Consumer Guide
Guidance for organizations that procure and operate software
You procure and operate software built by others. This guide explains how to request, interpret, and act on the transparency information your vendors provide (SBOMs, VEX, and VDR documents), whether you are new to SBOMs or looking to mature an existing process.
New to SBOMs?
A Software Bill of Materials (SBOM) is a machine-readable inventory of a software product's components. If this is unfamiliar, start with the Explorer Guide for a full introduction.
Get Started
Understand what to request
Learn what information you should expect from vendors in their SBOMs, VEX (Vulnerability Exploitability eXchange) statements, and VDR (Vulnerability Disclosure Report) documents. Content Requirements →
Learn to interpret SBOMs and VEX
Understand component identity, vulnerability data, and how to assess the quality of what you receive.
Integrate into your security workflows
Use transparency data in your day-to-day operations — vulnerability management, procurement decisions, and compliance. Operational Model →
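The two steps above, interpreting what you receive and folding it into vulnerability management, come down to one join: SBOM component identity on one side, VEX statements on the other. The following is an added example, not code from this guide or from any vendor, showing that join for CycloneDX JSON. It checks each component for the identity fields a consumer should insist on (name, version, purl, supplier), maps VEX `affects.ref` values to components by either `bom-ref` or purl, refuses a `not_affected` claim that carries no justification, and flags VEX references that match nothing in the SBOM (a common sign the VEX was written against a different build). The component names, versions, supplier, and vulnerability ids are constructed sample data; only the document structure follows the CycloneDX schema.

```python
"""Ingest a CycloneDX SBOM and a CycloneDX VEX document (both JSON), check the
SBOM for missing identity fields, then join VEX statements to components to
produce the list of vulnerabilities that still need action.

Component names, versions, supplier and vulnerability ids below are
CONSTRUCTED sample data; only the document structure follows CycloneDX."""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.0.0"}},
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "examplelib", "version": "1.2.3",
     "purl": "pkg:pypi/examplelib@1.2.3", "supplier": {"name": "Example Vendor"},
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "lib-b", "name": "example-utils", "version": "4.0.1",
     "purl": "pkg:npm/example-utils@4.0.1"},
    {"type": "library", "name": "vendored-parser", "version": "0.9"}
  ]
}"""

VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "lib-a"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "vulnerable function is never called"}},
    {"id": "EXAMPLE-VULN-0002", "affects": [{"ref": "pkg:npm/example-utils@4.0.1"}],
     "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-VULN-0003", "affects": [{"ref": "lib-a"}],
     "analysis": {"state": "not_affected"}},
    {"id": "EXAMPLE-VULN-0004", "affects": [{"ref": "pkg:pypi/other@1.0.0"}]}
  ]
}"""

# Identity fields a consumer should expect on every component.
REQUIRED_FIELDS = ("name", "version", "purl", "supplier")

# CycloneDX analysis states under which the vulnerability needs no further action.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def assess_quality(sbom):
    """Return {component key: [missing fields]} for components lacking identity data."""
    findings = {}
    for comp in sbom.get("components", []):
        key = comp.get("bom-ref") or comp.get("purl") or comp.get("name")
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            findings[key] = missing
    return findings


def index_components(sbom):
    """Map both bom-ref and purl to the component; VEX 'affects.ref' may use either."""
    index = {}
    for comp in sbom.get("components", []):
        for field in ("bom-ref", "purl"):
            if comp.get(field):
                index[comp[field]] = comp
    return index


def triage(sbom, vex):
    """Join VEX statements to SBOM components.

    Returns (open_items, unmatched): open_items are (id, component, reason)
    tuples for vulnerabilities that still need action; unmatched are (id, ref)
    tuples for VEX refs that point at nothing in the SBOM."""
    index = index_components(sbom)
    open_items, unmatched = [], []
    for vuln in vex.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")  # no analysis: treat as open
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            comp = index.get(ref)
            if comp is None:
                unmatched.append((vuln["id"], ref))
                continue
            if state == "not_affected" and not analysis.get("justification"):
                # A bare not_affected is an assertion, not evidence; keep it open.
                open_items.append((vuln["id"], comp["name"], "not_affected without justification"))
            elif state not in CLOSED_STATES:
                open_items.append((vuln["id"], comp["name"], state))
    return open_items, unmatched


def run(sbom_json=SBOM_JSON, vex_json=VEX_JSON):
    """Parse both documents and return (quality findings, (open items, unmatched refs))."""
    sbom, vex = json.loads(sbom_json), json.loads(vex_json)
    return assess_quality(sbom), triage(sbom, vex)


if __name__ == "__main__":
    quality, (open_items, unmatched) = run()
    for key, missing in quality.items():
        print(f"QUALITY   {key}: missing {', '.join(missing)}")
    for vid, name, reason in open_items:
        print(f"OPEN      {vid} in {name}: {reason}")
    for vid, ref in unmatched:
        print(f"UNMATCHED {vid}: ref {ref!r} not in SBOM")
```

On the sample data this reports the two components with missing identity fields, keeps EXAMPLE-VULN-0002 (exploitable) and EXAMPLE-VULN-0003 (not_affected with no justification) open, and flags EXAMPLE-VULN-0004 as referencing a component the SBOM does not contain. Feeding the open items into your ticketing or vulnerability-management system, and the quality findings back to the vendor, is the operational loop the sections below describe.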
How mature are your SBOM practices?
Use the Assessment Tool to evaluate how well you're requesting, interpreting, and acting on transparency data — and where to improve.
Framework Sections
Content Requirements
What to request from vendors — component data, vulnerability disclosures, supplier info, and license details.
Operational Model
How to use SBOMs daily — ingestion, monitoring, update triggers, and vendor communication.
Assessment Tool
Measure your organization's SBOM maturity and identify areas for improvement.
Key Responsibilities
- Request SBOMs and VEX from vendors
- Interpret component and vulnerability data
- Integrate transparency data into security workflows
- Track software composition across your environment