SBOMVault.ai
Addendum version 1.0.0

SBOMVault.ai Consortium — Sharing Operating Rules

Version 1.0.0 · Effective Date: 2026-04-29

This Sharing Addendum supplements the SBOMVault.ai Master Services Agreement and governs participation in the SBOMVault Consortium ("Consortium"), a privacy-preserving cross-tenant intelligence-sharing program for organizations in the same regulated sector (e.g., financial services).

1. Purpose

The Consortium enables sector-level visibility into vendor incidents, vulnerability prevalence, malicious package observations, and supply-chain concentration patterns. The intent is to give member organizations earlier, higher-confidence threat signals than public sources can provide.

2. Anonymization

When a member organization contributes a signal, SBOMVault publishes the signal under an anonymized member alias (e.g., "Member Bank #4"). The publishing tenant's name, identifiers, employees, customers, and SBOM contents are not exposed to other members. Members may not attempt to deanonymize publishers and agree not to use any side-channel information to do so.

3. Opt-in by signal type

Contribution to the Consortium is opt-in per signal type. A member may choose to consume signals without contributing, contribute without consuming, or both. Subscriptions are configurable at any time at /consortium and may be revoked immediately.

4. Permitted signal types

  • vendor-incident — confirmed compromise, credential leak, or operational outage at a third-party supplier
  • shared-cve — newly disclosed vulnerability prevalent across member SBOM inventories
  • malicious-package — typosquatting or malicious-package observations from internal mirrors
  • concentration-warning — sector-wide concentration on a single vendor or component
  • vex-statement — coordinated VEX positions for shared CVEs

5. Permissible use of received signals

Members may use received signals for internal threat detection, prioritization, vendor management, and regulatory reporting. Members may not republish raw signals to non-members or commercial threat-feed products.

6. Data minimization

Contributed signals contain only the minimum data required for sector value: the signal type, severity, affected component or CVE, recommended action, and aggregated counts. Members will not contribute personally identifiable information (PII), customer data, account numbers, or material non-public information.

7. Liability and warranties

Signals are shared AS IS. SBOMVault.ai and contributing members make no warranty as to accuracy or completeness. Members are responsible for independently verifying any signal before acting on it. SBOMVault.ai's aggregate liability under this Addendum is limited to the fees paid for the Consortium feature in the trailing 12 months.

8. Regulatory cooperation

Members acknowledge that signals may be relevant to regulatory examinations and agree to support good-faith disclosure to relevant supervisors (FRB, OCC, FDIC, NYDFS, ENISA, etc.) where required. SBOMVault.ai will, on member request, provide affidavits attesting to a member's contribution and consumption history.

9. Term and termination

This Addendum is effective upon acceptance and continues until either party terminates. On termination, the member's prospective contribution and consumption cease; previously published signals remain available to other members for the duration of their natural lifecycle (typically 90 days).

10. Antitrust safeguards

Signal sharing is limited to cybersecurity threat intelligence. Members will not exchange competitively sensitive information (pricing, customer lists, strategic plans) through the Consortium. SBOMVault.ai monitors signal content for compliance and reserves the right to redact or remove signals that exceed scope.
By accepting this Addendum, the signing user represents that they have authority to bind their organization to its terms.