Vulnerability disclosure management for EU CRA and US EO 14028

From SBOM to VEX in minutes, not months.

Upload your SBOM, scan for vulnerabilities, triage with dispositions, and publish machine-readable VEX documents — all in one platform.

Sample dashboard (illustrative data):

Acme Platform v3.2.1 · 12 components · Last scanned 2 hours ago
3 Critical · 7 High · 14 Medium

  Severity  CVE            Component                Disposition
  critical  CVE-2026-1234  log4j-core@2.14.1        Affected (KEV)
  high      CVE-2026-5678  spring-web@5.3.9         Not Affected
  high      CVE-2025-9012  jackson-databind@2.13.0  Fixed
  medium    CVE-2026-3456  commons-io@2.8.0         Under Investigation

SBOM: CycloneDX 1.5 · VEX: 2 documents · SLA: 1 overdue
Complete platform

Everything you need for vulnerability disclosure. From SBOM ingestion to published VEX — a complete workflow.

SBOM Management

Upload CycloneDX and SPDX SBOMs. Automatically parse components, extract Package URLs, and track every dependency across releases.

Automated CVE Scanning

Every SBOM is scanned against 300,000+ known vulnerabilities from NVD and OSV. New CVEs are matched continuously as they are published.

Vulnerability Triage

Record a disposition for each CVE: Affected, Not Affected, Fixed, or Under Investigation, with a justification and impact statement. A Not Affected disposition must carry a justification or an impact statement before it can be published, since OpenVEX requires one of the two for a not_affected statement.

VEX Generation

Generate VEX documents in CycloneDX, OpenVEX, and CSAF formats. Built-in approval workflow ensures quality before publication.

Compliance Ready

Meet EU CRA and US EO 14028 requirements. Generate attestation reports, track remediation SLAs, and maintain full audit trails.

Team Collaboration

Role-based access for owners, admins, and members. Email notifications for new CVE matches. Complete audit logging.

How it works

Four steps to compliant disclosure. A clear workflow from detection to publication.

1. Upload

Upload your Software Bill of Materials in CycloneDX or SPDX JSON format. Components and PURLs are extracted automatically.

2. Scan

Your components are matched against known CVEs by Package URL, using the version-less PURL to find candidate advisories and the component version to check affected ranges. CVSS scores, EPSS exploitation probabilities, and CISA KEV status are attached to each match for prioritization.

3. Triage

Review each vulnerability and record your assessment. Add justification, impact statements, and remediation timelines.

4. Publish

Generate VEX documents, submit for approval, and publish with public URLs, content hashes, and optional digital signatures.
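The four steps above carried through end to end, as an added worked example in Python that is not CVEium's own code: it parses a constructed CycloneDX 1.5 SBOM, extracts Package URLs, matches them against a constructed OSV-style feed by version range, validates analyst dispositions, emits an OpenVEX document, and computes the SHA-256 content hash a consumer would compare against the published copy. Everything in it is assumed: the SBOM, the feed, the dispositions, the publishing URL, and the version comparison, which ignores semver pre-release and Maven qualifier rules. The CVE identifiers are the page's illustrative ones, not real advisories.

```python
"""Added example: CycloneDX SBOM -> PURL matching -> triage -> OpenVEX + content hash."""
import hashlib
import json
import re

# Constructed CycloneDX 1.5 SBOM (illustrative, not a real product's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "acme-platform", "version": "3.2.1"}},
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "spring-web", "version": "5.3.9",
     "purl": "pkg:maven/org.springframework/spring-web@5.3.9"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.0",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
    {"type": "library", "name": "commons-io", "version": "2.8.0",
     "purl": "pkg:maven/commons-io/commons-io@2.8.0?type=jar"}
  ]
}"""

# Constructed feed keyed by version-less PURL with OSV-style introduced/fixed
# ranges. The CVE IDs are the page's illustrative ones, not real advisories.
VULN_FEED = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"id": "CVE-2026-1234", "introduced": "2.0", "fixed": "2.15.0", "kev": True}],
    "pkg:maven/org.springframework/spring-web": [
        {"id": "CVE-2026-5678", "introduced": "5.3.0", "fixed": "5.3.10", "kev": False}],
    "pkg:maven/com.fasterxml.jackson.core/jackson-databind": [
        {"id": "CVE-2025-9012", "introduced": "2.0", "fixed": "2.13.0", "kev": False}],
    "pkg:maven/commons-io/commons-io": [
        {"id": "CVE-2026-3456", "introduced": "2.0", "fixed": "2.11.0", "kev": False}],
}

# Analyst dispositions (constructed). Statuses are the OpenVEX ones.
DISPOSITIONS = {
    "CVE-2026-1234": {"status": "affected",
                      "action_statement": "Upgrade log4j-core to 2.15.0 or later."},
    "CVE-2026-5678": {"status": "not_affected",
                      "justification": "vulnerable_code_not_in_execute_path",
                      "impact_statement": "The vulnerable handler is never registered."},
    "CVE-2026-3456": {"status": "under_investigation"},
}

VALID_STATUS = {"affected", "not_affected", "fixed", "under_investigation"}
VALID_JUSTIFICATION = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
VEX_ID = "https://vex.example.invalid/acme-platform/3.2.1"  # assumed publishing URL


def split_purl(purl):
    """Return (version-less PURL, version); qualifiers (?...) and subpath (#...) are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, None
    name, version = base.rsplit("@", 1)
    return name, version


def version_key(v):
    """Numeric-aware sort key. Simplification: no semver pre-release or Maven qualifier rules."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", v))


def load_purls(sbom_json):
    """Step 1: parse the SBOM and pull out the PURL of every component that has one."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    return [c["purl"] for c in bom.get("components", []) if c.get("purl")]


def match(purls, feed):
    """Step 2: same version-less PURL and introduced <= version < fixed; KEV entries sort first."""
    findings = []
    for purl in purls:
        base, version = split_purl(purl)
        if version is None:
            continue  # no version: cannot range-match; a real tool would flag this for review
        vk = version_key(version)
        for vuln in feed.get(base, []):
            if version_key(vuln["introduced"]) <= vk < version_key(vuln["fixed"]):
                findings.append({"id": vuln["id"], "purl": purl, "kev": vuln["kev"]})
    findings.sort(key=lambda f: (not f["kev"], f["id"]))
    return findings


def validate_disposition(vuln_id, d):
    """Step 3 gate: return an error string, or None when the disposition is publishable."""
    if d.get("status") not in VALID_STATUS:
        return f"{vuln_id}: unknown status {d.get('status')!r}"
    if d["status"] == "not_affected":
        if not (d.get("justification") or d.get("impact_statement")):
            return f"{vuln_id}: not_affected needs a justification or impact statement"
        if "justification" in d and d["justification"] not in VALID_JUSTIFICATION:
            return f"{vuln_id}: unknown justification {d['justification']!r}"
    return None


def build_openvex(findings, dispositions, author, timestamp):
    """Step 4a: one OpenVEX statement per finding; unreviewed findings stay under_investigation."""
    statements = []
    for f in findings:
        d = dispositions.get(f["id"], {"status": "under_investigation"})
        err = validate_disposition(f["id"], d)
        if err:
            raise ValueError(err)
        stmt = {"vulnerability": {"name": f["id"]},
                "products": [{"@id": f["purl"]}],
                "status": d["status"]}
        for k in ("justification", "impact_statement", "action_statement"):
            if k in d:
                stmt[k] = d[k]
        statements.append(stmt)
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": VEX_ID,
            "author": author, "timestamp": timestamp, "version": 1,
            "statements": statements}


def publish(doc):
    """Step 4b: canonical serialization and the SHA-256 a consumer checks against the public copy."""
    data = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return data, hashlib.sha256(data).hexdigest()


def run(timestamp="2026-01-15T10:00:00Z"):
    findings = match(load_purls(SBOM_JSON), VULN_FEED)
    doc = build_openvex(findings, DISPOSITIONS, "Acme PSIRT", timestamp)
    _, digest = publish(doc)
    return findings, doc, digest


if __name__ == "__main__":
    findings, doc, digest = run()
    print(json.dumps(doc, indent=2))
    print("sha256:", digest)
```

Two details carry the security weight. jackson-databind@2.13.0 produces no finding because the range check is half-open (fixed version excluded), which is what keeps an already-patched component from generating noise. And validate_disposition is the check an approval workflow should not let anyone bypass: a not_affected statement without a justification or impact statement is not valid OpenVEX, so it should never reach a public URL. Signing is omitted here; the hash is the minimum a consumer needs to confirm that the document behind the public URL is the one that was approved.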

Built for regulatory compliance.

The EU Cyber Resilience Act and US Executive Order 14028 require software producers to manage vulnerabilities and communicate findings. CVEium gives you the tools to meet these obligations.

SBOM Management
Maintain machine-readable inventories of all software components as required by CRA Article 13 and NIST SSDF.
Continuous Monitoring
Scan against 300,000+ CVEs. Automatic re-scanning catches new vulnerabilities affecting existing releases.
VEX Publication
Publish machine-readable VEX documents in CycloneDX, OpenVEX, and CSAF formats, with content hashes and optional digital signatures.
Audit-Ready Records
Complete audit trails, compliance attestation reports, SLA tracking, and CSV exports for regulatory review.

Start for free. No credit card required.

Fair pricing for all types of businesses

Get started on our free plan and upgrade when you are ready.

Starter (Value)
For individuals getting started with CVE tracking
$10.00/month, billed monthly
  • CVE feed monitoring
  • Basic reporting
  • Email support

Teams (Popular)
For small teams managing vulnerability workflows together
$99.00/month, billed monthly
  • Everything in Starter
  • Team workspaces
  • Priority email support

Business
For organizations scaling vulnerability management
$499.00/month, billed monthly
  • Everything in Teams
  • Advanced reporting
  • SLA support

Enterprise
For large-scale programs and custom requirements
$1,200.00/month, billed monthly
  • Everything in Business
  • SSO / SAML (custom)
  • Dedicated support