Supply-chain transparency

ThreatZ Platform SBOM

We sell an automotive SBOM platform. We publish the same kind of transparency about our own platform that we help our customers establish for theirs.

Format & standards

Format: CycloneDX 1.5 (JSON)
Generation: CI-pipeline-generated at every release; signed with our build provenance key
Components: Application code, runtime dependencies, container base images, build-time tooling
VEX: Vulnerability Exploitability Exchange documents available alongside each SBOM release
Update cadence: With every minor and patch release; emergency updates within 24h of critical CVE disclosure
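As an added example that is not ThreatZ's code, the following script shows how a recipient would consume the two artefacts described above: it loads a CycloneDX 1.5 SBOM and a CycloneDX VEX document, cross-references each VEX statement against the SBOM's component references, and separates findings the vendor has marked not affected from those that still need action. The SBOM, VEX content, component names, package URLs and CVE identifiers (CVE-EXAMPLE-nnnn) are constructed placeholders, not the platform's real inventory; signature verification of the release is assumed to have happened before this step and is not shown.

```python
import json

# Constructed sample CycloneDX 1.5 SBOM. Names, versions and purls are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.3.1",
         "purl": "pkg:generic/libfoo@2.3.1", "bom-ref": "pkg:generic/libfoo@2.3.1"},
        {"type": "library", "name": "libbar", "version": "0.9.0",
         "purl": "pkg:generic/libbar@0.9.0", "bom-ref": "pkg:generic/libbar@0.9.0"},
        {"type": "container", "name": "base-image", "version": "placeholder-digest",
         "bom-ref": "container:base-image"},
    ],
})

# Constructed sample CycloneDX VEX document. CVE ids are placeholders, not real advisories.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "affects": [{"ref": "pkg:generic/libfoo@2.3.1"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-EXAMPLE-0002", "affects": [{"ref": "pkg:generic/libbar@0.9.0"}],
         "analysis": {"state": "exploitable"}},
        # No analysis block yet: the vendor has not triaged this one.
        {"id": "CVE-EXAMPLE-0003", "affects": [{"ref": "pkg:generic/libbar@0.9.0"}]},
        # Refers to a component that is not in the SBOM: a consistency problem to flag.
        {"id": "CVE-EXAMPLE-0004", "affects": [{"ref": "pkg:generic/libbaz@1.0.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_present"}},
    ],
})

# CycloneDX analysis states that mean "no action required" for the consumer.
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_cyclonedx(text, expected_version="1.5"):
    """Parse a CycloneDX JSON document and check format and spec version."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if doc.get("specVersion") != expected_version:
        raise ValueError(f"unexpected specVersion {doc.get('specVersion')!r}")
    return doc


def component_index(sbom):
    """Map each component's bom-ref (falling back to purl) to the component."""
    index = {}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("purl")
        if ref:
            index[ref] = comp
    return index


def triage(sbom_text, vex_text):
    """Join VEX statements to SBOM components and bucket them for the consumer."""
    sbom = load_cyclonedx(sbom_text)
    vex = load_cyclonedx(vex_text)
    components = component_index(sbom)
    report = {"actionable": [], "suppressed": [], "unknown_ref": []}
    for vuln in vex.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        # A statement without an analysis block is treated as still in triage.
        state = analysis.get("state", "in_triage")
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            entry = {"id": vuln.get("id", "<no id>"), "ref": ref, "state": state}
            if ref not in components:
                report["unknown_ref"].append(entry)
            elif state in CLOSED_STATES:
                entry["justification"] = analysis.get("justification")
                report["suppressed"].append(entry)
            else:
                report["actionable"].append(entry)
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SBOM, SAMPLE_VEX), indent=2))
```

The unknown_ref bucket is the check worth keeping: a VEX statement that points at a component absent from the SBOM usually means the two documents are from different releases, and the suppression should not be trusted until they are reconciled.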

How to access the SBOM

The ThreatZ platform SBOM is available to:

Request the SBOM

Send a brief email to security@uraeus.io with your organization, evaluation context, and intended use. We will respond within 2 business days with the current SBOM and applicable VEX documents.

Why not fully public?

Publishing a complete platform SBOM without context can give a head-start to adversaries who would otherwise need to enumerate components themselves. For automotive cybersecurity software in particular, our customers' procurement teams prefer that detailed dependency information is provided under a non-disclosure agreement that establishes legitimate use. We honor that preference.

This aligns with the NIST Software Supply Chain Security Guidance and the ISO/IEC 5230 (OpenChain) approach: SBOMs should be discoverable, requestable, and timely, not necessarily anonymously downloadable.

For ThreatZ customers

If you are using ThreatZ to manage SBOMs for your own vehicle programs, you can: