Release Locking

Understand how release locking protects published vulnerability data from accidental changes.

Release locking is a safety mechanism that prevents changes to a release's vulnerability data while a VEX document is under review or after it has been published.

When locking occurs

A release becomes locked when:

  • A VEX document is submitted for approval (enters the review process)
  • A VEX document is published as a disclosure

What is locked

When a release is locked, you cannot:

  • Upload or delete the SBOM
  • Change vulnerability dispositions
  • Generate new VEX documents
  • Edit release metadata

The lock icon appears next to the release version in the releases table and on the release detail page.

Unlocking

A release is unlocked when:

  • A submitted VEX document is rejected (returned to draft)
  • The lock is removed by the system after specific conditions are met

Why locking matters

Locking ensures the integrity of your published disclosures. When you publish a VEX document, it includes a snapshot of the vulnerabilities and dispositions at that point in time. If someone could change the underlying data after publication, the published disclosure would become inaccurate.

This is particularly important for regulatory compliance, where published disclosures serve as evidence that you have properly assessed and communicated vulnerability information.

Working with locked releases

If you need to update vulnerability information for a locked release:

  1. Create a new release version (e.g., "2.1.1" if the locked release is "2.1.0")
  2. Upload the updated SBOM to the new release
  3. Triage vulnerabilities and generate a new VEX document
  4. Publish the updated disclosure

This preserves the audit trail: the locked release keeps the exact SBOM and dispositions its published disclosure described, and the corrected information lives in a new, separately disclosed release, so every published disclosure remains an immutable record.
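The lock lifecycle described above (lock on submit or publish, unlock on rejection, mutations refused while locked, and a fresh release for corrections), modeled as a small state machine. This is an added illustration, not the product's own code or API: the names Release, generate_vex, submit_vex, reject_vex, publish_vex and supersede, and the SHA-256 digest over canonical JSON used to show that a published snapshot stays verifiable, are assumptions made for the example.

```python
"""Toy model of release locking around a VEX review/publish workflow.

Added example: not the product's own code or API. The class and method names
and the SHA-256-over-canonical-JSON digest are assumptions for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


class ReleaseLockedError(Exception):
    """A mutation was attempted on a locked release."""


def canonical_digest(doc: dict) -> str:
    """SHA-256 over canonical JSON, so identical content always yields the same digest."""
    blob = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Release:
    version: str
    sbom: Optional[dict] = None
    dispositions: Dict[str, str] = field(default_factory=dict)  # vuln id -> status
    vex_state: str = "draft"            # draft -> in_review -> published
    pending_vex: Optional[dict] = None  # document awaiting approval
    published_vex: Optional[dict] = None
    published_digest: Optional[str] = None

    @property
    def locked(self) -> bool:
        # Locked while a VEX document is under review or once one is published.
        return self.vex_state in ("in_review", "published")

    def _guard(self, action: str) -> None:
        if self.locked:
            raise ReleaseLockedError(
                f"release {self.version} is locked ({self.vex_state}); cannot {action}")

    # Mutations that the lock blocks.
    def upload_sbom(self, sbom: dict) -> None:
        self._guard("upload SBOM")
        self.sbom = sbom

    def set_disposition(self, vuln_id: str, status: str) -> None:
        self._guard("change disposition")
        self.dispositions[vuln_id] = status

    def generate_vex(self) -> dict:
        """Snapshot the current dispositions into a VEX document."""
        self._guard("generate VEX")
        return {"product": self.version,
                "statements": dict(sorted(self.dispositions.items()))}

    # Review workflow transitions.
    def submit_vex(self, doc: dict) -> None:
        if self.vex_state != "draft":
            raise ValueError(f"cannot submit from state {self.vex_state}")
        self.pending_vex = doc
        self.vex_state = "in_review"       # lock engages

    def reject_vex(self) -> None:
        if self.vex_state != "in_review":
            raise ValueError(f"cannot reject from state {self.vex_state}")
        self.pending_vex = None
        self.vex_state = "draft"           # lock released, back to draft

    def publish_vex(self) -> str:
        if self.vex_state != "in_review":
            raise ValueError(f"cannot publish from state {self.vex_state}")
        self.published_vex = self.pending_vex
        self.pending_vex = None
        self.published_digest = canonical_digest(self.published_vex)
        self.vex_state = "published"       # lock is now permanent
        return self.published_digest

    def verify_published(self) -> bool:
        """True if the published document still matches its digest and the live data."""
        if self.vex_state != "published":
            return False
        return (canonical_digest(self.published_vex) == self.published_digest
                and self.published_vex["statements"] == self.dispositions)


def supersede(locked: Release, new_version: str, sbom: dict) -> Release:
    """Start a new, unlocked release to carry updated vulnerability information."""
    if not locked.locked:
        raise ValueError("only a locked release needs superseding; edit it directly")
    new = Release(version=new_version)
    new.upload_sbom(sbom)  # triage and disclosure then proceed on the new release
    return new
```

The important property is that the guard sits in front of every mutation, not in the UI: once a document is submitted, the only legal state changes are rejection (back to draft) or publication (permanent lock), so verify_published can assert that the live dispositions still equal the published statements.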