Rufilla Lucerna

Persistent, audit-ready vulnerability management for Yocto Linux

Global Impact, UK Innovation

Why we built it

Embedded products live for ten years; upstream CVE feeds refresh daily. Without a clear record of “we looked at this and decided X,” teams find themselves re-examining the same vulnerabilities every sprint. Our platform captures your security decisions and preserves them over your product’s lifetime, turning vulnerability management from a recurring headache into a manageable process.

Core capability

Ingest native Yocto JSON, SPDX, CycloneDX
Persistent ignore/accept with mandatory rationale
Multiple product support with separate tracking
Role-based access and full audit trail
REST API for CI gating
One-line Docker compose for on-prem air-gap installs
Intuitive report generation in CSV, PDF and SPDX-JSON formats

Workflow

Incorporate our Yocto layer into your build process and you’re ready to go. The platform creates a baseline from your first upload; every subsequent scan becomes a delta. Triaged CVEs leave the “Open” list and return only if the NVD score changes or you reset the flag.

Triage Taxonomy

All changes are written to PostgreSQL with user ID, timestamp and free-text rationale—providing the evidence that UK PSTI and IEC 81001-5-1 auditors look for.


Patch

Schedule back-port


Upgrade

Move to later upstream version


Ignore

Acceptable risk; reason text is versioned

Review

Needs deeper analysis; stays red and assignable


Filtering

Slice by CVSS v3, EPSS percentile, attack vector, package wild-card or Yocto layer. Saved views become shareable URLs—your subcontractors can land on the same filtered list without needing an account if the project is set to read-only.

Continuous-use features:

Diff e-mail

Overnight scan finds new high-severity CVEs; you get a three-line summary with links

Bulk operations

Select multiple medium-severity CVEs and dismiss them all with the rationale “unused configuration” in one click

API token

Gate nightly builds if critical CVEs remain open

Air-gap bundle

Export the entire database as an encrypted SQLite file for your customer security folder
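The Workflow rules above (baseline, delta, triaged CVEs returning only when the NVD score changes or the flag is reset, Review items staying visible) together with the API-token build gate, as an added Python sketch that is not Lucerna's own code: it assumes the cve-check JSON layout of package -> issue entries with id, scorev3 and status fields, and the CVE ids in the sample are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Triage:
    """One persisted decision: status, mandatory rationale, NVD score at decision time."""
    status: str                 # "patch", "upgrade", "ignore" or "review"
    rationale: str              # free-text reason; empty text is rejected
    score_at_decision: float    # CVSS v3 score seen when the decision was recorded
    reset: bool = False         # operator cleared the flag to force re-triage

    def __post_init__(self) -> None:
        if not self.rationale.strip():
            raise ValueError(f"{self.status}: rationale is mandatory")

def unpatched_findings(scan: dict) -> dict[str, float]:
    """Flatten cve-check style JSON (package -> issue list) into {cve_id: CVSS v3}."""
    found: dict[str, float] = {}
    for pkg in scan.get("package", []):
        for issue in pkg.get("issue", []):
            if issue.get("status") == "Unpatched":
                found[issue["id"]] = float(issue.get("scorev3") or 0.0)
    return found

def open_list(findings: dict[str, float], triage: dict[str, Triage]) -> dict[str, str]:
    """CVEs that belong on the Open list, each with the reason it is there."""
    still_open: dict[str, str] = {}
    for cve, score in findings.items():
        decision = triage.get(cve)
        if decision is None:
            still_open[cve] = "new"                      # never triaged: part of the delta
        elif decision.reset:
            still_open[cve] = "flag reset"
        elif decision.score_at_decision != score:
            still_open[cve] = f"score changed {decision.score_at_decision} -> {score}"
        elif decision.status == "review":
            still_open[cve] = "review pending"           # stays visible and assignable
    return still_open

def build_may_proceed(findings, triage, critical: float = 9.0) -> bool:
    """CI gate: fail while any open CVE scores at or above the critical threshold."""
    return all(findings[cve] < critical for cve in open_list(findings, triage))

# Constructed sample scan and triage store; the CVE ids are placeholders, not real entries.
SCAN = {"version": "1", "package": [
    {"name": "openssl", "issue": [{"id": "CVE-0000-0001", "scorev3": "7.5", "status": "Unpatched"},
                                  {"id": "CVE-0000-0002", "scorev3": "5.3", "status": "Unpatched"}]},
    {"name": "busybox", "issue": [{"id": "CVE-0000-0004", "scorev3": "9.8", "status": "Unpatched"},
                                  {"id": "CVE-0000-0003", "scorev3": "9.8", "status": "Patched"}]}]}
TRIAGE = {
    "CVE-0000-0001": Triage("ignore", "unused configuration: module not built", 7.5),
    "CVE-0000-0002": Triage("ignore", "not network reachable", 4.3)}  # NVD rescored since
```

Running `open_list(unpatched_findings(SCAN), TRIAGE)` reopens the rescored CVE and lists the untriaged busybox one; the gate stays closed until that critical item receives a decision.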

Compliance

This tool doesn’t “certify” a build. What it does is record which CVEs were addressed, which were dismissed and why—satisfying both the EU Cyber-Resilience Act technical documentation template and the UK PSTI risk-assessment requirement. It’s about creating a clear, auditable trail that stands up to scrutiny.
Built By People Who Actually Use It

We created this platform because we needed it ourselves. We work on long-life embedded products where security isn’t a one-time checkbox; it’s an ongoing responsibility. This tool helps us (and now you) stay on top of vulnerabilities without drowning in repetitive triage work.

Let's Innovate Together