Tacit is a vulnerability management platform built for product security teams. It covers the full vulnerability lifecycle, from detection and triage to structured disclosure and audit evidence generation. Core workflow: 1. Detect vulnerabilities - Monitors publisher advisories for new vulnerability disclosures - Imports SBOMs from CI/CD pipelines to track dependency exposure per build and commit - Aggregates vulnerability signals from multiple sources into a single platform 2. Triage what matters - Reviews CVE alerts and publisher statements to validate applicability - Allows teams to set a clear status on each alert - Carries forward past triage decisions per CVE to reduce noise on recurring or updated advisories 3. Disclose with control - Publishes vulnerability updates as structured statements rather than raw CVE entries - Each statement includes affected status, fixed versions, mitigations, and supporting attachments - Delivers disclosures to specific audiences with granular visibility controls 4. Provide evidence on demand - Maintains an exportable record of what was shared, when, and to whom - Attaches supporting artifacts to each requirement - Supports regulatory frameworks including NIS2 and the EU Cyber Resilience Act (CRA) Use cases include software supply chain risk management, vulnerability response and disclosure coordination, and producing evidence for audits, RFPs, and regulatory reviews.