This release adds several features focused on regulatory compliance and vulnerability prioritization.
Compliance attestation reports
Generate print-ready compliance reports for any release. Reports cover product information, SBOM summary, vulnerability scan results, disposition status, VEX publication records, remediation SLA policy, and a NIST SSDF practice checklist. Access reports from the release detail page.
KEV vulnerability tracking
Vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog are now prominently flagged throughout the platform:
- Red KEV badge next to CVE IDs in the triage table
- KEV filter toggle to focus on exploited vulnerabilities
- KEV count in the triage statistics sidebar
- KEV counts in email notifications
Remediation SLA timers
Each vulnerability now shows an SLA deadline based on severity:
- Critical: 7 days
- High: 30 days
- Medium: 90 days
- Low: 180 days
Warning indicators appear when a deadline is approaching (within the last 20% of the SLA window) or already overdue. The triage sidebar shows the total number of overdue vulnerabilities.
CVSS v4 support
Vulnerability records now include CVSS v4 scores and vectors when available from NVD. The triage table prefers v4 scores over v3, displayed with a "v4" label.
VEX digital signatures
Published disclosures can now be digitally signed using HMAC-SHA256. Configure a signing key via the VEX_SIGNING_KEY environment variable. A new verification endpoint at /api/disclosures/{slug}/verify allows consumers to confirm content integrity and authenticity.
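As an added illustration (not the platform's own code) of what the HMAC-SHA256 signing and verification described above involve: the key is read from the VEX_SIGNING_KEY variable named on the page, while the canonical serialisation (sorted-key compact JSON), the hex tag encoding and the sample disclosure fields are assumptions of this example.

```python
import hashlib
import hmac
import json
import os

# Assumption: the platform's canonicalisation and tag encoding are not documented
# on the page; this example fixes them as compact sorted-key JSON and a hex tag.


def canonical_bytes(disclosure: dict) -> bytes:
    """Serialise deterministically so the same content always yields the same bytes."""
    return json.dumps(disclosure, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_disclosure(disclosure: dict, key: bytes) -> str:
    """Return the hex HMAC-SHA256 tag over the canonical disclosure bytes."""
    return hmac.new(key, canonical_bytes(disclosure), hashlib.sha256).hexdigest()


def verify_disclosure(disclosure: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time (no byte-by-byte timing leak)."""
    return hmac.compare_digest(sign_disclosure(disclosure, key), tag)


def load_signing_key() -> bytes:
    """Read the key from VEX_SIGNING_KEY; refuse to sign with an empty secret."""
    key = os.environ.get("VEX_SIGNING_KEY", "")
    if not key:
        raise RuntimeError("VEX_SIGNING_KEY is not set")
    return key.encode("utf-8")


# Constructed sample disclosure and key; the VEX fields are illustrative only.
SAMPLE_DISCLOSURE = {
    "slug": "example-disclosure-001",
    "product": "example-app 1.2.3",
    "statements": [
        {"vulnerability": "CVE-PLACEHOLDER", "status": "not_affected",
         "justification": "vulnerable_code_not_present"}
    ],
}
SAMPLE_KEY = b"constructed-demo-key-do-not-use"

if __name__ == "__main__":
    tag = sign_disclosure(SAMPLE_DISCLOSURE, SAMPLE_KEY)
    print("tag:", tag)
    print("original verifies:", verify_disclosure(SAMPLE_DISCLOSURE, tag, SAMPLE_KEY))
    tampered = dict(SAMPLE_DISCLOSURE, product="example-app 9.9.9")
    print("tampered verifies:", verify_disclosure(tampered, tag, SAMPLE_KEY))
```

Because HMAC relies on a shared secret, a consumer who does not hold the key cannot check a tag on its own and depends on the platform's verification endpoint for that check.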
Audit log export
Export your complete audit log as CSV for external analysis or compliance records. The export button is available on the Audit Log page and supports date range filtering.
OpenAPI documentation
A machine-readable OpenAPI 3.0 specification is now available at /api/docs, documenting all public API endpoints.