SBOMs (Software Bills of Materials) were meant to strengthen software supply chain security. Instead, attacks are increasing, and one researcher believes the problem is not the data itself, but how organizations use it.
SBOMs were introduced and made mandatory in 2021. The intention was, and remains, to provide a list of components within software to improve visibility and better secure the supply chain.
While SBOMs provide a detailed software ingredients list, they do not provide information on any known poisons that might affect the ingredients. Vulnerability Exploitability eXchange (VEX) statements were also introduced: a VEX statement declares whether a known vulnerability in an SBOM component is exploitable in the context of its use.
Together, SBOM and VEX were designed to march in step to defeat the supply chain threat. They have failed.
Five years after their introduction, supply chain attacks are more frequent than ever. In March 2026 alone, two attacks (Trivy and Axios) reportedly infected tens of thousands of organizations.
Independent security researcher Devashri Datta, whose research has appeared on Zenodo, OpenSSF, Revenera, and more, has been researching the failure of the SBOM/VEX initiative. She talked to SecurityWeek about her current findings.
“Software supply chain security isn’t suffering from a lack of data,” she concludes. “It’s suffering from a lack of decision clarity.”
The data exists in SBOMs, VEX statements, vulnerability intelligence and third-party disclosures. “Despite all this data, security and compliance decisions remain inconsistent, difficult to justify, and often reactive. The issue isn’t visibility. It’s interpretation.”
There is also a lack of uniformity in the issuance and receipt of fresh SBOMs. While software providers are required to generate a new SBOM for every new software build (updates, patches, new versions), they are not universally required to deliver these new SBOMs to all customers. Some do, and some don’t. In many cases, if the customer doesn’t request updated SBOMs, it might be unaware that the SBOM has changed.
This is changing, and global regulations are becoming stricter, but still vary between location and industry.
The quality of VEX statements also varies. “VEX has struggled to gain traction,” says Datta, “not because of tooling limitations alone, but because organizations lack confidence in making and defending exploitability assertions. In many cases, this hesitation is driven as much by liability concerns as by technical uncertainty.”
The result, she suggests, is “Security teams rely on severity scores without context, engineering teams lack clear consistent decision criteria, and legal teams operate on disconnected disclosure data.”
The first requirement is for software customers to ensure they have current data. But then, the bigger problem – in Datta’s view – is not simply owning this data but being able to interpret it. “The real problem,” she says, “is the absence of a governance layer that can interpret changes across SBOMs over time.”
So, what is missing is not more data or another tool, but “A unified decision intelligence approach that can operate across these inputs.”
This, she continues, “Can be thought of as a governance-driven intelligence layer that interprets SBOMs as lifecycle signals, not just inventories; uses VEX as contextual input, not absolute truth; integrates third-party disclosures into risk reasoning; and produces decisions that are explainable and defensible.”
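As an added illustration, not code from the article or from Datta’s research, the following Python sketch treats two constructed CycloneDX-style SBOM snapshots as a lifecycle signal (what changed between builds), applies a VEX statement only as context that must match the version actually shipped, and records each decision with its reason. Package names, versions, vulnerability IDs and justification values are constructed placeholders.

```python
import json

# Constructed sample SBOMs (CycloneDX-style, trimmed to the fields used here).
SBOM_V1 = json.loads('{"components":[{"purl":"pkg:npm/axios","version":"1.6.0"},'
                     '{"purl":"pkg:npm/lodash","version":"4.17.21"}]}')
SBOM_V2 = json.loads('{"components":[{"purl":"pkg:npm/axios","version":"1.7.2"},'
                     '{"purl":"pkg:npm/left-pad","version":"1.3.0"}]}')
# Constructed VEX statement and constructed third-party advisories (placeholder IDs, not real CVEs).
VEX = [{"vuln": "VULN-PLACEHOLDER-1", "purl": "pkg:npm/axios", "version": "1.6.0",
        "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}]
ADVISORIES = [{"vuln": "VULN-PLACEHOLDER-1", "purl": "pkg:npm/axios", "severity": "high"},
              {"vuln": "VULN-PLACEHOLDER-2", "purl": "pkg:npm/left-pad", "severity": "low"}]

def diff_sboms(old, new):
    """Read two SBOM builds as a lifecycle signal: components added, removed, or re-versioned."""
    o = {c["purl"]: c["version"] for c in old["components"]}
    n = {c["purl"]: c["version"] for c in new["components"]}
    return {"added": sorted(set(n) - set(o)),
            "removed": sorted(set(o) - set(n)),
            "changed": sorted(p for p in set(o) & set(n) if o[p] != n[p])}

def decide(sbom, vex, advisories, trusted_justifications):
    """Emit explainable decisions; a VEX claim counts only if it matches the shipped version
    and carries a justification the organisation has agreed to accept."""
    current = {c["purl"]: c["version"] for c in sbom["components"]}
    decisions = []
    for adv in advisories:
        purl = adv["purl"]
        if purl not in current:
            continue  # advisory does not apply to anything in this build
        stmt = next((v for v in vex if v["vuln"] == adv["vuln"] and v["purl"] == purl), None)
        if stmt is None:
            action, why = "triage", f"{adv['severity']} severity, no VEX statement on file"
        elif stmt["version"] != current[purl]:
            action, why = "triage", (f"VEX covers {stmt['version']} but SBOM now ships "
                                     f"{current[purl]}; statement is stale")
        elif stmt["status"] == "not_affected" and stmt["justification"] in trusted_justifications:
            action, why = "accept", f"VEX not_affected ({stmt['justification']}) matches shipped version"
        else:
            action, why = "triage", f"VEX status {stmt['status']} not accepted without review"
        decisions.append({"vuln": adv["vuln"], "purl": purl, "version": current[purl],
                          "action": action, "reason": why})
    return decisions

if __name__ == "__main__":
    print(json.dumps(diff_sboms(SBOM_V1, SBOM_V2), indent=1))
    for d in decide(SBOM_V2, VEX, ADVISORIES, {"vulnerable_code_not_in_execute_path"}):
        print(d)
```

Run against the second build, the VEX statement that cleared the component in the first build no longer matches and the decision falls back to triage with that reason recorded.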
The goal is not automation alone but consistent, auditable decision-making across the lifecycle. This is increasingly urgent and important. So far, SBOM and VEX have failed to reduce supply chain attacks at a time when supply chain threats are increasing. The latest AI models in the hands of attackers have collapsed the time from vulnerability discovery to vulnerability exploitation to just hours or less. With this level of speed, defenders’ reliance on outdated documentation becomes a security liability.
At the same time, says Datta, “Regulatory pressure is increasing with SBOM mandates, secure development requirements, and supply chain transparency requirements.” Now is the time to get ahead of the problem.
“The real challenge is: ‘Can organizations explain why a decision is made and defend it later?’ Without a unified decision model, the answer is often, ‘No’.”