tldr - powered by Generative AI

• Automating the matching of vulnerabilities and exploits with threat intelligence and blocking them is not feasible as customers may not trust the organization to do it.
• Not all customers know enough about their software to determine if it is safe to block something.
• Partial remediation and tracking the timeline of remediation can be challenging.
• Social graphs and tracing components may not be useful if customers do not know what to do with the information.
• Consumers in the middle of the supply chain need to decide the depth at which they can investigate something and owe answers to downstream customers and partners.
• The limits of S-BOMs and the knowledge that can be obtained from them should be considered.
• SAS providers may not provide S-BOMs for their products.