Templates
Reusable templates for SBOM communications, requests, and documentation
Templates provide starting points for common SBOM communications and documents. Customize them to your organizational context; tone, level of detail, and specific requirements will vary. Using templates makes routine communications more consistent while reducing the effort needed to produce them.
Supplier SBOM Request Template
Email Subject: SBOM Request for [Product Name] [Version]
Dear [Supplier Contact],
As part of our supply chain security program, we are requesting a Software Bill
of Materials (SBOM) for the products we deploy from [Supplier Name].
PRODUCT AND VERSION:
[Product Name] version [X.Y.Z] currently deployed in our environment
REQUIREMENTS:
- Format: CycloneDX 1.6+ or SPDX 2.3+ (JSON or XML)
- Scope: All direct and transitive dependencies
- Content: Component names, versions, PURLs, and license information
- Delivery: Please upload to our customer portal or email to [email address]
- Timeline: By [Date - typically 30-60 days from request]
PURPOSE:
This SBOM will support our vulnerability management and regulatory compliance
obligations under [NIS2 / CRA / federal procurement / etc.]. We use SBOMs to
rapidly assess impact when security advisories are published, enabling faster
response and reducing risk.
ONGOING UPDATES:
For future releases, we request that an updated SBOM be provided within 24-48 hours of
software delivery. We are happy to discuss integration approaches that minimize
overhead for your team.
SUPPORT:
If you need guidance on SBOM generation, we can provide resources and tool
recommendations. SBOM requirements are becoming standard across the industry,
and early implementation provides a competitive advantage.
Please confirm receipt of this request and expected delivery timeline.
Thank you,
[Your Name]
[Title]
[Contact Information]
Customer SBOM Availability Notification Template
Subject: SBOM Now Available for [Product Name] [Version]
Dear [Customer Name],
We are pleased to announce that a Software Bill of Materials (SBOM) is now
available for [Product Name] version [X.Y.Z].
DOWNLOAD LOCATIONS:
- Customer Portal: [URL]
- Direct Download: [URL]
- API Access: [URL/documentation]
FORMATS AVAILABLE:
- CycloneDX 1.6 (JSON): [filename].cdx.json
- SPDX 2.3 (JSON): [filename].spdx.json [if applicable]
- Cryptographic Signature: [filename].sig
VERIFICATION:
To verify SBOM authenticity, see our verification guide:
[URL to verification instructions]
Public Key Fingerprint: [fingerprint]
WHAT'S INCLUDED:
This SBOM enumerates all software components in [Product Name], including:
- Direct and transitive dependencies (full dependency tree)
- Component versions and identifiers (PURLs)
- License information
- Supplier/author details
- Cryptographic hashes for integrity verification
UPDATES:
We provide updated SBOMs with each product release. Subscribe to SBOM update
notifications at [URL] or via our customer portal.
QUESTIONS?
For questions about the SBOM or assistance using it for your security or
compliance workflows, contact us at [email address].
ABOUT SBOMS:
Software Bills of Materials provide transparency into software composition,
enabling faster vulnerability assessment, license compliance verification, and
supply chain risk management.
Thank you for your business,
[Your Name / Team Name]
[Product Security Team]
[Contact Information]
VEX Communication Template (Not Affected)
Subject: [Product Name] Not Affected by [CVE-ID]
Date: [YYYY-MM-DD]
Product: [Product Name]
Affected Versions: All versions
CVE: [CVE-ID]
Severity: [CVSS Score / Severity Level]
Status: NOT AFFECTED
SUMMARY:
[Product Name] includes [Component Name] version [X.Y.Z], which is listed as
affected by [CVE-ID]. However, after thorough analysis, we have determined
that [Product Name] is NOT exploitable via this vulnerability.
ANALYSIS:
[CVE-ID] affects the [specific functionality] in [Component Name]. [Product Name]
uses [Component Name] but does not invoke the vulnerable functionality. The
vulnerable code path is not reachable through any [Product Name] feature or API
endpoint.
JUSTIFICATION:
- Justification Code: vulnerable_code_not_in_execute_path
- Details: [Product Name] uses only the [safe subset] of [Component Name] APIs.
The vulnerable [function/module] is never invoked in any product code path.
VERIFICATION:
We verified this assessment through:
- Static code analysis of all call paths to [Component Name]
- Dynamic testing confirming vulnerable code is unreachable
- Security team review of component usage patterns
VEX DOCUMENT:
Machine-readable VEX document available at: [URL]
Format: CycloneDX 1.6 VEX / CSAF VEX [as applicable]
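The machine-readable document referenced above, built from the template's fields in Python as an added example (not code from this page). The product bom-ref, the sample CVE and the CISA-to-CycloneDX justification crosswalk are this example's own assumptions; `vex_problems` is the consumer-side check that a "not affected" claim actually carries a justification and rationale.

```python
import re

# Crosswalk from the CISA/OpenVEX justification labels (the template above uses
# "vulnerable_code_not_in_execute_path") to the CycloneDX 1.6 analysis.justification
# enum. The mapping is this example's choice, not a normative table from either spec.
CDX_JUSTIFICATION = {
    "component_not_present": "code_not_present",
    "vulnerable_code_not_present": "code_not_present",
    "vulnerable_code_not_in_execute_path": "code_not_reachable",
    "vulnerable_code_cannot_be_controlled_by_adversary": "protected_by_mitigating_control",
    "inline_mitigations_already_exist": "protected_by_mitigating_control",
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_not_affected_vex(product_ref, cve_id, justification, detail):
    """Return a CycloneDX 1.6 VEX document (as a dict) stating product_ref is not affected.

    product_ref is the bom-ref (typically the PURL) of the product in its SBOM, so a
    consumer can join this statement to the SBOM it received (assumed scheme).
    """
    if not CVE_RE.match(cve_id):
        raise ValueError(f"malformed CVE id: {cve_id}")
    if justification not in CDX_JUSTIFICATION:
        raise ValueError(f"unknown justification: {justification}")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "vulnerabilities": [{
            "id": cve_id,
            "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve_id}"},
            "analysis": {"state": "not_affected",
                         "justification": CDX_JUSTIFICATION[justification],
                         "detail": detail},
            "affects": [{"ref": product_ref}],
        }],
    }


def vex_problems(doc):
    """Consumer-side check: a not_affected claim needs a justification, a written
    rationale and at least one affected ref, otherwise it cannot be acted on."""
    problems = []
    for v in doc.get("vulnerabilities", []):
        a = v.get("analysis", {})
        if a.get("state") == "not_affected" and not a.get("justification"):
            problems.append(f"{v.get('id')}: not_affected without justification")
        if a.get("state") == "not_affected" and not (a.get("detail") or "").strip():
            problems.append(f"{v.get('id')}: not_affected without rationale")
        if not v.get("affects"):
            problems.append(f"{v.get('id')}: no affected product refs")
    return problems
```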
CUSTOMER ACTIONS:
No action required. [Product Name] is not vulnerable to [CVE-ID].
QUESTIONS:
For questions about this assessment, contact our security team at [email].
[Company Name] Security Team
VEX Communication Template (Affected + Fixed)
Subject: Security Advisory: [CVE-ID] Fixed in [Product Name] [New Version]
Date: [YYYY-MM-DD]
Product: [Product Name]
Affected Versions: [Version range]
Fixed Version: [New version]
CVE: [CVE-ID]
Severity: HIGH / CRITICAL
SUMMARY:
[Product Name] versions [X.Y.Z and earlier] are affected by [CVE-ID], a
[vulnerability type] vulnerability in [Component Name]. We have released
[Product Name] version [X.Y.Z+1] which remediates this vulnerability.
IMPACT:
[CVE-ID] could allow [attack scenario] if [conditions]. This affects [Product Name]
deployments where [exposure scenario].
AFFECTED VERSIONS:
- [Product Name] [version range]
FIXED VERSIONS:
- [Product Name] [new version] (released [date])
REMEDIATION:
1. Upgrade to [Product Name] [new version] or later
2. [Alternative workaround if upgrade not immediately possible]
3. Verify remediation by checking deployed version matches fixed version
UPGRADE INSTRUCTIONS:
[Link to upgrade documentation]
WORKAROUND (if upgrade not immediately possible):
[Workaround steps if applicable, or "No workaround available - upgrade required"]
TIMELINE:
- CVE Published: [Date]
- [Company] Notified: [Date]
- Assessment Completed: [Date]
- Fix Released: [Date]
- Time to Fix: [X hours/days]
VEX DOCUMENT:
Machine-readable VEX document: [URL]
Updated SBOM showing patched component: [URL]
CUSTOMER SUPPORT:
For assistance with upgrade or questions about impact, contact:
- Support: [support email/phone]
- Security: [security email]
We recommend upgrading at your earliest convenience. For critical deployments,
consider expedited change management given vulnerability severity.
[Company Name] Security Team
Supplier Performance Feedback Template
Subject: SBOM Quality Feedback for [Supplier Name]
Dear [Supplier Contact],
Thank you for providing the SBOM for [Product Name] version [X.Y.Z]. As part of our
supplier management program, we provide feedback on SBOM quality to support
continuous improvement.
OVERALL ASSESSMENT: [Excellent / Good / Needs Improvement]
POSITIVE ASPECTS:
✓ [Specific positive feedback - e.g., "Complete transitive dependency enumeration"]
✓ [e.g., "Timely delivery within 24 hours of release"]
✓ [e.g., "High-quality license information"]
AREAS FOR IMPROVEMENT:
1. [Specific improvement area - e.g., "PURL coverage"]
Current: [Metric - e.g., "45% of components have PURLs"]
Target: [Target - e.g., "90%+ PURL coverage"]
Impact: [Why it matters - e.g., "PURLs enable accurate vulnerability matching"]
2. [Another area - e.g., "Update frequency"]
Current: [Current state]
Target: [Desired state]
Impact: [Business impact]
RECOMMENDATIONS:
- [Specific actionable recommendation]
- [Another recommendation]
- [Resource or tool suggestion if helpful]
QUALITY METRICS:
- Schema Validation: [Pass/Fail]
- Completeness Score: [X/100]
- License Coverage: [X%]
- PURL Coverage: [X%]
- Transitive Depth: [X levels]
NEXT STEPS:
We would appreciate improved [specific areas] in future SBOM deliveries. If you
need assistance implementing improvements, we're happy to discuss approaches or
recommend tooling.
For [Product Name] version [Next Version], we request an SBOM that incorporates the
recommendations above.
Thank you for your partnership in supply chain transparency,
[Your Name]
[Title]
[Contact Information]
Internal SBOM Program Status Report Template
SBOM Program Status Report - [Month/Quarter] [Year]
## Executive Summary
[2-3 sentence summary of program status, key achievements, and priorities]
## Key Metrics
### Coverage
- Products with SBOMs: X/Y (Z%)
- Target: [Target %]
- Change from last period: [+/- X%]
### Quality
- Average Completeness Score: [X/100]
- Validation Pass Rate: [X%]
- Signed SBOMs: [X%]
### Operational Performance
- Avg Time to Vulnerability Assessment: [X hours]
- VEX Publication Latency: [X hours/days]
- SBOM Freshness: [X days average age]
### Supplier Engagement
- Suppliers Providing SBOMs: X/Y (Z%)
- Average Supplier Quality Score: [X/100]
- New Suppliers Onboarded This Period: [X]
## Achievements This Period
- [Specific accomplishment - e.g., "Achieved 80% product coverage milestone"]
- [e.g., "Reduced vulnerability assessment time from 48h to 8h average"]
- [e.g., "Implemented automated SBOM distribution reducing manual effort by 15 hours/week"]
## Challenges and Mitigation
### Challenge 1: [Description]
- Impact: [How it affects program]
- Mitigation: [What we're doing about it]
- Timeline: [Expected resolution]
### Challenge 2: [Description]
- Impact: [Impact description]
- Mitigation: [Mitigation approach]
- Timeline: [Timeline]
## Use Case Highlights
### Incident Response
[Example of SBOM enabling faster incident response - with metrics if possible]
### Compliance
[Progress toward regulatory compliance requirements]
### Supplier Management
[Example of SBOM-driven supplier assessment or decision]
## Upcoming Priorities
### Next Month
1. [Priority item]
2. [Priority item]
3. [Priority item]
### Next Quarter
1. [Strategic priority]
2. [Strategic priority]
## Resource Needs
- [Any resource requests - budget, tooling, personnel]
- [Blocking issues requiring executive support]
## Recommendations
[Any strategic recommendations for executive consideration]
---
**Prepared by:** [Your Name/Team]
**Date:** [Date]
**Next Report:** [Date]
SBOM Quality Rejection Notice Template
Subject: SBOM Quality Issues - [Product] [Version] - Correction Required
Product: [Product Name]
Version: [X.Y.Z]
SBOM Received: [Date]
Assessment Date: [Date]
Status: REJECTED - Corrections Required
SUMMARY:
The SBOM provided for [Product] [Version] does not meet our minimum quality
standards for operational use. Specific issues are detailed below.
QUALITY ASSESSMENT RESULTS:
Schema Validation: [Pass / FAIL]
- [If fail: specific schema errors]
Completeness Score: [X/100] (Minimum required: 70)
- Component Count: [X] (Suspiciously low for product complexity)
- Missing PURLs: [X%] of components (Target: under 10%)
- Missing Licenses: [X%] of components (Target: under 20%)
- Missing Versions: [X%] of components (Target: 0%)
Critical Issues:
1. [Specific critical issue - e.g., "No transitive dependencies enumerated"]
2. [e.g., "Schema validation failed - invalid JSON structure"]
3. [e.g., "Major components known to exist are missing from SBOM"]
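The thresholds in the assessment above, computed over a CycloneDX SBOM in Python as an added example (not code from this page). The sample SBOM is constructed for the example, the 50/25/25 completeness weighting is this example's own choice, and transitive depth is measured on the CycloneDX `dependencies` graph from the root component.

```python
# Thresholds taken from the rejection notice above.
MIN_COMPLETENESS = 70
MAX_MISSING_PURL, MAX_MISSING_LICENSE, MAX_MISSING_VERSION = 10.0, 20.0, 0.0

# Constructed sample (CycloneDX 1.6 JSON as a dict); not a real product's data.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "2.4.1"}},
    "components": [
        {"bom-ref": "a", "name": "libfoo", "version": "1.0.0", "purl": "pkg:pypi/libfoo@1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "b", "name": "libbar", "version": "2.1.0", "purl": "pkg:pypi/libbar@2.1.0"},
        {"bom-ref": "c", "name": "libbaz", "version": "0.9.0", "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["a", "b"]}, {"ref": "a", "dependsOn": ["c"]}],
}


def dependency_depth(sbom):
    """Levels below the root component in the dependency graph (0 = no graph at all)."""
    graph = {d.get("ref"): d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")

    def depth(ref, path):
        children = [c for c in graph.get(ref, []) if c not in path]  # skip cycles
        return 1 + max(depth(c, path | {ref}) for c in children) if children else 0

    return depth(root, frozenset()) if root in graph else 0


def assess_cyclonedx(sbom):
    """Score an SBOM against the notice's thresholds; returns metrics, issues and status."""
    comps = sbom.get("components", [])
    n = len(comps)
    missing = lambda f: 0.0 if n == 0 else 100.0 * sum(1 for c in comps if not c.get(f)) / n
    purl, lic, ver = missing("purl"), missing("licenses"), missing("version")
    score = round(100 - 0.5 * purl - 0.25 * lic - 0.25 * ver)  # weighting is this example's own
    depth = dependency_depth(sbom)
    checks = [
        (n == 0, "No components enumerated"),
        (depth < 2, f"No transitive dependencies enumerated (dependency depth {depth})"),
        (purl > MAX_MISSING_PURL, f"Missing PURLs: {purl:.0f}% of components (Target: under 10%)"),
        (lic > MAX_MISSING_LICENSE, f"Missing Licenses: {lic:.0f}% of components (Target: under 20%)"),
        (ver > MAX_MISSING_VERSION, f"Missing Versions: {ver:.0f}% of components (Target: 0%)"),
        (score < MIN_COMPLETENESS, f"Completeness Score: {score}/100 (Minimum required: 70)"),
    ]
    issues = [msg for failed, msg in checks if failed]
    return {"component_count": n, "completeness_score": score, "transitive_depth": depth,
            "missing_purl_pct": purl, "missing_license_pct": lic, "missing_version_pct": ver,
            "issues": issues, "status": "REJECTED" if issues else "ACCEPTED"}
```

A schema check (e.g. with the published CycloneDX JSON schema) should run before this scoring, since a document that fails validation is rejected outright.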
REQUIRED CORRECTIONS:
Must Fix (Blocking):
- [ ] [Specific correction required]
- [ ] [Another blocking issue]
Should Fix (Important):
- [ ] [Non-blocking but important improvement]
- [ ] [Another improvement]
RESUBMISSION:
Please provide a corrected SBOM by [Date - typically 14 days].
If you need assistance addressing these issues, we can provide:
- Tool recommendations for your technology stack
- Example SBOMs from similar products
- Technical consultation on SBOM generation best practices
IMPACT:
Until an acceptable SBOM is provided, we cannot:
- Complete security assessment for deployment approval
- Fulfill regulatory compliance requirements for this product
- Proceed with procurement/renewal processes [if applicable]
We value our partnership and want to work together toward successful SBOM
delivery. Please contact us with questions or for assistance.
Best regards,
[Your Name]
[Title]
[Contact Information]
SBOM Repository API Documentation Template
# SBOM Repository API Documentation
## Base URL
`https://sbom.example.com/api/v1`
## Authentication
All API requests require authentication via a bearer token:
```
Authorization: Bearer YOUR_API_TOKEN
```
Request API token through customer portal or contact [email].
## Endpoints
### List Products
GET `/products`
Returns list of all products with available SBOMs.
**Response:**
```json
{
  "products": [
    {
      "id": "product-api",
      "name": "Product API",
      "versions": ["1.2.3", "1.2.4", "1.3.0"],
      "latest_version": "1.3.0"
    }
  ]
}
```
### Get SBOM
GET `/products/{product_id}/versions/{version}/sbom`
**Query Parameters:**
- `format`: `cyclonedx` or `spdx` (default: `cyclonedx`)
**Response:** SBOM document in the requested format
### Subscribe to Updates
POST `/subscriptions`
**Request:**
```json
{
  "product_id": "product-api",
  "webhook_url": "https://your-service.com/webhook",
  "events": ["sbom.updated", "vex.published"]
}
```
**Response:**
```json
{
  "subscription_id": "sub_abc123",
  "status": "active"
}
```
### Get VEX Documents
GET `/products/{product_id}/versions/{version}/vex`
**Response:**
```json
{
  "vex_documents": [
    {
      "cve_id": "CVE-2024-1234",
      "status": "not_affected",
      "published": "2024-01-15T10:30:00Z",
      "url": "https://sbom.example.com/.../vex-CVE-2024-1234.json"
    }
  ]
}
```
### Webhook Notifications
When subscribed, you'll receive POST requests to your webhook URL:
```json
{
  "event": "sbom.updated",
  "product_id": "product-api",
  "version": "1.3.1",
  "sbom_url": "https://sbom.example.com/.../sbom.json",
  "timestamp": "2024-01-20T14:30:00Z"
}
```
### Rate Limits
- 1000 requests per hour per API token
- Webhook notifications do not count toward the rate limit
### Support
API support: [email]
Documentation: [URL]
---
## Next Steps
- Customize templates for your organization
- Store templates in accessible location for team use
- Review and update templates quarterly based on feedback
- Share effective variations with team for consistency
- Reference templates during [Producer Workflows](/docs/operational-model/workflows-producer) and [Consumer Workflows](/docs/operational-model/workflows-consumer)