Your First Disclosure

A step-by-step walkthrough of the complete vulnerability disclosure workflow in CVEium CIS.

This guide walks you through the complete vulnerability disclosure workflow, from creating a product to publishing a VEX document.

Step 1: Create a product

  1. Navigate to Products in the sidebar
  2. Click New Product
  3. Fill in the product details:
    • Name: Your software product name (e.g., "Acme Web Server")
    • Slug: A URL-friendly identifier (auto-generated from the name)
    • Vendor: Your organization name
    • Optionally add a description, website URL, and repository URL
  4. Click Create Product

Step 2: Create a release

  1. From the product page, click New Release
  2. Enter the release details:
    • Version: The version number (e.g., "2.1.0")
    • Name: An optional release name (e.g., "February 2026 Patch")
    • Release Date: When this version was or will be released
    • Status: Set to "Active" for current releases
  3. Click Create Release

Step 3: Upload an SBOM

  1. From the release page, navigate to the SBOM tab
  2. Click Upload SBOM
  3. Select a CycloneDX or SPDX JSON file from your computer
  4. CVEium parses the file, extracts component information, and computes a SHA-256 hash for integrity

Your SBOM should be generated by your build system or an SBOM tool such as Syft, Trivy, or CycloneDX CLI.

Step 4: Wait for vulnerability scanning

After uploading the SBOM, CVEium automatically creates a match job that scans your components against 300,000+ known CVEs. The scan typically completes within a few seconds.

You can monitor the scan status on the SBOM page. Once complete, the results appear on the Triage tab.

Step 5: Triage vulnerabilities

  1. Navigate to the Triage tab on the release page
  2. You will see a list of all matched vulnerabilities with their CVE ID, severity, CVSS score, and affected component
  3. For each vulnerability, set a disposition:
    • Affected: The vulnerability impacts your product and requires remediation
    • Not Affected: The vulnerability does not impact your product (provide a justification)
    • Fixed: The vulnerability has been remediated in this release
    • Under Investigation: You are still evaluating the impact
  4. Add justification and impact statements as needed

Vulnerabilities flagged as KEV (Known Exploited Vulnerabilities) are highlighted in red and sorted to the top for priority attention.

All vulnerabilities must have a disposition (other than "Under Investigation") before you can generate a VEX document.

Step 6: Generate a VEX document

  1. Navigate to the VEX tab on the release page
  2. Click Generate VEX
  3. Choose a format:
    • CycloneDX VEX: The most widely supported format
    • OpenVEX: A lightweight VEX-only format
    • CSAF: OASIS Common Security Advisory Framework
  4. Click Generate

The VEX document is created in Draft status.
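To make the rules from Steps 5 and 6 concrete, here is an added example (not CVEium's own code) that turns a set of triage dispositions into an OpenVEX document and computes a SHA-256 content hash of the kind Step 8 describes. The mapping from CVEium disposition labels to OpenVEX statuses, the product identifier, the author and the document id are assumptions; the triage records are constructed sample data.

```python
import hashlib
import json

# Disposition labels from the Triage tab mapped to OpenVEX status values.
# This mapping is an assumption for the example, not CVEium's own export.
STATUS = {
    "Affected": "affected",
    "Not Affected": "not_affected",
    "Fixed": "fixed",
    "Under Investigation": "under_investigation",
}

# Constructed triage results for one release (placeholder CVE ids, not real data).
TRIAGE = [
    {"cve": "CVE-0000-0001", "disposition": "Not Affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"cve": "CVE-0000-0002", "disposition": "Fixed"},
    {"cve": "CVE-0000-0003", "disposition": "Affected",
     "action": "Upgrade to the next patch release"},
]

def build_openvex(product_id, triage, timestamp):
    """Build an OpenVEX document; rejects Under Investigation and unjustified Not Affected."""
    statements = []
    for item in triage:
        status = STATUS[item["disposition"]]
        if status == "under_investigation":
            raise ValueError(f"{item['cve']} is still under investigation")
        stmt = {"vulnerability": {"name": item["cve"]},
                "products": [{"@id": product_id}], "status": status}
        if status == "not_affected":
            if not item.get("justification"):
                raise ValueError(f"{item['cve']}: not_affected needs a justification")
            stmt["justification"] = item["justification"]
        if status == "affected" and item.get("action"):
            stmt["action_statement"] = item["action"]
        statements.append(stmt)
    # @context per the OpenVEX spec; @id and author are placeholders.
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "urn:example:vex:draft",
            "author": "Acme Security Team (placeholder)",
            "timestamp": timestamp, "version": 1, "statements": statements}

def content_hash(doc):
    """SHA-256 over canonical JSON, so re-serialisation cannot change the hash."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()
```

Downstream consumers can recompute `content_hash` over the document they received and compare it with the published hash to detect tampering in transit.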

Step 7: Submit for approval

  1. From the VEX tab, click Submit for Approval on the draft document
  2. Optionally add a comment for the reviewer
  3. Click Submit

The release is now locked to prevent changes while the VEX is under review.

Step 8: Approve and publish

An Owner or Admin on the team reviews the submission:

  1. Review the VEX document content
  2. Click Approve (or Reject to send it back to draft)
  3. After approval, click Publish

Publishing creates a permanent public disclosure with:

  • A unique public URL for sharing
  • A content hash for integrity verification
  • An optional digital signature

Step 9: Share your disclosure

  1. Navigate to Disclosures in the sidebar
  2. Find your published disclosure in the list
  3. Copy the public link to share with downstream users, customers, or regulatory authorities

The disclosure is also available via the Public API for automated consumption.

What happens next

  • Compliance reports: Generate an attestation report from the release page for auditors
  • Ongoing monitoring: CVEium periodically re-scans your SBOMs against new CVEs
  • Email notifications: Team owners and admins receive email alerts when new CVE matches are found
  • SLA tracking: Monitor remediation deadlines based on vulnerability severity

Congratulations! You have completed the full vulnerability disclosure workflow.