AVR — Agentic Vulnerability Remediation

Root’s core technology. A fleet of AI agents — with human-in-the-loop oversight — that automates the full lifecycle of vulnerability remediation: research, patch, test, and deliver. See AVR.

Backported Patch

A fix taken from a newer version of a package and applied to an older version, preserving the version you declared while eliminating the vulnerability. One of two Root Patch types. See Root Patches.

Native Distribution Package Upgrade

A vulnerability fix delivered by applying the package maintainer’s or Linux distribution’s own updated package — used when an upstream fix is available and safe to apply. One of two Root Patch types. See Root Patches.

RIC — Root Image Catalog

Root’s secure container image registry at cr.root.io. Provides drop-in replacements for standard base images with vulnerabilities patched by AVR. See Root Image Catalog.

RLC — Root Library Catalog

Root’s secure application package registry at pkg.root.io. Serves patched versions of Python, JavaScript, and Java packages. See Root Library Catalog.

Root Patch

The unit of remediation in Root’s platform. The smallest safe change that eliminates a known vulnerability in a package or image, applied in-place without forcing version upgrades. See Root Patches.

SBOM — Software Bill of Materials

A machine-readable inventory of all components in a software artifact. Root generates and maintains SBOMs for every artifact in its registries, updated whenever a Root Patch is applied. See SBOMs.

Shift Out

Root’s movement and philosophy: open source should arrive clean and secure by default, shifting remediation out of Engineering and AppSec workflows entirely.

VEX — Vulnerability Exploitability eXchange

A machine-readable document that asserts whether a known vulnerability in a specific software component is actually exploitable. Root generates VEX statements alongside every Root Patch. See VEX Statements.

Vulnerable Package

A package or image component that contains a known security vulnerability (CVE). Root’s preferred term — not “infected package.”