Customer discovery · Dublin · May 2026

SBOMs. Licence compliance. SLSA provenance. CVEs that never stop. When can we work on features?!

I think there's a real, recurring job here that someone outside the product team could be doing — and I'm trying to figure out whether that's true at your company, or whether I'm describing a problem you don't actually have. I'd value thirty minutes either way.

The problem · pick the closest one

Recognise any of these?

01

You've signed your first regulated enterprise customer, and their contract has teeth.

The clause your legal team agreed to commits you to remediating CRITICAL CVEs within 48 hours and producing evidence in a form the customer's compliance team accepts. You don't currently have a process that can meet that.

02

Your last ISO 27001 audit flagged supply-chain vulnerability management.

The auditor wants documented evidence that you continuously monitor and remediate CVEs in your dependencies, in a form they can sign off on. You produce a vulnerability scan once a quarter and email it to whoever asks.

03

The release line that pays the bills isn't the one your team is working on.

Your anchor customers are still on the older product line, and they're now demanding SBOMs, licence notices, and timely CVE patches as a condition of renewal. Your engineering team is on the next product and not coming back.

04

A CRITICAL CVE last month cost your team eight engineering days.

Four days establishing whether you were actually exploitable, three days producing a patched build, one day writing the customer notification. Nobody wants this to become a recurring event.

None of these describe what you're actually dealing with.

If you've read this far and the framings on this page still don't fit, that's the most useful signal you could give me. Tell me what would.

Get in touch

Thirty minutes, no pitch deck.

This is customer discovery. I want to understand whether the problem you're facing is one I can actually help with — and whether the way I'm describing it on this page lands the way I think it does. Pick a slot below.

Who I am

Twenty-five years in software engineering, DevOps, SRE, and release engineering — Pivotal, VMware, Shopify, Mechanical Orchard. I work specifically on the supply-chain side: reproducible builds, SBOM generation, dependency provenance, CVE remediation pipelines. Lately, I've been discovering I love supervising LLM agents through this kind of work — the patient, tedious compliance grind that makes other engineers run away screaming. Based in Dublin.

What I do about it

Three things I can help with.

An assessment if you don't yet know what you need. A pipeline if you know what you need but don't have time to build it. A retainer if the work is going to be recurring and you want it off your team's plate.

01 · Assessment

Compliance assessment

A short, fixed-scope engagement to map what you actually need to produce against the regime you're being held to — CRA, DORA, NIS2, ISO 27001, or a specific customer's questionnaire. You finish with a written gap analysis, a prioritised remediation list, and a defensible answer to "what do we need and what does it cost?"

02 · Build

Compliance release pipeline

I build, alongside your existing CI, a release pipeline that takes the artifacts you already produce and packages them with the compliance evidence — SBOM, licence notices, provenance attestation, VEX — automatically generated and signed at every release. After delivery, every future release of yours produces an audit-ready evidence bundle without your team thinking about it.

03 · Retainer

Well-maintained packages, on retainer.

A monthly retainer that watches the CVE feeds against your shipping artifacts, triages each finding against your actual deployment context, produces patched releases inside the SLA windows your customer contracts demand, and keeps the VEX and SBOM artifacts current. You stop being in permanent reactive mode; the customer's security team gets evidence in the form they already accept.