CRA Ledger home
Join early access
Back to resources

Vulnerability review9 min readUpdated May 22, 2026

Why vulnerability review needs evidence history

See how CVE triage, ownership, SLA pressure, review decisions, and remediation updates become retained product-security evidence.

For product security and compliance teams

A finding is not a review record.

A scanner result is not the same as a review record. For readiness, teams need retained context showing what was found, who reviewed it, what decision was made, what remediation happened, and when.

Why scanner exports are not enough

Scanner exports show findings at a point in time. They often do not preserve product-version context, ownership, rationale, remediation state, and review history.

That missing context matters later when a team needs to explain whether a finding affected a release and how the decision changed.

Scanner result

FindingSeverityComponentScan time

Review record

Product versionOwnerDecision rationaleRemediation stateSLA pressureTimestampsLinked SBOM

What teams usually track today

Vulnerability handling is already spread across the tools teams use to ship software.

  • Scanner exports.
  • CVE lists.
  • Jira or issue tickets.
  • Spreadsheets.
  • Email approvals.

Why that breaks down

Across product releases, scattered evidence becomes stale or hard to reconstruct. A closed ticket may not show which product version was reviewed, which SBOM record informed the decision, or whether remediation updates were preserved.

CVE review evidence timeline

Useful evidence follows the risk review, not just the first finding.

Finding detected

Severity reviewed

Owner assigned

SLA pressure tracked

Decision recorded

Remediation updated

Evidence retained

What a useful review record includes

A review record should keep enough context to make decisions understandable after handoffs and releases.

CVE or vulnerability ID.

Affected component.

Product version.

Severity.

Owner or reviewer.

Decision and rationale.

Remediation status.

SLA state.

Timestamp.

Linked SBOM or product record.

Field 01

CVE / vulnerability ID

Field 02

Affected component

Field 03

Product version

Field 04

Severity

Field 05

Owner / reviewer

Field 06

Decision / rationale

Field 07

Remediation status

Field 08

SLA state

Field 09

Timestamp

Field 10

Linked SBOM / product record

Decision rationale examples

Teams need concise rationale, not mystery statuses. These examples are decision context only and do not imply a formal VEX workflow.

Decision

Affected

Decision

Not affected

Decision

Mitigated

Decision

Accepted risk

Decision

Pending remediation

Remediation evidence

A remediation trail should show ownership, state changes, blocked work, updates, and final decision context. This lets release and compliance reviewers see whether an item is merely detected, actively handled, or ready for a next decision.

Reporting context

From 11 September 2026, CRA reporting obligations for actively exploited vulnerabilities and severe incidents apply. This guide is not legal advice; teams should confirm reporting duties with counsel and official guidance.

How CRA Ledger supports this workflow

CRA Ledger keeps vulnerability review, ownership, SLA pressure, remediation updates, and retained evidence connected to the product version.

See Product findings reviewReview retained evidence history

Vulnerability review evidence checklist

A practical review pass should answer these questions without relying on one person remembering the ticket history.

Can the finding be traced to a product version and component?

Is ownership visible?

Is the decision rationale retained?

Are SLA pressure and blocked work visible where relevant?

Do remediation updates stay attached to the product history?

Can a later review see timestamps and review state?

Product alignment

How CRA Ledger maps this into a workflow

Product-version record

Released versions are anchored with metadata.

SBOM retained

Original formats are retained with source-artifact context.

Vulnerability review tracked

CVE triage decisions document ownership.

Remediation status connected

Fix updates and SLA tracking stay visible.

Decisions & timestamps preserved

Provenance is recorded for every decision.

Readiness evidence summarized

Evidence summaries keep output context reviewable.

See the product workflow

CRA Framework

References and official sources

These references point to official EU sources. This guide is informational and does not replace legal advice.

Regulation (EU) 2024/2847 — official EUR-Lex text

Official regulation text for the Cyber Resilience Act, including Article 13, Article 14, Article 31, Annex I, Annex VII, and Article 71.

European Commission CRA overview

Scope, readiness context, and the CRA timeline overview.

European Commission CRA reporting page

Reporting duties that apply from 11 September 2026.

Referenced sections in Regulation (EU) 2024/2847:

Article 13
Manufacturer obligations.
Article 14
Reporting obligations.
Annex I
Vulnerability handling requirements.
Article 31 and Annex VII
Technical documentation context where review evidence is relevant.

Notice

Operational guidance only. Confirm product scope and CRA duties with official sources and advisers.

CRA Ledger supports readiness workflows and evidence organization. It does not guarantee compliance or replace legal advice.

See how CRA Ledger keeps vulnerability review evidence connected.

Related resources

Continue through the evidence workflow

CRA readiness guideSBOM evidence guideVulnerability remediationBrowse all resources