Practical takes on supply-chain security
Compliance deep-dives, engineering posts, and product updates from the team building SBOMVault.ai.
A bad SBOM is worse than none: why document quality matters
Most SBOMs are generated to satisfy a checkbox, and create false confidence precisely because they exist. The new bar is not existence — it is quality.
Container SBOMs: accounting for the layers you actually ship
A container is your code plus an operating system plus everything in between. An SBOM that captures only app dependencies misses most of the attack surface.
EU CRA: What software vendors need to know before 2027
The EU Cyber Resilience Act applies in full from 11 December 2027, with vulnerability-reporting obligations starting in September 2026. Here's a practical breakdown of what it requires and how to prepare.
VaultScore: how we prioritize vulnerabilities (and why CVSS isn't enough)
CVSS tells you how bad a vulnerability could be in theory. VaultScore tells you how bad it is for you. Here's the math.
Why we built the Trust Portal
Sharing SBOMs with enterprise customers used to mean a Slack thread, a zip file, and a prayer. Here's how we replaced it.
SBOMs for medical devices: navigating FDA premarket cybersecurity
Section 524B of the FD&C Act (in force since March 2023) requires an SBOM in every "cyber device" premarket submission, and the FDA's September 2023 final guidance spells out what reviewers expect to see. Here's how to ship one that won't get bounced.
Open-source license compliance starts with your SBOM
The inventory you built to manage vulnerabilities already solves a problem lurking in every codebase: license risk that surfaces at the worst possible moment.
EPSS and CISA KEV: scoring vulnerabilities by real-world risk
CVSS labels too many things critical to be a useful queue. Exploitation data — EPSS and the KEV catalog — is how you sort a wall of red into the few that matter.
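The sorting the post describes, as an added illustration (this is not SBOMVault's VaultScore code and not from the post). It assumes each scanner finding carries a CVSS base score and an EPSS probability, and that KEV membership is a set of CVE IDs taken from CISA's catalogue; the findings, scores and CVE IDs below are constructed placeholders, not real records.

```python
"""Queue scanner findings by exploitation evidence rather than by CVSS alone.

Added example, not SBOMVault.ai code. Assumed inputs (not from the page):
a list of findings with CVSS base score and EPSS probability, plus a set
of CVE IDs present in CISA's Known Exploited Vulnerabilities catalogue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: float  # CVSS v3.x base score, 0.0 - 10.0: theoretical severity
    epss: float  # EPSS probability of exploitation in the next 30 days, 0.0 - 1.0


# Constructed sample findings; CVE IDs are placeholders, not real entries.
SCAN = [
    Finding("CVE-2099-0001", "libimage", 9.8, 0.003),  # critical on paper, rarely exploited
    Finding("CVE-2099-0002", "webfw",    7.5, 0.940),  # only "high", but exploited in the wild
    Finding("CVE-2099-0003", "jsonlib",  9.1, 0.120),  # critical and likely to be exploited
    Finding("CVE-2099-0004", "zlibx",    5.3, 0.001),  # medium, no exploitation signal
    Finding("CVE-2099-0005", "sshd",     8.8, 0.050),  # high, weak exploitation signal
]

# Constructed stand-in for the KEV catalogue (in practice, the cveID values
# from CISA's known_exploited_vulnerabilities.json feed).
KEV = {"CVE-2099-0002"}


def tier(f, kev, epss_hot=0.10):
    """0 = in KEV, 1 = EPSS above threshold, 2 = CVSS-critical only, 3 = everything else."""
    if f.cve in kev:
        return 0
    if f.epss >= epss_hot:
        return 1
    if f.cvss >= 9.0:
        return 2
    return 3


def by_cvss(findings):
    """The naive queue: highest CVSS first. Used here only for contrast."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def triage(findings, kev, epss_hot=0.10):
    """Work-queue order: KEV first, then likely-exploited, then CVSS-critical, then the rest.

    Within a tier, higher EPSS wins; CVSS only breaks ties.
    """
    return [f.cve for f in sorted(findings,
                                  key=lambda f: (tier(f, kev, epss_hot), -f.epss, -f.cvss))]


def first_wave(findings, kev, epss_hot=0.10):
    """What to patch this cycle: KEV entries plus anything above the EPSS threshold."""
    return [f.cve for f in findings if tier(f, kev, epss_hot) <= 1]


if __name__ == "__main__":
    print("CVSS-only order:", by_cvss(SCAN))
    print("Exploitation-aware order:", triage(SCAN, KEV))
    print("Patch now:", first_wave(SCAN, KEV))
```

The EPSS threshold is a policy knob, not a constant from the page: 0.10 is a common starting point, and the right value depends on how much patching capacity a team has. Note how the CVSS-only queue puts the one actively exploited CVE fourth.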
Generating SBOMs in your CI/CD pipeline without slowing builds
The most reliable SBOM is the one your build produces automatically, every release. How to wire it into CI/CD — including the gate mistake to avoid.
VEX, explained: telling customers which CVEs actually matter
A scanner says you have 600 vulnerabilities; most are not exploitable in your product. VEX is how you say so in a way a machine can read.
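What "machine-readable" means in practice, as an added example that is not SBOMVault's own code: a constructed CycloneDX 1.5 VEX document is applied to a scanner's findings, and the findings it closes are separated from the ones that stay open. It assumes the scanner reports (CVE, package URL) pairs and that the VEX `affects[].ref` values are the same package URLs; CVE IDs and component names are placeholders.

```python
"""Apply a CycloneDX VEX document to scanner findings.

Added example, not SBOMVault.ai code. Assumption (not from the page): the
scanner identifies components by package URL, and the VEX document uses the
same purls as its `affects[].ref` values.
"""
import json

# Constructed CycloneDX 1.5 VEX document; CVE IDs and purls are placeholders.
VEX_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {"id": "CVE-2099-0001",
     "affects": [{"ref": "pkg:npm/imglib@2.1.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "The vulnerable decoder is never linked; only the PNG path is used."}},
    {"id": "CVE-2099-0002",
     "affects": [{"ref": "pkg:npm/webfw@4.0.1"}],
     "analysis": {"state": "exploitable", "response": ["update"],
                  "detail": "Reachable from the login handler; fix ships in 4.0.2."}},
    {"id": "CVE-2099-0003",
     "affects": [{"ref": "pkg:npm/jsonlib@1.8.0"}],
     "analysis": {"state": "in_triage"}},
    {"id": "CVE-2099-0006",
     "affects": [{"ref": "pkg:npm/tplx@3.3.0"}],
     "analysis": {"state": "not_affected"}}
  ]
}"""

# CycloneDX analysis states that close a finding. "exploitable" and "in_triage" keep it open.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Constructed scanner output: (CVE, purl). The last one has no VEX statement at all.
FINDINGS = [
    ("CVE-2099-0001", "pkg:npm/imglib@2.1.0"),
    ("CVE-2099-0002", "pkg:npm/webfw@4.0.1"),
    ("CVE-2099-0003", "pkg:npm/jsonlib@1.8.0"),
    ("CVE-2099-0006", "pkg:npm/tplx@3.3.0"),
    ("CVE-2099-0004", "pkg:npm/zlibx@0.9.0"),
]


def load_vex(text):
    """Index a CycloneDX VEX document by (vulnerability id, affected ref)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    table = {}
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        for affected in vuln.get("affects", []):
            table[(vuln["id"], affected["ref"])] = analysis
    return table


def apply_vex(findings, vex):
    """Split findings into (open, suppressed); each entry is (cve, ref, reason).

    A not_affected claim without a justification is kept open: the consumer
    has no way to check it, so it should stay visible until the vendor says why.
    """
    open_, suppressed = [], []
    for cve, ref in findings:
        analysis = vex.get((cve, ref))
        state = analysis.get("state") if analysis else None
        if state in CLOSED_STATES:
            if state == "not_affected" and not analysis.get("justification"):
                open_.append((cve, ref, "not_affected without justification"))
            else:
                suppressed.append((cve, ref, analysis.get("justification", state)))
        else:
            open_.append((cve, ref, state or "no VEX statement"))
    return open_, suppressed


if __name__ == "__main__":
    still_open, closed = apply_vex(FINDINGS, load_vex(VEX_JSON))
    print("open:", still_open)
    print("suppressed:", closed)
```

The check on unjustified `not_affected` statements is a consumer-side policy choice, not something the CycloneDX schema enforces; the schema allows the field to be absent, which is exactly why a consumer should decide explicitly what to do when it is.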
Transitive dependencies: the 80% of your SBOM you never wrote
The bulk of your attack surface is inherited, not authored — and invisible until you inventory it. Why transitive dependencies are where the risk lives.
The NTIA minimum elements, explained
The closest thing the SBOM world has to a baseline definition — its data fields, its automation requirement, and the practices most teams forget.
EO 14028, three years on: where federal SBOM requirements actually stand
An honest status check on the executive order that turned SBOMs into a procurement requirement — what is binding, what is still messy, and why it matters even if you do not sell to the government.
CycloneDX vs SPDX: how to choose an SBOM format
The two dominant SBOM formats, compared — and why the choice matters far less than the discipline of producing an SBOM at all.
What is an SBOM? A plain-English guide to the Software Bill of Materials
Strip away the acronyms and an SBOM is just an ingredients list for software. Here is what goes in one, and why it became unavoidable.
The xz backdoor: what CVE-2024-3094 means for your supply chain
A contributor spent two years earning a maintainer's trust, then planted a backdoor in xz that reached rolling and pre-release Linux distributions before it was caught. Here is what it teaches about supply-chain risk.