FDA reviewers are now asking for VEX/VDR files with your SBOM.

A heads-up from the field: W. Alex Smith flagged on LinkedIn that following the recent government shutdown, a manufacturer had received Additional Information Needed (AINN) requests from FDA reviewers asking for VEX and VDR data to be included in their CycloneDX SBOM file.

This isn't in the premarket cybersecurity guidance. But before you reach for the panic button, you're almost certainly already doing the work. You just aren't packaging it in the format the FDA is now asking for.

What are VEX and VDR?

Two acronyms, one purpose: communicating what you know about vulnerabilities in your software components.

VDR (Vulnerability Disclosure Report) is a list of known vulnerabilities in your third-party software components. Think of it as the "here's what we found" document. It lists the CVEs present in your SBOM components along with their status: have you patched it, are you monitoring it, or have you assessed it and determined it doesn't apply?

VEX (Vulnerability Exploitability eXchange) goes a step further. It's a machine-readable document that states whether each known vulnerability actually affects your product. A VEX statement might say:

"Yes, this component has CVE-2025-1234, but we don't use the affected function, so our product is not affected."

Or:

"This vulnerability is present and we've applied compensating controls documented in our risk assessment."

Both formats are supported natively within CycloneDX. They aren't separate specifications you need to learn from scratch. They're capabilities built into the SBOM format you're already using.

You're already doing this work

If you've been following the FDA premarket cybersecurity guidance, you've already documented this information. It lives in your cybersecurity risk management report under known vulnerabilities and remaining anomalies. You've assessed each vulnerability, determined whether it affects your device, and documented your rationale and any compensating controls.

The difference is format, not content. Your risk management report is a PDF or Word document that a human reads. VEX and VDR are machine-readable formats that tools can consume automatically.

Why machine-readable matters

An SBOM on its own tells you what components are in a product. Pair it with VEX/VDR data, and now a downstream consumer (a hospital, a procurement team, a security analyst) can automatically determine which vulnerabilities have already been assessed and which ones they need to worry about.

Without VEX/VDR, every consumer of your SBOM sees a list of components but no context about the vulnerabilities you've already assessed. The likely result isn't that they'll quietly do their own analysis. It's that they'll open a support request asking for your assessment or a patch, even for issues you've already evaluated and dismissed. That's avoidable work for both sides.

Machine-readable vulnerability data means better tool support, faster risk assessments, and less back-and-forth between manufacturers and customers. It's a practical improvement in how the industry communicates about software cybersecurity risk.

What to do about it

Don't overhaul your cybersecurity programme. The underlying work hasn't changed. You still need to identify, assess, and document known vulnerabilities in your components, which you're already doing.

Do consider including VEX/VDR data in your CycloneDX files. The CycloneDX specification supports vulnerability information natively. You can embed VEX statements directly in your SBOM file or provide them as a companion document in CycloneDX format.
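The embedding described above, as an added example that is not from the original post or from the CycloneDX project: a constructed CycloneDX 1.5 document that carries the two VEX statements quoted earlier in the `vulnerabilities` array, plus the kind of check a downstream consumer (the hospital or procurement team mentioned above) can run to separate findings you have already assessed from those that still need attention. The device and component names, the second and third vulnerability ids and the risk report reference are placeholders.

```python
import json

# Constructed CycloneDX 1.5 SBOM for a fictional device. VEX rides in the
# "vulnerabilities" array: each entry's "analysis" object carries state,
# justification, response and free-text detail (CycloneDX 1.4+ schema).
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "device", "name": "example-monitor", "version": "3.2.0"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "libexample-a", "version": "1.4.2"},
        {"type": "library", "bom-ref": "lib-b", "name": "libexample-b", "version": "2.0.1"},
    ],
    "vulnerabilities": [
        {   # First statement from the post: present, but the affected function is never called.
            "id": "CVE-2025-1234", "source": {"name": "NVD"}, "affects": [{"ref": "lib-a"}],
            "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                         "detail": "Affected function not reachable; see risk report (placeholder ref)."}},
        {   # Second statement from the post (placeholder id): present, mitigated by compensating controls.
            "id": "CVE-PLACEHOLDER-0002", "source": {"name": "NVD"}, "affects": [{"ref": "lib-b"}],
            "analysis": {"state": "exploitable", "response": ["workaround_available"],
                         "detail": "Compensating controls documented in the risk management report."}},
        {   # Still being assessed (placeholder id): no justification or response yet.
            "id": "CVE-PLACEHOLDER-0003", "source": {"name": "NVD"}, "affects": [{"ref": "lib-b"}],
            "analysis": {"state": "in_triage"}},
    ],
}

# Analysis states a consumer can treat as already dealt with by the manufacturer.
ASSESSED = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def triage(bom: dict) -> dict:
    """Split a BOM's vulnerability entries into 'assessed' and 'attention'
    buckets keyed by vulnerability id, resolving bom-refs to name@version."""
    names = {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in bom.get("components", [])}
    result = {"assessed": {}, "attention": {}}
    for v in bom.get("vulnerabilities", []):
        analysis = v.get("analysis") or {}
        state = analysis.get("state", "in_triage")  # no analysis at all: treat as unassessed
        bucket = "assessed" if state in ASSESSED else "attention"
        result[bucket][v["id"]] = {
            "state": state,
            "components": [names.get(a["ref"], a["ref"]) for a in v.get("affects", [])],
            "justification": analysis.get("justification"),
            "response": analysis.get("response", []),
            "detail": analysis.get("detail"),
        }
    return result

if __name__ == "__main__":
    print(json.dumps(triage(SBOM), indent=2))
```

A vulnerability entry with no `analysis` object lands in the attention bucket, which is the behaviour a consumer wants when the manufacturer has not yet stated a position.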

Check your tooling. If you're generating CycloneDX SBOMs, check whether your tools support adding vulnerability status information. Many do. If you're maintaining vulnerability assessments in spreadsheets or Word documents, this is a good prompt to explore moving that data into a structured format.

Review your cybersecurity risk management report. The vulnerability assessments you've already documented are the source material. Translating them into VEX/VDR format is a packaging exercise, not a new analysis.

The bottom line

FDA reviewers asking for VEX/VDR files alongside your CycloneDX SBOM is a signal, not a surprise. The information has always been expected. The format is catching up.

If your cybersecurity risk management report already documents known vulnerabilities with assessments and rationale, you have the content. Putting it into a machine-readable format makes your SBOM more useful to everyone who consumes it, and it appears to be the direction FDA is heading.

If you have questions about adding VEX/VDR data to your SBOM submissions, just book a call.

FDA reviewers are now asking for VEX/VDR files with your SBOM - Threat Detective