The most surprising shift: buyers are now setting patch deadlines
For most of the past decade, vulnerability response timelines were set by vendors. That is changing. Enterprise procurement teams—particularly in financial services, healthcare, and critical infrastructure—are inserting patch-response service-level agreements (SLAs) directly into software contracts, requiring vendors to issue fixes for critical Common Vulnerabilities and Exposures (CVEs) within 14 days or fewer.
A CVE is a standardized identifier assigned to a publicly disclosed security flaw. Critical CVEs carry a CVSS (Common Vulnerability Scoring System) score of 9.0 or above, indicating high exploitability and potential impact.
This buyer-driven pressure is a structural response to a documented pattern: attackers are increasingly targeting the software supply chain—the libraries, build pipelines, and third-party components that ship inside products—rather than attacking end organizations directly.
What the supply-chain threat model actually looks like
A software supply-chain attack works by compromising something upstream. The attacker may inject malicious code into an open-source library, compromise a vendor's build system, or exploit a vulnerability in a widely used component before the vendor patches it. Every organization that ships or runs software containing that component becomes a potential victim.
The 2020 SolarWinds breach, in which attackers inserted a backdoor into a network-monitoring software update, demonstrated the scale of this vector: roughly 18,000 organizations downloaded the compromised update. The 2024 XZ Utils incident showed the same logic applied to open-source infrastructure: a malicious contributor spent nearly two years gaining trust in a compression library used across Linux distributions before inserting a backdoor.
Neither attack required breaking into the ultimate targets directly.
SBOMs: the inventory requirement gaining traction
A software bill of materials (SBOM) is a machine-readable list of every component, library, and dependency included in a software product, along with version numbers and known vulnerabilities. The concept is analogous to an ingredient list on packaged food.
U.S. Executive Order 14028, signed in May 2021, directed federal agencies to require SBOMs from software vendors as a condition of procurement. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently published minimum SBOM elements and has tracked voluntary adoption across sectors.
Private-sector adoption is uneven. Large enterprises with dedicated security teams are beginning to require SBOMs in vendor contracts. Smaller buyers often lack the tooling to ingest and act on SBOM data even when they receive it—a gap that limits the practical value of the requirement.
The patch-gap problem
Faster disclosure is not straightforwardly safer. Security researchers use the term 'patch gap' to describe the window between public disclosure of a vulnerability and the availability of a working fix. If a vendor discloses a critical CVE before a patch exists—whether due to regulatory pressure, coordinated disclosure timelines, or a leak—attackers can begin exploiting it immediately.
The tension is real: the 90-day coordinated disclosure standard popularized by Google Project Zero was designed to pressure vendors into patching while giving them time to do so before details became public. Compressing that window further, as some buyers now demand, may accelerate exploitation of vulnerabilities that vendors have not yet fixed.
What is not yet established in published research is whether organizations that achieve shorter MTTP targets experience statistically fewer successful breaches, or whether the relationship is confounded by attacker behavior—specifically, a shift toward zero-day exploits for which no patch exists at the time of attack.
What vendors are changing
Several large software vendors have published updated vulnerability disclosure policies in the past two years, shortening their internal triage-to-patch targets and expanding their bug bounty programs to cover supply-chain components. Some have begun publishing SBOMs for major products voluntarily, ahead of regulatory requirements.
Smaller vendors, particularly those supplying specialized enterprise software, face a harder tradeoff: faster patch cycles require engineering resources that may not be available, and contractual patch SLAs can create legal liability if timelines slip.
What remains unknown
Several important questions do not yet have clear answers in the public record:
- Whether SBOM requirements at scale reduce breach rates, or primarily shift liability. - Whether compressed patch windows reduce attacker success or accelerate exploitation of disclosed-but-unpatched vulnerabilities. - How open-source maintainers—often unpaid volunteers—are expected to meet commercial patch-response SLAs imposed by downstream buyers. - Whether the XZ Utils-style long-term infiltration of open-source projects can be detected systematically, or whether it represents a threat model that SBOM and patch-window requirements do not address.
The structural shift in how buyers and vendors negotiate vulnerability response is real and documented. Whether it produces measurable security improvement is a question the industry has not yet answered.