At Red Hat, our deep focus on security doesn't stop at the code; it extends to how we communicate vulnerability information to our partners and customers. Based on valuable feedback from our partner community, Red Hat Product Security is announcing a major evolution in our security data ecosystem: the complete overhaul of our Common Security Advisory Framework (CSAF) and Vulnerability Exploitability eXchange (VEX) files.
Why the change?
Security data is only as good as its usability. We are modernizing and transforming our formats to improve clarity and simplify integration for the entire security ecosystem. By adopting a standardized CSAF VEX format with a modernized and improved infrastructure, we are better able to deliver a service that enhances performance and long-term support for the security ecosystem.
What’s new in our VEX evolution?
This update introduces several key improvements designed for precision and simplicity:
- Improved product granularity: We are moving beyond major versions. VEX files will now explicitly list affected supported streams, such as RHEL 9.6 and RHEL 9.4 EUS, rather than just "RHEL 9."
- Simplified product trees: We’ve removed inconsistent nesting for architecture and product families, reducing complexity and redundant entries.
- Enhanced validation: Better validation for CSAF VEX formats and improved identification helpers like Common Platform Enumerations (CPEs) and Package URLs (PURLs).
- Better consistency: Standardized product names and IDs provide better clarity when tracking both "fixed" and "unfixed" statuses.
- Optimized content: We’ve removed redundant fields and duplicate data points to provide a cleaner, more focused data set.
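To show what stream-level granularity means for a consumer, the following added example (not Red Hat's code and not taken from the Beta files) resolves each product ID in a VEX document's status lists against the product tree. The sample document is constructed in the CSAF 2.0 layout; its product IDs, CPEs, vendor name and CVE number are placeholders.

```python
# Constructed sample in CSAF 2.0 VEX layout; IDs, CPEs and the CVE are placeholders.
SAMPLE = {
    "product_tree": {"branches": [{
        "category": "vendor", "name": "Example Vendor", "branches": [
            {"category": "product_name", "name": "RHEL 9.6", "product": {
                "product_id": "stream-9.6", "name": "RHEL 9.6",
                "product_identification_helper": {"cpe": "cpe:/o:example:rhel:9.6"}}},
            {"category": "product_name", "name": "RHEL 9.4 EUS", "product": {
                "product_id": "stream-9.4-eus", "name": "RHEL 9.4 EUS",
                "product_identification_helper": {"cpe": "cpe:/o:example:rhel_eus:9.4"}}},
        ]}]},
    "vulnerabilities": [{
        "cve": "CVE-0000-00000",
        "product_status": {"fixed": ["stream-9.6"], "known_affected": ["stream-9.4-eus"]},
    }],
}

def index_products(tree):
    """Map product_id -> name for branch products and relationship products."""
    found = {}
    def walk(branches):
        for branch in branches:
            product = branch.get("product")
            if product:
                found[product["product_id"]] = product["name"]
            walk(branch.get("branches", []))  # branches may nest to any depth
    walk(tree.get("branches", []))
    for rel in tree.get("relationships", []):
        full = rel["full_product_name"]
        found[full["product_id"]] = full["name"]
    return found

def status_by_product(doc):
    """Return {cve: {product_id: (name, status)}}; reject dangling or conflicting IDs."""
    products = index_products(doc["product_tree"])
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        per_product = result.setdefault(vuln["cve"], {})
        for status, ids in vuln.get("product_status", {}).items():
            for pid in ids:
                if pid not in products:
                    raise ValueError(f"{pid} is not defined in product_tree")
                if pid in per_product and per_product[pid][1] != status:
                    raise ValueError(f"{pid} is listed as both {per_product[pid][1]} and {status}")
                per_product[pid] = (products[pid], status)
    return result

if __name__ == "__main__":
    print(status_by_product(SAMPLE))
```

With one entry per stream, a scanner can report the 9.4 EUS system as affected and the 9.6 system as fixed instead of collapsing both into a single "RHEL 9" verdict.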
The road to GA at Red Hat Summit 2026
We are committed to a transparent rollout so all partners are prepared for this transition:
- Now (Beta): We've incorporated initial vendor feedback into the Beta version, which is available now. We recommend vendors begin their formal adoption process at this time.
- Red Hat Summit 2026—General Availability: We plan to officially launch the new VEX files at Red Hat Summit 2026. At that time, legacy VEX files will be deprecated.
Join the journey
Your feedback is crucial to a successful launch! If you are a Red Hat partner, we encourage you to explore the Beta version and provide feedback through our Jira project under the ‘feedback-new-vex’ component. You can learn more about the Beta changes in the VEX-Beta Announcement documentation. We look forward to seeing you at Red Hat Summit for the official release!
Red Hat Product Security
About the author
I became enamored by Open Source early in my career; mostly as a business owner and ambassador for other businesses. I joined Red Hat in 2005 and have enjoyed my time helping to expand our customer service, engineering and security efforts. I participate in various industry working groups focused on improving the generation and use of better security data.