Every vulnerability Root tracks for your subscribed artifacts has one of three statuses. These statuses reflect where Root is in the remediation process and set expectations for when a fix will be available.

Status Definitions

Under SLA

Root has identified the vulnerability in a subscribed image or package, a fix candidate has been found, and AVR is actively working on the patch. The SLA clock is running.

SLA timelines:

Severity    SLA
Critical    7 days
High        14 days
Medium      60 days

When a vulnerability enters “Under SLA” status, you can expect a Root Patch within the timeframe above.

Fixed

Root has produced and applied a patched version of the affected package or image. The remediated artifact is available at Root’s registries. An updated SBOM and VEX statement are available documenting the fix.

No Fix Available

Root has identified the vulnerability in a subscribed artifact but cannot currently remediate it because no upstream fix or applicable patch candidate exists yet. When a vulnerability is in “No Fix Available” status:
  • The SLA clock has not started — Root cannot commit to a timeline without a fix to work from
  • Root monitors the vulnerability continuously and will begin remediation as soon as an upstream fix is available
  • You will be notified when the status changes to “Under SLA”

Viewing Vulnerability Status

Vulnerability statuses are visible in the Root platform UI per-artifact and in the aggregate vulnerability report. They’re also available via the Root API for integration into your ASPM or ticketing tools. See Vulnerability Reports for details on accessing and exporting status data.