Skip to main content
XOR
[COMPLIANCE]

Compliance Evidence

Machine-readable evidence for every triaged vulnerability. VEX statements, verification reports, and audit trails produced automatically.

VEX statements

For every NOT EXPLOITABLE verdict, XOR generates an OpenVEX document with vulnerability ID, product PURL, status, justification, and impact statement. Download as JSON or attach to your SBOM.

SBOM integration

VEX documents reference products by PURL (Package URL). If your SBOM pipeline produces CycloneDX or SPDX, XOR's VEX statements link to the same package identifiers.

3
Evidence formats (VEX, CSAF, OSV)
250-500h
Audit prep time saved quarterly
CRA 13.6
EU compliance evidence

Machine-readable evidence for every triaged vulnerability

VEX statements, verification reports, and audit trails — produced automatically as XOR triages your PRs. No manual evidence gathering. Point your auditor at the PR comments.

VEX statements

For every NOT EXPLOITABLE verdict, XOR generates an OpenVEX document:

{
"@context": "https://openvex.dev/ns/v0.2.0",
"author": "XOR Platform <security@xor.tech>",
"statements": [{
  "vulnerability": { "name": "CVE-XXXX-XXXXX" },
  "products": [{ "@id": "pkg:github/your-org/your-repo" }],
  "status": "not_affected",
  "justification": "vulnerable_code_not_present",
  "impact_statement": "Static analysis confirms no call path."
}]
}

Supported formats

OpenVEX

openvex.dev v0.2.0. Primary format. Machine-readable, interoperable.

CSAF VEX Profile

OASIS CSAF v2.0. BSI TR-03183-3 recommended for EU/CRA.

OSV

Google OSV schema. Integration with OSV.dev vulnerability database.

CRA Article 13.6 compliance

The EU Cyber Resilience Act requires manufacturers to share vulnerability information in machine-readable format. XOR's VEX output satisfies this requirement:

  • Machine-readable: JSON format, parseable by any SBOM or GRC tool
  • Structured justification: Includes the specific reason (not just "not affected")
  • Product identification: PURL identifiers that match SBOM entries
  • Timestamps and versioning: Dated and versioned for audit trails

XOR produces evidence for CRA compliance. It does not certify compliance — that responsibility stays with the product manufacturer.

SBOM integration

VEX documents reference products by PURL (Package URL). If your SBOM pipeline produces CycloneDX or SPDX documents, XOR's VEX statements link to the same package identifiers.

Audit trail

Every XOR triage produces:

  1. PR comment — structured verdict with metrics (visible in GitHub)
  2. VEX document — for not-affected verdicts (downloadable JSON)
  3. Verification report — for exploitable verdicts with patching evidence
  4. Agent trace — full analysis trajectory, signed with COSE_Sign1

[NEXT STEPS]

Related documentation

Dependabot verification →

Standards overview →

Agent compliance evidence →

Platform capabilities →

FAQ

What evidence formats does XOR produce?

OpenVEX (primary), CSAF VEX Profile (EU/CRA recommended), and OSV. All machine-readable JSON, parseable by any SBOM or GRC tool.

Does XOR handle CRA Article 13.6 compliance?

XOR produces evidence for CRA compliance: machine-readable VEX documents, structured justifications, PURL product identifiers, and timestamped audit trails. It does not certify compliance — that's the manufacturer's responsibility.

How does the audit trail work?

Every triage produces: a PR comment with structured verdict, a VEX document for not-affected verdicts, a verification report for exploitable verdicts, and an agent trace signed with COSE_Sign1.

[RELATED TOPICS]

Patch verification

XOR writes a verifier for each vulnerability, then tests agent-generated patches against it. If the fix passes, it ships. If not, the failure feeds back into the agent harness.

Automated vulnerability patching

AI agents generate fixes for known CVEs. XOR verifies each fix and feeds outcomes back into the agent harness so future patches improve.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,664 evaluations.

Benchmark Results

62.7% pass rate. $2.64 per fix. Real data from 1,664 evaluations.

Agent Cost Economics

Fix vulnerabilities for $2.64–$52 with agents. 100x cheaper than incident response. Real cost data.

Agent Configurations

13 agent-model configurations evaluated on real CVEs. Compare Claude Code, Codex, Gemini CLI, Cursor, and OpenCode.

Benchmark Methodology

How CVE-Agent-Bench evaluates 13 coding agents on 128 real vulnerabilities. Deterministic, reproducible, open methodology.

Agent Environment Security

AI agents run with real permissions. XOR verifies tool configurations, sandbox boundaries, and credential exposure.

Security Economics for Agentic Patching

Security economics for agentic patching. ROI models backed by verified pass/fail data and business-impact triage.

Validation Process

25 questions we ran against our own data before publishing. Challenges assumptions, explores implications, extends findings.

Cost Analysis

10 findings on what AI patching costs and whether it is worth buying. 1,664 evaluations analyzed.

Bug Complexity

128 vulnerabilities scored by difficulty. Floor = every agent fixes it. Ceiling = no agent can.

Agent Strategies

How different agents approach the same bug. Strategy matters as much as model capability.

Execution Metrics

Per-agent session data: turns, tool calls, tokens, and timing. See what happens inside an agent run.

Pricing Transparency

Every cost number has a source. Published pricing models, measurement methods, and provider rates.

Automated Vulnerability Patching and PR Review

Automated code review, fix generation, GitHub Actions hardening, safety checks, and learning feedback. One-click install on any GitHub repository.

Getting Started with XOR GitHub App

Install in 2 minutes. First result in 15. One-click GitHub App install, first auto-review walkthrough, and engineering KPI triad.

Platform Capabilities

One install. Seven capabilities. Prompt-driven. CVE autopatch, PR review, CI hardening, guardrail review, audit packets, and more.

Dependabot Verification

Dependabot bumps versions. XOR verifies they're safe to merge. Reachability analysis, EPSS/KEV enrichment, and structured verdicts.

Compatibility and Prerequisites

Languages, build systems, CI platforms, and repository types supported by XOR. What you need to get started.

Command Reference

Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.

Continuous Learning from Verified Agent Runs

A signed record of every agent run. See what the agent did, verify it independently, and feed the data back so agents improve.

Signed Compliance Evidence for AI Agents

A tamper-proof record of every AI agent action. Produces evidence for SOC 2, EU AI Act, PCI DSS, and more. Built on open standards so auditors verify independently.

Compliance Evidence and Standards Alignment

How XOR signed audit trails produce evidence for SOC 2, EU AI Act, PCI DSS, NIST, and other compliance frameworks.

Agentic Third-Party Risk

33% of enterprise software will be agentic by 2028. 40% of those projects will be canceled due to governance failures. A risk overview for CTOs.

MCP Server Security

17 attack types across 4 surfaces. 7.2% of 1,899 open-source MCP servers contain vulnerabilities. Technical deep-dive with defense controls.

How Agents Get Attacked

20% jailbreak success rate. 42 seconds average. 90% of successful attacks leak data. Threat landscape grounded in published research.

Governing AI Agents in the Enterprise

92% of AI vendors claim broad data usage rights. 17% commit to regulatory compliance. Governance frameworks from NIST, OWASP, EU CRA, and Stanford CodeX.

OWASP Top 10 for Agentic Applications

The OWASP Agentic Top 10 mapped to real-world attack data and XOR capabilities. A reference page for security teams.

See which agents produce fixes that work

128 CVEs. 13 agents. 1,664 evaluations. Agents learn from every run.