Producer Guide
Guidance for organizations that build and distribute software
You manufacture, supply, or distribute software and need to provide transparency information to your customers. This guide helps you understand what to include and how to deliver it — whether you're starting from scratch or refining an existing process.
New to SBOMs?
A Software Bill of Materials (SBOM) is a machine-readable inventory of your software's components. If this is unfamiliar, start with the Explorer Guide for a full introduction.
Get Started
Review content requirements
Understand what information consumers expect in your SBOMs, VEX (Vulnerability Exploitability eXchange) statements, and VDR (Vulnerability Disclosure Report) documents, from component identity to vulnerability disclosures. Content Requirements →
Ensure your SBOMs meet content expectations
SBOM generation tooling is widely available and out of scope here. This framework focuses on what your SBOMs should contain and how to communicate vulnerability impact via VEX.
Operationalize transparency
Learn when to issue new SBOMs, how to handle update triggers, and how to respond to customer requests. Operational Model →
Framework Sections
Content Requirements
What to include in your SBOMs, VEX, and VDR — component identity, supplier info, vulnerabilities, licenses, and more.
Operational Model
How to integrate transparency into your workflows — triggers, delivery, updates, and customer communication.
Assessment Tool
Measure your SBOM maturity and get actionable pointers for improvement.
Want to improve?
Use the Assessment Tool to evaluate your SBOM practices and get targeted recommendations for both content requirements and operational processes.
Key Responsibilities
- Generate accurate SBOMs for your products
- Communicate vulnerability impact via VEX
- Respond to customer transparency requests
- Keep SBOMs, VEX statements, and VDR documents current as your software evolves