# VEX consensus

## Purpose

- Merge multiple evidence sources into a single, reproducible VEX status.
- Preserve explicit unknown states instead of false safety.
- Produce evidence-linked decisions that are audit-ready.

## Inputs

- SBOM identity and component provenance.
- Advisory feeds and snapshots.
- Reachability evidence (static and runtime).
- VEX statements from vendors and internal issuers.
- Waivers, mitigations, and policy rules.

## Lattice logic (simplified)

- `under_investigation < not_affected < affected < fixed`
- Joins are monotonic; conflicts resolve by trust tier and evidence strength.
- Unknown is preserved when critical inputs are missing.

## Decision artifact (core fields)

- component, vulnerability, status, confidence, justification.
- evidence references (sbom, advisories, reachability, vex statements).
- policy version and policy hash.
- timestamp and status notes.

## Decision capsules

- Bundle decision, inputs, policy version, and DSSE signatures.
- Enable replay and offline verification without network access.

## VEX propagation

- Export to OpenVEX and CSAF formats.
- Downstream consumers can verify proof references and signatures.

## Related references

- docs/vex/consensus-overview.md
- docs/vex/consensus-json.md
- docs/vex/aggregation.md
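The lattice and conflict rules from the "Lattice logic" section, worked through as an added Python example (not the project's own code): the tier names, the set of critical inputs, the 0-10 evidence score and the decision-dict field layout are assumptions chosen to mirror the artifact fields listed above.

```python
from dataclasses import dataclass

# Lattice from the page: under_investigation < not_affected < affected < fixed.
# On this total order the join (least upper bound) is simply the higher rank.
LATTICE = ["under_investigation", "not_affected", "affected", "fixed"]
RANK = {status: i for i, status in enumerate(LATTICE)}
TRUST = {"internal": 3, "vendor": 2, "third_party": 1}   # assumed tier ordering
CRITICAL_INPUTS = {"sbom", "advisory"}                   # assumed critical inputs


@dataclass(frozen=True)
class Statement:
    issuer_tier: str
    status: str
    evidence_strength: int   # assumed 0-10 score for the backing evidence
    ref: str                 # evidence reference carried into the decision


def join(a: str, b: str) -> str:
    """Monotonic join: the result is never below either input."""
    return a if RANK[a] >= RANK[b] else b


def consensus(statements, present_inputs):
    """Fold statements into one decision dict; unknown is preserved, not guessed."""
    missing = sorted(CRITICAL_INPUTS - set(present_inputs))
    evidence = [s.ref for s in statements]
    if missing or not statements:
        return {"status": "unknown", "confidence": 0.0, "evidence": evidence,
                "justification": f"critical inputs missing: {missing or ['vex statements']}"}
    # Conflicts resolve by trust tier first: only the most trusted tier present decides.
    top_tier = max(statements, key=lambda s: TRUST[s.issuer_tier]).issuer_tier
    deciding = [s for s in statements if s.issuer_tier == top_tier]
    status = LATTICE[0]
    for s in deciding:             # join is associative and commutative, so order is irrelevant
        status = join(status, s.status)
    # Evidence strength sets the confidence: strongest statement that supports the merged status.
    strongest = max((s for s in deciding if s.status == status), key=lambda s: s.evidence_strength)
    # Overridden inputs stay visible in the status notes for the audit trail.
    notes = [f"overridden: {s.issuer_tier} said {s.status} ({s.ref})"
             for s in statements if s.status != status]
    return {"status": status, "confidence": strongest.evidence_strength / 10,
            "evidence": evidence, "notes": notes,
            "justification": f"{top_tier} tier decided; strongest evidence {strongest.ref}"}
```

A vendor `not_affected` statement joined with an internal `affected` reachability finding yields `affected` with the vendor claim recorded as overridden, while a missing SBOM yields `unknown` regardless of what the statements say.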