What is SBOM?

A Software Bill of Materials (SBOM) is a structured inventory of all components that make up a piece of software — including third-party libraries, packages, versions, and their relationships. SBOMs help organizations understand what is inside their software, evaluate exposure to known vulnerabilities, and meet supply-chain security and compliance requirements.

We publish SBOMs because transparency and security are core to Defguard. Making our dependency information public lets customers and auditors independently verify what we ship, continuously assess risk against public CVE databases, and integrate our artifacts into their own security tooling and compliance workflows. SBOMs also help us respond faster to newly disclosed issues: we track and scan dependencies after each release, prioritize remediation, and communicate status openly. This practice aligns with ISO 27001 controls and demonstrates our commitment to a secure software supply chain.

SBOM file list with vulnerability status

Separate SBOMs are available for the mobile apps (Android, iOS), the desktop app (Windows, macOS, Linux), and the server components (Core, Proxy, Gateway). Alongside each SBOM, an advisory file is also published that summarizes the known vulnerabilities in detail.

We use Trivy to generate SBOM files and scan for vulnerabilities in our dependencies. Each SBOM is updated every day in our CI/CD pipeline and provided in the standard SPDX format.
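As an added illustration (not Defguard's code and not Trivy's), here is a small Python consumer of a published SPDX JSON SBOM: it walks the packages' purl references, matches them against an advisory list, and separates active findings from findings suppressed with a documented upstream reason, the same split the table below makes. The SBOM fragment, the advisory feed, the fixed version for the glib advisory and the react-router advisory id are all constructed for the example.

```python
import json

# Constructed SPDX 2.3 JSON fragment in the shape Trivy emits. Package names and
# versions come from this page; SPDXIDs and the document name are made up.
SBOM_JSON = """{
 "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-desktop",
 "packages": [
  {"name": "react-router", "SPDXID": "SPDXRef-Package-1", "versionInfo": "6.30.3",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:npm/react-router@6.30.3"}]},
  {"name": "glib", "SPDXID": "SPDXRef-Package-2", "versionInfo": "0.18.5",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:cargo/glib@0.18.5"}]},
  {"name": "serde", "SPDXID": "SPDXRef-Package-3", "versionInfo": "1.0.200",
   "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                     "referenceLocator": "pkg:cargo/serde@1.0.200"}]}
 ]}"""

# Constructed advisory feed: (purl without version, advisory id, first fixed version or None).
ADVISORIES = [
    ("pkg:cargo/glib", "GHSA-wrw7-89jp-8q8g", "0.20.0"),        # fixed version is an assumption
    ("pkg:npm/react-router", "PLACEHOLDER-ADVISORY-ID", None),  # placeholder id, no fix recorded
]

# Findings accepted as upstream/suppressed must carry the reason for the suppression.
SUPPRESSED = {"GHSA-wrw7-89jp-8q8g": "transitive dependency of Tauri, waiting on gtk4-rs migration"}

def version_tuple(v):
    """Compare plain dotted numeric versions; pre-release tags are out of scope here."""
    return tuple(int(p) for p in v.split("."))

def purls(sbom):
    """Yield (name, version, purl) for every package that carries a purl external ref."""
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                yield pkg["name"], pkg.get("versionInfo", ""), ref["referenceLocator"]

def triage(sbom_text):
    """Return {name@version: (state, advisory_id)}; state is active, suppressed or clean."""
    result = {}
    for name, version, purl in purls(json.loads(sbom_text)):
        key = f"{name}@{version}"
        result[key] = ("clean", None)
        base = purl.rsplit("@", 1)[0]  # strip the version; '@' in scopes is percent-encoded
        for prefix, advisory, fixed in ADVISORIES:
            if base == prefix and (fixed is None or version_tuple(version) < version_tuple(fixed)):
                state = "suppressed" if advisory in SUPPRESSED else "active"
                result[key] = (state, advisory)
    return result
```

A real feed would be consumed from the published advisory file or from Trivy's own scan output rather than a literal list.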

Component     Version   Date checked   Links   Vulnerability status
-----------   -------   ------------   -----   ------------------------------------------------------
                                               Active vulnerabilities (1)
                                               Active vulnerabilities (2)
Gateway       2.0.1     2026-06-12             No vulnerabilities
                                               Active vulnerabilities; upstream / suppressed findings (3)
Mobile App    1.6.3     2026-06-12             No vulnerabilities

Vulnerability details

(1) Active vulnerabilities
    Package: qs@6.15.1
    Summary: `qs.stringify` throws `TypeError` when called with `arr ...

(2) Active vulnerabilities
    Package: qs@6.15.1
    Summary: `qs.stringify` throws `TypeError` when called with `arr ...

(3) Active vulnerabilities
    Package: react-router@6.30.3(react@19.2.6)
    React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

    Upstream / suppressed findings
    GHSA-wrw7-89jp-8q8g (Medium, Upstream)
    Package: glib@0.18.5
    Unsoundness in `Iterator` and `DoubleEndedIterator` impls for `glib::VariantStrIter`
    Explanation: glib is a transitive dependency of Tauri which we cannot update ourselves. Waiting for Tauri to finish its migration to gtk4-rs: https://github.com/tauri-apps/tauri/issues/12563