Public beta trial

StreamingVEX

Beta

A secure aggregation and discovery service for VEX and vulnerability disclosure payloads — match SBOMs to catalog sources that matter to you, and stay current as upstream publishers refresh. Now open for early adopters.

Publishers push once through validated supplier ingest or approved public pull. Subscribers use client-first SBOM matching to find gaps, subscribe at supplier, product, or release scope, and receive updates through outbound pull, signed webhooks, or authenticated APIs — without every team rebuilding ingest parsers and delivery fan-out.

During the beta trial we're refining limits, monitoring, and operator tooling. Expect occasional maintenance windows; we welcome feedback from production-shaped workflows. After you join, VEXpert, our in-app AI assistant, helps your team get started on StreamingVEX — configuring VEX sources, catalog subscriptions, SBOM matching, and delivery. See our Privacy & data use notice for what we collect, what appears in the public catalog, and how beta feedback (including screenshots) is handled.

Supply chain stakeholders

Silicon vendors

Publish reference firmware, BSP, and microcode VEX from CI with streamingvex-push. When NDAs apply, push encrypted VEX so StreamingVEX stores and forwards ciphertext only. Downstream vendors register a public PGP key with you; you associate only the vendor certificates you authorize with each release so permitted partners can decrypt — others may receive updates but cannot read the document.

OSS developers

StreamingVEX creates VEX reports automatically for downstream vendors who depend on your projects — or, if you already maintain official VEX in your source repositories, pulls directly from your repos and distributes it across the supply chain. Registered sources are checked multiple times a day and changes are fanned out downstream so subscribers stay current on the latest vulnerabilities. Opt in to have StreamingVEX maintain your NVD CPE dictionary entries from the CPE metadata embedded in your VEX documents.

Independent firmware vendors

Central to the supply chain, use StreamingVEX to source VEX from silicon vendors and OSS maintainers so you receive the latest upstream remediations. Author VEX for your own releases, automate CI with streamingvex-push, and let StreamingVEX distribute current VEX to every downstream vendor who subscribes to your products.

ODM/OEMs

Don’t get caught off-guard by EU CRA obligations — non-compliance can carry fines up to 2.5% of global revenue. StreamingVEX helps you mature remediation and reporting in line with Article 13 and Article 14. Push platform VEX for your product releases with streamingvex-push so customers receive the latest status on vulnerabilities affecting your products.

CSPs

Cloud service providers

Integrate catalog subscriptions into tenant-facing vulnerability workflows with REST APIs and personal API keys. Pull normalized VEX into fleet scanners and compliance pipelines without maintaining per-upstream parsers.

Security DevOps

Wire streamingvex-pull and webhook receivers into CI/CD. Ack delivery cursors, force-sync public sources, and export subscription lists for audit — one broker instead of bespoke cron jobs per VEX publisher.

PSIRTs

Track supplier and product VEX in one catalog hierarchy. Get exploit alerts when CVEs in subscribed VEX hit KEV or EUVD, and prefer high-frequency pull or webhooks when regulatory notification timelines apply — essential for EU CRA Article 14 reporting compliance.

CERTs

Point constituents at catalog-backed VEX sources and coordinated public-pull intake. Authenticity tiers distinguish supplier-direct VEX from third-party publishers such as community aggregators.

“Organizations cannot patch vulnerabilities that they don’t know about.”

Built for production supply chains