How a collaboration starts
You have decided to have your open source supply chain professionally secured. Here you learn what we need from you, how the process works, and what you receive and when.
What we need from you
Two things:
- Your current SBOM — the software bill of materials of your products and systems
- A contact person — ideally tiered by criticality and communication channel (e.g. security contact for critical notifications, project lead for operational coordination)
Nothing more. We do not need access to your systems, your network, or your internal data. Open source projects exist outside your infrastructure — that is where we work.
SBOM submission
In the simplest case, you send us your SBOM once. However, we recommend an API integration through which your current SBOM is transmitted continuously, for example from your build pipeline whenever a release is produced. This is optional, but it ensures we always monitor the supply chain you are actually running today, not the state from three months ago.
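An illustration of the client side of such a continuous submission, added here as example code (this is not OTTRIA's API or client, which the page does not document). It assumes the SBOM is CycloneDX-style JSON and uses two constructed sample SBOMs standing in for the last transmitted state and the current build. It checks that every component carries the identifiers needed to match it to an upstream project, computes an order-independent digest so a CI job only re-transmits when the component set actually changed, and reports what changed. The payload layout in `build_submission` is hypothetical; nothing is sent over the network.

```python
import hashlib
import json

# Constructed sample SBOMs in CycloneDX-style JSON. The format is an assumption;
# the page does not specify one. OLD_SBOM stands for the last transmitted state,
# NEW_SBOM for the current build: log4j-core was upgraded and urllib3 added.
OLD_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
}
NEW_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "log4j-core", "version": "2.17.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.2"},
        {"name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
    ],
}

REQUIRED_COMPONENT_FIELDS = ("name", "version", "purl")


def validate_sbom(sbom):
    """Return a list of problems; an empty list means the SBOM is usable.

    A component without a purl or version cannot be matched to an upstream
    project, so monitoring would silently skip it.
    """
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    components = sbom.get("components")
    if not isinstance(components, list):
        return problems + ["components missing or not a list"]
    for i, comp in enumerate(components):
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                problems.append(f"component {i} missing {field}")
    return problems


def split_purl(purl):
    """Split a purl into (base without version, version).

    Qualifiers ('?...') and subpaths ('#...') are dropped so that the base
    identifies the package, not one particular build flavour.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = core.rpartition("@")
    if not sep:  # purl carried no version at all
        return core, ""
    return base, version


def component_versions(sbom):
    """Map purl base -> version for every component in the SBOM."""
    return dict(split_purl(c["purl"]) for c in sbom.get("components", []))


def diff_sboms(old, new):
    """Describe what changed between two SBOMs in terms of purls."""
    before, after = component_versions(old), component_versions(new)
    added = sorted(f"{b}@{v}" for b, v in after.items() if b not in before)
    removed = sorted(f"{b}@{v}" for b, v in before.items() if b not in after)
    changed = sorted(
        (b, before[b], after[b])
        for b in before if b in after and before[b] != after[b]
    )
    return {"added": added, "removed": removed, "changed": changed}


def sbom_digest(sbom):
    """Stable digest of the component set, independent of list order."""
    purls = sorted(c["purl"] for c in sbom.get("components", []))
    return hashlib.sha256(json.dumps(purls).encode()).hexdigest()


def needs_submission(last_sent, current):
    """True when the component set differs from what was last transmitted."""
    return sbom_digest(last_sent) != sbom_digest(current)


def build_submission(sbom, contact):
    """Assemble the payload a CI job would POST to the monitoring endpoint.

    The payload layout and the contact field are hypothetical; the real API
    is agreed with the provider. Nothing is sent here.
    """
    return {"sbom": sbom, "digest": sbom_digest(sbom), "contact": contact}


if __name__ == "__main__":
    problems = validate_sbom(NEW_SBOM)
    assert not problems, problems
    if needs_submission(OLD_SBOM, NEW_SBOM):
        print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
        payload = build_submission(NEW_SBOM, {"security": "security@example.com"})
        print("digest", payload["digest"])
```

Keying the diff on the purl base rather than the component name avoids treating two different ecosystems' packages with the same name as one component, and digesting the sorted purl list means reordering the components list in a rebuilt SBOM does not trigger a spurious resubmission.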
What happens after submitting the SBOM?
Monitoring begins immediately. How quickly full coverage is achieved depends on whether the projects in your SBOM are already in our system:
- Projects already in the OTTRIA system: Immediate coverage. All existing documentation, risk assessments, and remediation history are available instantly.
- New projects (not yet in the OTTRIA system): Onboarding begins directly after receiving the SBOM. The duration depends on the size and history of the project — typically just a few hours.
There is no 30-day ramp-up phase. Coverage begins immediately.
What you receive and when
Day 1
Initial analysis and risk overview: which projects are known, which are critical, where there are open vulnerabilities or known risks.
First weeks
Complete risk assessment of all components, prioritised by criticality. First compliance documents for your records. Start of active work on critical vulnerabilities.
Ongoing
Continuous monitoring of all components in your SBOM. In the event of security incidents, you receive immediate notifications with risk assessment and recommended actions. In addition, regular summaries with status overview, resolved vulnerabilities, and open items.
What stays with you
OTTRIA takes over everything that happens in the open source world: monitoring, analysis, assessment, fixes, documentation. Your tasks:
- Provide and keep the SBOM up to date (ideally via API integration)
- Make decisions when action is needed (we provide decision templates with options and risk assessment)
- Deploy patches in your systems
The decision and the deployment remain with you. This cannot be arranged any other way from a regulatory perspective either: responsibility for risk management decisions stays with your management and cannot be outsourced (Art. 5(2) DORA, Section 38 NIS2UmsuCG).
Further reading
Want to know how OTTRIA can secure your SBOM? Request a no-obligation initial consultation — get in touch.