Software Bill of Materials

Complete list of software components and dependencies in CycloneDX format

Last updated: January 2025

Buglify.ai maintains a comprehensive Software Bill of Materials (SBOM) to provide transparency about all software components and dependencies used in our platform. Our SBOM is available in the industry-standard CycloneDX format.

What is an SBOM?

A Software Bill of Materials (SBOM) is a detailed inventory of all the components, libraries, and dependencies that make up a software application. It provides transparency and helps organizations:

  • Identify and track software components and their versions
  • Assess security vulnerabilities in dependencies
  • Ensure license compliance
  • Respond quickly to supply chain security incidents
  • Meet regulatory and compliance requirements

CycloneDX Format

Our SBOM is provided in CycloneDX format, a lightweight software bill of materials standard designed for use in application security contexts and supply chain component analysis.

Our SBOM Components

Our SBOM includes detailed information about:

  • Frontend dependencies (Next.js, React, and related packages)
  • Backend dependencies (Node.js packages, Python libraries)
  • Infrastructure components (Docker images, system libraries)
  • Security tooling and scanning components
  • Development and build dependencies

Accessing the SBOM

Our SBOM is automatically generated and updated with each release. Enterprise customers can request access to our current SBOM for compliance and security auditing purposes.

To request the SBOM:

Email security@buglify.ai with your request. Please include your company name and the specific version or release you need the SBOM for.

SBOM Updates

We update our SBOM with every platform release and whenever dependencies are updated. We regularly monitor our dependencies for:

  • Known security vulnerabilities (CVEs)
  • License compliance issues
  • End-of-life or deprecated components
  • Available security patches and updates

Vulnerability Disclosure

If you discover a security vulnerability in any component listed in our SBOM, please report it responsibly to security@buglify.ai. We maintain an active vulnerability management program and will respond within 48 hours.

SBOM Generation and Verification

Our SBOM is automatically generated using industry-standard tools:

  • Frontend: npm sbom or cdxgen for JavaScript/TypeScript dependencies
  • Backend: CycloneDX Python tools for Python dependencies
  • Containers: Syft or trivy for Docker image components
  • Aggregation: All component SBOMs are merged into a comprehensive platform SBOM

Each SBOM is cryptographically signed to ensure integrity and authenticity.

License Compliance

We maintain strict license compliance for all dependencies:

  • All components use permissive open-source licenses (MIT, Apache 2.0, BSD, etc.)
  • We avoid copyleft licenses (GPL, AGPL) that could impose restrictions
  • License information is included in the SBOM metadata
  • Automated scanning ensures no incompatible licenses are introduced

Dependency Management Process

Our dependency management follows security best practices:

  • Automated Scanning: Continuous monitoring for vulnerabilities using Dependabot, Snyk, or similar tools
  • Patch Management: Critical vulnerabilities patched within 48 hours, high severity within 7 days
  • Version Pinning: All dependencies use exact versions to ensure reproducible builds
  • Regular Updates: Dependencies updated quarterly or when security patches are available
  • Testing: All dependency updates tested before deployment

SBOM Use Cases

Our SBOM supports various security and compliance use cases:

  • Vulnerability Management: Quickly identify if your deployment is affected by newly disclosed vulnerabilities
  • License Auditing: Verify compliance with your organization's open-source policies
  • Supply Chain Security: Assess risk from third-party components
  • Regulatory Compliance: Meet requirements from regulations such as Executive Order 14028 (US) and the NIS2 Directive (EU)
  • Incident Response: Accelerate response to security incidents affecting dependencies

SBOM Format and Standards

Our SBOMs conform to the following standards:

  • CycloneDX 1.5 or later: Primary format with full support for vulnerabilities, licenses, and dependencies
  • SPDX 2.3 (available on request): Alternative format for organizations requiring SPDX
  • JSON and XML formats: Both available for maximum compatibility
  • NTIA Minimum Elements: Compliant with NTIA baseline requirements
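As an added example (not Buglify.ai's own code), a small Python consumer of a CycloneDX 1.5 JSON SBOM that performs three of the checks this page describes: it reports components missing the per-component NTIA minimum elements, flags copyleft licenses under the GPL/AGPL rule in the License Compliance section, and matches components against an advisory feed for the vulnerability-management use case. The SBOM document and the advisory feed are constructed inline, and the function names are assumptions.

```python
import json
# Constructed CycloneDX 1.5 document standing in for a file read from disk (not a real Buglify.ai SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"timestamp": "2025-01-15T10:00:00Z", "tools": [{"name": "cdxgen"}]},
  "components": [
    {"type": "library", "bom-ref": "pkg:npm/react@18.2.0", "name": "react", "version": "18.2.0",
     "purl": "pkg:npm/react@18.2.0", "supplier": {"name": "Meta"}, "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "pkg:npm/example-widget@1.3.0", "name": "example-widget", "version": "1.3.0",
     "purl": "pkg:npm/example-widget@1.3.0", "licenses": [{"license": {"id": "ISC"}}]},
    {"type": "library", "bom-ref": "pkg:pypi/example-tool@2.0.0", "name": "example-tool", "version": "2.0.0",
     "purl": "pkg:pypi/example-tool@2.0.0", "supplier": {"name": "Example Org"}, "licenses": [{"license": {"id": "AGPL-3.0-only"}}]}
  ],
  "dependencies": [{"ref": "pkg:npm/react@18.2.0", "dependsOn": []}]
}"""

# Constructed advisory feed (hypothetical, not real CVE data): purl without version -> affected versions.
ADVISORIES = {"pkg:npm/example-widget": {"1.3.0"}}
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")

def load_bom(text):
    return json.loads(text)

def ntia_gaps(bom):
    """Map bom-ref -> missing NTIA minimum elements (supplier, name, version, unique id, dependency entry)."""
    listed = {d["ref"] for d in bom.get("dependencies", [])}
    gaps = {}
    for c in bom.get("components", []):
        missing = [f for f in ("supplier", "name", "version", "purl") if not c.get(f)]
        if c["bom-ref"] not in listed:
            missing.append("dependencies")  # no dependency relationship recorded for this component
        if missing:
            gaps[c["bom-ref"]] = missing
    return gaps

def copyleft_components(bom):
    """bom-refs carrying an SPDX license id from a copyleft family (the page's GPL/AGPL rule)."""
    return [c["bom-ref"] for c in bom.get("components", [])
            for lic in c.get("licenses", [])
            if lic.get("license", {}).get("id", "").startswith(COPYLEFT_PREFIXES)]

def affected_components(bom, advisories):
    """bom-refs whose purl names a package version present in the advisory feed."""
    hits = []
    for c in bom.get("components", []):
        pkg, _, ver = c.get("purl", "").rpartition("@")  # split on the last '@' so scoped npm names survive
        if ver in advisories.get(pkg, set()):
            hits.append(c["bom-ref"])
    return hits
```

The `ntia_gaps` check covers the per-component elements only; the document-level elements (author and timestamp) are read from `metadata` and are not checked here.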

Frequently Asked Questions

How often is the SBOM updated?

The SBOM is regenerated with every platform release and whenever dependencies change. Typically, this occurs at least monthly.

Can I automate SBOM retrieval?

Enterprise customers can request API access to automatically retrieve the latest SBOM. Contact security@buglify.ai for details.

Do you include transitive dependencies?

Yes, our SBOM includes all direct and transitive (indirect) dependencies with complete dependency graphs.

How do you handle vulnerability notifications?

When critical vulnerabilities are discovered in our dependencies, we notify affected customers within 24 hours and provide remediation timelines.

Contact Information

For SBOM requests, vulnerability reports, or questions:

PXL Security LTD
blvd Vasil Levski 12
Sofia, Bulgaria
Email: security@buglify.ai
SBOM Requests: sbom@buglify.ai