This work addresses the lack of intermediate disclosure mechanisms in current Software Bill of Materials (SBOM) sharing practices, which leaves vendors vulnerable to SBOM-based attacks and consumers exposed to risks of tampered or falsified SBOMs. To overcome this limitation, the paper introduces zkSBOM, the first framework to apply zero-knowledge set techniques to SBOM sharing. By leveraging cryptographic commitments and inclusion/exclusion proofs, zkSBOM enables consumers to verify whether they are affected by specific vulnerabilities without accessing the full SBOM. This approach achieves fine-grained privacy preservation and verifiability, breaking away from the traditional all-or-nothing disclosure paradigm. Security analysis and real-world evaluations demonstrate that zkSBOM offers strong security guarantees and practical feasibility while protecting the privacy of both suppliers and consumers.

Software Bills of Materials (SBOMs) are increasingly mandated by regulators, yet existing sharing mechanisms impose a binary choice between full disclosure and full opacity. This exposes software suppliers to attacks that can be deduced from the SBOM only, such as the presence of a vulnerable dependency. Conversely, software consumers can be fooled by software suppliers who modify or misrepresent published SBOMs. We present zkSBOM, a privacy-preserving SBOM sharing mechanism designed to address these threats. zkSBOM uses zero-knowledge sets to cryptographically commit to the components within an SBOM. Software consumers can query for known vulnerabilities and receive a cryptographic proof confirming whether the artifact described by the SBOM is affected, without revealing any additional SBOM content. We conduct a security analysis of zkSBOM by quantifying expected leakage from inclusion and exclusion proofs. We demonstrate real-world feasibility by applying it to realistic scenarios and evaluating its operation requirements. Our evaluation demonstrates that zkSBOM is a strong, secure, and privacy-preserving mechanism for SBOM sharing, protecting software suppliers and software consumers from one another.