For "Cross-Site Scripting", Vex checks whether the special characters in a sent payload are properly escaped in the response.
Payloads are written to work as generically as possible. However, the script in a detected payload does not necessarily run, because how a payload is inserted into the response depends on the target page's HTML structure and similar factors.
Also, some signatures work only on older browsers. In that case, even if a pop-up (alert) is displayed on the Vex screen or in the page capture in the report, it is not reproduced in the latest browsers.
* The following cases apply: detection in the response body of a redirect, and detection in a response whose Content-Type is not interpreted as HTML, such as JSON.
For the reasons described above, to determine whether a "Cross-Site Scripting" result is a false detection, check whether the special characters in the sent payload are appropriately escaped in the response.
The proper countermeasure depends on the location where the issue was detected, so please refer to the signature information and the reports.
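The escaping check described above can be scripted when triaging many detections. The following is an added example, not Vex's own code or logic: the helper name `triage`, the probe string and the sample responses are constructed for illustration. It reports which special characters of the sent payload came back unescaped and flags the redirect and non-HTML Content-Type cases.

```python
import re

# Entity forms that neutralise each HTML special character.
ENTITIES = {
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
    "&": ("&amp;", "&#38;", "&#x26;"),
}

def triage(payload, status, content_type, body):
    """Hypothetical helper: return (verdict, raw_chars, notes) for one detection."""
    notes = []
    if 300 <= status < 400:
        notes.append("redirect-body")          # detection in the body of a redirect
    mime = content_type.split(";")[0].strip().lower()
    if mime not in ("text/html", "application/xhtml+xml"):
        notes.append("non-html-content-type")  # e.g. JSON
    if not any(ch in ENTITIES for ch in payload):
        return "no-special-characters", [], notes
    # Match the payload with each special character either raw (captured)
    # or replaced by one of its entity forms (not captured).
    parts = []
    for ch in payload:
        if ch in ENTITIES:
            alts = "|".join(re.escape(e) for e in ENTITIES[ch])
            parts.append("(?:(%s)|(?i:%s))" % (re.escape(ch), alts))
        else:
            parts.append(re.escape(ch))
    matches = list(re.finditer("".join(parts), body))
    if not matches:
        return "not-reflected", [], notes
    raw = sorted({g for m in matches for g in m.groups() if g})
    return ("reflected-unescaped" if raw else "reflected-escaped"), raw, notes

# Constructed probe and responses: (status, Content-Type, body).
PROBE = "q9'<x>"
SAMPLES = [
    (200, "text/html; charset=utf-8", '<input value="q9&#39;&lt;x&gt;">'),
    (200, "text/html", "<input value='q9'&lt;x&gt;'>"),
    (302, "text/html", "<a href=\"/next?q=q9'<x>\">moved</a>"),
    (200, "application/json", "{\"q\": \"q9'<x>\"}"),
]

if __name__ == "__main__":
    for status, ctype, body in SAMPLES:
        print(status, ctype, triage(PROBE, status, ctype, body))
```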