# Latticra Vulnerability Management Release Gate Baseline

Status: vulnerability management release gate baseline
Source refresh date: 2026-05-26
Scope: CISA KEV review, NVD/CVE review, coordinated vulnerability disclosure, dependency/component inventory, release blocking, mitigation/exception records, and public non-claims before production release, update, installer, package, internet-facing service, or security-product claims.

This baseline records vulnerability-management release gates only. It does not run vulnerability scans, query live feeds, publish advisories, submit CVEs, patch dependencies, produce an SBOM, publish releases, grant release authority, or claim product security.

## Authoritative Vulnerability Sources

Date checked: 2026-05-26

| Source | Latticra use |
| --- | --- |
| CISA Known Exploited Vulnerabilities Catalog | exploited-in-the-wild prioritization input before release or internet-facing claims |
| NIST National Vulnerability Database and CVSS metrics | CVE/CVSS enrichment vocabulary, severity context, and the caveat that a CVSS score is a severity measure, not a risk score |
| CISA Coordinated Vulnerability Disclosure Program | disclosure coordination and mitigation workflow vocabulary |
| CISA Vulnerability Disclosure Policy Template | good-faith reporting, authorized testing, report intake, and disclosure-scope vocabulary |
| CISA/FBI Product Security Bad Practices | avoid release posture that ignores known exploited vulnerabilities or fails to document non-exploitability claims |

Authoritative URLs:

```text
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln-metrics/cvss
https://www.cisa.gov/coordinated-vulnerability-disclosure-process
https://www.cisa.gov/vulnerability-disclosure-policy-template
https://www.cisa.gov/resources-tools/resources/product-security-bad-practices
https://www.cisa.gov/news-events/alerts/2025/01/17/cisa-and-fbi-release-updated-guidance-product-security-bad-practices
```

## Current Fields

```text
vulnerability_management_release_gate_baseline_present=1
vulnerability_management_release_gate_guard_present=1
cisa_kev_catalog_tracked=1
nvd_cve_review_required=1
cvss_context_required_not_risk_score_only=1
coordinated_vulnerability_disclosure_required=1
vulnerability_disclosure_policy_scope_required=1
dependency_component_inventory_required=1
sbom_required_before_production_release=1
kev_nvd_review_required_before_release=1
known_exploited_vulnerability_mitigation_required=1
non_exploitability_claim_requires_written_record=1
vulnerability_exception_owner_required=1
vulnerability_exception_expiration_required=1
release_block_on_unmitigated_known_exploited_vulnerability=1
internet_facing_asset_inventory_required_before_release=1
security_advisory_process_required_before_supported_release=1
implementation_behavior_changed=0
live_feed_query_added=0
vulnerability_scan_added=0
release_publishing_authority_granted=0
security_advisory_published=0
cve_submission_performed=0
sbom_generated=0
production_release_claim_allowed=0
product_security_claim_allowed=0
compliance_claim_allowed=0
external_endorsement_claimed=0
```

## Required Release Gate

No production release, production installer, production package, update lane, internet-facing service, hosted service, security-product claim, or supported-version claim may be promoted until this gate is complete:

```text
release_artifact_inventory_present=1
component_inventory_present=1
dependency_inventory_reviewed=1
sbom_present=1
sbom_reviewed=1
cpe_or_purl_mapping_reviewed=1
cisa_kev_review_completed=1
nvd_cve_review_completed=1
known_exploited_vulnerability_mitigation_recorded=1
critical_high_vulnerability_exception_recorded=1
non_exploitability_claim_evidence_recorded=1
vulnerability_exception_owner_recorded=1
vulnerability_exception_expiration_recorded=1
vulnerability_disclosure_path_present=1
coordinated_disclosure_escalation_path_present=1
security_advisory_template_present=1
supported_version_scope_recorded=1
release_non_claim_review_completed=1
```

Until this gate is complete:

```text
release_artifact_published=0
production_release_claim_allowed=0
production_installer_claim_allowed=0
production_update_claim_allowed=0
supported_version_claim_allowed=0
security_product_claim_allowed=0
vulnerability_free_claim_allowed=0
known_exploited_vulnerability_exception_allowed=0
internet_facing_service_claim_allowed=0
security_advisory_publication_allowed=0
```
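The gate above is a set of fields that must all read `=1`, followed by a set of non-claim fields that must all read `=0` until it is complete. As an added example (not the project's own guard script), the POSIX sh below evaluates a key=value release-gate record against exactly those field names and blocks when any field is missing or mis-set; the record file layout and the constructed sample records are assumptions.

```sh
#!/bin/sh
# Added example (not the project's own guard script): evaluates a key=value
# release-gate record against the Required Release Gate fields above. Every
# REQUIRED_ONE field must read =1 and every REQUIRED_ZERO field =0; a missing
# or mis-set field blocks the release. Record file layout is an assumption.
REQUIRED_ONE="release_artifact_inventory_present component_inventory_present
dependency_inventory_reviewed sbom_present sbom_reviewed cpe_or_purl_mapping_reviewed
cisa_kev_review_completed nvd_cve_review_completed
known_exploited_vulnerability_mitigation_recorded
critical_high_vulnerability_exception_recorded
non_exploitability_claim_evidence_recorded vulnerability_exception_owner_recorded
vulnerability_exception_expiration_recorded vulnerability_disclosure_path_present
coordinated_disclosure_escalation_path_present security_advisory_template_present
supported_version_scope_recorded release_non_claim_review_completed"
REQUIRED_ZERO="release_artifact_published production_release_claim_allowed
production_installer_claim_allowed production_update_claim_allowed
supported_version_claim_allowed security_product_claim_allowed
vulnerability_free_claim_allowed known_exploited_vulnerability_exception_allowed
internet_facing_service_claim_allowed security_advisory_publication_allowed"

# field_value FILE KEY: prints the value of the last exact KEY=... line (empty if absent).
field_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_release_gate FILE: returns 0 only when every gate field is set as
# required; each blocking field is reported on stderr.
check_release_gate() {
    rc=0
    for key in $REQUIRED_ONE; do
        [ "$(field_value "$1" "$key")" = "1" ] || { echo "BLOCK: $key must be 1" >&2; rc=1; }
    done
    for key in $REQUIRED_ZERO; do
        [ "$(field_value "$1" "$key")" = "0" ] || { echo "BLOCK: $key must be 0" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample records, not real project output.
GATE_OK="${TMPDIR:-/tmp}/latticra_gate_ok.$$"; GATE_BAD="${TMPDIR:-/tmp}/latticra_gate_bad.$$"
for key in $REQUIRED_ONE; do echo "$key=1"; done > "$GATE_OK"
for key in $REQUIRED_ZERO; do echo "$key=0"; done >> "$GATE_OK"
# Same record, but the KEV review is still open and an artifact was pushed anyway.
sed -e 's/^cisa_kev_review_completed=1/cisa_kev_review_completed=0/' \
    -e 's/^release_artifact_published=0/release_artifact_published=1/' "$GATE_OK" > "$GATE_BAD"

check_release_gate "$GATE_OK" && echo "gate complete: promotion permitted"
check_release_gate "$GATE_BAD" 2>/dev/null || echo "gate incomplete: release blocked"
```

A field that is absent from the record fails the check just like a wrong value, so an incomplete record can never be read as a completed gate.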

## Exception Record Requirements

Any future exception for an unresolved vulnerability must include:

```text
vulnerability_identifier_recorded=1
affected_component_recorded=1
affected_version_recorded=1
exposure_context_recorded=1
exploitability_analysis_recorded=1
mitigation_or_compensating_control_recorded=1
owner_recorded=1
review_deadline_recorded=1
operator_visible_status_recorded=1
public_claim_review_recorded=1
```

## Current Evidence

Current supporting evidence:

```text
docs/HIGH_ASSURANCE_SECURITY_BASELINE.md
docs/SUPPLY_CHAIN_SECURITY_BASELINE.md
docs/CYBER_INCIDENT_REPORTING_RESPONSE_BASELINE.md
SECURITY.md
scripts/test-high-assurance-security-baseline.sh
scripts/test-supply-chain-security-baseline.sh
scripts/test-vulnerability-management-release-gate-baseline.sh
```

## Validation

This baseline is guarded by:

```sh
sh scripts/test-vulnerability-management-release-gate-baseline.sh
```
