OSSeva Patch
CVE remediation. Drop-in. Signed.
The table-stakes offering: patched binaries for the EOL OSS version you're running, delivered quarterly or out-of-cycle for critical vulnerabilities. No forks, no proprietary runtime, no per-core licensing.
What's included
- Quarterly CVE patches for all covered versions
- Out-of-cycle patches for CVSS 9.0+ vulnerabilities
- Signed artifacts via GPG and Sigstore
- Helm / Maven Central / OCI registry delivery
- Vulnerability disclosure notifications
- Version compatibility matrix (runtime + OS)
- Integration with Artifactory, Nexus, Harbor
- Erlang/OTP, JVM, and glibc compatibility validation
How delivery works
Same pull path, new registry
You configure your existing repo manager (Artifactory, Nexus, Harbor) to proxy the OSSeva registry. Your CI/CD pipeline changes zero lines.
Signed artifacts
Every OSSeva build is signed with GPG and attested via Sigstore Cosign. Your artifact integrity policy passes without a waiver.
No fork, no lock-in
OSSeva patches apply directly to upstream source. If you ever stop the subscription, you continue running the last patched version — no proprietary runtime dependency.
Verify a signed artifact
Artifact verification commands are provided to customers upon onboarding. Contact us for early access to our build pipeline.
Frequently asked questions
What does a CVE patch from OSSeva include?
Each OSSeva CVE patch delivery includes the patched binary build for every affected supported version, a signed checksum file, a GPG-signed Maven artifact or a cosign-signed OCI container image, and a CVE attestation letter documenting the vulnerability ID, CVSS score, affected versions, and fix description. Assure customers also receive a compliance mapping to the relevant audit frameworks.
How does OSSeva know about CVEs before official disclosure?
OSSeva engineers actively participate in the OSS security community, monitor NIST NVD, GitHub Security Advisories, and vendor-specific mailing lists, and maintain relationships with upstream project maintainers. For technologies we support, we receive advance notice through coordinated disclosure processes and have internal tooling to detect vulnerable patterns in the codebases we maintain.
Can I verify that an OSSeva patch binary hasn't been tampered with?
Yes. OSSeva signs all Maven artifacts with a GPG key (Key ID B7C4E831, fingerprint E8A1 3F92 D4B7 C401 8E35 F067 A293 B84C E7C4 E831) and all container images using Sigstore cosign. SHA-256 checksums are also provided for every binary release. Customers can independently verify integrity before deploying in any environment.
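As an added example (not the verification commands OSSeva hands out at onboarding), here is a consumer-side script that checks a downloaded artifact against its checksum file and its detached GPG signature while pinning the fingerprint quoted above; the file and key paths, the `verify_artifact` wrapper and the cosign public-key location are assumptions.

```shell
#!/bin/sh
# Added example, not OSSeva's own tooling. Verifies a downloaded artifact the
# way a consumer should: checksum match AND a valid detached GPG signature made
# by the key whose fingerprint the page publishes, not by any key that happens
# to be in the local keyring.
set -eu

# Fingerprint from the page, spaces removed for comparison.
OSSEVA_FPR="E8A13F92D4B7C4018E35F067A293B84CE7C4E831"

# Normalise a fingerprint or digest for comparison: strip spaces, upper-case.
norm_hex() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# check_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA-256 matches, else 1.
check_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$(norm_hex "$actual")" = "$(norm_hex "$2")" ]
}

# expected_sha256 SUMS_FILE NAME -> prints the digest recorded for NAME in a
# sha256sum-style checksum file ("<hex>  <name>"); fails if NAME is absent.
expected_sha256() {
  awk -v n="$2" '$2 == n { print $1; found = 1 } END { exit !found }' "$1"
}

# check_gpg FILE SIG -> 0 only if gpg reports a VALIDSIG whose primary-key
# fingerprint (last field of the status line) equals the pinned one.
check_gpg() {
  status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  printf '%s\n' "$status" |
    awk -v f="$OSSEVA_FPR" '$2 == "VALIDSIG" && $NF == f { ok = 1 } END { exit !ok }'
}

# check_cosign IMAGE PUBKEY -> 0 if the OCI image carries a valid Sigstore
# signature by PUBKEY (path to the vendor's cosign public key; assumed).
check_cosign() { cosign verify --key "$2" "$1" >/dev/null 2>&1; }

# verify_artifact FILE SIG SUMS_FILE [IMAGE PUBKEY]: run every check and stop
# at the first failure, so a bad checksum is never masked by a later step.
verify_artifact() {
  expected=$(expected_sha256 "$3" "$(basename "$1")") || { echo "no checksum for $1"; return 1; }
  check_sha256 "$1" "$expected" || { echo "checksum mismatch: $1"; return 1; }
  check_gpg "$1" "$2" || { echo "GPG signature not from pinned key: $1"; return 1; }
  if [ $# -ge 5 ]; then
    check_cosign "$4" "$5" || { echo "cosign verification failed: $4"; return 1; }
  fi
  echo "verified: $1"
}

# Usage: sh verify.sh artifact.jar artifact.jar.asc SHA256SUMS [image pubkey]
if [ $# -ge 3 ]; then verify_artifact "$@"; fi
```

The fingerprint check in `check_gpg` is the part that matters: a plain `gpg --verify` succeeds for any key already in the keyring, so only comparing the VALIDSIG fingerprint against the published one detects a substituted signing key.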
Does OSSeva patch all CVEs or only critical ones?
OSSeva patches all CVEs with a CVSS score of 4.0 or higher that affect supported runtimes. Low-severity issues (CVSS < 4.0) are evaluated case-by-case and typically bundled quarterly. All CVE decisions are documented in the customer-facing vulnerability directory with triage notes.
What is the difference between a backport patch and a version upgrade?
A backport applies the security fix from a newer upstream version to an older EOL version, without changing the runtime's public APIs, behavior, or configuration surface. This is critical for enterprises: a backport lets you close the CVE without the compatibility testing, code changes, and operational risk of a major version migration. OSSeva specializes in surgical, tested backports — not version upgrades.
Start getting patched this quarter.
Discovery call → scope confirmation → first patch delivery within your first quarter. Priced per cluster, not per core.