Attestation Reports

Generate, interpret, and share compliance attestation reports for your releases.

Compliance attestation reports provide a comprehensive summary of your vulnerability management posture for a specific release. They are designed for sharing with auditors, customers, and regulatory authorities.

Generating a report

  1. Navigate to the release page
  2. In the overview section, find the Compliance Report card
  3. Click View Report
  4. The report opens in a new browser tab as a print-optimized HTML page
  5. To save as PDF, use your browser's print function (Ctrl+P / Cmd+P) and select "Save as PDF"

Reports are generated on demand with current data. They are not stored — generate a new report each time you need an updated snapshot.

Report sections

Product information

Basic product metadata: name, vendor, description, and website.

SBOM summary

Details about the uploaded SBOM:

  • Format (CycloneDX or SPDX) and specification version
  • Total number of components
  • File hash for integrity verification
  • Upload timestamp

Vulnerability scan results

Summary of all vulnerabilities found:

  • Total count
  • Breakdown by severity: Critical, High, Medium, Low
  • Count of Known Exploited Vulnerabilities (KEV)

Disposition summary

Triage status breakdown:

  • Affected: Vulnerabilities that impact the product
  • Not Affected: Vulnerabilities that do not impact the product
  • Fixed: Vulnerabilities that have been remediated
  • Under Investigation: Vulnerabilities still being evaluated
  • Without Disposition: Vulnerabilities not yet triaged

VEX document status

Status of VEX documents for the release:

  • Format and current workflow status
  • Publication date (if published)
  • Document version

Remediation SLA policy

Your organization's SLA deadlines by severity:

  Severity   Deadline
  Critical   7 days
  High       30 days
  Medium     90 days
  Low        180 days
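The scan-result, disposition and SLA sections above are all aggregates over the same set of triaged findings. The following added example (written for this page, not CVEium CIS code) shows how those figures are derived and how the SLA table turns a detection date into a deadline: it takes a constructed list of findings, produces the severity and KEV counts, the disposition breakdown, and the list of open findings whose SLA has lapsed. The record layout, the rule that only Affected, Under Investigation and Without Disposition findings count as open, the placeholder CVE ids and the sample dates are all assumptions made here for illustration; the SLA day counts are the ones listed in the policy table.

```python
"""Added example: aggregate triage records into attestation-report figures.

Not part of CVEium CIS. Field names, sample data and the "open disposition"
rule are constructed assumptions; SLA day counts come from the policy table.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLA deadlines by severity, as listed in the policy table
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Report dispositions, in the order the Disposition summary lists them
DISPOSITIONS = ["Affected", "Not Affected", "Fixed",
                "Under Investigation", "Without Disposition"]

# Assumption: Not Affected and Fixed need no further remediation, so only
# the remaining statuses are subject to the SLA clock
OPEN_DISPOSITIONS = {"Affected", "Under Investigation", "Without Disposition"}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str       # Critical / High / Medium / Low
    disposition: str    # one of DISPOSITIONS
    kev: bool           # listed as a Known Exploited Vulnerability
    detected: date      # first seen in a scan of this release


# Constructed sample findings; the CVE ids are placeholders, not real advisories
SAMPLE = [
    Finding("CVE-0000-0001", "Critical", "Affected", True, date(2024, 5, 1)),
    Finding("CVE-0000-0002", "High", "Fixed", False, date(2024, 4, 20)),
    Finding("CVE-0000-0003", "High", "Without Disposition", False, date(2024, 4, 1)),
    Finding("CVE-0000-0004", "Medium", "Not Affected", True, date(2024, 3, 1)),
    Finding("CVE-0000-0005", "Low", "Under Investigation", False, date(2024, 1, 1)),
]


def severity_breakdown(findings):
    """Total, per-severity counts and KEV count (Vulnerability scan results)."""
    by_sev = Counter(f.severity for f in findings)
    return {
        "total": len(findings),
        "by_severity": {s: by_sev.get(s, 0) for s in SLA_DAYS},
        "kev": sum(1 for f in findings if f.kev),
    }


def disposition_breakdown(findings):
    """Count of findings in each triage status (Disposition summary)."""
    counts = Counter(f.disposition for f in findings)
    return {s: counts.get(s, 0) for s in DISPOSITIONS}


def sla_deadline(finding):
    """Date by which the finding must be remediated under the SLA policy."""
    return finding.detected + timedelta(days=SLA_DAYS[finding.severity])


def overdue(findings, today):
    """CVE ids of open findings whose SLA deadline has passed as of `today`.

    `today` may be a date or an ISO-8601 string such as "2024-05-15".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(f.cve for f in findings
                  if f.disposition in OPEN_DISPOSITIONS
                  and sla_deadline(f) < today)


if __name__ == "__main__":
    print(severity_breakdown(SAMPLE))
    print(disposition_breakdown(SAMPLE))
    print("Overdue as of 2024-05-15:", overdue(SAMPLE, "2024-05-15"))
```

Because the report is generated on demand, the overdue list depends entirely on the date you run it; an auditor reading a saved PDF sees the deadlines as they stood at generation time, which is why the page recommends saving the PDF when a historical record is needed.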

NIST SSDF practice checklist

A checklist of NIST Secure Software Development Framework practices with descriptions of how CVEium CIS supports each one. This section is particularly useful for US federal compliance attestation.

Sharing reports

Attestation reports are designed to be shared as PDF files. Common recipients include:

  • Auditors: For compliance verification
  • Federal procurement officers: As evidence for SSDF attestation
  • Customers: To demonstrate your security posture
  • Regulatory authorities: As supporting documentation for CRA or EO compliance

Point-in-time nature

Reports reflect the state of data at the moment they are generated. If you need a historical record, save the PDF when you generate it. Published disclosures, by contrast, capture an immutable snapshot of the data at publication time.