Introducing Tacit
Feb 24, 2026
Tacit helps software publishers assess, triage, and communicate vulnerabilities with the rigor regulators and customers now expect.
In the software industry, there’s a tacit agreement we rarely say out loud: sooner or later, our products will be affected by vulnerabilities.
What matters isn’t whether vulnerabilities happen. It’s how clearly and reliably we can assess them, remediate, and communicate relevant information to the right audience.
Today, we’re introducing Tacit: a platform built to help software publishers handle vulnerability communication with the level of rigor it now requires.
Detection is no longer the issue
Vulnerabilities are now a constant stream.
In 2025 alone, more than 48,000 CVEs were published. Automated scanners and AI-assisted tooling surface alerts across every stack, fast, at scale, and often without context.
So the question has shifted.
Finding CVEs is getting easier. Determining applicability and severity isn’t.
Most alerts require work to answer basic questions:
Are we affected or not?
If yes, which versions?
What’s the severity in our context?
What should customers do next?
When will an update land and what changes in the meantime?
Without a structured way to provide those answers, customers do what humans do: they assume the worst, and they ask.
Support and security teams get pulled into repetition, re-explaining why a CVE is “not applicable”, or rewriting the same update in multiple places.
Meanwhile, the vulnerabilities that truly require structured disclosure struggle to get the clarity and attention they deserve.
This is exactly the gap Tacit addresses.
Tacit: one trusted source of truth, with controlled visibility
Tacit is a secure space for vulnerability communication between publishers and their ecosystem.
It gives publishers a single place to publish a trusted source of truth:
what’s affected
what’s not
what’s changing
what to do next
…with the right level of visibility for each audience.
Instead of broadcasting everything to everyone, Tacit lets you share the right information with the right people: from early, limited visibility while you investigate, to broader disclosure once you’re ready.
Built for product security teams
We built Tacit specifically for software publishers and the teams that carry vulnerability communication day-to-day: security, product, engineering, and support.
Tacit helps you run three steps as one continuous workflow:
Detect what’s relevant: Import and review signals from SBOM analysis and scanner outputs, so you can focus on what might actually apply to your products.
Triage what matters: Capture your decision: under investigation, affected, not affected, remediated. Add the context customers always ask for: impacted versions, severity in your environment, and the reasoning behind your assessment.
Disclose what must be disclosed: Publish a clear statement with timestamps and update history with controlled visibility for the appropriate audience.
You do the work once. Your ecosystem reuses the answer autonomously.
Why now
Regulatory expectations around vulnerability handling and disclosure are sharply rising, especially in the EU with the Cyber Resilience Act (CRA). Under the CRA, publishers are expected to detect, assess and remediate vulnerabilities continuously over the whole product lifecycle, and to notify consumers and clients about vulnerabilities within short, legally defined timeframes. Failure to comply can lead to significant administrative fines.
At the same time, even without regulation, the pressure is already here: vulnerability volumes keep growing every year, exploit cycles are getting shorter, and customers expect both transparency and concrete remediation timelines when an issue is disclosed. Vulnerability communication is becoming a core part of how software companies demonstrate security maturity and maintain trust with regulators, customers, and partners.
Tacit is built to make this work reliable: helping teams structure, automate, and scale clear, timely, and compliant vulnerability communications rather than improvising under pressure.
The MVP is live
Tacit’s MVP is now available.
If you’re a software publisher and want to start structuring your vulnerability workflow, you can create an account and try it today.