KEV, NVD, Disclosure, and Release Blocking

Vulnerability management release gate

Latticra records vulnerability-management requirements before any production release, update, package, installer, internet-facing service, or security-product claim. It does not scan live feeds, publish advisories, submit CVEs, patch dependencies, generate SBOMs, publish releases, or claim product security.

Current Rule

Vulnerability review is a release blocker, not a security claim.

The baseline requires CISA KEV review, NVD/CVE review, coordinated vulnerability disclosure paths, dependency and component inventory, exception ownership, exception expiration, mitigation records, and public non-claim review before release wording can promote.

01. Source review

CISA KEV, NVD/CVE, CVSS context, coordinated disclosure, vulnerability disclosure policy, and product-security bad-practices sources are tracked as requirements.

02. Inventory first

Production wording needs release artifact inventory, component inventory, dependency review, SBOM review, and CPE or purl mapping review.

03. Mitigation records

Known exploited vulnerability handling, critical/high exception records, and non-exploitability claims need written evidence.

04. Release stays closed

Publication, supported-version claims, security-product claims, vulnerability-free wording, and advisory publication remain blocked.

Current Snapshot

The gate exists to keep release claims closed.

These fields represent a controlled release boundary. They are not evidence that Latticra is vulnerability-free, supported, production-ready, or a security product.

vulnerability_management_release_gate 1
cisa_kev_catalog_tracked 1
nvd_cve_review_required 1
sbom_required_before_production_release 1
live_feed_query_added 0
vulnerability_scan_added 0
security_advisory_published 0
product_security_claim_allowed 0

Release Gate

Release promotion needs inventory, review, mitigation, and disclosure evidence.

No production release, installer, package, update lane, internet-facing service, hosted service, security-product claim, or supported-version claim can promote until the required vulnerability-management fields are complete.

Present now

Baseline, status record, guard script, source references, release blockers, and public non-claim wording.

Required before promotion

Artifact inventory, component inventory, dependency review, SBOM review, CPE or purl mapping, KEV review, NVD/CVE review, mitigation records, exception records, disclosure path, advisory template, supported-version scope, and release non-claim review.

Denied now

Release artifact publication, production release claims, production installer claims, production update claims, supported-version claims, security-product claims, vulnerability-free claims, KEV exceptions, internet-facing service claims, and advisory publication.

Exception Records

An unresolved vulnerability cannot be waved through by wording.

A future exception requires a visible owner, deadline, affected component, exposure context, mitigation or compensating control, and public claim review. Without that record, the release gate remains closed.

Record: identifier and component

Future exceptions must name the vulnerability identifier, affected component, affected version, and exposure context.

Record: analysis and mitigation

Exploitability analysis, mitigation, compensating controls, and non-exploitability evidence must be written down.

Record: owner and deadline

Every exception needs an owner, expiration or review deadline, operator-visible status, and public claim review.

Closed: release by assertion

A release cannot promote because a vulnerability is described as unlikely, theoretical, out of scope, or non-exploitable without evidence.
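The check below is an added example, not Latticra's guard script: it encodes the exception-record rules above (required identifier, analysis, mitigation, owner and deadline fields, no KEV exceptions, expired exceptions rejected, and release by assertion refused) as a gate that stays closed until every record is complete. The record layout, field names, and the sample records are assumptions constructed for the example.

```python
# Added example: a minimal release-gate check for the exception-record rules above.
# Not Latticra's guard script; the record layout and field names are assumed.
from datetime import date

# Fields every future exception must carry (assumed names for the page's record items).
REQUIRED_EXCEPTION_FIELDS = (
    "vulnerability_id", "component", "version", "exposure_context",
    "exploitability_analysis", "mitigation", "owner", "review_deadline",
    "status", "public_claim_reviewed",
)
# Gate evidence that must be complete (1) before promotion (assumed field names).
REQUIRED_GATE_FIELDS = (
    "artifact_inventory", "component_inventory", "dependency_review",
    "sbom_review", "kev_review", "nvd_cve_review", "disclosure_path",
)
TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is deterministic

def exception_problems(rec, kev_ids, today):
    """Reasons one exception record cannot be accepted (empty list = acceptable)."""
    vid = rec.get("vulnerability_id", "<no id>")
    # Release by assertion: an empty analysis or mitigation field counts as missing.
    problems = [f"{vid}: missing {f}" for f in REQUIRED_EXCEPTION_FIELDS if not rec.get(f)]
    if vid in kev_ids:  # KEV exceptions are denied outright
        problems.append(f"{vid}: listed in CISA KEV, exception denied")
    deadline = rec.get("review_deadline")
    if deadline and date.fromisoformat(deadline) < today:
        problems.append(f"{vid}: exception expired on {deadline}")
    return problems

def release_gate(gate_fields, exceptions, kev_ids, today):
    """Return ('open', []) only when every gate field and exception record is complete."""
    problems = [f"gate: {f} incomplete" for f in REQUIRED_GATE_FIELDS if gate_fields.get(f) != 1]
    for rec in exceptions:
        problems.extend(exception_problems(rec, kev_ids, today))
    return ("open" if not problems else "closed", problems)

# Constructed sample records with placeholder identifiers, not real vulnerabilities.
COMPLETE = {
    "vulnerability_id": "VULN-EXAMPLE-1", "component": "libexample", "version": "1.2.3",
    "exposure_context": "build-time only, not shipped", "owner": "security-lead",
    "exploitability_analysis": "affected path not compiled in; see note", "mitigation": "pinned patched build",
    "review_deadline": "2999-01-01", "status": "open", "public_claim_reviewed": True,
}
BY_ASSERTION = dict(COMPLETE, vulnerability_id="VULN-EXAMPLE-2", exploitability_analysis="", mitigation="")
KEV_LISTED = dict(COMPLETE, vulnerability_id="VULN-EXAMPLE-3")
EXPIRED = dict(COMPLETE, vulnerability_id="VULN-EXAMPLE-4", review_deadline="2000-01-01")
GATE_OK = {f: 1 for f in REQUIRED_GATE_FIELDS}

if __name__ == "__main__":
    print(*release_gate(GATE_OK, [COMPLETE, BY_ASSERTION, KEV_LISTED, EXPIRED], {"VULN-EXAMPLE-3"}, TODAY), sep="\n")
```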

Local Commands

Validate the release-gate records without running vulnerability operations.

These guards validate source records and public-entry alignment. They do not query live feeds, scan dependencies, publish advisories, generate SBOMs, submit CVEs, or release artifacts.

Vulnerability gate

sh scripts/test-vulnerability-management-release-gate-baseline.sh

Supply-chain gate

sh scripts/test-supply-chain-security-baseline.sh

Incident boundary

sh scripts/test-cyber-incident-reporting-response-baseline.sh

Source Records

Use exact records before repeating vulnerability-management wording.

Vulnerability management release gate baseline: KEV/NVD review, coordinated disclosure, exception records, release blocking, and product-security non-claims.

Vulnerability gate status: status fields and expected guard output for the release-gate baseline.

Supply-chain baseline: CI, dependency, SBOM, release, and update-lane security gates.

Supply-chain gates: reader-facing release authority, SBOM, update-delivery, and runtime-authority blockers.

Incident reporting baseline: reporting routes, evidence preservation, response gates, and incident-response non-claims.

Incident response boundary: reader-facing guide to reporting routes, preservation rules, and closed response effects.

High-assurance baseline: source-tracked security posture and future control allocation.

Secure configuration and change management: secure baselines, approved changes, drift planning, exception records, and hardening non-claims.

Network exposure and remote access: internet exposure inventory, remote access, RMM, DNS/TLS lifecycle, and network-service non-claims.

Data classification and protection: sensitive-data flow mapping, PII review, redaction, DLP planning, and customer-data non-claims.

Cryptographic assurance and key management: FIPS/CMVP claim gates, key lifecycle, randomness, post-quantum planning, and crypto non-claims.

Security overview: safe testing, effect gates, runtime boundary, and security non-claims.

Security policy: private vulnerability reporting, safe testing, scope, and security non-claims.

Non-claims: unsupported security, release, incident-response, and product-readiness claims.

Evidence model: promotion levels, public claim boundaries, and exact source records.

Status index: detailed status records and current public status navigation.