Security

How to report a vulnerability and how we respond

E.S.L SOFTWARE LAB LTD treats the security of ESL SBOMator and its bundled open-source components as a first-class concern. This page is the public point of contact required by ISO/IEC 18974:2023 §3.4.1 as part of our OpenChain conformance program.

Reporting a Vulnerability

PGP Fingerprint

ESL SOFTWARE LAB LTD Security
daniel.l@eswlab.com

RSA 4096 — created 2026-05-25 — expires 2028-05-24

Fingerprint:
E850 2D58 0514 E72B 9006 5BB5 1C3D B1F8 0E19 9430

✅ In scope

  • ESL SBOMator application code
  • Bundled scanner binaries (syft, grype, osv-scanner, cdxgen)
  • Python runtime dependencies shipped in our installer
  • Signed Windows / Linux / macOS installers and the code-signing chain

❌ Out of scope

  • Vulnerabilities in projects analysed by SBOMator → report to the upstream project
  • Non-security bugs or feature requests → use our support channel
  • Findings in third-party libraries already covered by an upstream CVE with a published fix (we’ll pick it up via our scanners)

Supported Versions

Our Response Process

  1. Acknowledge — within 2 business days you’ll receive a confirmation from daniel.l@eswlab.com.
  2. Triage — we reproduce the issue and assign a CVSS v3.1 score.
  3. Fix — we develop a patch, request a CVE ID through GitHub or MITRE, and coordinate a release date with you.
  4. Credit — researchers who report valid issues are credited in-app in SBOMator, in the relevant GitHub Security Advisory, and in the release CHANGELOG (unless you ask to remain anonymous).

*Critical issues with public exploits are treated out-of-band and may ship within 7 calendar days.

Compliance Program

ESL SBOMator’s open-source compliance and security assurance program aligns with ISO/IEC 5230 (license compliance) and ISO/IEC 18974 (security assurance) — the two standards underpinning OpenChain conformance.