Clair / CLAIRDEV-233

Test new Red Hat VEX documents with claircore

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major
    • Component/s: updater

      Current alpha feed: https://security.access.redhat.com/data/csaf/v2/vex-alpha/

      Current issues:

      • Binary RPMs will not be present for unfixed items yet. We plan to address this, but are currently waiting for TPA. If that continues to be delayed, we will investigate other solutions.
      • Some products / components may be missing. This is a result of ongoing CPE and purl clean-up from different systems.
      • Some older CVEs may have incorrect CPEs, i.e. old files from when RHEL 7 was mainstream used to have the main CPE and now have an EUS CPE.
      • Middleware is purposefully excluded

      Changes (non-comprehensive):

      • https://gitlab.cee.redhat.com/ps-microservices/csaf-generator/-/blob/master/docs/requirements/csaf-vex.md
      • Product granularity added - New VEX files will explicitly list minor versions when unfixed
      • Simplification of product tree - Removed product_family and architecture branches
      • Minor changes to product naming and product_id to improve consistency of naming between fixed/unfixed status
      • Simplification of “duplicate” products/CPEs - Removed different “variants”
      • Fixed product:component pairs will no longer be listed under a ‘workaround’ remediation object
      • Simplification of included fields - Removed unrequired fields, i.e. CVSS score simplification, removal of multiple “title” fields, removal of some note objects, etc.
      • Modernization of tooling infrastructure - Will improve performance and supportability of VEX, including debugging issues
      • Actual requirements were documented!!! This helps us make changes much more easily (based on vendor feedback) and file bugs.

      Report Issues:

      • File an issue in the SECDATA project
      • Issue type should be 'Ticket'
      • Set the component to 'feedback-new-vex'
      • Link back to this issue
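As an added example (not claircore's or Red Hat's code), a small Go checker for two of the listed format changes: it walks a CSAF VEX document's product_tree for the removed product_family/architecture branches and flags any fixed product_id that still appears under a workaround remediation. The CheckVEX, removedBranches and SampleVEX names, the sample document and its CVE/product_id values are constructed for this example.

```go
package main
import "encoding/json"
// Only the CSAF 2.0 VEX fields the two checks need; everything else in the document is ignored.
type branch struct {
	Category string   `json:"category"`
	Branches []branch `json:"branches"`
}
type vexDoc struct {
	ProductTree     struct{ Branches []branch `json:"branches"` } `json:"product_tree"`
	Vulnerabilities []struct {
		CVE           string                                   `json:"cve"`
		ProductStatus struct{ Fixed []string `json:"fixed"` } `json:"product_status"`
		Remediations  []struct {
			Category   string   `json:"category"`
			ProductIDs []string `json:"product_ids"`
		} `json:"remediations"`
	} `json:"vulnerabilities"`
}
// SampleVEX is a constructed document that violates both checks (old-style product_family branch; a fixed product_id also under a workaround); the CVE and product_id are placeholders.
const SampleVEX = `{"product_tree":{"branches":[{"category":"vendor","name":"Red Hat","branches":[{"category":"product_family","name":"Red Hat Enterprise Linux","branches":[{"category":"product_name","name":"Red Hat Enterprise Linux 9"}]}]}]},"vulnerabilities":[{"cve":"CVE-0000-0000","product_status":{"fixed":["rhel-9:pkg-0:1.0-1"]},"remediations":[{"category":"vendor_fix","product_ids":["rhel-9:pkg-0:1.0-1"]},{"category":"workaround","product_ids":["rhel-9:pkg-0:1.0-1"]}]}]}`
// removedBranches recurses through the nested product tree and reports branch categories the new format dropped.
func removedBranches(bs []branch, out []string) []string {
	for _, b := range bs {
		if b.Category == "product_family" || b.Category == "architecture" {
			out = append(out, "product_tree: removed branch category "+b.Category+" still present")
		}
		out = removedBranches(b.Branches, out)
	}
	return out
}
// CheckVEX returns one finding per violation; an empty result means the document matches the listed changes.
func CheckVEX(doc []byte) ([]string, error) {
	var v vexDoc
	if err := json.Unmarshal(doc, &v); err != nil {
		return nil, err
	}
	findings := removedBranches(v.ProductTree.Branches, nil)
	for _, vuln := range v.Vulnerabilities {
		for _, r := range vuln.Remediations {
			for _, id := range r.ProductIDs {
				for _, f := range vuln.ProductStatus.Fixed { // a fixed product:component pair must not also carry a workaround
					if r.Category == "workaround" && f == id {
						findings = append(findings, vuln.CVE+": fixed product "+id+" listed under a workaround remediation")
					}
				}
			}
		}
	}
	return findings, nil
}
```

Run it over a real file from the alpha feed with `CheckVEX(os.ReadFile(path))`; a document that matches the new format yields no findings.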

    • Assignee: Unassigned
    • Reporter: Joseph Crosland (jcroslan@redhat.com)
    • Votes: 0
    • Watchers: 6