Consumer Guide
Orientation for organisations that procure and operate software and need visibility into what they run
Organisations that procure and operate software need visibility into what's running in their environment. Transparency artifacts from suppliers reveal what components are inside a product and whether known vulnerabilities affect it.
This guide covers what to expect from suppliers, how to track software composition across your environment, and how to act on vulnerability data.
What to expect from suppliers
Suppliers should provide three types of transparency artifacts:
SBOM. A Software Bill of Materials lists the components inside a product: names, versions, and dependency relationships. It tells the consumer what they are running and enables vulnerability correlation when new CVEs are disclosed.
VEX. A Vulnerability Exploitability eXchange document states whether a known vulnerability in a component affects the product. The supplier's analysis narrows the consumer's triage list to vulnerabilities that require attention, replacing per-CVE investigation with an authoritative assessment.
VDR. A Vulnerability Disclosure Report documents all known vulnerabilities across a product's components rather than addressing individual CVEs.
Content Requirements define the data quality bar: which fields, identifiers, and structures make these artifacts actionable.
Where are you starting from?
Not yet requesting SBOMs? Start with procurement. Build transparency requirements into RFPs and contracts before focusing on tooling or processes.
Already receiving SBOMs? Focus on validating quality, adopting VEX, and integrating supplier data into your security workflows. The sections below cover each of these.
Tracking software composition
Most environments contain internally developed systems and third-party products. Suppliers provide SBOMs for their products; internal teams generate their own. The consumer's challenge is consolidating both into a single inventory.
This view requires ongoing maintenance. Process updated SBOMs when suppliers release new versions. Track VEX statements as vulnerability assessments evolve.
Acting on vulnerability data
When a CVE is disclosed, consumers need to determine which products in their environment include the affected component. SBOMs make this possible by correlating the CVE's affected package against the component inventory.
A match does not mean the product is exploitable. VEX from the supplier communicates whether the vulnerability affects the product, whether a fix is available, or whether analysis is ongoing. Processing VEX alongside SBOMs eliminates redundant triage.
The Vulnerability Management use case covers the full workflow: correlation, prioritisation, and response.
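The correlation-then-VEX workflow described above, as an added example that is not part of this guide or of any supplier's tooling. It consolidates several SBOMs into one inventory keyed by Package URL, matches a disclosed advisory against that inventory, and then drops hits the supplier's VEX marks as not affected. All three inputs (SBOMs, advisory, VEX) are constructed inline in a trimmed CycloneDX-style shape; the product names, component versions and the CVE id are placeholders, and affected versions are listed explicitly rather than as ranges so the matching stays visible.

```python
from collections import defaultdict

# Constructed SBOMs (CycloneDX-style, trimmed to the fields the correlation needs).
# Component identity is the Package URL (purl); product identity comes from
# metadata.component, whose bom-ref the supplier's VEX references in affects[].ref.
SBOMS = [
    {   # supplier product
        "metadata": {"component": {"bom-ref": "vendor-gateway@3.2.0",
                                   "name": "vendor-gateway", "version": "3.2.0"}},
        "components": [
            {"purl": "pkg:maven/org.example/xml-parser@1.4.1"},
            {"purl": "pkg:maven/org.example/logging@2.0.3"},
        ],
    },
    {   # internally built service, SBOM generated by the in-house team
        "metadata": {"component": {"bom-ref": "billing-api@0.9.0",
                                   "name": "billing-api", "version": "0.9.0"}},
        "components": [
            {"purl": "pkg:maven/org.example/xml-parser@1.4.1"},
            {"purl": "pkg:pypi/requests@2.31.0"},
        ],
    },
    {   # second supplier product, already on a non-vulnerable version
        "metadata": {"component": {"bom-ref": "vendor-portal@5.1.2",
                                   "name": "vendor-portal", "version": "5.1.2"}},
        "components": [
            {"purl": "pkg:maven/org.example/xml-parser@1.5.0"},
        ],
    },
]

# Constructed advisory with a placeholder CVE id: affected purl without version,
# plus the versions known to be vulnerable.
ADVISORY = {
    "id": "CVE-0000-00001",  # placeholder, not a real identifier
    "affected": [{"purl": "pkg:maven/org.example/xml-parser",
                  "versions": ["1.4.0", "1.4.1"]}],
}

# Constructed VEX from the gateway supplier (CycloneDX VEX shape): analysis.state
# carries the supplier's assessment, affects[].ref names the product bom-ref.
VEX_DOCS = [
    {"vulnerabilities": [{
        "id": "CVE-0000-00001",
        "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
        "affects": [{"ref": "vendor-gateway@3.2.0"}],
    }]},
]

# Supplier states that need no consumer work; anything else stays on the triage list.
NO_ACTION_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def split_purl(purl):
    """Split 'pkg:type/ns/name@version' into (base, version); version may be absent.
    Qualifiers ('?arch=...') and subpaths are not handled in this example."""
    base, sep, version = purl.rpartition("@")
    return (purl, None) if not sep else (base, version)


def build_inventory(sboms):
    """Consolidate SBOMs into one inventory: purl -> set of product bom-refs shipping it."""
    inventory = defaultdict(set)
    for sbom in sboms:
        product = sbom["metadata"]["component"]["bom-ref"]
        for comp in sbom.get("components", []):
            if "purl" in comp:
                inventory[comp["purl"]].add(product)
    return inventory


def correlate(inventory, advisory):
    """Return sorted (product, purl) pairs whose component matches an affected package/version."""
    hits = []
    for entry in advisory["affected"]:
        vulnerable = set(entry["versions"])
        for purl, products in inventory.items():
            base, version = split_purl(purl)
            if base == entry["purl"] and version in vulnerable:
                hits.extend((product, purl) for product in products)
    return sorted(hits)


def vex_states(vex_docs, cve_id):
    """Map product bom-ref -> supplier analysis state for one CVE across all VEX documents."""
    states = {}
    for doc in vex_docs:
        for vuln in doc.get("vulnerabilities", []):
            if vuln.get("id") != cve_id:
                continue
            state = vuln.get("analysis", {}).get("state", "in_triage")
            for target in vuln.get("affects", []):
                states[target["ref"]] = state
    return states


def triage(sboms, advisory, vex_docs):
    """Consolidate, correlate, then apply VEX; returns only the hits still needing attention."""
    inventory = build_inventory(sboms)
    states = vex_states(vex_docs, advisory["id"])
    remaining = []
    for product, purl in correlate(inventory, advisory):
        state = states.get(product, "no_vex_statement")  # internal or silent supplier
        if state in NO_ACTION_STATES:
            continue
        remaining.append({"product": product, "component": purl,
                          "cve": advisory["id"], "state": state})
    return remaining


if __name__ == "__main__":
    for item in triage(SBOMS, ADVISORY, VEX_DOCS):
        print(item)
```

With the constructed inputs, the raw SBOM match flags both the supplier gateway and the internal billing service; the supplier's VEX removes the gateway, leaving one item whose state is "no_vex_statement", which is exactly the case an internal team has to assess itself.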
Integrating transparency into procurement
Requesting SBOMs from suppliers is a procurement activity. Set transparency expectations before contract signature, while the organisation still has negotiating leverage.
Include transparency requirements in RFPs and vendor contracts: artifact types (SBOM, VEX), format (CycloneDX or SPDX), update cadence (per release, within defined timeframes for VEX), and a minimum content quality bar based on Content Requirements.
For existing suppliers, request SBOMs as part of contract renewals or security reviews. Some suppliers will be ready; others will need time to build the capability. Either way, the requirement is on record.
The Supplier Transparency use case covers the full procurement integration.
Regulatory context
CRA and NIS2 apply to consumers as operators, not only to producers. NIS2 requires operators of essential services to manage supply chain risk, including knowing what software runs in their environment and responding to disclosed vulnerabilities. Transparency artifacts are the mechanism for meeting that obligation.
The framework defines two maturity levels. Content Requirements specify the data quality bar for artifacts: L1 covers minimum viable fields, L2 adds a higher level of completeness and signed artifacts.
The Operational Model defines corresponding operational expectations: L1 covers semi-automated generation and ad-hoc sharing, L2 adds CI/CD integration and systematic monitoring. Consumers can use these levels to set expectations for what suppliers deliver and how they deliver it.
Related workflows and use cases
Browse all Use Cases and Workflows, or start with those most relevant to consumers:
Vulnerability Management
Process supplier SBOM and VEX updates and prioritise response work.
Vulnerability Management
Impact assessment and prioritisation using SBOMs and VEX.
Supplier Transparency
Evaluate vendor software composition and manage third-party risk.
License Compliance
License obligations and compliance risk across your software inventory.
Organisations already working with supplier SBOMs can use the Maturity Assessment to benchmark capabilities across supplier management and vulnerability correlation.