This document seeks to explain the circumstances and events that could lead an entity to issue Vulnerability Exploitability eXchange (VEX) information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.