Vendor Self-Attestation
What Is Vendor Self-Attestation?
Vendor self-attestation is a software supplier's own statement about what is inside their product — typically delivered through questionnaires, compliance certifications, or vendor-provided SBOMs — offered without independent verification.
Accepting vendor self-attestation is common practice in third-party risk management (TPRM) programs. Vendors complete questionnaires; auditors review certifications; SBOMs arrive from suppliers and are filed. The gap is that none of these reflect what is actually inside the compiled artifact the customer installs and runs. Build processes change dependencies. Manifests omit statically linked code. Configurations introduce risk no questionnaire captures.
NetRise Turbine replaces self-attestation with independent evidence. Binary composition analysis lets buyers verify what is actually in the software they receive — not just what the vendor said was in it.
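The gap described above can be made concrete by reconciling the vendor's SBOM against components actually found in the shipped artifact. The following script is an added example written for this glossary entry; it is not NetRise code and does not show how Turbine performs binary composition analysis. It assumes a CycloneDX-style SBOM and uses a small set of illustrative banner-string patterns over a constructed byte blob that stands in for the compiled binary; a real analyzer would use far more signatures plus symbols, hashes and section data.

```python
import json
import re

# Constructed sample: a CycloneDX-style SBOM as a vendor might deliver it.
# libpng is declared but, in this sample, absent from the shipped binary.
VENDOR_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.8"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "libcurl", "version": "8.1.0"},
        {"type": "library", "name": "libpng", "version": "1.6.39"},
    ],
})

# Constructed stand-in for the compiled artifact: filler bytes around the kind of
# banner strings that statically linked libraries embed. The contents are invented
# for this example: openssl is older than declared and libxml2 is not declared at all.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"OpenSSL 1.1.1k  25 Mar 2021\x00" + b"\x90\x90\xcc\xcc"
    + b"inflate 1.2.13 Copyright 1995-2022 Mark Adler\x00" + b"\xde\xad\xbe\xef"
    + b"libcurl/8.1.0\x00" + b"\x00\x00\xff\xff"
    + b"libxml2-2.9.10\x00"
)

# Illustrative banner patterns (assumed for this example; a real analyzer matches
# many more signatures and does not rely on strings alone).
BANNER_PATTERNS = {
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(rb"(?:inflate|deflate) (\d+\.\d+\.\d+)"),
    "libcurl": re.compile(rb"libcurl/(\d+\.\d+\.\d+)"),
    "libxml2": re.compile(rb"libxml2-(\d+\.\d+\.\d+)"),
}


def load_declared(sbom_json: str) -> dict:
    """Map component name -> version from the vendor's SBOM (what the vendor says)."""
    sbom = json.loads(sbom_json)
    return {c["name"].lower(): c["version"] for c in sbom.get("components", [])}


def printable_runs(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII from the artifact, the way `strings` does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group(0)


def observe_components(blob: bytes) -> dict:
    """Map component name -> version actually found in the artifact (what is there)."""
    observed = {}
    for run in printable_runs(blob):
        for name, pattern in BANNER_PATTERNS.items():
            m = pattern.search(run)
            if m and name not in observed:
                observed[name] = m.group(1).decode("ascii")
    return observed


def reconcile(declared: dict, observed: dict) -> dict:
    """Report where the attestation and the artifact disagree."""
    return {
        # in the binary but absent from the SBOM (e.g. statically linked code the manifest omits)
        "undeclared": {n: v for n, v in observed.items() if n not in declared},
        # declared and present, but not the version the vendor stated
        "version_mismatch": {n: (declared[n], v) for n, v in observed.items()
                             if n in declared and declared[n] != v},
        # declared but never seen; may be dynamically loaded, or simply not shipped
        "unobserved": {n: v for n, v in declared.items() if n not in observed},
    }


if __name__ == "__main__":
    report = reconcile(load_declared(VENDOR_SBOM_JSON), observe_components(SAMPLE_BINARY))
    for category, entries in report.items():
        print(f"{category}: {entries}")
```

Each of the three buckets maps to a TPRM decision: an undeclared component means the attestation is incomplete, a version mismatch means vulnerability lookups against the SBOM would be checking the wrong version, and an unobserved component is worth a follow-up question rather than an automatic failure, since it may be loaded at runtime instead of linked in.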
Related Terms
Third-Party Risk Management · Software Bill of Materials · NetRise Turbine · Software Supply Chain Security