BCB 538 · CMN 5.274 · PCI DSS v4.0.1

Compliance that starts at build

For financial and payment institutions, regulatory compliance is no longer solved with documentation alone. It requires verifiable hardening, timely remediation, and technical evidence for software components, without expanding a backlog that is already running at its limit. At Quor, these requirements translate into continuous operation and evidence by version.

How Quor supports these requirements in practice

97% · Reduction of CVEs in POC

+2.739 · Automatic rebuilds in the catalog

+24.095 · Fixed CVEs

What the regulator began to require

Three mandatory and auditable pillars

In December 2025, BCB 538 and CMN 5.274 elevated security controls to auditable requirements for Financial and Payment Institutions.

Art. 3, § 10 · Mandatory hardening

It is necessary to verify secure configuration profiles across all computing resources. Isolated scanning does not replace verifiable hardening.

Art. 3, § 8 · Timely correction

Vulnerabilities require a documented action plan, correction within a verifiable timeframe, and an objective record of the remediation performed.

Article 14 · Supply chain integrity

The financial institution (IF) is responsible for all software in operation, including third-party components and dependencies, with demonstrable end-to-end traceability.

PCI DSS v4.0.1

For operations within PCI DSS scope, these three pillars are added to the standard’s specific requirements, including remediation of critical vulnerabilities within 30 days, risk classification, documentation, and continuous monitoring.

Why manual remediation of CVEs does not meet the regulatory requirement

More FTEs do not solve the backlog of CVEs

Most operations still try to meet this regulatory requirement through manual remediation of CVEs: public image, scanner, manual triage, sprint-based fixes, and evidence assembled afterward for audit.

The problem is that this workflow consumes engineering resources, does not keep up with the volume of new CVEs, and keeps the backlog growing, even with more FTEs.

1:63 · For every 1 CVE addressed, 63 new ones arise in the same period.

CVEs published per month (average): 5,040

Hours per CVE (average): 6h

Capacity for 3 FTEs: 80

Chart: 5,040 new CVEs per month vs. 80 fixed

Calculation basis

-> 3 FTEs × 160h/month = 480h available

-> 480h ÷ 6h per CVE = 80 CVEs handled/month

How does Quor change that equation?

Quor reduces liabilities at the source

Built on Getup's experience with Kubernetes, Quor delivers container images compiled from source code, with a reduced attack surface and controlled builds from the start. Each release is published with zero CVEs and with technical evidence such as SBOM, verifiable provenance (SLSA), changelog, and VEX. The result is less reactive effort, lower operational cost, and less pressure on teams already affected by CVE accumulation.

How Quor delivers deadlines, traceability, and version-based evidence

Automatic rebuild

When a new CVE affects a catalog base image, Quor triggers the rebuild and republishes the fixed image within the SLA, without relying on manual triage. Each cycle is recorded in the changelog.

SLA: 7 days critical · 14 days high

What this guarantees: a contractual correction period, documented and verifiable, without depending on sprint or internal prioritization.

SBOM in standard format

Inventory of the image components and dependencies, linked to the published version.

CycloneDX · SPDX

What this guarantees: image composition in an auditable format, compatible with external tools and available by version.

Verifiable provenance

Cryptographically verifiable attestation of the artifact's origin and the build process that generated it.

SLSA Attestation

What this guarantees: source and build traceability, with signature verification and associated metadata.

Changelog by version

Objective history by image and by version: CVE, severity, affected package, fixed version, digest, and publication date.

By image · by version

What this guarantees: an auditable correction trail by version, with no manual reconciliation between teams, spreadsheets, and systems.
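The changelog fields and SLAs described above can be checked mechanically. The following is an added example, not Quor's code: it takes a constructed per-version changelog (the fields listed on this page) plus constructed OpenVEX-style statuses and reports, per CVE, whether the 7-day critical / 14-day high SLA was met. The start of the SLA clock ("affected_since") and the treatment of "under_investigation" as still counting against the SLA are assumptions, not something the page states.

```python
from datetime import date

# SLA from the page: 7 days for critical, 14 days for high. Lower severities have no SLA here.
SLA_DAYS = {"critical": 7, "high": 14}

# Constructed changelog for one image version. CVE ids and digests are placeholders.
# Assumption: 'affected_since' is the date the CVE was recorded as affecting the base image,
# and 'published' is the publication date of the fixed image (None = not yet republished).
CHANGELOG = [
    {"cve": "CVE-0000-0001", "severity": "critical", "package": "libexample",
     "fixed_version": "1.2.4", "digest": "sha256:placeholder1",
     "affected_since": date(2026, 1, 2), "published": date(2026, 1, 6)},
    {"cve": "CVE-0000-0002", "severity": "high", "package": "toolfoo",
     "fixed_version": "3.0.1", "digest": "sha256:placeholder2",
     "affected_since": date(2026, 1, 2), "published": date(2026, 1, 20)},
    {"cve": "CVE-0000-0003", "severity": "high", "package": "libbar",
     "fixed_version": "0.9.8", "digest": "sha256:placeholder3",
     "affected_since": date(2026, 1, 5), "published": date(2026, 1, 10)},
    {"cve": "CVE-0000-0004", "severity": "critical", "package": "libbaz",
     "fixed_version": None, "digest": None,
     "affected_since": date(2026, 1, 10), "published": None},
]

# Constructed VEX statuses for this version (OpenVEX status names). A CVE without a
# statement is treated as 'affected', the conservative default.
VEX = {"CVE-0000-0003": "not_affected", "CVE-0000-0004": "under_investigation"}


def assess(entry, vex, today):
    """Return the SLA outcome for one changelog entry as of 'today'."""
    status = vex.get(entry["cve"], "affected")
    if status == "not_affected":
        return "not_applicable"          # VEX says this CVE does not apply to the version
    limit = SLA_DAYS.get(entry["severity"])
    if limit is None:
        return "no_sla"                  # medium/low: no contractual deadline on this page
    # 'affected' and 'under_investigation' both count against the clock (assumption).
    end = entry["published"] or today
    elapsed = (end - entry["affected_since"]).days
    if entry["published"] is None:
        return "open_within_sla" if elapsed <= limit else "open_overdue"
    return "met" if elapsed <= limit else "missed"


def audit(changelog, vex, today):
    """Map each CVE in the changelog to its SLA outcome."""
    return {e["cve"]: assess(e, vex, today) for e in changelog}


def sla_breaches(changelog, vex, today):
    """CVEs that already missed the SLA or are open past it; an auditor's first question."""
    return sorted(c for c, r in audit(changelog, vex, today).items() if r in ("missed", "open_overdue"))
```

Running `audit(CHANGELOG, VEX, date(2026, 1, 15))` shows one CVE met, one missed, one not applicable, and one still open within its window.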

Compliance as a consequence

Less manual effort to support regulatory evidence

When SBOM, provenance, changelog, and VEX are created with the base image, responding to regulators no longer depends on reconciling across teams, tickets, and spreadsheets.

Criterion: Quor vs. reactive internal process

Hardening
Quor: Compiled images from source code, with a reduced attack surface from the ground up.
Reactive internal process: Manual configuration, variable between images and teams.

Correction SLA
Quor: Automatic rebuild and publication of the fixed image within the contractual SLA for critical and high CVEs.
Reactive internal process: Remediation depends on the backlog, prioritization, and a task force among teams with partial dedication. CVE inventory.

Audit trail
Quor: Changelog by version with CVE, severity, affected package, digest, and publication date.
Reactive internal process: Evidence distributed across spreadsheets, tickets, and different systems, requiring manual consolidation.

SBOM and provenance
Quor: SBOM and provenance attestation generated during the build and associated with the published version.
Reactive internal process: Official images or images already known in the environment, generally without an SBOM and provenance associated with the published version.

Applicability of vulnerabilities
Quor: Version-based VEX to indicate whether a CVE applies to the published version or is still under investigation.
Reactive internal process: Without VEX, findings enter triage without enough context to determine applicability.

Audit preparation
Quor: Technical evidence available in the Quor interface, by version, without manual reconciliation between systems.
Reactive internal process: Manual, fragmented preparation that depends on reconciling data across teams and systems.

Start here!

Complying with regulations should not increase engineering operating costs.

Quor reduces liability at the source and delivers technical evidence by version to support hardening, remediation timelines, and traceability with less manual effort.

Request an evaluation