Revenera Announces Availability of Vulnerability Disclosure Reports and Vulnerability Exploitability eXchange Reports to Help Optimize SBOMs
Reports allow Revenera SCA users to document vulnerabilities and communicate vulnerability management plans
Itasca, IL - May 2, 2023 Revenera, producer of leading solutions that help technology companies build better products, accelerate time to value and monetize what matters, today announced the availability of Vulnerability Disclosure Reports and Vulnerability Exploitability eXchange reports in the current release of Revenera SBOM Insights, which provides the ability to manage security and legal risk by operationalizing SBOMs in the cloud.
To optimize a software bill of materials (SBOM) and make it actionable, accurate reporting is required about the vulnerabilities (known and unknown) inside applications, as well as about the level of impact and exploitability of those vulnerable components. Because the security state of a given SBOM is always changing, it is imperative that a view into the current state is available for downstream partners and customers. VDR and VEX reports achieve this and help software companies comply with SBOM-related guidelines of the National Institute of Standards and Technology (NIST).
Vulnerability Disclosure Report (VDR)
A VDR, provided by a software supplier or a third party, demonstrates proper and complete vulnerability assessments for the components listed in an SBOM, showing that all vulnerabilities, for all parts of an application, have been disclosed. The VDR (1) enumerates vulnerabilities, including sources, severity scores, common weaknesses, and dates; and (2) references the part(s) in the SBOM with which each vulnerability is associated.
Vulnerability Exploitability eXchange (VEX)
A VEX, provided by a software supplier or a third party, is an important artifact for security transparency: it gives software suppliers and other parties information about the status of specific vulnerabilities in the SBOM parts associated with a particular application. It can either explain a company’s plan for mitigating a true-positive vulnerability or explain why a particular vulnerability does not impact a particular application.
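As an added illustration (not Revenera's code and not the format of its reports), the following Python builds VEX statements from constructed VDR-style findings: it checks that every finding cites a part that exists in the SBOM, and requires a mitigation plan for an "affected" decision or a justification for a "not_affected" one, matching the two purposes of a VEX described above. The status and justification names follow OpenVEX conventions, and the CVE identifiers and package references are placeholders.

```python
import json

# Constructed sample data for illustration only (not Revenera data).
# SBOM parts keyed by bom-ref; every VDR/VEX entry must cite one of these.
SBOM_PARTS = {
    "pkg:maven/org.example/parser@1.2.0": "parser 1.2.0",
    "pkg:npm/example-pad@1.3.0": "example-pad 1.3.0",
}

# VDR entries carry what the page lists: source, severity score, weakness,
# date, and the SBOM part each vulnerability is associated with.
VDR_ENTRIES = [
    {"id": "CVE-0000-0001", "source": "NVD", "score": 9.8, "cwe": "CWE-502",
     "published": "2023-01-10", "affects": "pkg:maven/org.example/parser@1.2.0"},
    {"id": "CVE-0000-0002", "source": "NVD", "score": 5.3, "cwe": "CWE-400",
     "published": "2023-03-02", "affects": "pkg:npm/example-pad@1.3.0"},
]

# VEX status vocabulary (OpenVEX-style names, assumed here).
VEX_STATES = {"affected", "not_affected", "fixed", "under_investigation"}

def build_vex(vdr_entries, sbom_parts, decisions):
    """Turn VDR findings plus supplier decisions into VEX statements.
    decisions maps a vulnerability id to (state, detail): the detail is the
    mitigation plan for "affected" or the justification for "not_affected".
    Undecided findings are reported as under_investigation, never dropped."""
    statements = []
    for entry in vdr_entries:
        ref = entry["affects"]
        if ref not in sbom_parts:  # a VEX may only cite parts in the SBOM
            raise ValueError(f"{entry['id']} cites unknown SBOM part {ref}")
        state, detail = decisions.get(entry["id"], ("under_investigation", None))
        if state not in VEX_STATES:
            raise ValueError(f"invalid VEX state {state!r} for {entry['id']}")
        if state in ("affected", "not_affected") and not detail:
            raise ValueError(f"{state} for {entry['id']} needs a plan or justification")
        stmt = {"vulnerability": entry["id"], "product": ref, "status": state,
                "source": entry["source"], "cwe": entry["cwe"]}
        if state == "affected":
            stmt["action_statement"] = detail   # the mitigation plan
        elif state == "not_affected":
            stmt["justification"] = detail      # why there is no impact
        statements.append(stmt)
    return {"statements": statements}

if __name__ == "__main__":
    decisions = {"CVE-0000-0001": ("affected", "upgrade to parser 1.2.1 in next release"),
                 "CVE-0000-0002": ("not_affected", "vulnerable_code_not_in_execute_path")}
    print(json.dumps(build_vex(VDR_ENTRIES, SBOM_PARTS, decisions), indent=2))
```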
“VDR and VEX reports provide the security companion to SBOMs to allow software companies the ability to accurately communicate the true vulnerability state of their products to their downstream software supply chain partners and customers,” said Alex Rybak, Senior Director of product management at Revenera. “Revenera SBOM Insights has the composition and licensing information, along with a snapshot of users’ security state, that provides for the creation of VDR and VEX reports to help optimize SBOMs and their efficacy—if and when vulnerabilities are discovered.”
Additional information is available in the blog post Level Up Your Security Game with VDR and VEX Reports.
Revenera helps product executives build better products, accelerate time to value and monetize what matters. Revenera's leading solutions help software and technology companies drive top line revenue with modern software monetization, understand usage and compliance with software usage analytics, empower the use of open source with software composition analysis and deliver an excellent user experience—for embedded, on-premises, cloud and SaaS products. To learn more, visit www.revenera.com.