FAQ resource for What are CRA remediation metrics?.
Answer
When `vg scan --vulns` runs in a git repository, Vibgrate attributes each vulnerability to the commit that introduced the affected version and measures how long you have been exposed. Those exposure windows roll up into remediation metrics framed around the EU Cyber Resilience Act (CRA): open counts by severity, mean and maximum time exposed, and per-severity SLA breaches. They show whether remediation keeps pace; they are not a compliance certification.