessment of a situation from a usability context. VEXs are therefore subjective; they capture what humans have to say about software, not what its nature is. This leads to the problem of trust. Since it is a human-generated document, trust is everything. Whom do we trust to tell us about vulnerabilities in the software upon which we depend?
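To make that subjectivity concrete, here is an added example (not from the original post or the NTIA document) of a consumer that refuses to let a VEX statement silence a scanner finding unless the statement's author is on a trust list and the statement carries a justification. The JSON layout, author address, product identifiers and CVE numbers are constructed placeholders, not the official schema.

```python
import json

# Constructed, simplified VEX-style document (not the official NTIA/CSAF schema).
# The author field records who made the claim, so a consumer can decide whether to trust it.
VEX_DOC = json.dumps({
    "author": "vendor-security@example.com",   # placeholder
    "statements": [
        {"vulnerability": "CVE-0000-0001", "product": "pkg:generic/libfoo@1.2.3",
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": "CVE-0000-0002", "product": "pkg:generic/libfoo@1.2.3",
         "status": "affected"},
    ],
})

# Constructed scanner findings: (vulnerability id, product) pairs, all placeholders.
SCAN_FINDINGS = [
    ("CVE-0000-0001", "pkg:generic/libfoo@1.2.3"),
    ("CVE-0000-0002", "pkg:generic/libfoo@1.2.3"),
    ("CVE-0000-0003", "pkg:generic/libbar@4.5.6"),
]


def triage(findings, vex_json, trusted_authors):
    """Return {(vuln, product): disposition}.

    A not_affected claim only suppresses a finding when the VEX author is in
    trusted_authors and the statement gives a justification; otherwise the
    finding stays open and the unaccepted claim is noted for a human to review.
    """
    vex = json.loads(vex_json)
    trusted = vex["author"] in trusted_authors
    claims = {(s["vulnerability"], s["product"]): s for s in vex["statements"]}
    result = {}
    for key in findings:
        s = claims.get(key)
        if s is None:
            result[key] = "open: no VEX statement"
        elif s["status"] == "not_affected" and trusted and s.get("justification"):
            result[key] = f"suppressed: {s['justification']} (per {vex['author']})"
        elif s["status"] == "not_affected":
            result[key] = "open: not_affected claim not accepted (untrusted author or no justification)"
        else:
            result[key] = f"open: {s['status']}"
    return result


if __name__ == "__main__":
    for k, v in triage(SCAN_FINDINGS, VEX_DOC, {"vendor-security@example.com"}).items():
        print(k, "->", v)
```

Run it once with the vendor in the trust set and once with an empty set to see the same not_affected claim change from a suppression into an open item.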

I have struggled with this concept of VEX for a while now. I also had a good conversation with Andrew Black and Michael Liebermann at KubeCon North America 2022 in Detroit where we discussed this very subject.

And the problem of trusting other humans in this context comes down to two things: bias and motive. The problem is most apparent in commercial software.

SolarWinds LastPass