Root is built for organizations with rigorous security and compliance requirements. This section covers Root’s own security posture, the certifications and attestations Root holds, and resources for procurement, legal, and compliance reviews.
Many compliance frameworks (SOC 2, PCI-DSS, FedRAMP) require that vulnerabilities be remediated within defined time windows. Root’s SLA-backed remediation provides the documented evidence auditors need:
Executive Order 14028 and emerging regulations (EU CRA, NTIA minimum elements) require SBOMs for software in production. Every Root artifact ships with an automatically generated SBOM in SPDX or CycloneDX format. See SBOMs.
VEX documents let you communicate to auditors and downstream consumers which vulnerabilities in your software are not exploitable. Root generates VEX statements alongside every Root Patch. See VEX Statements.
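The SBOM and VEX artifacts described above are only useful to an auditor if the consumer actually joins them to scanner output and suppresses nothing the VEX does not justify. The following is an added example, not Root's code or a description of how Root's pipeline works: it takes a constructed CycloneDX SBOM excerpt, a constructed list of scanner findings (the CVE identifiers are placeholders, not real advisories), and a constructed CycloneDX VEX document, and keeps a finding open unless the VEX marks it `not_affected` with a stated justification. The `triage` and `index_vex` function names and the "justification required" policy are this example's own assumptions.

```python
"""Apply CycloneDX VEX analysis states to scanner findings for an SBOM.

Added example (not the product's own code). All identifiers, components
and CVE ids below are constructed placeholders.
"""
import json

# Constructed CycloneDX SBOM excerpt: only the fields this example reads.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/debian/openssl@3.0.11", "name": "openssl", "version": "3.0.11"},
        {"bom-ref": "pkg:deb/debian/zlib@1.2.13", "name": "zlib", "version": "1.2.13"},
    ],
})

# Constructed scanner output: (vulnerability id, affected component ref).
FINDINGS = [
    {"id": "CVE-0000-0001", "ref": "pkg:deb/debian/openssl@3.0.11"},
    {"id": "CVE-0000-0002", "ref": "pkg:deb/debian/openssl@3.0.11"},
    {"id": "CVE-0000-0003", "ref": "pkg:deb/debian/zlib@1.2.13"},
]

# Constructed CycloneDX VEX: a justified not_affected, an unjustified
# not_affected, and an explicitly exploitable statement.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001",
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "Affected API is not compiled into this build."},
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11"}]},
        {"id": "CVE-0000-0002",
         "analysis": {"state": "not_affected"},
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11"}]},
        {"id": "CVE-0000-0003",
         "analysis": {"state": "exploitable"},
         "affects": [{"ref": "pkg:deb/debian/zlib@1.2.13"}]},
    ],
})


def index_vex(vex_json):
    """Map (vulnerability id, component ref) -> analysis dict from a VEX."""
    index = {}
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        for target in vuln.get("affects", []):
            index[(vuln["id"], target["ref"])] = analysis
    return index


def triage(findings, vex_json, sbom_json):
    """Return (actionable, suppressed, warnings) after applying the VEX.

    Policy assumed here: a finding is suppressed only when the VEX states
    not_affected AND gives a justification; anything else stays open so
    the audit trail never loses a finding silently.
    """
    sbom_refs = {c["bom-ref"] for c in json.loads(sbom_json).get("components", [])}
    vex_index = index_vex(vex_json)
    actionable, suppressed, warnings = [], [], []
    for finding in findings:
        if finding["ref"] not in sbom_refs:
            # Scanner and SBOM disagree about what is in the artifact.
            warnings.append(f"{finding['id']}: ref {finding['ref']} not in SBOM")
            actionable.append(finding)
            continue
        analysis = vex_index.get((finding["id"], finding["ref"]))
        if analysis is None:
            actionable.append(finding)  # no VEX statement: treat as open
            continue
        state = analysis.get("state")
        justification = analysis.get("justification")
        if state == "not_affected" and justification:
            suppressed.append({**finding, "justification": justification})
        elif state == "not_affected":
            warnings.append(f"{finding['id']}: not_affected without justification; kept open")
            actionable.append(finding)
        else:
            actionable.append(finding)
    return actionable, suppressed, warnings


if __name__ == "__main__":
    open_items, closed, notes = triage(FINDINGS, VEX_JSON, SBOM_JSON)
    print("actionable:", [f["id"] for f in open_items])
    print("suppressed:", [(f["id"], f["justification"]) for f in closed])
    print("warnings:", notes)
```

The example deliberately treats states such as `exploitable`, `in_triage`, or a missing statement as still open, and it flags a component the scanner reports but the SBOM does not list; both are the kinds of inconsistency an assessor will ask about when the VEX is offered as evidence that a finding needs no remediation.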
SLSA and SSDF frameworks require attestation of how software was built. Root’s provenance attestations provide cryptographic proof that every artifact passed through Root’s verified AVR pipeline. See Provenance.
PCI-DSS 4.0 (Requirement 6.3.3) requires that all software components are protected from known vulnerabilities. Root’s automated, SLA-backed patching and SBOM artifacts directly address these requirements. Contact Root for QSA guidance materials.