SIGNED SOFTWARE PRODUCT VULNERABILITY INFORMATION



Bibliographic details
Main authors: Shams, Saad Bin; Caselli, Marco; Wimmer, Martin; Kasinathan, Prabhakaran; Paulsen, Christian
Format: Patent
Language: eng ; fre ; ger
Description

Summary: System and computer-implemented method for trusted disclosure of vulnerability information on a software (SW) product, comprising:

a) receiving (S1), by the SW vendor unit (12), a proof request from a user unit (11) to provide information on vulnerabilities of the SW product;

b1) requesting (S2), by the SW vendor unit (12), an evaluation of the SW product with respect to the requested information on vulnerabilities of all SW components indicated in a software bill of materials data structure (SBOM), by sending the SBOM, which comprises an indicator for each SW component contained in the SW product, to a certification unit (13);

c1) receiving (S3), by the SW vendor unit (12), a verifiable credential comprising a result of the evaluation and a cryptographic proof issued by the certification unit (13); or

b2) retrieving (S2'), by the SW vendor unit (12), a previously received and stored verifiable credential issued by the certification unit (13) and comprising the result of the evaluation and a cryptographic proof;

d) forwarding (S4), by the SW vendor unit (12), the cryptographic proof to the user unit (11);

e) requesting (S5), by the user unit (11), public information for validating the cryptographic proof received from the SW vendor unit, from a distributed database (14); and

f) validating (S6), by the user unit (11), the cryptographic proof request from the SW vendor unit (12) about vulnerabilities in the software product using the public information from the distributed database (14).