As more attention is paid to security and to the underlying components used in developing software, more organizations will be sending out security advisories. As SBOMs become more widespread, many of these advisories will in practice be "false positives": cases where the underlying component vulnerability is not actually exploitable in the product that includes it. Organizations developing and using software will thus face an increasing amount of information to process and prioritize if they want to address the constantly evolving risk.

The German and US governments have partnered to coordinate industry-led initiatives that help automate the production, consumption, and scaling of advisories, with particular attention to non-traditional software areas such as ICS and healthcare. The Common Security Advisory Framework (CSAF) is an OASIS project that seeks to automate the creation, management, and use of machine-readable vulnerability-related advisories. This talk will further introduce a key idea at the intersection of advisories and SBOM: the "Vulnerability Exploitability eXchange" (VEX), which allows software providers to explicitly communicate that they are *not* affected by a vulnerability. We close with an overview of the policy context to help practitioners understand where the world of SBOM and advisories is heading.
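As an added illustration (not part of the talk or of any CSAF tooling), here is a small Python consumer that applies a constructed CSAF 2.0 VEX document to SBOM-derived scan hits, so that only advisories the supplier has not closed out with a justified not-affected statement remain actionable. The product IDs, CVE numbers and scan output are placeholders, and only `flags`, not `threats`, are read as justification.

```python
import json

# Constructed CSAF 2.0 VEX document (not from the talk); product IDs and CVE
# numbers are placeholders. Only fields read by the triage below are shown.
VEX_DOC = json.loads("""{
 "document": {"category": "csaf_vex", "title": "Example VEX (constructed)"},
 "product_tree": {"full_product_names": [
   {"product_id": "CSAFPID-0001", "name": "ExampleApp 2.3 (bundles libfoo 1.4.2)"}]},
 "vulnerabilities": [
  {"cve": "CVE-0000-00001",
   "product_status": {"known_not_affected": ["CSAFPID-0001"]},
   "flags": [{"label": "vulnerable_code_not_in_execute_path",
              "product_ids": ["CSAFPID-0001"]}]},
  {"cve": "CVE-0000-00002", "product_status": {"known_affected": ["CSAFPID-0001"]}},
  {"cve": "CVE-0000-00003", "product_status": {"under_investigation": ["CSAFPID-0001"]}}
 ]}""")

# Constructed SBOM-scan output: (product_id, cve) pairs flagged because a
# listed component version matches the CVE. The last one has no VEX statement.
SCAN_HITS = [("CSAFPID-0001", "CVE-0000-00001"), ("CSAFPID-0001", "CVE-0000-00002"),
             ("CSAFPID-0001", "CVE-0000-00003"), ("CSAFPID-0001", "CVE-0000-00004")]

def vex_status(vex_doc, product_id, cve):
    """Return (status, justification): status is the CSAF product_status key
    naming this product for this CVE, or 'no_statement'; justification is the
    CSAF flag label backing a known_not_affected claim, else None."""
    for vuln in vex_doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for status, ids in vuln.get("product_status", {}).items():
            if product_id in ids:
                reason = None
                if status == "known_not_affected":
                    reason = next((f["label"] for f in vuln.get("flags", [])
                                   if product_id in f.get("product_ids", [])), None)
                return status, reason
    return "no_statement", None

def triage(vex_doc, hits):
    """Split scan hits into what still needs work and what VEX closes out.
    A not-affected claim with no justification flag stays actionable: the
    CSAF VEX profile expects an impact statement for each such product."""
    actionable, suppressed = [], []
    for product_id, cve in hits:
        status, reason = vex_status(vex_doc, product_id, cve)
        if status == "fixed" or (status == "known_not_affected" and reason):
            suppressed.append((cve, status, reason))
        else:
            actionable.append((cve, status))
    return actionable, suppressed
```

Running `triage(VEX_DOC, SCAN_HITS)` leaves three hits actionable (affected, under investigation, and no statement) and suppresses only the one the supplier justified as not affected.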