A CRA-grade patch process
Monitor, assess with VEX, remediate, and ship a signed update — with SLAs that scale by severity.
A CRA-grade update process runs a flaw from alert to a signed fix, with SLAs that scale to severity.
1
Monitor for what's exposed
OSV monitoring against your SBOM flags new advisories and names the exact products and versions that carry the affected component.
2
Assess with VEX
Each finding gets a VEX decision — affected, not affected, fixed, or under investigation — so effort goes to what's genuinely exploitable.
3
Remediate against an SLA
The clock to fix is set by severity — critical in days, low in the next planned release — not by whoever shouts loudest.
4
Deliver a signed update
The fix ships as a signed update over an authenticated channel, with a security advisory so users know what changed and why.
this is Proofwright
It's live.
See the real thing at Proofwright.