
Platform for product security teams to detect, triage, and disclose vulnerabilities.

Tacit is a vulnerability management platform built for product security teams. It provides an integrated workflow covering the full vulnerability lifecycle: detection, triage, disclosure, and audit evidence generation.

The platform enables teams to monitor publisher advisories and import SBOMs (Software Bill of Materials) from CI/CD pipelines to track dependency exposure across builds and commits. When vulnerabilities are identified, Tacit helps teams triage CVE alerts by reviewing publisher statements, validating applicability, and setting statuses. It carries forward past triage decisions to reduce noise when new statements are published.

For disclosure, Tacit allows teams to publish structured vulnerability statements rather than raw CVE entries. Each statement can include impact assessments ("Am I affected?"), fixed versions, mitigations, and supporting attachments, with granular control over audience visibility.

The platform also supports audit and compliance workflows, maintaining exportable records of what was shared and when, with artifacts tied to specific requirements. It includes support for regulatory frameworks such as NIS2 and the EU Cyber Resilience Act (CRA).

Key use cases include:

- Software supply chain risk management
- Vulnerability response and disclosure
- Audits, RFPs, and regulatory reviews

Tacit targets security and engineering teams within software product companies that need to manage vulnerability signals from multiple sources, coordinate internal response, and communicate clearly with customers, partners, and regulators.