FAQ

Common questions about SBOMs, VEX, CVE scanning, and compliance

What SBOM formats does CVEium support?

CVEium accepts SBOMs in CycloneDX and SPDX JSON format. When you upload an SBOM, components are automatically parsed, Package URLs (PURLs) are extracted, and file hashes are computed for integrity verification.

How does automated CVE scanning work?

Every uploaded SBOM is scanned against 300,000+ known vulnerabilities from NVD and OSV. Matching uses Package URLs for accuracy. New CVEs are checked continuously through periodic re-scans, so you are alerted when newly published vulnerabilities affect your existing SBOMs.

What are VEX documents?

VEX (Vulnerability Exploitability eXchange) documents communicate which vulnerabilities actually affect your product and which do not. Instead of forwarding raw CVE scan results, VEX lets you share your triage assessment — reducing alert fatigue for downstream consumers. CVEium generates VEX in three industry-standard formats: CycloneDX VEX, OpenVEX, and CSAF.
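The three answers above describe one pipeline: parse an SBOM and extract PURLs, match those PURLs against a vulnerability feed, then record the triage result as VEX so downstream consumers get the assessment rather than the raw hits. The following Python is an added example written for this FAQ, not CVEium's own code; the CycloneDX SBOM, the vulnerability table, the `CVE-EXAMPLE-*` identifiers and the `example-vendor` author are all constructed, and the version-range matching is a deliberately simple stand-in for what a real NVD/OSV feed provides.

```python
"""Worked example: ingest a CycloneDX JSON SBOM, match its PURLs against a
vulnerability table, and emit the triage as an OpenVEX document.
Added illustration, not CVEium's code. SBOM, vulnerability table and the
CVE-EXAMPLE-* identifiers are constructed for this example."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed CycloneDX 1.5 SBOM, as a client might upload it.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "group": "org.apache.commons", "name": "commons-text",
         "version": "1.9", "purl": "pkg:maven/org.apache.commons/commons-text@1.9"},
    ],
}).encode()

# Constructed vulnerability table keyed by PURL (type, namespace, name), with an
# exclusive upper bound on affected versions. Real feeds are richer; the
# matching idea (key on the PURL, then compare versions) is the same.
VULNS = [
    {"id": "CVE-EXAMPLE-0001", "key": ("npm", "", "lodash"), "fixed_in": "4.17.21"},
    {"id": "CVE-EXAMPLE-0002", "key": ("pypi", "", "requests"), "fixed_in": "2.20.0"},
    {"id": "CVE-EXAMPLE-0003", "key": ("maven", "org.apache.commons", "commons-text"),
     "fixed_in": "1.10.0"},
]

def parse_purl(purl):
    """Split pkg:type/namespace/name@version into (type, namespace, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: %r" % purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]  # drop subpath and qualifiers
    path, _, version = body.partition("@")
    parts = path.strip("/").split("/")
    ptype, name = parts[0], parts[-1]
    namespace = "/".join(parts[1:-1])
    return ptype, namespace, name, version

def version_key(v):
    """Numeric-tuple ordering for simple dotted versions (sufficient here)."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))

def ingest_sbom(raw):
    """Parse the SBOM; return its SHA-256 (for integrity) and the component PURLs."""
    bom = json.loads(raw)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    purls = [c["purl"] for c in bom.get("components", []) if "purl" in c]
    return hashlib.sha256(raw).hexdigest(), purls

def scan(purls, vulns=VULNS):
    """Return [(cve_id, purl)] for every component inside an affected range."""
    hits = []
    for purl in purls:
        ptype, ns, name, version = parse_purl(purl)
        for v in vulns:
            if v["key"] == (ptype, ns, name) and \
                    version_key(version) < version_key(v["fixed_in"]):
                hits.append((v["id"], purl))
    return hits

def build_openvex(hits, triage, author="example-vendor"):
    """Turn scan hits plus the analyst's triage into an OpenVEX document.

    `triage` maps (cve_id, purl) -> (status, justification_or_None); hits that
    have not been triaged yet are emitted as under_investigation."""
    statements = []
    for cve, purl in hits:
        status, just = triage.get((cve, purl), ("under_investigation", None))
        st = {"vulnerability": {"name": cve}, "products": [{"@id": purl}],
              "status": status}
        if status == "not_affected" and just:
            st["justification"] = just  # required by OpenVEX for not_affected
        statements.append(st)
    content_id = hashlib.sha256(
        json.dumps(statements, sort_keys=True).encode()).hexdigest()[:16]
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/" + content_id,  # constructed URL
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }

if __name__ == "__main__":
    digest, purls = ingest_sbom(SBOM_JSON)
    hits = scan(purls)
    triage = {("CVE-EXAMPLE-0001", "pkg:npm/lodash@4.17.20"):
              ("not_affected", "vulnerable_code_not_in_execute_path")}
    print("sbom sha256:", digest)
    print(json.dumps(build_openvex(hits, triage), indent=2))
```

Running it reports two hits (lodash and commons-text; requests is above its fixed version), and the resulting OpenVEX carries the analyst's `not_affected` statement for lodash while commons-text stays `under_investigation` until someone triages it. That is the point of VEX: the consumer sees the assessment, not just the match.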

Does CVEium help with EU CRA compliance?

Yes. CVEium supports the vulnerability handling requirements of the EU Cyber Resilience Act, including SBOM management, vulnerability disclosure, remediation SLA tracking, and audit trail maintenance. You can generate compliance attestation reports that cover product information, scan results, disposition status, and NIST SSDF practice checklists.

Can I try CVEium for free?

Yes. The free plan includes 1 product, 3 releases, 1 team member, and 1 published disclosure per month. No credit card is required to sign up. You can upgrade to a paid plan at any time as your needs grow.

How are teams and permissions structured?

Each team workspace has three roles. Owners have full control including billing and team deletion. Admins can manage members, products, and settings. Members can create products, upload SBOMs, triage vulnerabilities, and generate VEX documents but cannot manage team settings or billing.

What is the VEX approval workflow?

VEX documents follow a four-stage workflow: Draft, Submitted, Approved, and Published. Authors create and submit documents for review. Approvers (Owners and Admins) review and approve or reject. Only approved documents can be published with public URLs and content hashes.

Can I export data for audits?

Yes. You can export audit logs as CSV with date range filtering, download SBOMs in their original format, and generate compliance attestation reports from any release. Published VEX documents are available via public API for machine-readable access.