Compliance Evidence
Machine-readable evidence for every triaged vulnerability. VEX statements, verification reports, and audit trails produced automatically.
VEX statements
For every NOT EXPLOITABLE verdict, XOR generates an OpenVEX document:
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "author": "XOR Platform <security@xor.tech>",
  "statements": [{
    "vulnerability": { "name": "CVE-XXXX-XXXXX" },
    "products": [{ "@id": "pkg:github/your-org/your-repo" }],
    "status": "not_affected",
    "justification": "vulnerable_code_not_in_execute_path",
    "impact_statement": "Static analysis confirms no call path."
  }]
}
Supported formats
OpenVEX
openvex.dev v0.2.0. Primary format; the JSON document above. Machine-readable and interoperable.
CSAF VEX Profile
OASIS CSAF v2.0 with the VEX profile. Recommended by BSI TR-03183-3 for EU/CRA vulnerability reporting.
OSV
Google's OSV schema, for integration with the OSV.dev vulnerability database.
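Before a VEX document is attached to an SBOM or handed to an auditor it is worth checking it against the spec, whichever tool produced it. The script below is an added example, not XOR's own tooling. It checks the fields the OpenVEX v0.2.0 spec requires (document-level @context, @id, author, timestamp and integer version; per statement a vulnerability, a valid status, a justification from the spec's five values or an impact_statement for not_affected, and an action_statement for affected) and, stricter than the spec, insists on at least one product with an @id, because a statement without a PURL cannot be joined to an SBOM. The sample document is constructed; run against the abbreviated excerpt above it would report the missing document-level @id, timestamp and version, which a full export must carry.

```python
"""Check an OpenVEX v0.2.0 document before attaching it to an SBOM.

Added example, not XOR's own tooling. Required fields follow the OpenVEX
spec (https://github.com/openvex/spec); the sample document is constructed.
"""
from __future__ import annotations

import json
import sys

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
DOC_REQUIRED = ("@context", "@id", "author", "timestamp", "version", "statements")


def validate_openvex(doc: dict) -> list[str]:
    """Return the problems found; an empty list means the document is usable."""
    errors = [f"document: missing {key}" for key in DOC_REQUIRED if key not in doc]
    if "@context" in doc and doc["@context"] != OPENVEX_CONTEXT:
        errors.append(f"document: unexpected @context {doc['@context']!r}")
    if "version" in doc and not isinstance(doc["version"], int):
        errors.append("document: version must be an integer")
    for i, st in enumerate(doc.get("statements") or []):
        where = f"statement[{i}]"
        vuln = st.get("vulnerability") or {}
        if not (vuln.get("name") or vuln.get("@id")):
            errors.append(f"{where}: vulnerability needs a name or @id")
        # Stricter than the spec: without a product PURL the statement cannot be joined to an SBOM.
        products = st.get("products") or []
        if not products or any("@id" not in p for p in products):
            errors.append(f"{where}: needs at least one product with an @id (PURL)")
        status = st.get("status")
        if status not in STATUSES:
            errors.append(f"{where}: invalid status {status!r}")
        elif status == "not_affected":
            justification = st.get("justification")
            if justification is None and not st.get("impact_statement"):
                errors.append(f"{where}: not_affected needs a justification or impact_statement")
            if justification is not None and justification not in JUSTIFICATIONS:
                errors.append(f"{where}: unknown justification {justification!r}")
        elif status == "affected" and not st.get("action_statement"):
            errors.append(f"{where}: affected needs an action_statement")
    return errors


def verdicts(doc: dict) -> list[tuple[str, str, str]]:
    """Flatten a valid document into (vulnerability, product PURL, status) rows."""
    rows = []
    for st in doc["statements"]:
        vuln = st["vulnerability"].get("name") or st["vulnerability"]["@id"]
        for product in st["products"]:
            rows.append((vuln, product["@id"], st["status"]))
    return rows


SAMPLE = {  # constructed; the shape of the excerpt above plus the document-level fields
    "@context": OPENVEX_CONTEXT,
    "@id": "https://example.com/vex/constructed-001",
    "author": "XOR Platform <security@xor.tech>",
    "timestamp": "2025-01-15T12:00:00Z",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-XXXX-XXXXX"},
        "products": [{"@id": "pkg:github/your-org/your-repo@1.2.3"}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "impact_statement": "Static analysis confirms no call path.",
    }],
}

if __name__ == "__main__":
    # Usage: python check_vex.py vex.json   (falls back to the constructed sample)
    document = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    problems = validate_openvex(document)
    for problem in problems:
        print("ERROR", problem)
    if not problems:
        for row in verdicts(document):
            print(*row)
    sys.exit(1 if problems else 0)
```

The non-zero exit on any problem is deliberate so the check can gate a CI step that attaches VEX to the SBOM; the (vulnerability, PURL, status) rows are the minimum a downstream SBOM or GRC tool needs to join the verdict to a component.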
CRA Article 13.6 compliance
The EU Cyber Resilience Act requires manufacturers to share vulnerability information in a machine-readable format. XOR's VEX output is built to provide evidence for this requirement:
- Machine-readable: JSON that standard SBOM and GRC tooling can parse
- Structured justification: Includes the specific reason (not just "not affected")
- Product identification: PURL identifiers that match SBOM entries
- Timestamps and versioning: Dated and versioned for audit trails
XOR produces evidence for CRA compliance. It does not certify compliance. That responsibility stays with the product manufacturer. Your organization remains accountable for the content of VEX statements and compliance determinations.
SBOM integration
VEX documents reference products by PURL (Package URL). If your SBOM pipeline produces CycloneDX or SPDX documents, XOR's VEX statements link to the same package identifiers, so compliance tools can enrich SBOMs with verdict information automatically, reducing manual data entry and keeping vulnerability assessments in sync across your tooling. The join only works when the identifiers agree: a VEX product @id must match the SBOM component's PURL in type, namespace and name (and in version where the VEX PURL pins one), so use the same PURL conventions in both pipelines.
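The enrichment step described above, as an added example that is not XOR's code: it matches OpenVEX products to CycloneDX components by PURL and writes each matched verdict into the SBOM's vulnerabilities[] block (CycloneDX 1.4 and later). The SBOM, the VEX document and the two mapping tables are constructed for illustration. The status mapping is one-to-one, but the justification mapping is an approximation because the CycloneDX and VEX enumerations do not line up exactly (vulnerable_code_cannot_be_controlled_by_adversary has no direct CycloneDX counterpart and is mapped to requires_configuration here). An unversioned VEX PURL, like the repository-level product in the excerpt above, is treated as covering every version of that package; that is an assumption, and if your pipeline pins versions everywhere you should make the match exact.

```python
"""Join OpenVEX statements to a CycloneDX SBOM by PURL and record the verdicts
in the SBOM's vulnerabilities[] block.

Added example, not XOR's code. The SBOM, the VEX document and the
OpenVEX-to-CycloneDX mapping tables are constructed for illustration.
"""
from __future__ import annotations

import json
from copy import deepcopy

# OpenVEX status -> CycloneDX analysis.state (one-to-one)
STATUS_MAP = {"not_affected": "not_affected", "affected": "exploitable",
              "fixed": "resolved", "under_investigation": "in_triage"}
# OpenVEX justification -> CycloneDX analysis.justification (assumption: closest counterpart)
JUSTIFICATION_MAP = {
    "component_not_present": "code_not_present",
    "vulnerable_code_not_present": "code_not_present",
    "vulnerable_code_not_in_execute_path": "code_not_reachable",
    "vulnerable_code_cannot_be_controlled_by_adversary": "requires_configuration",
    "inline_mitigations_already_exist": "protected_by_mitigating_control",
}


def parse_purl(purl: str) -> tuple[str, str, str | None]:
    """Split a Package URL into (type, namespace/name, version); qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a PURL: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]   # strip #subpath and ?qualifiers
    path, _, version = body.partition("@")               # '@' inside names is percent-encoded
    ptype, _, name = path.strip("/").partition("/")
    return ptype.lower(), name, version or None


def purl_matches(vex_purl: str, sbom_purl: str) -> bool:
    """Type and namespace/name must agree; a version pinned in the VEX PURL must agree too.
    Assumption: an unversioned VEX product covers every version of that package."""
    vtype, vname, vversion = parse_purl(vex_purl)
    stype, sname, sversion = parse_purl(sbom_purl)
    return vtype == stype and vname == sname and (vversion is None or vversion == sversion)


def sbom_components(sbom: dict):
    """Yield (bom-ref, purl) for metadata.component and every component that carries a PURL."""
    top = sbom.get("metadata", {}).get("component")
    for component in ([top] if top else []) + sbom.get("components", []):
        if component.get("purl"):
            yield component.get("bom-ref", component["purl"]), component["purl"]


def enrich_sbom(sbom: dict, vex: dict) -> dict:
    """Return a copy of the SBOM with one vulnerabilities[] entry per statement whose product is present."""
    out = deepcopy(sbom)
    entries = out.setdefault("vulnerabilities", [])
    for st in vex["statements"]:
        refs = [ref for ref, purl in sbom_components(sbom)
                if any(purl_matches(p["@id"], purl) for p in st["products"])]
        if not refs:
            continue  # statement about a product (or version) this SBOM does not contain
        analysis = {"state": STATUS_MAP[st["status"]],
                    "detail": st.get("impact_statement") or st.get("action_statement", "")}
        if st.get("justification") in JUSTIFICATION_MAP:
            analysis["justification"] = JUSTIFICATION_MAP[st["justification"]]
        entries.append({"id": st["vulnerability"]["name"],
                        "affects": [{"ref": ref} for ref in refs],
                        "analysis": analysis})
    return out


SBOM = {  # constructed CycloneDX 1.5 fragment
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app", "name": "your-repo",
                               "version": "1.2.3", "purl": "pkg:github/your-org/your-repo@1.2.3"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "example-lib", "version": "2.0.0",
         "purl": "pkg:npm/example-lib@2.0.0"},
        {"type": "library", "bom-ref": "lib-b", "name": "other-lib", "version": "0.9.0",
         "purl": "pkg:npm/other-lib@0.9.0"},
    ],
}
VEX = {  # constructed OpenVEX document; vulnerability names are placeholders
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.com/vex/constructed-002",
    "author": "XOR Platform <security@xor.tech>", "timestamp": "2025-01-15T12:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-XXXX-00001"}, "status": "not_affected",
         "products": [{"@id": "pkg:github/your-org/your-repo"}],   # unversioned: matches app@1.2.3
         "justification": "vulnerable_code_not_in_execute_path",
         "impact_statement": "Static analysis confirms no call path."},
        {"vulnerability": {"name": "CVE-XXXX-00002"}, "status": "affected",
         "products": [{"@id": "pkg:npm/example-lib@2.0.0"}],
         "action_statement": "Upgrade example-lib to a fixed release."},
        {"vulnerability": {"name": "CVE-XXXX-00003"}, "status": "fixed",
         "products": [{"@id": "pkg:npm/example-lib@1.0.0"}]},     # version mismatch: not recorded
    ],
}

if __name__ == "__main__":
    print(json.dumps(enrich_sbom(SBOM, VEX)["vulnerabilities"], indent=2))
```

Statements whose product is absent from the SBOM are dropped rather than recorded, so a VEX document covering several releases does not pollute one release's SBOM with verdicts about versions it does not ship; the original SBOM object is left untouched so the enriched copy can be written out as a separate artifact.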
Audit trail
Every XOR triage produces:
- PR comment: structured verdict with metrics (visible in GitHub)
- VEX document: for not-affected verdicts (downloadable JSON)
- Verification report: for exploitable verdicts with patching evidence
- Agent trace: the full analysis trajectory, signed as a COSE_Sign1 message (RFC 9052)
All evidence is timestamped and retained with the PR in your GitHub history, so an auditor can trace every verdict back to the CVE, the metrics used, and the remediation taken, without manual bookkeeping. Two caveats for anyone building an evidence process on this: PR comments can be edited by anyone with write access to the repository, so treat the signed agent trace (after verifying its signature) as the tamper-evident record and the comment as its summary; and the record lasts as long as the repository and its PR history do, so export the VEX documents, verification reports and traces into your own evidence store if your retention policy outlives the repository.
FAQ
What evidence formats does XOR produce?
OpenVEX (primary), CSAF VEX Profile (recommended for EU/CRA), and OSV. All are machine-readable JSON that standard SBOM and GRC tooling can parse.
Does XOR handle CRA Article 13.6 compliance?
XOR produces evidence for CRA compliance: machine-readable VEX documents, structured justifications, PURL product identifiers, and timestamped audit trails. Certification remains the manufacturer's responsibility.
How does the audit trail work?
Every triage produces a PR comment with a structured verdict, a VEX document for not-affected verdicts, a verification report for exploitable verdicts, and an agent trace signed with COSE_Sign1.
Related documentation
Automated Vulnerability Patching and PR Review
Patches CVEs automatically. Reviews every AI-generated PR with a pass/fail verification report.
Getting Started with XOR GitHub App
Install in 2 minutes, first result in 15. One-click GitHub App install, a walkthrough of the first auto-review, and the engineering KPI triad.
Platform Capabilities
One install. Seven capabilities. Prompt-driven. CVE autopatch, PR review, CI hardening, guardrail review, audit packets, and more.
Dependabot Verification
Dependabot bumps versions. XOR verifies they're safe to merge. Reachability analysis, EPSS/KEV enrichment, and structured verdicts.
Compatibility and Prerequisites
Languages, build systems, CI platforms, and repository types supported by XOR. What you need to get started.
Command Reference
Every @xor-hardener command on one page. /review, /describe, /ask, /patch_i, /issue_spec, /issue_implement, and more.
See which agents produce fixes that work
128 CVEs. 15 agents. 1,920 evaluations. Agents learn from every run.