From a CVE to the exact device. In hours, not weeks.

CRA vulnerability notification obligations take effect in September 2026: an early warning of an actively exploited vulnerability is due within 24 hours of the manufacturer becoming aware of it. When the SBOM lives in one tool, production records in another, and update status in a third, that timeline is impossible to meet. OnBoard™ IoT Security (OBIS) keeps all three on the same evidence chain, so the path from a CVE to the affected device serial resolves in a single query.

Every vulnerability response comes down to the same four questions.

SecOps teams do not need another vulnerability feed. They need to answer — quickly, reliably, and with an auditable record — what a given CVE means for the devices they shipped. Each of these questions has a structured answer when SBOM, VEX decisions, and device history share the same data model.

Q1 · SEVERITY

How bad is it, actually?

A CVSS base score is a starting point. OBIS layers reachability analysis, EPSS exploitation probability, and the CISA KEV catalog on top, filtering out CVEs that are irrelevant to the actual runtime environment of the device.
Q2 · BLAST RADIUS

Which devices are affected?

From Production Version to Production Batch to the Device Asset Record (DAR) — the per-device history Product Governance maintains across production and field updates — one query returns not just which devices shipped with the component, but which devices are currently running it. Devices already patched via OTA are excluded from the blast radius automatically.
Q3 · REMEDIATION

What's the fastest safe path?

Patch, mitigation, or mark as not affected — VEX disposition records the decision and rationale. Remediation flows in two directions: updates for devices already in the field, and suspended manufacturing authorization so contract factories cannot continue producing exposed devices.
Q4 · COVERAGE

Did the fix actually land?

After the update is pushed, every device writes its result into the DAR. Total affected, total remediated, current coverage — read directly from device state, not assumed from delivery logs.

From a CVE to the device's current state — one query, one answer.

Each link in the chain is recorded at the moment the data is created. The device asset record reflects the device's current state, so patched devices drop off the exposure map without manual reconciliation.

L1 · PRODUCTION VERSION

Which versions are affected.

Each firmware release SBOM (dependencies, chip-vendor packages, and build/runtime components) is bound to the Production Version at build time. An OTA update carries the SBOM binding of the Production Version it installs, extending traceability from factory to field.
L2 · PRODUCTION BATCH

Which factory runs.

Production authorization links each Batch to its Production Version. EdgeHSM signatures on the provisioning records make the association tamper-evident.
L3 · DEVICE ASSET RECORD

Which devices are still exposed.

The per-device record has two layers: an append-only event stream of production, updates, and rollbacks, and a current-state view of the firmware, certificates, and keys on the device. The exposure map is derived from current state, not history, so a rollback to a vulnerable version puts a device back on the map.

Every CVE gets a decision. Every decision gets a record.

When OBIS matches a new CVE to a Production Version, it creates an assessment workflow. The security analyst evaluates the impact and records one of four VEX dispositions.

Affected

The vulnerable code path is reachable under normal operating conditions. Triggers a remediation workflow tracked to closure.

Not Affected

The vulnerable component is present but the code path is not reachable in this Production Version, or compensating controls (boundary hardening, privilege isolation, network policy) render the vulnerability non-exploitable in this device context. Justifications are recorded using the CSAF VEX justification labels, with the rationale auditable back to the originating advisory.

Under Investigation

The CVE has matched a Production Version but the analyst has not yet committed a disposition. Held as an interim state during triage so every CVE has an explicit position from first match through resolution.

Fixed

A remediated build has been signed and released — either as a new Production Version for future manufacturing or as an Update Job for deployed devices. Deployment coverage is tracked until the exposure map clears.
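The following is an added example, not OBIS code, showing the three-level chain (Production Version, Production Batch, Device Asset Record), the blast-radius and coverage queries from Q2 and Q4, and the VEX disposition rules above in one sqlite3 model. Every record is constructed: the CVE id, component names, firmware versions, batch ids and serials are placeholders, and the table layout is an assumption rather than the product's schema. Note that a "fixed" disposition does not clear any device; only its current state does, and a rolled-back device lands back on the map.

```python
import sqlite3

# Added example, not OBIS code. All records are constructed placeholders and
# the table layout is an assumption, not the product's schema.
CVE = "CVE-EXAMPLE-0001"

VEX_STATUSES = {"affected", "not_affected", "under_investigation", "fixed"}
# Justification labels CSAF VEX allows on a not_affected statement.
VEX_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

SCHEMA = """
CREATE TABLE sbom_component(production_version, name, version);          -- L1
CREATE TABLE production_batch(batch_id PRIMARY KEY, production_version);  -- L2
CREATE TABLE dar_event(serial, seq INTEGER, event, production_version,    -- L3
                       PRIMARY KEY(serial, seq));
CREATE TABLE vuln_component(cve, name, version);
CREATE TABLE vex(cve, production_version, status, justification,
                 PRIMARY KEY(cve, production_version));
"""

# Shared CTEs: versions whose SBOM carries the vulnerable component and have no
# not_affected disposition, and each device's current state (latest DAR event).
WITH_CHAIN = """
WITH affected_pv AS (
    SELECT DISTINCT s.production_version
    FROM sbom_component s
    JOIN vuln_component v ON v.cve = ? AND v.name = s.name AND v.version = s.version
    WHERE NOT EXISTS (SELECT 1 FROM vex x WHERE x.cve = v.cve
                      AND x.production_version = s.production_version
                      AND x.status = 'not_affected')
),
current_state AS (
    SELECT serial, production_version FROM dar_event d
    WHERE seq = (SELECT MAX(seq) FROM dar_event WHERE serial = d.serial)
)
"""


def record_disposition(conn, cve, pv, status, justification=None):
    """Set the current VEX disposition; not_affected must carry a justification."""
    if status not in VEX_STATUSES:
        raise ValueError(f"unknown VEX status {status!r}")
    if status == "not_affected" and justification not in VEX_JUSTIFICATIONS:
        raise ValueError("not_affected requires a CSAF VEX justification label")
    if status != "not_affected" and justification is not None:
        raise ValueError("justification only applies to not_affected")
    conn.execute("INSERT OR REPLACE INTO vex VALUES (?,?,?,?)",
                 (cve, pv, status, justification))


def build_db():
    """In-memory chain with constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sbom_component VALUES (?,?,?)", [
        ("fw-1.4.0", "libtls", "1.2.0"), ("fw-1.4.0", "busybox", "1.36.1"),
        ("fw-1.4.0-lite", "libtls", "1.2.0"),   # same lib, vulnerable path unused
        ("fw-1.5.0", "libtls", "1.2.1"), ("fw-1.5.0", "busybox", "1.36.1"),
    ])
    conn.executemany("INSERT INTO production_batch VALUES (?,?)", [
        ("B-2025-07", "fw-1.4.0"), ("B-2025-09", "fw-1.4.0-lite"),
    ])
    conn.executemany("INSERT INTO dar_event VALUES (?,?,?,?)", [
        ("SN001", 1, "provisioned", "fw-1.4.0"),
        ("SN002", 1, "provisioned", "fw-1.4.0"), ("SN002", 2, "ota_update", "fw-1.5.0"),
        ("SN003", 1, "provisioned", "fw-1.4.0"), ("SN003", 2, "ota_update", "fw-1.5.0"),
        ("SN003", 3, "rollback", "fw-1.4.0"),    # rolled back: exposed again
        ("SN004", 1, "provisioned", "fw-1.4.0-lite"),
        ("SN005", 1, "provisioned", "fw-1.5.0"),
    ])
    conn.execute("INSERT INTO vuln_component VALUES (?,?,?)", (CVE, "libtls", "1.2.0"))
    record_disposition(conn, CVE, "fw-1.4.0", "affected")
    record_disposition(conn, CVE, "fw-1.4.0-lite", "not_affected",
                       "vulnerable_code_not_in_execute_path")
    return conn


def affected_batches(conn, cve):
    """L2: factory runs whose authorized version is exposed."""
    rows = conn.execute(WITH_CHAIN + """
        SELECT b.batch_id FROM production_batch b
        JOIN affected_pv a ON a.production_version = b.production_version
        ORDER BY b.batch_id""", (cve,))
    return [r[0] for r in rows]


def blast_radius(conn, cve):
    """Q2: devices currently running an exposed version, from current state."""
    rows = conn.execute(WITH_CHAIN + """
        SELECT c.serial, c.production_version FROM current_state c
        JOIN affected_pv a ON a.production_version = c.production_version
        ORDER BY c.serial""", (cve,))
    return list(rows)


def coverage(conn, cve):
    """Q4: (devices that ever ran an exposed version, how many are now off it)."""
    return conn.execute(WITH_CHAIN + """
        SELECT COUNT(*),
               SUM(c.production_version NOT IN (SELECT production_version FROM affected_pv))
        FROM current_state c
        WHERE c.serial IN (SELECT serial FROM dar_event WHERE production_version IN
                           (SELECT production_version FROM affected_pv))""", (cve,)).fetchone()


if __name__ == "__main__":
    db = build_db()
    print(affected_batches(db, CVE), blast_radius(db, CVE), coverage(db, CVE))
```

With the constructed fleet, SN002 has dropped off the map after its OTA update, SN003 is back on it after a rollback, and SN004 stays off it because its Production Version carries a not_affected disposition with a recorded justification; coverage counts three devices that ever ran the exposed version, one of them remediated.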

See vulnerability response on one trust chain.

Bring a recent CVE. A 30-minute walkthrough covers the exposure map, the VEX disposition flow, and remediation coverage data against a representative fleet.