Publishing Disclosures

Publish approved VEX documents to make them publicly accessible via the API.

Publishing an approved VEX document creates a permanent, publicly accessible disclosure for downstream users, customers, and regulatory authorities.

What happens when you publish

When you click Publish on an approved VEX document, CVEium CIS:

  1. Creates a Published Disclosure record
  2. Generates a unique public slug — a URL-friendly identifier for the disclosure
  3. Captures immutable snapshots of the product, release, SBOM, vulnerabilities, and dispositions at the time of publication
  4. Computes a content hash (SHA-256) for integrity verification
  5. If a signing key is configured, applies an HMAC-SHA256 digital signature to the content

Viewing published disclosures

Navigate to Disclosures in the sidebar to see all published disclosures for your team. The list shows:

  • Product name and release version
  • VEX format (CycloneDX VEX, OpenVEX, or CSAF)
  • Publication date
  • Public slug

Sharing disclosures

Each published disclosure has a public URL that can be shared without authentication. To share:

  1. Open the disclosure from the Disclosures page
  2. Copy the public link
  3. Share with downstream users, customers, or regulators

Downloading raw VEX content

You can download the raw VEX document file from the disclosure detail page. The file is served with the appropriate Content-Type header for the format.

Public API access

Published disclosures are also available through the Public API. The API supports:

  • Listing all disclosures with pagination
  • Retrieving individual disclosures by slug
  • Filtering by VEX format
  • Downloading raw VEX content
  • Verifying content integrity and signatures
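
The SHA-256 content hash and HMAC-SHA256 signature created at publication, and the integrity check listed above, can also be reproduced on the consumer side. The following is an added example, not CVEium CIS code: the function name, parameters, and sample data are hypothetical, and it assumes both values are hex strings computed over the raw file bytes. HMAC is symmetric, so the signature can only be checked by a party holding the same signing key.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional


class VerifyResult(NamedTuple):
    hash_ok: bool
    signature_ok: Optional[bool]  # None means the disclosure carries no signature


def verify_disclosure(raw: bytes, published_sha256: str,
                      published_sig: Optional[str] = None,
                      key: Optional[bytes] = None) -> VerifyResult:
    """Check downloaded VEX bytes against the published hash and signature.

    Assumption: both values are hex strings computed over the raw file bytes.
    """
    digest = hashlib.sha256(raw).hexdigest().encode()
    # compare_digest runs in constant time for equal-length inputs.
    hash_ok = hmac.compare_digest(digest, published_sha256.strip().lower().encode())
    if published_sig is None:
        return VerifyResult(hash_ok, None)
    if key is None:
        # A signature that cannot be checked is reported as unverified, never as valid.
        return VerifyResult(hash_ok, False)
    mac = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    sig_ok = hmac.compare_digest(mac, published_sig.strip().lower().encode())
    return VerifyResult(hash_ok, sig_ok)


# Constructed sample data: a minimal stand-in for a downloaded VEX file and a demo key.
SAMPLE_DOC = b'{"statements": [{"vulnerability": "CVE-PLACEHOLDER", "status": "not_affected"}]}'
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_HASH = hashlib.sha256(SAMPLE_DOC).hexdigest()
SAMPLE_SIG = hmac.new(SAMPLE_KEY, SAMPLE_DOC, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(verify_disclosure(SAMPLE_DOC, SAMPLE_HASH, SAMPLE_SIG, SAMPLE_KEY))
    print(verify_disclosure(SAMPLE_DOC + b" ", SAMPLE_HASH, SAMPLE_SIG, SAMPLE_KEY))
```

Hash the bytes exactly as downloaded; re-serializing the JSON before hashing changes the digest even when the content is semantically identical.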

Disclosure limits

The number of published disclosures per month depends on your subscription plan:

  Plan         Disclosures/month
  Free         1
  Starter      10
  Teams        50
  Business     Unlimited
  Enterprise   Unlimited

Immutability

Published disclosures are immutable. Once published, the content cannot be changed. If you need to issue an updated disclosure:

  1. Create a new release version
  2. Upload the updated SBOM
  3. Triage vulnerabilities
  4. Generate and publish a new VEX document

This preserves the audit trail and ensures published disclosures remain a reliable, unchangeable record.