The time between a CVE being published and it being fixed in your environment is your exposure window. Without Root, this is measured in weeks or months. With Root, it’s measured in hours.

Without Root: The CVE Treadmill

A typical remediation cycle without Root:
  1. CVE is published
  2. Scanner detects the vulnerability in your images or packages (hours to days later)
  3. AppSec triages the finding and opens a ticket (days later)
  4. Engineering receives the ticket and investigates (days to weeks later)
  5. A fix is applied, reviewed, and merged (weeks later)
  6. The fix is deployed to production (weeks to months later)
Throughout this entire cycle, your systems remain exposed. And the next CVE is already in the queue.

With Root: Automated Remediation

When a CVE is published for a package in your Root subscription:
  1. Seconds — AVR ingests the CVE and identifies affected components
  2. Hours — Research agents analyze the vulnerability and build a remediation plan
  3. Hours to days (within SLA) — Patching agents generate and test the fix
  4. On delivery — The patched artifact is published at Root’s registries with updated SBOM, VEX, and provenance
  5. On your next pull/install — Your environment gets the fix
See Vulnerability Statuses for SLA timelines by severity.

Exposure Window Reduction

The exposure window collapses from weeks or months to the time between CVE publication and your next deployment cycle — because Root has already done the remediation work before you even know the CVE exists.

Continuous Coverage

Root doesn’t remediate once and stop. Every subscribed artifact is monitored continuously. When a new CVE is discovered for a package you’re using:
  • AVR automatically begins the remediation pipeline
  • Your existing deployment gets a patched update at the same tag or version
  • You receive notification of the new patch and updated artifacts

Zero-Day and No-Fix Scenarios

When a CVE is published with no upstream fix available, Root tracks the vulnerability and assigns it a “No Fix Available” status. As soon as an upstream fix or viable patch candidate exists, AVR begins remediation and the SLA clock starts. See Vulnerability Statuses for the full status model.