reel-vex is an open-source platform designed to aggregate and manage VEX (Vulnerability Exploitability eXchange) statements, focusing on software vulnerability information from multiple Linux vendors. The service addresses the challenge of determining which vulnerabilities are relevant or actionable in a given software context by centralizing vendor statements and providing tools for annotation and analysis.
The platform enables users to search for vendor VEX statements by entering a CVE ID, allowing them to see every vendor statement associated with that vulnerability. reel-vex supports the upload of SBOMs (Software Bill of Materials) in CycloneDX format, VEX documents in OpenVEX or CycloneDX VEX formats, or both. Users can drop these files directly into the platform or interact programmatically via a documented HTTP API. When a CycloneDX SBOM with a vulnerabilities section is provided, the tool returns the SBOM annotated with the vendor's verdict on each vulnerability. If only SBOM components are provided, vulnerabilities are filled in from vendor data and then annotated. Uploading only a VEX document results in an OpenVEX document with user statements merged and vendor views presented alongside. When both SBOM and VEX are supplied, the tool annotates the SBOM, giving precedence to user-provided VEX statements over vendor verdicts in case of conflict.
reel-vex aggregates VEX data from a range of Linux vendors, including Oracle, Amazon, Red Hat, SUSE, Ubuntu, Debian, Alpine, AlmaLinux, and Rancher. This breadth allows users to analyze vulnerability relevance across diverse distributions. The platform can also generate SBOMs using the 'reel export sbom' command, which scans container images for vulnerabilities and outputs them in CycloneDX format.
The service is free and open source, making it accessible for organizations or individuals seeking to enhance their vulnerability management and compliance workflows. reel-vex is positioned as a VEX hub, providing a unified interface for querying, annotating, and merging vulnerability statements from multiple sources.
In the Infrastructure & Backend space, reel-vex takes a focused approach. It focuses on aggregating and querying vulnerability information (VEX) across multiple vendors for software supply chain security. reel-vex is an open-source project aimed at security engineers and DevOps teams. The project is open source (Apache-2.0). It runs on the web and API, and it can be self-hosted.
It is developed by reel, and the product first shipped in 2026. The project is developed in the open on GitHub with 93 commits in the last 90 days. Among its 5 catalogued features are VEX aggregation, SBOM upload, and CVE search. It exposes integrations via a public API.
Latest indexed changes and source events
Show HN: Free API of 248M aggregated VEX statements: 45% of CVEs not affected verified by the PulseGate indexer
Other apps tracked under the same category.