The Original Intent of SBOMs in Supply Chain Security
Software Bills of Materials (SBOMs) were introduced to enhance visibility into the components within software products. The core idea was to provide an ingredients list for software, enabling organizations to assess and secure their supply chains more effectively. By mandating SBOMs in 2021, regulators aimed to create a standardized approach to tracking software dependencies and mitigating risks from outdated or vulnerable components.
However, while SBOMs offer detailed insight into software compositions, they fall short of providing actionable information on the exploitability of known vulnerabilities. This gap necessitated the parallel development of Vulnerability Exploitability eXchange (VEX) statements. VEX was intended to clarify whether known vulnerabilities in SBOM components could be exploited in specific use scenarios. Together, SBOMs and VEX were envisioned as a dual toolset to counteract the growing threat landscape.
Rising Attacks Despite SBOM Adoption
Despite their promise, the adoption of SBOMs and VEX has not curtailed the rise in supply chain attacks. The year 2026 saw significant incidents, such as the Trivy and Axios attacks, which impacted tens of thousands of organizations globally. These breaches emphasize that the presence of SBOMs alone is insufficient to prevent sophisticated exploitation.
Security researcher Devashri Datta attributes these failures not to the lack of data but to its inadequate utilization. Organizations face challenges in effectively interpreting the wealth of information provided by SBOMs, VEX statements, vulnerability intelligence, and third-party disclosures. The result is decision-making that often remains inconsistent, reactive, and difficult to justify, leaving systems exposed to preventable risks.
Challenges in Maintaining Updated SBOMs
One of the operational issues undermining the utility of SBOMs lies in their lack of standardization for updates. Software providers are required to generate new SBOMs for every build, update, or patch. However, they are not uniformly mandated to share these updates with all customers unless explicitly requested. This creates gaps in awareness, as many organizations may unknowingly rely on outdated SBOMs.
While some jurisdictions and industries are implementing stricter regulations to address this inconsistency, the pace of change remains uneven. This lack of uniformity hinders the ability of organizations to maintain a comprehensive and current understanding of their software environments.
Inconsistencies in VEX Adoption
VEX statements, despite their potential, have struggled to gain widespread traction among software providers and security teams. The variability in the quality and clarity of VEX declarations often undermines their effectiveness. For instance, vague or incomplete statements about exploitability can lead to either overreaction or complacency within organizations.
Moreover, the absence of a standardized framework for VEX issuance complicates its integration into existing security workflows. Without consistent and transparent communication, VEX fails to fulfill its role as a critical complement to SBOMs in risk assessment and mitigation strategies.
The Need for Decision Clarity in Security Practices
The overarching issue lies in the interpretation and application of available security data. While SBOMs and VEX provide a wealth of information, their potential remains unfulfilled due to the lack of structured decision-making processes. Security teams often struggle to prioritize actions based on this data, leading to inefficiencies and missed opportunities to preempt threats.
To address this challenge, organizations must invest in capabilities that enhance their ability to derive actionable insights from SBOMs and VEX. This includes adopting advanced analytical tools, fostering collaboration between security and compliance teams, and ensuring that updated SBOMs and high-quality VEX statements are consistently integrated into their workflows.
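As an added example that is not part of the original article, the Python sketch below shows one shape such a structured decision process can take: it joins scanner findings to SBOM components and supplier VEX statements, maps each VEX status to an action, and flags a stale SBOM or an unjustified "not_affected" claim so that those data-quality gaps default to remediation rather than silent acceptance. Status names are modelled on OpenVEX (the article names no specific VEX format), and all identifiers and sample data are constructed placeholders.

```python
from datetime import date

# Status vocabulary modelled on OpenVEX (assumption: the article names no VEX format).
ACTION_FOR_STATUS = {"affected": "remediate", "fixed": "verify_fix",
                     "under_investigation": "monitor", "not_affected": "accept"}

def triage(sbom, findings, vex_statements, today, max_sbom_age_days=30):
    """Return (actions, issues): a decision per finding plus the data-quality
    problems the article describes; each problem falls back to 'remediate'."""
    actions, issues = {}, []
    if (today - sbom["generated"]).days > max_sbom_age_days:
        issues.append("stale_sbom")  # components may have changed since generation
    index = {(s["vuln"], s["product"]): s for s in vex_statements}
    for vuln, component in findings.items():
        stmt = index.get((vuln, component))
        if component not in sbom["components"]:
            problem = "finding_not_in_sbom"      # scanner and SBOM disagree
        elif stmt is None:
            problem = "vex_missing"              # no supplier statement: assume exploitable
        elif stmt.get("status") not in ACTION_FOR_STATUS:
            problem = "vex_unknown_status"
        elif stmt["status"] == "not_affected" and not stmt.get("justification"):
            problem = "vex_unjustified_not_affected"  # the vague statement the text warns about
        else:
            actions[vuln] = ACTION_FOR_STATUS[stmt["status"]]
            continue
        issues.append(f"{problem}:{vuln}")
        actions[vuln] = "remediate"
    return actions, issues

# Constructed sample inputs with placeholder identifiers (not real vulnerabilities).
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_SBOM = {"generated": date(2026, 1, 5),
               "components": {"pkg:npm/example-http@1.2.3", "pkg:golang/example-scan@0.9.0"}}
SAMPLE_FINDINGS = {"VULN-PLACEHOLDER-1": "pkg:npm/example-http@1.2.3",
                   "VULN-PLACEHOLDER-2": "pkg:npm/example-http@1.2.3",
                   "VULN-PLACEHOLDER-3": "pkg:golang/example-scan@0.9.0",
                   "VULN-PLACEHOLDER-4": "pkg:pypi/not-in-sbom@2.0.0"}
SAMPLE_VEX = [
    {"vuln": "VULN-PLACEHOLDER-1", "product": "pkg:npm/example-http@1.2.3",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln": "VULN-PLACEHOLDER-2", "product": "pkg:npm/example-http@1.2.3",
     "status": "not_affected", "justification": None},
    {"vuln": "VULN-PLACEHOLDER-3", "product": "pkg:golang/example-scan@0.9.0",
     "status": "under_investigation"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_SBOM, SAMPLE_FINDINGS, SAMPLE_VEX, today=SAMPLE_TODAY))
```

Every issue the function records is an auditable reason for a decision, which is what makes the resulting prioritisation consistent and justifiable rather than reactive.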