Approval Workflow

Submit, review, approve, and manage VEX documents through the multi-step approval process.

VEX documents go through a controlled approval workflow before they can be published. This ensures that vulnerability disclosures are reviewed and authorized by appropriate team members.

Workflow stages

Draft

A newly generated VEX document starts in Draft status. In this stage:

  • The document content can be reviewed
  • The document can be deleted and regenerated
  • Changes to dispositions are not blocked, because the release is not yet locked

Submitted

When a team member submits a draft for review:

  1. The document moves to Submitted status
  2. The release is locked — no changes to SBOMs, dispositions, or other VEX documents
  3. The document is ready for an owner or admin to review

To submit, click Submit for Approval on the VEX tab and optionally add a comment explaining what the reviewer should look for.

Approved

When an owner or admin approves the submission:

  1. The document moves to Approved status
  2. The release remains locked
  3. The document is ready for publication

To approve, click Approve on the submitted VEX document. You can add an optional comment.

Rejected

If the reviewer finds issues, they can reject the submission:

  1. The document returns to Draft status
  2. The release is unlocked — dispositions and other data can be modified again
  3. The submitter can address the issues and resubmit

To reject, click Reject and provide a comment explaining what needs to be changed.

Published

When an approved document is published:

  1. A Published Disclosure record is created with a permanent public URL
  2. The content, product, release, SBOM, vulnerability, and disposition data are captured as immutable snapshots
  3. A content hash is computed for integrity verification
  4. If digital signing is enabled, the content is signed with HMAC-SHA256
  5. The release remains locked

To publish, click Publish on the approved VEX document.
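The snapshot, content hash and HMAC-SHA256 steps above are shown below in a worked example. This is added illustration code, not the product's own implementation: the snapshot field names, the public URL layout, the disclosure id and the signing key are all constructed for the demo, and the page does not define a snapshot schema or say how the real service serializes content.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample of an approved VEX document together with the product,
# release, SBOM, vulnerability and disposition data that get snapshotted.
# The field names are hypothetical; the page does not define a snapshot schema.
APPROVED_VEX = {
    "product": "example-product",
    "release": "1.4.2",
    "sbom": {"components": ["libfoo@2.1.0", "libbar@0.9.3"]},
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "component": "libfoo@2.1.0",
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
    ],
}


def canonical_bytes(snapshot: dict) -> bytes:
    """Serialize deterministically (sorted keys, fixed separators) so the same
    content always yields the same hash and signature."""
    return json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode("utf-8")


def content_hash(snapshot: dict) -> str:
    """SHA-256 of the canonical snapshot: detects corruption, not forgery."""
    return hashlib.sha256(canonical_bytes(snapshot)).hexdigest()


def sign(snapshot: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical snapshot with the publisher's secret key."""
    return hmac.new(key, canonical_bytes(snapshot), hashlib.sha256).hexdigest()


def publish(document: dict, disclosure_id: str, signing_key: Optional[bytes]) -> dict:
    """Build a Published Disclosure record from an approved document.

    The snapshot is a deep copy, so later edits to the live document can never
    change what was published. signing_key=None models 'digital signing disabled'.
    """
    snapshot = copy.deepcopy(document)
    record = {
        # Hypothetical URL layout; the page only says the URL is permanent and public.
        "public_url": f"https://disclosures.example.invalid/{disclosure_id}",
        "snapshot": snapshot,
        "content_hash": content_hash(snapshot),
    }
    if signing_key is not None:
        record["signature"] = sign(snapshot, signing_key)
    return record


def verify(record: dict, signing_key: Optional[bytes]) -> bool:
    """Check a published record: the hash must match and, when signing is
    enabled, the HMAC must match too (compared in constant time)."""
    snapshot = record["snapshot"]
    if content_hash(snapshot) != record.get("content_hash"):
        return False
    if signing_key is None:
        return True
    return hmac.compare_digest(sign(snapshot, signing_key), record.get("signature", ""))


def tampered_copy(record: dict, new_status: str) -> dict:
    """Copy of a published record with the first disposition altered, used to
    show that verification catches post-publication modification."""
    altered = copy.deepcopy(record)
    altered["snapshot"]["vulnerabilities"][0]["status"] = new_status
    return altered


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-use"  # constructed; real keys belong in a secret store
    record = publish(APPROVED_VEX, "d-0001", key)
    print("fresh record verifies:", verify(record, key))
    bad = tampered_copy(record, "affected")
    print("tampered snapshot verifies:", verify(bad, key))
    bad["content_hash"] = content_hash(bad["snapshot"])  # re-hashing without the key still fails
    print("tampered and re-hashed verifies:", verify(bad, key))
```

The hash on its own only proves the stored bytes have not changed by accident; anyone who can edit the record can recompute it. The HMAC is what ties the record to the holder of the signing key, which is why verification checks both and why the MAC comparison uses `hmac.compare_digest` rather than `==`.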

Who can perform each action

  Action                Required role
  Generate VEX          Any team member
  Submit for approval   Any team member
  Approve               Owner or Admin
  Reject                Owner or Admin
  Publish               Owner or Admin

Approval history

Every action in the workflow is logged with:

  • Who performed the action
  • When it was performed
  • Any comments provided

You can view the approval history on the VEX tab. All workflow actions are also recorded in the Audit Log.
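The stage transitions, the role table and the approval history above together describe one state machine. The example below is added here to show that machine in code; it is not the product's own implementation. The role names (member, owner, admin), the user names, the vulnerability id and the shape of the history entries are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

DRAFT, SUBMITTED, APPROVED, PUBLISHED = "Draft", "Submitted", "Approved", "Published"
OWNER_OR_ADMIN = frozenset({"owner", "admin"})
ANY_MEMBER = frozenset({"member", "owner", "admin"})

# action -> (roles allowed, status required before, status after, release locked after)
TRANSITIONS = {
    "submit":  (ANY_MEMBER,     DRAFT,     SUBMITTED, True),
    "approve": (OWNER_OR_ADMIN, SUBMITTED, APPROVED,  True),
    "reject":  (OWNER_OR_ADMIN, SUBMITTED, DRAFT,     False),
    "publish": (OWNER_OR_ADMIN, APPROVED,  PUBLISHED, True),
}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class Release:
    """A product release; locked while a VEX document is submitted or beyond."""
    name: str
    locked: bool = False
    dispositions: dict = field(default_factory=dict)

    def set_disposition(self, vuln_id: str, status: str) -> None:
        if self.locked:
            raise PermissionError(f"release {self.name} is locked by the VEX workflow")
        self.dispositions[vuln_id] = status


@dataclass
class VexDocument:
    release: Release
    status: str = DRAFT
    history: list = field(default_factory=list)  # who, when, comment for every action

    def _log(self, action: str, user: str, role: str, comment: str) -> None:
        self.history.append({"action": action, "by": user, "role": role,
                             "at": _now(), "comment": comment,
                             "resulting_status": self.status})

    def act(self, action: str, user: str, role: str, comment: str = "") -> str:
        """Apply a workflow action, enforcing role and current status, updating
        the release lock and recording the approval-history entry."""
        allowed_roles, required_status, next_status, lock_after = TRANSITIONS[action]
        if role not in allowed_roles:
            raise PermissionError(f"{user} ({role}) may not {action}")
        if self.status != required_status:
            raise ValueError(f"cannot {action} a document in {self.status} status")
        if action == "reject" and not comment.strip():
            raise ValueError("a rejection must explain what needs to change")
        self.status = next_status
        self.release.locked = lock_after
        self._log(action, user, role, comment)
        return self.status


def generate_vex(release: Release, user: str, role: str) -> VexDocument:
    """Any team member may generate a draft; generation is logged like other actions."""
    if role not in ANY_MEMBER:
        raise PermissionError(f"{user} ({role}) may not generate VEX")
    doc = VexDocument(release)
    doc._log("generate", user, role, "")
    return doc


def try_action(doc: VexDocument, action: str, user: str, role: str, comment: str = "") -> str:
    """Run an action and return the new status, or a 'denied: ...' string."""
    try:
        return doc.act(action, user, role, comment)
    except (PermissionError, ValueError) as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    rel = Release("1.4.2")
    doc = generate_vex(rel, "alice", "member")
    rel.set_disposition("EXAMPLE-VULN-1", "not_affected")      # allowed while Draft
    print(try_action(doc, "submit", "alice", "member", "please check vuln-1"))
    print("release locked:", rel.locked)
    print(try_action(doc, "approve", "alice", "member"))       # members cannot approve
    print(try_action(doc, "reject", "bob", "owner", "justification missing"))
    print("release locked:", rel.locked)                       # unlocked again
    print(try_action(doc, "submit", "alice", "member"))
    print(try_action(doc, "approve", "bob", "admin"))
    print(try_action(doc, "publish", "bob", "admin"))
    for entry in doc.history:
        print(entry["action"], entry["by"], entry["resulting_status"], entry["comment"])
```

Two checks matter most here: the role check and the status check are both enforced on every action (so a submitter cannot approve their own work, and an already approved document cannot be resubmitted), and the release lock is derived from the transition rather than toggled by hand, so a reject always unlocks and approve and publish always keep the lock.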