ProofwrightWalkthrough

A CRA-grade patch process

Monitor, assess with VEX, remediate, and ship a signed update — with SLAs that scale by severity.

A CRA-grade update process runs a flaw from alert to a signed fix, with SLAs that scale to severity. Related demos: The CRA incident-reporting clock and Standing up coordinated disclosure.

1

Monitor for what's exposed

OSV monitoring against your SBOM flags new advisories and names the exact products and versions that carry the affected component.

2

Assess with VEX

Each finding gets a VEX decision — affected, not affected, fixed, or under investigation — so effort goes to what's genuinely exploitable.

3

Remediate against an SLA

The clock to fix is set by severity — critical in days, low in the next planned release — not by whoever shouts loudest.

4

Deliver a signed update

The fix ships as a signed update over an authenticated channel, with a security advisory so users know what changed and why.

this is Proofwright

It's live.

See the real thing at Proofwright.