OSSeva Patch

CVE remediation. Drop-in. Signed.

The table-stakes offering: patched binaries for the EOL OSS version you're running, delivered quarterly or out-of-cycle for critical vulnerabilities. No forks, no proprietary runtime, no per-core licensing.

What's included

  • Quarterly CVE patches for all covered versions
  • Out-of-cycle patches for CVSS 9.0+ vulnerabilities
  • Signed artifacts via GPG and Sigstore
  • Helm / Maven Central / OCI registry delivery
  • Vulnerability disclosure notifications
  • Version compatibility matrix (runtime + OS)
  • Integration with Artifactory, Nexus, Harbor
  • Erlang/OTP, JVM, and glibc compatibility validation

How delivery works

Same pull path, new registry

You configure your existing repo manager (Artifactory, Nexus, Harbor) to proxy the OSSeva registry. Your CI/CD pipeline changes zero lines.

Signed artifacts

Every OSSeva build is signed with GPG and attested via Sigstore Cosign. Your artifact integrity policy passes without a waiver.

No fork, no lock-in

OSSeva patches apply directly to upstream source. If you ever stop the subscription, you continue running the last patched version — no proprietary runtime dependency.

Verify a signed artifact

Cosign verification — RabbitMQ 3.13.7

cosign verify \
  --certificate-identity "https://osseva.io/builds" \
  --certificate-oidc-issuer "https://accounts.google.com" \
  ghcr.io/osseva/rabbitmq:3.13.7-osseva-1
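As an added example (not OSSeva's own tooling), a Python policy gate that consumes the JSON printed by `cosign verify -o json` for the image above and rejects the build unless the verified manifest digest equals the digest the pipeline actually pulled and every signature's Subject/Issuer match the expected values. The critical/optional layout follows cosign's output format; the digest and payload values are constructed sample data.

```python
"""Policy gate for the output of `cosign verify -o json` (added example, not OSSeva tooling).

`cosign verify` already enforces the certificate identity and OIDC issuer passed on
the command line; this extra step pins the verified manifest digest to the digest the
pipeline actually pulled and re-checks the identity fields recorded in every signature
payload. Digest and payload values below are constructed sample data.
"""
import json

EXPECTED_IDENTITY = "https://osseva.io/builds"
EXPECTED_ISSUER = "https://accounts.google.com"
IMAGE_REF = "ghcr.io/osseva/rabbitmq:3.13.7-osseva-1"

# Constructed: one valid signature as `cosign verify -o json` would print it.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/osseva/rabbitmq"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": EXPECTED_ISSUER, "Subject": EXPECTED_IDENTITY},
}])


def check_signatures(verify_json, pulled_digest,
                     identity=EXPECTED_IDENTITY, issuer=EXPECTED_ISSUER):
    """Return the list of policy violations; an empty list means the artifact passes."""
    payloads = json.loads(verify_json)
    if not payloads:
        return ["cosign verify returned no signatures"]
    problems = []
    for i, p in enumerate(payloads):
        signed = p.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        if signed != pulled_digest:
            problems.append(f"signature {i}: signed digest {signed} != pulled {pulled_digest}")
        opt = p.get("optional") or {}
        if opt.get("Subject") != identity:
            problems.append(f"signature {i}: subject {opt.get('Subject')!r} != {identity}")
        if opt.get("Issuer") != issuer:
            problems.append(f"signature {i}: issuer {opt.get('Issuer')!r} != {issuer}")
    return problems


if __name__ == "__main__":
    # In CI the pulled digest comes from the registry or `crane digest`; constructed here.
    violations = check_signatures(SAMPLE_VERIFY_OUTPUT, "sha256:" + "ab" * 32)
    print(f"{IMAGE_REF}: {'OK' if not violations else 'REJECTED'}")
    for v in violations:
        print(" -", v)
```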

Start getting patched this quarter.

Discovery call → scope confirmation → first patch delivery within your first quarter. Priced per cluster, not per core.