1 of 73

Helm Docs

Helm help center home

Upload SBOM & match to known software

Prioritize and remediate risk

Get Started

Helm features

Introducing Helm by Medcrypt

What is Helm?

Helm is a comprehensive Software Bill of Materials (SBOM) and vulnerability management tool designed especially for medical device manufacturers (MDMs) to provide full visibility over your software supply chain and help you prioritize and remediate cybersecurity risks effectively. You can also track multiple software versions across devices, enabling you to easily handle the complex needs of medical devices with long lifespans and infrequent updates. Learn more about how Helm helps you meet FDA cybersecurity expectations.

Key features

FDA compliance

Supports NTIA and FDA cybersecurity requirements for SBOMs.
Provides tools for Secure Product Development Framework (SPDF).
Automated lifecycle management: Lifecycle rules automatically apply Level of Support and End-of-Life (EOL)/End-of-Support (EOS) information to components across your product portfolio, ensuring consistency and compliance with FDA cybersecurity requirements. EOL/EOS tracking enables you to identify and reduce risk due to outdated components that no longer receive security updates.

Broad ecosystem visibility

Tracks both open-source software (OSS) and commercial third-party software.
Supports real-time operating systems (RTOS) and other operating systems to give a comprehensive view of your software ecosystem.

SBOM management

Handles SBOMs from open source, commercial tools, and manual uploads.
.
Matches your software against the National Vulnerability Database (NVD) and package managers using advanced normalization techniques. For example, Helm will normalize values such as “windows10”, “windows_10”, and “win 10” to the official value, such as Windows 10.
. Import or manually add license information. Helm can also add missing license information when you upload a new SBOM or you can add them on-demand per component.

Vulnerability management

instantly during major vulnerabilities like Log4j or WannaCry on Helm's comprehensive dashboard. Helm's dashboard enables you to quickly remedy your most impacted products.
Zero in on critical vulnerabilities.
Track progress on unremediated vulnerabilities.
Prioritize and remediate quickly via continuously monitoring and updating of vulnerability , and more.

Regulatory reporting

.
.
Export or .

Understand your dashboard

Your dashboard provides an overview of your overall security posture. You can get to your dashboard by clicking the home icon on the sidebar.

Dashboard overview

This represents your total SBOMs and vulnerabilities across all time. The date range filter does not apply to these widgets.

Total products: This shows the total number of products that you have managed since you began using Helm.
Ratio of product versions with SBOMs: This percentage shows you the number of product versions that your team has created/uploaded SBOMs for.

Vulnerabilities over time

These widgets represent your vulnerabilities for a selected date range. You can view this for all versions within a product or for a particular product version.

Vulnerabilities: This shows the number of vulnerabilities that you have for the selected criteria.
Critical severity vulnerabilities: This shows the number of critical-level (CVSS score of 9-10) vulnerabilities that you have for the selected criteria.
Unremediated vulnerabilities: This shows the number of unremediated vulnerabilities that you have for the selected criteria.

Top 5 impacted products

Each donut chart represents the total number of vulnerabilities that have been detected in each of your products across all of their respective SBOM components, within the selected date range, products, and versions, as well as the percentage of vulnerabilities in each level of severity.

You can view these widgets across all of your products and versions, or filter down to view particular products and versions.

Severity:

Total vulns (in donut chart): This is the total number of vulnerabilities across this product within the selected date range.
Critical severity: This is the number of critical severity vulnerabilities that have been detected in each of your products across all of their respective SBOM components, within the selected date range, products, and versions.
High severity: This is the number of high severity vulnerabilities that have been detected in each of your products across all of their respective SBOM components, within the selected date range, products, and versions.
Medium severity: This is the number of medium severity vulnerabilities that have been detected in each of your products across all of their respective SBOM components, within the selected date range, products, and versions.

Get more details: Click the View details button to drill down into details for that product.

Top 5 vulnerable dependencies

This shows your top 5 most vulnerable components within the selected date range, products and versions.

Dependency name: This shows the name of the component that is contained within your selected products and versions.
Version: This shows the version for the component that is contained within your selected products and versions.
Supplier: This shows the supplier for the component that is contained within your selected products and versions.
Total vulnerabilities:

Add your first product:

In the product drop-down, click Create product.
Click this to specify the product name, then click Save.
To view your new product, click the Products option in the sidebar. Your new product will be selected in the products drop-down.
You’ll now need to add a version for this product. In the version drop-down

Helm terminology

Dependency: This is what may be referred to as a component in other systems. It is the firmware, software, patches, or operating system that is installed on the physical representations of your device (e.g., Windows, OpenSSL). In this help center, it is referred to as a component. Note: We are in the process of moving from using the term, dependency, to component in our UI (and therefore, docs), thus you will see these terms used interchangeably during this transition. Currently, both of these terms refer to the same thing.
Component: Currently this means the same as dependency. See note above.
Version: This is the component’s version (e.g., 10.1 for Windows).
Supplier: This is the component’s version (e.g., 10.1 for Windows).
Badges: These are used like tags. They may also be referred to as chips.
- In the editable state, they include an x to remove them.
- Depending on the use case, some chip states can only be removed by unchecking the drop-down options.
Panels: Panels refer to panels that slide-out from the right of the main page. You can close a panel to return to the main (or parent) page from which it was launched.

Don't have an SBOM?

Use Medcrypt's SBOM generation tool

You can now use Medcrypt's SBOM generation tool! Contact us to get access.

Use an open-source SBOM generation tool

Other ways to create your SBOM

Generate SPDX SBOM with open-source tools

for access to our SBOM generation tool

You can use several different open-source tools to generate your SBOM in SPDX format. We support SPDX 2.2 and 2.3 with JSON format.

SPDX Software Bill of Materials (SBOM) generator

Generate SBOM with Yocto on Linux

Generate your .zst file using Yocto on Linux

Although we try to ensure that 3rd-party information is still accurate, you should check to make sure there haven't been any changes since we last checked this.

Convert your SBOM from CSV to CycloneDX

Skip the conversion tools and scripts! You can now import CSV and Excel SBOMs directly to Helm.

Upload a CSV or Excel SBOM

Use an open-source tool

The one that we’ve used is . You will have to install and run this locally, so if this is outside your realm of expertise, so we can get your SBOM converted.

Install CycloneDX-CLI.
Add these metadata columns shown in this into your CSV file: Supplier, Type, Name, Version. You may already have these columns. They are required in order for Helm to be able to successfully identify matches for your components.
Add the metadata field to your CSV file. See the for more information.

Write a custom script

You can write a custom script in Python or your favorite language to convert the file from CSV to CycloneDX JSON.

Get expert Services help

Our expert Services team of former FDA reviewers and analysts can provide expert assessment, guidance, and design of anything from building cybersecurity and continuous improvement into your product development lifecycle to your Public Key Infrastructure cryptography to FDA letters and most anything in between. to see how we can help!

Upload or convert .zst SBOM files from Yocto on Linux

You can upload .zst SBOM files generated by Yocto on Linux. If you still prefer to convert your .zst files to a zipped format, follow the steps below.

Generate your .zst file using Yocto on Linux

Although we try to ensure that 3rd-party information is still accurate, you should check to make sure there haven't been any changes since we last checked this.

Inherit create-spdx class: Ensure that your Yocto configuration file inherits the create-spdx class by adding the following line:
Build the image: Proceed with building the image using the standard Yocto build process.
Locate the SBOM files: After the build process, you'll see three different outputs. All are provided here to guide you, but you must only use the third one (in bold). These items are copied directly from Yocto documentation.

SPDX output in JSON format as in IMAGE-MACHINE.spdx.json in tmp/deploy/images/MACHINE in your build directory.
This top-level file also has an IMAGE-MACHINE.spdx.index.json containing an index of SPDX files for individual recipes
The compressed archive IMAGE-MACHINE.spdx.tar.zst, which contains the index and files for the single recipes.

Convert your .zst file to a zipped format (.tar.gz or .zip)

Please note this step is now optional, Helm natively supports the .zst file format.

Navigate to the directory that has the .zst file.
Run this command to unzip this file, which contains your individual SBOM files. Replace filename with your actual file name (in the bullets above from Yocto's docs, this is their IMAGE-MACHINE).

tar --zstd -xvf filename.zst

Create a directory with the name of what you want to name your zip file.
Navigate into that directory, then create the subdirectory, packages, in this directory.
Copy the individual SBOM files into this directory.
Run this command to zip the parent directory. In this example, we've used zst_sbom

Create .tar.gz

Create .zip

When creating a .zip for Mac, use: -x '**/__MACOSX' in the command. This does not work for creating a .tar.gz.

Once you've converted the file to either .tar.gz or .zip, you can to Helm.

Automate and integrate

Automate SBOM management via MS Azure DevOps extension

Our Azure DevOps extension for Helm enables seamless integration of Helm into your CI/CD workflows, automating the creation of product versions and the uploading of SBOMs to Helm. This extension can be used independently or incorporated into your existing Azure DevOps pipelines, ensuring comprehensive and up-to-date documentation of your product's components, dependencies, and vulnerabilities with minimal effort.

Save time and effort manually maintaining SBOMs

Once configured, Helm will automatically add or update SBOMs for the appropriate product versions based on your event trigger when new or updated SBOMs are added to your connected Azure repository.

Match components

Understand match sources

Overview

When Helm has completed matching or attempting to match all of the components in your SBOM, you will see a along with the sources that were used to match the component.

Understanding Workspace Context for Match Sources

manage sboms

Find out what products contain a particular component

From any page in Helm, you can search on components (SBOM) across all products in your current workspace using the global search box in the top navigation bar. For example, you may want to find all products that are running the Windows 10 operating system.

In the global search box on any page, select SBOM from the search drop-down. Alternately, you can go directly to the Discover page to run searches. Either way, your last search results will display on this page, if you need to return to them.
Type in a component name, such as Windows 10, then press Enter to run the search.
From Actions > …, you can then jump to either viewing Components or Vulnerabilities.

View products and versions that contain a component

If you jump to this product, you’ll be able to see which product and product versions contain that component and version. From the Actions > … button, you can manage each component.

View vulnerabilities for a component

If you jump to vulnerabilities for this component, you can view the applicable vulnerabilities. From the Actions > … button, you can manage each vulnerability.

Create, edit, or merge SBOMs

You can add components to an existing SBOM or you can create an SBOM from scratch by adding each one manually. You can also merge SBOMs to combine all components for multiple systems into one.

Create components manually

Managing Products and Versions (Archive and Removal)

You can archive, unarchive, and permanently remove both products and product versions within the application.

Archiving and Unarchiving a Product

To Archive a Product:

In the Products page, open product drop-down list, hover over the product you wish to archive.

manage vulnerabilities

Check whether a particular vulnerability impacts your products

From any page in Helm, you can search on which products are impacted by a particular vulnerability across all products using the global search box in the top navigation bar. This enables you to quickly prioritize new threats.

In the global search box on any page, select Vuln ID from the search drop-down. Alternately, you can go directly to the Discover page to run searches. Either way, your last search results will display on this page, if you need to return to them.
Type in a vulnerability ID (e.g., CVE-123-4567), then press Enter to run the search.

Get email notifications for new vulnerabilities

Stay on top of the latest vulnerabilities to impact your sofware supply chain. You can choose to receive daily, weekly, and/or monthly digests. These alerts ensure that you stay updated on potential risks and can take prioritize and mitigate risk promptly.

Manage email preferences

Click on your user avatar located in the top navigation area of Helm.
Select My profile from the dropdown menu.
Toggle on the Send me vulnerability email digests switch if it's not already on.
Check one or more frequencies.
If you prefer not to receive email alerts, toggle off the Send me vulnerability email digests switch.
Click Save.

When to expect vulnerability emails

Daily: You’ll receive your first daily vulnerability email on the next business day.
Weekly: You’ll receive your first weekly vulnerability email on the next Monday.
Monthly: You’ll receive your first monthly vulnerability email on the 1st of every month.

Send email with vulnerability details for future prioritization

You can send the details of any vulnerability to your R&D team for future prioritization. To do so:

In Vulnerabilities, click Actions > ... > Email vulnerability. This will display an email with the vulnerability information.
Add any information you need to help your team assess and prioritize this vulnerability accordingly, then send it to your R&D team.

Understand issue severity level

Use the color-coded CVSS severity levels to focus on the most important vulnerabilities.

Level

CVSS score

Description

Critical (dark red)

9-10

This may allow attackers to access sensitive data and run code on your software.

High (red)

7-8

This may allow attackers to access sensitive data in your software.

Remediate vulnerabilities in bulk or individually

You can use our powerful bulk vulnerability remediation to remediate large groups of vulnerabilities within a product, across products, or target a particular component's vulnerabilities with the click of a button, enabling you to speed triage and ensure remediation consistency of particular vulnerabilities across your product portfolio.

To make the most of your time, you'll likely want to start with the most critical vulnerabilities first, so that you can assess their severity given your particular device, its environment and its use. The CVSS v3 column in shown by default in the Vulnerabilities table. You can click the Columns link above the table header row to customize your data display, including adding the CVSS v2 column.

Initially, all of your vulnerabilities will have a Status of blank. For CycloneDX status, you'll ultimately want to remediate each of these to either Exploitable or Not affected. For VEX status, you’ll ultimately want to remediate each of these to either Affected or Not affected. Some MDMs use CycloneDX for assigning internal statuses, while using the CycloneDX VEX profile to assign external statuses that will be communicated to customers and other external stakeholders.

Bulk remediate vulnerabilities

In the toolbar of the Vulnerabilities table, you'll see a Remediate N vulns link. If you have vulnerabilities selected in the table, this N indicates how many you have selected.
Click Remediate N vulns to display the Remediate panel.
If you're still investigating a vulnerability, choose the interim status for CycloneDX of In triage. If you have any information that will help triage these vulnerabilities, you will be able to add that to the Evidence field once you have chosen a status.

Remediate individual vulnerability

If you're not familiar with a particular vulnerability, click Actions > View details to get all vulnerability information. Close this panel when you're ready to remediate this vulnerability.
In the Vulnerabilities table, click Actions > ... > Remediate vulnerability for the vulnerability that you'd like to remediate. This will display the Remediate panel.
If you're still investigating a vulnerability, choose the interim status for CycloneDX of In triage. If you have any information about the vulnerability that will help triage it, you will be able to add that to the Evidence field once you have chosen a status.

Export vulnerabilities

In the Vulnerabilities page, you can export all vulnerabilities for a particular product, as well as all notes your team has made in identifying the risk each vulnerability poses to your organization.

There are two ways to export vulnerabilities, either from the Reports page or directly from the Vulnerabilities table.

Export vulnerabilities from Reports

Click the Reports item in the sidebar to display the Reports page.
Click the Export vulnerabilities button on the Vulnerabilities CSV card.

Export vulnerabilities from the Vulnerabilities page

In Vulnerabilities, select the product name and either all versions or a particular version.
Click Export vulnerabilities. This will export any vulnerabilities that you have not otherwise filtered out.

Ensure FDA readiness

Meet FDA requirements with your FDA SBOM report

Get the Medcrypt advantage with the only FDA expert-crafted SBOM that ensures you meet FDA SBOM requirements. We also provide a suite of other reports to enable you to export exactly what you need to meet auditor requirements. This will export your enriched FDA SBOM for all selected products in Excel format, including includes additional CPE/PURL, license, vulnerability remediation data, level of support and EOS/EOL data.

Export FDA SBOM

You can export your FDA SBOM from the Reports page.

From the reports page:

VEX and VDR reports

VEX report

After ingesting your SBOM, Helm will automatically match your components to known software in the NVD and package managers, which will bring forth potential vulnerabilities. Your VEX report contains all of your vulnerabilities that you have added a CycloneDX VEX status to, as well as any rescore information for your vulnerabilities.

Export your VEX report

Click the Reports item in the sidebar.
Click the product version drop-down. You can select one or multiple product versions.
In the Export VEX report card, click Export VEX report. This will export your VEX for all selected products in JSON format.

VDR report

Our VDR (Vulnerability Disclosure Reports) report offers comprehensive insights into identified vulnerabilities, these reports equip you with proactive mitigation strategies, bolstering your defense against emerging threats. Your VDR report contains all of your components, as well as all of your vulnerabilities, regardless of their remediation status.

Export your VDR report

Click the Reports item in the sidebar.
Click the product version drop-down. You can select one or multiple product versions.
In the Export VDR report card, click Export VDR report. This will export your VDR for all selected products in JSON format.

Cybersecurity best practices

Terminology

What is CPE?

Vulnerabilities can be identified through the use of three fields: CPE, PURL, and SWID. Helm supports CPE and PURL. CPE stands for Common Platform Enumeration.

What is CPE?

NIST defines CPE as a structured naming scheme for IT systems, software, and packages. It is based on the generic syntax for Uniform Resource Identifiers (URI) and includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. The CPE specification was designed for operating systems, applications, and hardware devices. It is maintained by the NVD.

How do I read a CPE string?

CPE format

CPE follows this format: cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

cpe_version: This is the version of the CPE definition. As of this writing, the latest CPE definition version is 2.3.
part: This can be one of three values: a for Applications, h for Hardware, o for Operating systems. It is sometimes referred to as type.
vendor: This identifies the person or organization that manufactured or created this dependency component.
product: This is the name of the system/package/component.
version: This is the version of the system/package/component.
update: This shows any update or service pack information, also known as minor versions.
edition: This describes the build of the system/package/component beyond version.
sw_edition (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
target_sw (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
target_hw (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.
other (2.3 only): This indicates the language of the system/package/component, such as en-us for US English.

What does a wildcard in a CPE string mean?

Anything that is a wildcard (*) means that no particular value was provided for that section, so it will encompass any applicable value in that section.

Examples

Application: If the URI is cpe:/a:microsoft:office:2007:sp2:professional then the CPE string is: cpe:2.3:a:microsoft:office:2007:sp2:-:*:professional:*:*:*

Operating system: If the URI is cpe:/o:microsoft:windows_7:-:sp1:x64 then the CPE string is: cpe:2.3:o:microsoft:windows_7:-:sp1:-:*:*:*:x64:*

Hardware (not supported in an SBOM): If the URI is cpe:/h:3com:3c13612 then the CPE string is: cpe:2.3:h:3com:3c13612:-:*:*:*:*:*:*:*

What does a wildcard indicate? Anything that is a wildcard (*) means that no particular value was provided for that section, so it will encompass any applicable value in that section.

Administration

Modify your organization name

If you need your organization name modified to accommodate company name changes, mergers, or acquisitions, just !

what's new

Get started with Helm

Overview

The Get Started page in Helm serves as the primary onboarding hub for new and existing users. Whether you're just starting out or looking to enhance your cybersecurity efforts, this page guides you through the essential steps to begin managing your cybersecurity risks effectively.Whether you're just starting out or looking to enhance your cybersecurity efforts, we have the tools and expertise to help you succeed.

Take control of your cybersecurity risk today

Upload SBOM

Upload CycloneDX, SPDX, or Yocto SBOM to start managing your cybersecurity risks and proactively responding to threats.

How to get started

Navigate to the products page.
Click Upload SBOM.
Select your SBOM file (CycloneDX, SPDX, or Yocto format).
Follow the upload wizard to complete the process.

Generate SBOM

We are currently working on this tool and it should be available in a future release.

Create FDA-compliant SBOMs with our downloadable SBOM generator tool. Supports Windows 11 and Ubuntu 20.x.

Check FDA readiness

Take our FDA readiness survey to ensure SBOM and vulnerability management compliance and avoid delays.

Why this matters

Identify compliance gaps before submission.
Get tailored recommendations for improvement.
Avoid regulatory delays and rejections.

Expert consultation

Consult with our former FDA reviewers and cybersecurity analysts for specialized guidance on regulatory compliance.

What you get

Access to former FDA policy experts.
Customized guidance for your device type.
Support throughout the approval process.

Integrate into your CI/CD pipeline

Integrate with our Helm API

Leverage our powerful to automatically create product versions, upload SBOMs, retrieve vulnerabilities and unmatched components, as well as generate FDA-ready reports.

Key capabilities

Automated product and version management
Programmatic SBOM uploads
Vulnerability data retrieval
Report generation

Integrate with GitHub action

Use our to automatically create product versions, upload SBOMs, retrieve vulnerabilities and unmatched components, as well as generate FDA-ready reports. Requires API access.

Setup requirements

GitHub repository access
Helm API credentials
SBOM files in your repository

Integrate with Microsoft Azure DevOps

Use our to auto-create product versions, upload SBOMs, retrieve vulnerabilities and unmatched components, as well as generate FDA-ready reports.

Setup requirements

Azure DevOps project access
Helm API credentials
SBOM files in your pipeline

Integrate with AWS

We are currently working on this integration and it should be available in a future release.

to automate SBOM uploads from S3 buckets and incorporate vulnerability data into your existing AWS workflows.

Planned features

S3 bucket integration
Automated data export
AWS service compatibility
Trigger-based exports

Integrate with Jira

We are currently working on this integration and it should be available in a future release.

to auto create, track, and update tickets for critical vulnerabilities, streamlining your remediation workflow.

Planned features

Automatic ticket creation
Vulnerability tracking

Get help and get unstuck fast

Access comprehensive guidance to maximize your vulnerability management capabilities and ensure regulatory compliance.

Quickstart process

Follow step-by-step instructions to upload your first SBOM, analyze vulnerabilities, and implement remediation strategies.

What's covered

Account setup and security configuration
and options.
Component matching and status resolution
Vulnerability and .

Component matching

to auto-match components to known software, or select from match recommendations for a comprehensive risk view.

Vulnerability prioritization

by rescoring based on your device's context. Leverage threat intel from CISA KEV and exploit databases.
for short-term and upgrade recommendations to resolve vulnerabilities quickly.

Compliance reporting

Generate our proprietary , , and to ensure successful regulatory submissions.

Ready to get started?

Here are the recommended next steps:

to begin analyzing your vulnerabilities.
to understand your compliance status.
that fit your development workflow.
for detailed implementation steps.

Experience the Medcrypt difference

Our team of former FDA policy experts and cybersecurity analysts provide comprehensive services throughout the total product lifecycle—from development to post-market monitoring. Combined with Guardian for device provisioning and Helm for vulnerability management, we offer complete support to help you create secure-by-design products and enhance cybersecurity at any lifecycle stage.

Assess your cybersecurity maturity: Evaluate your current security posture, identify gaps, and receive a tailored improvement roadmap from our FDA experts to strengthen your medical device security.
: Secure your connected devices with hardware-backed cryptography. Guardian provides device provisioning and authenticated communication channels to protect IoT devices and ensure data integrity throughout their entire lifecycle.
: Our comprehensive services have helped clients reduce FDA approval time from 180 to 45-60 days with a 100% approval rate across over 200 projects and more than 60 clients.

Need help?

Our is available to guide you through any aspect of getting started!

Manage component

Overview

You can view details about a component, including its licenses, how it was matched, and any review information. In the Software Bill of Materials (Products) page, select Actions ... > Manage component to modify component details.

The Manage component panel includes information on the product the component is in, the component itself and how it was matched, as well as its lifecycle and license information, and any review details. components table, select Actions ... > Manage component to modify component details.

Product details

Product name: This is your product name.
Product version: This is your product version.

Component details

Component name: This is the component (dependency) name (e.g., firmware, software, framework, library, file, operating system, etc.) that is installed on the physical representations of your device (e.g., Windows, OpenSSL). This is the component name from your SBOM.
Version: This is the version for this component name (e.g., 10.1 for Windows) from your SBOM.
Supplier: This is the organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager (e.g., Microsoft for Windows). This is the component supplier from your SBOM.

Auto-enrichment of CPEs and PURLs

Helm will automatically update and enrich your component's CPE or PURL if we are able to detect or derive a more precise match. You can if you require exact matches to the CPEs or PURLs you provide.

Enriched CPE: If Helm's AI copilot locates a match or a more precise match for your component's CPE, it will automatically populate that information into the Enriched CPE field for that component. If you already had a CPE, that is still retained in the Original CPE field.
Incomplete CPE: Helm will interpret incomplete CPEs (with at least 5 of the possible 13 segments of a CPE), Helm will now fill in missing CPE segments with a wildcard (*).
Enriched PURL: If Helm's AI copilot locates a match or a more precise match for your component's PURL, it will automatically populate that information into the Enriched PURL field for that component. If you already had a PURL, that is still retained in the Original PURL field.

This information will be included see this information in the components table in now export this enriched info for any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report.

Match details

This is how Helm matched or attempted to match your component.

Match status: This shows the current , as well as what were matched on.
Vuln source: This is the source where we located this component. This is currently always NVD. If it was not in the NVD, it will show a badge.
Matched by:

Lifecycle details

When building a new device, you can ensure that your component is actively maintained or prioritize upgrading to a more stable version. When updating devices in the field, you can prioritize upgrades for components that are nearing end-of-support or end-of-life. This will help you ensure that the stability and security of your device throughout its lifecycle.

This information will also be populated into your or .

Level of support: Specify whether the component is actively maintained or not. You can specify a date or text value.
EOS/EOL: Provide an EOS or EOL date or other text value.

Ensure consistent lifecycle information across portfolio

to automatically update lifecycle information for particular component criteria across products in the Rules manager.

License details

The License details section displays comprehensive license information for each component. Helm supports ingestion of licensing information from CycloneDX and SPDX SBOMs and enriches this information via partnership integration with Tidelift. Refer to for more information.

License information fields

License type: This field is populated from the license information in your SBOM and can be one of the following:
License expression: For components combining multiple SPDX licenses with AND or OR, or using a SPDX license exception
Individual licenses: If your SBOM component contains multiple SPDX licenses that are not combined with AND or OR (or +) or if your component has custom licenses
No license (NONE in SPDX)

Automatic license enrichment

For components with "No license" or "Unknown" status, Helm automatically attempts to identify and add license information for open-source components that have unique PURLs, using data from Tidelift partnership integration.

Automatically add missing component license information

Helm will detect and automatically enrich missing licenses for any new SBOM components that do not have any license associated with them. You can also have Helm automatically add license information for your existing components.

For any component that you want to enrich with license information, click Actions > Reload component.
You'll be prompted to confirm this reload, as it will discard any metadata (e.g., review information, match status, associated vulnerabilities, etc.). This will then re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

Review details

This shows the last review added for this component. You can also add your own review or view all review information.

Review status: Shows whether the component has been reviewed or needs to be reviewed. You can click this badge to set a new status.
Last reviewed on: Shows the last time a user reviewed this component.
Last reviewed by: Shows who last reviewed this component.
Last review: This is the last review note made on this component to inform the team or progress, final status, or critical risk.

Edit individual component

This topic covers managing component details, but all other component actions are available from the Actions column of the components table.

On the component you want to edit, click Actions ... > Manage component.
Click Edit on the section you would like to edit. Note that you cannot edit the Match details section.
If you edit fields in the Component details section, then save your changes, you will be prompted to reload this component. Note that this will assess the component anew, which will lose any previous metadata, including matching, EOS/EOL, licensing, or review information that you have manually added.

Delete component

Click Actions > Remove (Delete) component. You will be prompted to confirm, as you cannot recover deleted components. This will only delete this component from this product version.

Manage vulnerabilities

Overview

After you’ve matched SBOM components to software components in the NVD, which could be one or more match sources, you’ll be able to see any reported vulnerabilities for those components.

IMPORTANT: If you have a Matched status that does not have an NVD badge, this has not been matched in the NVD, which means that it either does not have vulnerabilities or has a different name in the NVD. Refer to for more information. You must identify an exact match in the NVD in order to see vulnerabilities for that component.

View vulnerabilities

In the Vulnerabilities table, if you don't have a product and version selected, you'll see all vulnerabilities for all products across all versions. Select a product and version to filter down to just those vulnerabilities.

Vulnerability columns

You can to best meet your needs.

General info and patching

Vuln ID: This is the vulnerability ID. You can click on the vulnerability to open the vulnerability details, from which you can access this vulnerability in the NVD database. Currently, all of these are CVEs from the NVD, but we are working on adding more vulnerability types, including OSV.dev and private vulnerabilities, so if you need these or others!
- KB badge: For Windows vulnerabilities, if there is an available KB to patch this, you'll see a KB badge. . The top KB will generally have the most rollup patches.
- Shield icon:

Risk assessment

CVSS scores: If you have an older device, you may not have v3 scores. For newer devices, they may not have v2 scores. If you have both scores, it is recommended that you use the v3 score.
- v3: This indicates the CVSS v3 score for this vulnerability. You can filter to show just v3 scores if available.
- v2: This indicates the CVSS v2 score for this vulnerability. You can filter to show just v2 scores if available.

Remediation

CycloneDX status: Filter on CycloneDX remediation statuses, such as what's exploitable, in triage, or resolved.
VEX status: Filter on CycloneDX VEX statuses.

Available actions

Your next action on a vulnerability depends on the type of vulnerability and its current status.

Windows vulns: in bulk or individually.
Remediate: in bulk or individually.
Rescore: in bulk or individually. This ensures you stay focused on the most exploitable vulns according to your device's unique environment and usage.
Get AI guidance: Select one or more vulns to get upgrade and short-term mitigations, as well as sources referenced in these recommendations.

Remediation statuses

When remediating a vulnerability, you can specify either a CycloneDX or VEX status, or both.

CycloneDX:

This indicates whether your product is impacted by this vulnerability. Statuses include:

Not_affected: No dependency component is affected by the vulnerability. If you select this status, you need to include Justification.
False_positive: The vulnerability does not affect any dependency components and was falsely identified.
In_triage: You or someone on your team is investigating this vulnerability.
Exploitable: The vulnerability does affect one or more dependency components, and may be directly or indirectly exploitable.

CycloneDX VEX:

This indicates whether your product is impacted by this vulnerability. This is the VEX profile of CycloneDX, so the statuses are a little less robust than those of OpenVEX. if you would like us to offer OpenVEX in the near future.

Statuses include:

Affected: This vulnerability impacts one or more dependency components in this product version's SBOM. If you haven’t reviewed these yet, click Actions > Remediate.
Unknown: Your team does not currently have an answer as to whether this vulnerability impacts this product. Click Remediate to assess it further.
Not_affected: This vulnerability does not have a known impact to any of your dependency components in this product version's SBOM.

Vulnerability filters

Narrow down vulnerabilities by criteria such as severity, exploitability, and threat information.

Vulnerability details

Vuln ID: Search by vulnerability ID, such as a CVE ID.
Updated on: Select a date range to see all vulnerabilities updated in external sources during that timeframe. This does not include updates made by your team during security review and analysis.

Vulnerability vector info

Search by attack vector, attack complexity, and other CVSS metrics. Refer to for more information.

Severity details

Any CVSS score: If you're not interested in CVSS v2 scores, select the Any CVSS filter > CVSS 3 (if available). This will only return CVSS v2 scores if no CVSS v3 scores are available.
CVSS: Search for all CVSS scores greater than or equal to a particular number. For example, searching on 8 will give you 8-10.
- Critical scores: 9 to 10

Exploitability details

Any exploit source: Search all or selected exploitability and threat sources, including CISA KEV, ExploitDB, Top CWE, Metasploit, and NVD.
Any source: Filter down on vulnerabilities that are in the NVD or that are derived by our AI copilot from many data sources.

Remediation details

Any patch status: earch for all Windows vulnerabilities that have a patch available, are patched, or are not patched with a Windows KB.
Any CycloneDX status: Filter by CycloneDX aremediation status. To see which vulnerabilities do not have a CycloneDX remediation status, select Not set.
Any VEX status: Filter by CycloneDX VEX remediation status. To see which vulnerabilities don't have a VEX remediation status, select Not set.

Tech stack details

Affected tech stack: Check whether your tech stacks are at risk. If so, they will display in the Impacted tech stacks column with a high severity orange badge. You can click any tech stack badge to get AI-driven upgrade and short-term mitigation recommendations, as well as dig into sources provided.
Not affected tech stack: If a tech stack is explicitly determined to be not affected, they will display in the Impacted tech stacks column with a gray badge.

CVSS score persistence

The originally assigned CVSS v2 and v3 scores are retained in our database and continue to be displayed in the vulnerability information, even if they no longer appear in the latest NVD feed.

In cases where the NVD has assigned CVSS v2 or v3 severity scores to CVEs and later removed those scores, our system maintains the original scores for consistency. This approach provides several benefits:

Maintains consistent vulnerability severity ratings over time
Prevents vulnerability assessments from unexpectedly changing due to NVD data updates
Ensures historical vulnerability records remain intact with their original severity classifications
Provides more stable reporting for compliance and audit purposes

Manage licenses

Helm supports the ingestion of licensing information from CycloneDX and SPDX SBOMs, and enriches this information via our partnership integration with Tidelift. You can also manually enter or modify license details as needed.

For each component, you can view its details or manually modify it to add licensing information. All licensing information displays in the License details section of the component details panel.

Supported SPDX licenses

For active SPDX licenses, these will be automatically linked to the corresponding license URL from the .
If you have deprecated SPDX licenses in your SBOM, Helm will retain the URL.
Helm also handles .

Ingest licenses from CycloneDX SBOMs

Helm populates license information from the following sections in a CycloneDX SBOM:

components > licenses: The primary source for license information. Each component must include either a license ID, name, or SPDX expression.
components > pedigree > notes: This will be populated into the License comments field. Because this notes field applies to all components in a CycloneDX SBOM, the information in this field will be applied to all licenses for a particular component.

Helm does not support license information populated from other sections of a CycloneDX SBOM. Any such information will be retained in exports but ignored in the UI.

Ingest licenses from SPDX SBOMs

A SPDX SBOM contains packages, each of which could be a file or set of files, grouped by the SBOM author. These files could be one or more files of any type including but not limited to source, documents, binaries, etc. Helm processes each package as a component. A SPDX SBOM can contain licensing information at the package, file, or even code snippet level. For every package that contains licensing, Helm populates that license information into the dependency component's details in the Licenses section.

Helm processes each package as a component and populates license information from the following fields:

PackageLicenseConcluded: The primary field for populating the license name. If missing, Helm will use the PackageLicenseDeclared field.
ExtractedLicensingInfo: If present, this section provides license names and text for custom or non-SPDX licenses. When a custom license is added, you can manually enter the license name, but the URL will not display.

Helm does not currently handle file-level licensing. If you need this, ! If your SBOM includes file-level license information, it will be included in the export but not displayed in the UI.

SPDX spec version

Although Helm supports SPDX 2.2 and 2.3, this article uses the with license list 3.17. Helm supports SPDX license exceptions, deprecated SPDX license IDs, and all version lists.

If your SPDX version or license list version is different, SBOM section names or field names may differ, you should check your particular SPDX spec version.

Identify and automatically add missing licenses

Helm has partnered with Tidelift to enrich license information for open-source components that lack licensing details:

Component license is set to No license (NONE in SPDX): If a component in your SBOM lacks a license but has a unique PURL or Helm can generate the correct PURL, Helm will check with Tidelift to determine if any licenses are associated with that component. If so, Helm will add those licenses to provide you with a comprehensive view of licensing info and identify licensing risks across your supply chain.
Component license is set to Unknown (NOASSERTION in SPDX): If your SBOM component license is set to Unknown (NOASSERTION in SPDX), but Tidelift indicates that there is one or more licenses associated with that component, we will add those licenses for you.
Component has one or more licenses: If your SBOM component has at least one license, but Tidelift shows that it is inaccurate or that there are additional licenses associated with this component, we will not update this license information. If this is something that you would like us to add,

If you'd like us to consider adding the ability to prompt you with license replacement suggestions, .

Automatically generate a license for an existing component

For existing components, you can have Helm automatically add license information. In the components table, click Actions > Reload component. Note that reloading will discard any metadata you may have added to this component, such as review information, and will re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

View license information

The Licenses section of the component details panel displays the following fields:

License type: This field is populated from the license information in your SBOM.

License expression:
- For components combining multiple SPDX licenses with AND or OR, or using a SPDX license exception.
- Individual licenses: If your SBOM component contains multiple SPDX licenses that are not combined with AND or OR (or +) or if your component has custom licenses, choose this option.

License name:

SPDX SBOMs

For SPDX SBOMs, this field is populated from the SBOM’s PackageLicenseConcluded, PackageLicenseDeclared, or ExtractedLicensingInfo sections. PackageLicenseDeclared will only be used if PackageLicenseConcluded field in the SBOM is blank or omitted.

If the package-level licensing has a LicenseRef[idstring] and that LicenseRef[idstring] matches one in the ExtractedLicensingInfo section, the license name and full license text will be populated from that section into License name and License text, respectively. If the license name is missing, the term Custom license will be used as the license name.
Non-SPDX license in your SPDX SBOM: If your SPDX SBOM contained the ExtractedLicensingInfo section, the License name field will be populated with the corresponding license name from ExtractedLicensingInfo > name

CycloneDX SBOMs

This field is populated from the components > licenses > license > id field if the id field in used in the SBOM, or the components > licenses > license > name field if it exists.
CycloneDX SBOM does not contain licensing info or licensing info is empty: Since there is no corresponding defined term for missing CycloneDX licensing information, this will show as Not set.

License URL:

For SPDX licenses, this field is automatically populated from the SPDX license list and is uneditable.
The URL does not display for custom licenses. If this is something that you would like us to add, .
CycloneDX SBOM: This is populated from the components > licenses > license url field.

License text:

SPDX SBOM: For custom licenses, this will be populated from the ExtractedLicensingInfo > text section of SPDX SBOMs.
You can add or modify license text for both SPDX and custom licenses.

License comments:

SPDX SBOM: This is only populated from the package-level PackageLicenseComment field.
CycloneDX SBOM: There is at least one SPDX license ID in the components > pedigree > notes field. Some automatic scanning tools will automatically populate either the SPDX license full name or an AND/OR SPDX expression here. If the notes field exists in your SBOM file, it will be added as License comments for all of the licenses for that particular SBOM component.

License source:

SBOM: The license information was populated directly from your SBOM.
System: For open-source components that have unique PURLs but do not have license information, Helm checks Tidelift to determine if there are known licenses for those components. If so, Helm enriches the component with that information. Helm will only for components that do not have any license information; it will not add licenses to components that already have one or more licenses, nor will it replace existing licenses.
User: License was added or modified by a user.

What does it mean to have a unique PURL?

A component's unique PURL could be either the original PURL for that component that was in your SBOM file, or a PURL that Helm added or enriched during the component matching process.

Add component license

Click Add dependency component from the Add SBOM (Manage SBOMs) drop-down button.
Specify the required fields.
In the License details section, select a License type. Choose License expression if you have one or more SPDX licenses in an expression (e.g., connected with AND, OR, or WITH) or Individual licenses if you have one or more SPDX or custom licenses (not in an expression) that you want to add to a component. You can also select Unknown or No license.

Edit component license

Click Actions > Edit details to open the component details.
In the License details section, click Edit in the license section you want to edit.
If you just want to edit license type, license text or license comments, click the edit icon next to that field. Any edits you make to the license comments will be applied to all other licenses for this component.

Delete component license

Click Actions > Edit details to open the component details.
In the License details section, click Edit in the license section you want to edit. This will display a Delete action.
Click Delete, then confirm the deletion. You cannot recover a deleted license or its related data. If you are deleting the only license associated with this component, this will also delete any license comments.

Add or edit deprecated licenses

You can ingest or manually add or edit deprecated SPDX licenses. Deprecated SPDX licenses are available in the Deprecated licenses section of the License type drop-down.

Filter component licenses

You can filter licenses on the SBOM page to narrow down your view:

SPDX license ID
License name
No license (NONE for SPDX)
Unknown (NOASSERTION for SPDX)

Export SBOM with license information

You can export your SBOM with enriched license information in the following formats. Click Reports in the sidebar, then select your preferred format.

FDA SBOM: Excel format.
Vulnerability Disclosure Report (VDR): JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.
CycloneDX SBOM: JSON format. Missing license information will be noted as Unknown (NOASSERTION in SPDX) in the export.

Cybersecurity is everyone's responsibility

"Resilience is the capacity to recover quickly from difficulties. This should be the essence of your cybersecurity strategy"
-Stephane Nappo, 2018 CISO of the year

Today's cybersecurity challenges (2025)

Cybersecurity teams across all industries face mounting challenges, but medical device manufacturers face unique pressures that require organization-wide collaboration:

This list is not exhaustive and constantly evolving. No single team can address these challenges without organization-wide cooperation and shared accountability.

Technical challenges

Legacy and technical debt: Older devices that weren't designed with current security standards.
Complex dependency relationships: Understanding vulnerabilities across interconnected software components
AI/ML security concerns: New attack vectors targeting artificial intelligence in medical devices.
Supply chain vulnerabilities: Third-party software and hardware components introducing unknown risks.

Operational pressures

Resource constraints: Doing more with smaller budgets, fewer cybersecurity specialists, and limited tools
Regulatory complexity: Navigating FDA cybersecurity requirements, CISA reporting, and international standards
Last-minute priorities: Security often competing with feature delivery and time-to-market pressures
Remote work security: Securing development and support activities across distributed teams

Evolving threat landscape

Ransomware sophistication: Attackers specifically targeting healthcare infrastructure
Zero-day vulnerabilities: Unknown exploits requiring rapid response capabilities
Nation-state attacks: Advanced persistent threats targeting critical infrastructure
Social engineering evolution: Increasingly sophisticated phishing and manipulation tactics

Information and accountability gaps

Vendor transparency issues: Difficulty getting timely vulnerability information from suppliers
Audit and compliance burden: Demonstrating cybersecurity effectiveness to regulators and customers
Skills shortage: Limited cybersecurity expertise within medical device organizations
Paradigm shift requirements: Moving from customer-managed security to manufacturer-assured security

Medical device cybersecurity: Everyone's role

Executive leadership

Why it matters: FDA now requires "reasonable assurance of cybersecurity" - this is a business and legal responsibility

Your role:

Resource allocation: Ensure adequate budget and personnel for cybersecurity initiatives
Strategic integration: Make cybersecurity part of business strategy, not just IT function
Culture setting: Demonstrate that security is a core value through actions and decisions
Regulatory accountability: Understand that cybersecurity failures can result in FDA enforcement

Product development teams

Why it matters: "Security by design" is now required under 21 CFR Part 820

Your role:

Secure coding practices: Follow established secure development guidelines and training
Threat modeling participation: Contribute domain expertise to identify potential attack vectors
Security requirement implementation: Build security controls as primary features, not add-ons
Vulnerability reporting: Immediately escalate potential security issues discovered during development

Quality and regulatory affairs

Why it matters: Cybersecurity documentation is now mandatory for FDA submissions

Your role:

SPDF integration: Ensure Secure Product Development Framework is embedded in quality processes
Documentation management: Maintain comprehensive cybersecurity evidence for regulatory submissions
Risk assessment coordination: Integrate cybersecurity risk with traditional safety risk management
Compliance monitoring: Track evolving regulatory requirements and ensure organizational alignment

Manufacturing and operations

Why it matters: Compromised manufacturing systems can inject malware into medical devices

Your role:

Secure production environments: Implement and maintain cybersecurity controls in manufacturing systems
Supply chain verification: Validate security of components and materials from suppliers
Configuration management: Ensure devices are deployed with secure, validated configurations
Incident detection: Monitor for and report potential cybersecurity incidents in operations

Sales and support

Why it matters: You're often the first to learn about customer cybersecurity concerns

Your role:

Customer education: Help customers understand and implement device security requirements
Incident identification: Recognize and escalate potential cybersecurity issues reported by customers
Security communication: Provide accurate information about device security capabilities and limitations
Feedback collection:

All Employees

Why it matters: Social engineering attacks target everyone, and insider threats are a major concern

Your role:

Security awareness: Recognize and report phishing, suspicious activities, and potential threats
Policy compliance: Follow established cybersecurity policies and procedures consistently
Continuous learning: Stay informed about cybersecurity threats and best practices
Incident reporting: Immediately report suspected cybersecurity incidents without fear of blame

Building a cybersecurity culture

"Resilience is how we go on the offensive in Information Security." —Leigh McMullen, Gartner

Education and awareness

Regular training programs: Cybersecurity education tailored to different roles and responsibilities
Medical device-specific scenarios: Training that addresses healthcare cybersecurity challenges
Current threat briefings: Regular updates on evolving cybersecurity threats and attack methods
Hands-on exercises: Simulated phishing attacks and incident response drills

Organizational empowerment

Clear escalation paths: Everyone knows how to report cybersecurity concerns quickly
Blame-free reporting: Encourage reporting of mistakes and potential incidents without punishment
Security champions: Identify and empower cybersecurity advocates within each team
Cross-functional collaboration: Break down silos between cybersecurity, quality, engineering, and operations

Accountability and recognition

Defined responsibilities: Clear cybersecurity expectations for every role in the organization
Performance integration: Include cybersecurity responsibilities in job descriptions and reviews
Positive reinforcement: Recognize and reward good cybersecurity behaviors and incident reporting
Continuous improvement: Regular assessment and enhancement of cybersecurity culture

Systematic risk management

Integrated risk assessment: Combine cybersecurity risks with traditional safety and quality risks
Threat modeling participation: Include diverse perspectives in identifying potential attack vectors
Vulnerability management: Systematic processes for identifying, assessing, and addressing vulnerabilities
Incident preparedness: Regular testing and refinement of cybersecurity incident response procedures

Medical device-specific considerations

Patient safety integration

Clinical impact assessment: Understand how cybersecurity failures could affect patient care
Healthcare workflow security: Design security controls that work within clinical environments
Emergency access procedures: Ensure cybersecurity doesn't prevent critical patient care
Provider communication: Clear guidance on cybersecurity responsibilities for healthcare customers

Regulatory compliance

FDA guidance implementation: Systematic approach to meeting evolving cybersecurity requirements
Documentation culture: Everyone understands their role in creating regulatory evidence
CISA reporting preparedness: Organization-wide awareness of incident reporting requirements
International considerations: Cybersecurity compliance across global markets and regulations

Lifecycle management

Development to deployment: Security responsibilities across entire product lifecycle
Post-market monitoring: Everyone's role in identifying and addressing field cybersecurity issues
Legacy device management: Strategies for maintaining security of older devices
End-of-life planning: Secure decommissioning and data protection procedures

Practical implementation steps

Immediate actions

Assess current culture: Survey employees on cybersecurity awareness and responsibilities
Define role-specific expectations: Document cybersecurity responsibilities for each position
Establish communication channels: Clear, accessible paths for reporting cybersecurity concerns
Start training programs: Begin with basic cybersecurity awareness for all employees

Medium-term development

Integrate with business processes: Embed cybersecurity into existing workflows and procedures
Develop internal champions: Identify and train cybersecurity advocates within each team
Create feedback loops: Regular assessment of cybersecurity culture effectiveness
Enhance technical capabilities: Provide role-specific cybersecurity tools and training

Long-term culture building

Leadership modeling: Executives consistently demonstrate cybersecurity commitment
Performance integration: Cybersecurity becomes part of regular performance management
Continuous evolution: Culture adapts to changing threats and regulatory requirements
Industry engagement: Participate in cybersecurity information sharing and best practice development

Key takeaways

Bottom line: In today's threat environment, medical device cybersecurity cannot be delegated to a single team. Organizations that successfully integrate cybersecurity into their culture will be better positioned to protect patients, comply with regulations, and maintain business resilience in an increasingly complex digital healthcare ecosystem.

Cybersecurity is a business imperative: Not just an IT problem, but essential for regulatory compliance and patient safety
Everyone has a role: From executives setting strategy to employees recognizing phishing attempts, security is everyone's responsibility
Medical devices are special: Healthcare cybersecurity requires unique considerations for patient safety and clinical workflows
Culture enables technology:

Manage access

Access overview

Helm uses enterprise-grade access control designed for growing organizations managing vulnerability data across departments, business units, and teams while maintaining security and compliance.

Workspaces bring organizational structure to Helm with granular permissions, enabling you to control exactly who accesses which products and vulnerability data across your entire portfolio.

Three-level permission system

Helm uses a three-level permission system to control who can access your products and vulnerability data:

Org owner: Has complete access to everything in your organization. Creates workspaces and assigns Workspace admins and Users to workspaces.
Workspace admin: Has full control within assigned workspaces. Can create products, invite users, and set all permissions within their workspace(s).
User: Has specific permissions you assign. Gets access to particular products within a workspace, with separate permissions for SBOM and vulnerability data.

How workspaces organize access

Workspaces are organizational containers that separate different areas of your business - departments, teams, or business units. This ensures that only people in your workspace can access your products, SBOMs, and vulnerability data.

Each product belongs to exactly one workspace and cannot be moved between workspaces. This ensures clear organizational boundaries, prevents accidental data exposure, and maintains audit trail integrity.

Team members are assigned roles within each workspace they have access to. The same person might be a Workspace admin in Engineering but a User in the Marketing workspace.

Permission flow

Access control follows a specific sequence:

Team members are assigned a role within a workspace (Workspace admin or User)
1. Workspace admins automatically get full access to all products in their workspace
2. Team members with the User role get no access until you specifically assign them to products
For each User, you will add each user to the product, then set their SBOM permissions and vulnerability permissions (Modify, View, or None), respectively.

Key capabilities

Organize by department: Separate teams into distinct workspaces (Engineering, R&D, Marketing) ensuring teams only access their relevant products, SBOMs, and vulnerability data.
Flexible permission combinations: Assign any combination of SBOM and vulnerability permissions per product - modify both, view both, modify one and view the other, or grant access to only one area.
Centralized user management: Invite and manage users from a single location, assign them to multiple workspaces at once, and track pending invitations with automatic 7-day expiration for security.

Administration interface

If you have the role of Org owner or Workspace admin, you’ll see an Administration icon on the sidebar. You can manage your workspaces, users and products from here.

tab

Create and manage workspaces
Create products within workspaces
Invite users to workspaces

When you click into a specific workspace, you'll see Workspace users and Workspace products subtabs for that workspace.

Workspace users subtab: Invite users to a workspace and manage users and their roles in this workspace.
Workspace products subtab: Create products, rename products, set product access

tab

View all users across the organization
Org owners can invite users to multiple workspaces
Only org owners can remove users from the Users tab, which will remove the user from the organization
Workspace admins can view users across the organization, but will only see the workspace access of users in workspaces that the Workspace admin has control of.

Get started

As Org owner, you are the only one who can create workspaces, but your workspace admins can take care of everything else.

As the Org owner, you'll first need to .
During workspace creation, you can invite users to your workspace, and set their respective role in that workspace. You can also skip this step and invite them later.
1. Workspace admins automatically get full access to all products in their workspace, so you only need to set specific permissions for User-role members.

Users tab: Invite and manage users

In the Users tab, permission vary by role:

Org owner:
- Remove users from the Users tab - this will revoke all access and remove them from the organization. You can re-invite them, but cannot undo this change.
Both org owner and workspace admins can:

Invite users to a workspace

The Org owner can invite users to a workspace from the Users tab.

In the Users tab, click Invite users.
Enter the user's email.
1. When the user accepts the invite and signs in for the first time, they will be prompted to provide their full name.
Select the this user should have access to.

Manage users

In the Users tab, you will see a list of all users.

You can filter down to a particular workspace to see those assigned users.
You can manage user access to products within the workspace the product is assigned to.

Change user role

Team members with higher permissions can change the role or with lower permissions, thus:

Org owner can change the role or remove anyone from the user list
Workspace admins must go into a workspace to manage users (e.g., change role, remove, set product access)
Change user role or product access: When you change role or product access permissions for a team member, you will need to let them know about this change.

Remove users from organization list

Only org owners can remove users from the organization list.

On each user you want to remove, click the action overflow ... button > Remove from organization. This will display a confirmation modal.
Confirm the access revocation. You'll see a toast notification that the users were removed.
1. Removed users will not get an email notification of this change.
2. You can always re-invite a user that has been removed.

User roles

You can assign users full workspace privileges as Workspace admins, or you can assign them the User role, then configure their permissions to view and modify your SBOM and vulnerabilities.

Org owner role

There is only one Org owner. This user has full access to all workspaces within your organization, and can:

Manage all users across organization, including removing user access completely.
Invite new and add existing users to one or more workspaces, and set their roles within each workspace.
to automatically link software across all workspaces to known software in the NVD.
to automate population of level of support and EOS/EOL information.

Workspace admin role

This user has full admin permissions to a workspace and can:

Invite new or add existing users to a workspace, and set their roles within the workspace
and products and product versions in any workspace.
Change the role of team members with the User role or remove them from the workspace.
Be a Workspace admin in multiple workspaces, or have a lower role in another workspace. Their permissions must be set in each workspace they will have access to.

This role cannot:

Create workspaces
Create alias or lifecycle rules
Change the role of other workspace admins
Remove users from the organization

User role

Has to selected products only

Workspaces tab: Create and manage workspaces

Workspace overview

A workspace is a way of separating areas of a business, such as departments, teams, business units. This ensures that only people in your workspace can access your products, SBOMs, and vulnerability data.

From the Workspaces tab, you can:

Create and manage workspaces
Create products within a workspace
Invite new or add existing to each product in the workspace
Manage existing users and their product access for each workspace

Create a workspace

Org owner role

If you're the Org owner, you can view and manage all workspaces.

Click Administration in the sidebar, then click the Workspaces tab.
Click the Create workspace action link in the toolbar. This will display the Create workspace panel.
1. You can invite new or add existing users now or at a later time.

Workspace admin role

If you're a Workspace admin, you will need to contact your Org owner to create another workspace and assign you to it. You can see who your Org owner is in your user avatar drop-down in the main navigation.

Create a product to associate with a workspace

In the Workspaces tab, click the Manage products link on a workspace card.
- If you do not have products in this workspace yet, click the Go to products page button. You can add products and product versions from this page.
  - On the Products page, click the Upload SBOM button or Create product link to create your first product.

Set user access for products within a workspace

Users can be granted permissions to view or modify SBOMs and vulnerabilities within a workspace. Their permissions must be set in each workspace they will have access to. Users can be assigned SBOM and vulnerability modification or viewing permissions for each product they are assigned to.

Navigate to Administration > Workspaces tab.
1. This will display the card list of workspaces.
2. Workspaces are ordered alphabetically.
Click Manage products on the workspace card. This will display the Workspace products tab and the

Invite users to a workspace

As an Org owner or Workspace admin, you can invite new users into a particular workspace from the Workspace users tab within that workspace or can .

Navigate to Administration > Workspaces tab.
Click the Manage users link on the workspace card. This will display the Workspace products and Workspace users tabs, with the Workspace users tab selected.
In the Workspace users tab, click Invite new users. This will display the Invite users wizard.

User permission combinations

Modify SBOMs and vulnerabilities: This user has full access to that product. All workspace admins will be automatically set to this.
Modify SBOMs, view vulnerabilities: This user has the following permissions:
- Upload SBOMs
- Create and manage components, as well as apply suggested matches for components

Rename a workspace

In the Workspaces tab, click the actions overflow ... button > Rename workspace.
In the panel that displays, edit the workspace name, then click Rename workspace.
1. You'll see a toast notification that your workspace was updated.

Remove users from a workspace

To remove users from a workspace, go to the Workspaces tab.
1. If user only has access to one workspace, this will remove them from Users tab as well. You can always send them a new invite.
Click Manage users link on the workspace card. This will display the Users tab with all users in this workspace.

Transfer org ownership

If you need to transfer org ownership, so we can make this adjustment for you.

Changelog

Versioning schema

In order to get new features to you as quickly as possible, if you are tracking versions in QMS, note that we currently have a web UI version and a core infrastructure version. Versions are depicted with web UI version first, followed by core infrastructure version, e.g., v3.2.0 | 2.71.1

How can I see my Helm versioning?

Click Help > About in the sidebar to view version information.

v4.6.11 | 2.115.0

Dec 9, 2025

Enhancements:

API Key Generation: Removed special characters from the API key generation process for improved consistency and reliability.
FDA Spreadsheet Styling: Fixed header styling issues on the FDA spreadsheet.
SDK Update: Enhanced the VEX reporting functionality by adding the custom property medcrypt:exports:cdxVex:reportId to the SDK. This property allows for a unique ID to be included in the generated VEX report for enhanced tracking.

v4.6.10 | 2.114.1

Nov 20, 2025

Enhancements:

Refined Product Management: The workflow for archiving, unarchiving, and removing products and product versions has been streamlined for better clarity and usability.
Enhanced Global Search: Added the Workspace name column to the global SBOM and CVE search results. Users can now see which workspace an item belongs to in the global search page.
Cloud environment migration for MCAI enhanced features.

v4.6.4 | 2.113.10

Nov 6, 2025

Workspaces bug fixes

We've fixed several issues to improve your Workspaces experience:

Navigation & permissions

Fixed tab logic on the Administration page when workspace admins navigate between workspaces and the All Workspaces view
Workspace admins can now only invite users to workspaces they control (fixed workspace drop-down filtering in the Invite user panel)
Organization owners can no longer be removed from workspaces

Access management

Adding users to workspaces from the Add to workspace button no longer disrupts the Invite user panel's existing users section
Workspace admins can now create and remove products within their own workspace

UI improvements

You can now remove products and product versions from their respective drop-downs in the breadcrumb trail
Empty rows no longer appear in the Import remediations table

v4.6.2 | 2.113.10

Oct 31, 2025

Introducing workspaces

Scale your security operations with enterprise-grade access control designed for growing organizations managing vulnerability data across departments, business units, and teams.

Key benefits:

Three-tier permission system Assign roles at the organization, workspace, and product levels with granular SBOM and vulnerability permissions (None, View, Modify) for each product, ensuring team members have exactly the access they need.
Complete access control Create separate workspaces for departments, business units, or teams, ensuring users only see products and vulnerability data relevant to their role while maintaining clear organizational boundaries.
FDA submission readiness Control which team members can generate and access FDA-ready reports (VEX, VDR, SBOM exports) based on their permissions, ensuring proper oversight of regulatory documentation.

Find out more about workspaces:

v4.5.6 | 2.111.2

Oct 12, 2025

Enhanced GitHub action parameters for more granular control over product and version creation

We've improved our to give you more precise control when automating SBOM uploads. Admin users now have the ability to create products as well using below parameter.

create-product-if-not-found: Set to true to automatically create the product if it doesn't exist in Helm
create-version-if-not-found: Set to true to automatically create the product version if it doesn't exist in Helm

This enhancement allows you to independently control whether products and versions are created during your CI/CD workflow, providing more flexibility in managing your SBOM automation strategy. Both parameters default to false to prevent unintended product or version creation.

v4.5.6 | 2.111.2

Sept 25, 2025

Added ability to import CSV or Excel SBOM

You can now file to Helm and have it automatically converted to a CycloneDX SBOM. You can preview the data before uploading to Helm. This was one of our most requested features and eliminates the need to manually convert your CSV files. This feature is in beta, so let us know if you experience any issues or have ideas on how we could improve this process to better meet your needs.

v4.5.3 | 2.111.2

Sept 4, 2025

Summary

Enhanced CycloneDX SBOM processing with dependency data
UX improvements

Enhanced CycloneDX SBOM processing with dependency data

Helm now captures and preserves dependency relationships when processing CycloneDX SBOMs. When you upload a CycloneDX SBOM that contains dependency information, this data is now retained and included when you export back to CycloneDX format. This ensures fidelity and completeness when working with CycloneDX SBOMs that include component relationship data.

UX improvements

Enhanced CVSS scoring with third-party scores from the NVD 2.0 feed

v4.5.3 | 2.110.1

Sept 2, 2025

Summary

Added ability to skip/override auto-matching by CPE/PURL
Updated dashboard overview cards to represent total values
UX improvements & bug fixes

Added ability to skip/override auto-matching by CPE/PURL

There is now a Settings drop-down in the components table that allows you to skip/override Helm's auto-matching process if at least one CPE that was manually added by a user is present either before or after an SBOM is loaded. The new SBOM will be merged to whatever SBOM has already been created/uploaded.

Updated dashboard overview cards to represent total values

The Total products, Ratio of product versions with SBOMs, and Total dependencies cards in the Dashboard now represent total values over time. All active products that have not been archived are calculated in these totals.

UX improvements & bug fixes

Enhanced accuracy of the Ratio of product versions with SBOMs card on the Dashboard.
Fixed issue in Administration > Manage users where not all users were displaying in the list.

v4.5.2 | 2.109.5

Aug 27, 2025

Summary

Added ability to bulk rescore vulnerabilities across all or selected vulnerabilities in a product portfolio
Added ability to bulk rescore vulnerabilities across selected components in a product version
Added ability to bulk update components
Added custom license filtering

Added ability to bulk rescore vulnerabilities across all or selected vulnerabilities in a product portfolio

You can now select multiple vulnerabilities across products and versions, then click Rescore X vulns. As with rescoring vulnerabilities within a product version, you can set the Temporal score and Environmental score values, then click Save & apply. If you turn on Auto-update all vulnerabilities, all of these vulnerabilities will be automatically rescored whenever there are Temporal updates.

Added ability to bulk rescore vulnerabilities across selected components in a product version

You can now select multiple vulnerabilities across products and versions, then click Rescore all vulnerabilities. As with rescoring vulnerabilities within a product version or across product versions, you can set the Temporal score and Environmental score values, then click Save & apply. If you turn on Auto-update all vulnerabilities, all of these vulnerabilities will be automatically rescored whenever there are Temporal updates.

Added ability to bulk update components

You can now bulk update lifecycle details (level of support and EOS/EOL info) on components, as well as bulk update license info. Select multiple components in the components table, then click Update X dependencies (we are in the process of changing the term, dependencies, to components throughout our UI to handle the updated NTIA minimum requirements). Set the lifecycle details and license details as desired, then click Save.

Added custom license filtering

You can now filter on custom licenses. In the Filters drop-down of the components table, select Custom license for the License ID or name field in the License details section.

Bug fixes:

Fixed error where remediation imports would fail when the list was too large (200+ remediations)
Fixed license management white screen when license expressions were longer than 3 licenses
Fixed license expressions having incorrect or missing reference links
Fixed save button not showing when changing license types

v4.5.1 | 2.107.4

v4.6.2 | 2.113.10

Oct 30, 2025

Summary

Added Workspaces for enterprise-grade access control
Three-tier permission system with granular product-level access
Complete audit trails for compliance tracking

Introducing Workspaces

Scale your security operations with enterprise-grade access control designed for growing organizations managing vulnerability data across departments, business units, and teams while maintaining security and compliance.

Workspaces bring organizational structure to Helm with granular permissions, enabling you to control exactly who accesses which products and vulnerability data across your entire portfolio.

Key benefits:

Organize by department: Separate teams into distinct workspaces (Engineering, R&D, Marketing) ensuring teams only access their relevant products, SBOMs, and vulnerability data
Flexible role assignment: Assign team members as Org owners, Workspace admins, or Users with customized permissions - the same person can have different roles in different workspaces
Granular product-level control: Set SBOM and vulnerability permissions (Modify, View, or None) individually per product for each User

Workspaces represent a significant step toward supporting enterprise-scale medical device portfolios, designed based on requests from growing teams who needed better access control without compromising security or compliance.

v4.5.6 | 2.111.2

Sept 25, 2025

Added ability to import CSV or Excel SBOM

v4.5.3 | 2.111.2

Sept 4, 2025

Summary

Enhanced CycloneDX SBOM processing with dependency data
UX improvements

Enhanced CycloneDX SBOM processing with dependency data

UX improvements

Enhanced CVSS scoring with third-party scores from the NVD 2.0 feed

v4.5.3 | 2.110.1

Sept 2, 2025

Summary

Added ability to skip/override auto-matching by CPE/PURL
Updated dashboard overview cards to represent total values
UX improvements & bug fixes

Added ability to skip/override auto-matching by CPE/PURL

Updated dashboard overview cards to represent total values

UX improvements & bug fixes

Enhanced accuracy of the Ratio of product versions with SBOMs card on the Dashboard.
Fixed issue in Administration > Manage users where not all users were displaying in the list.

v4.5.2 | 2.109.5

Aug 27, 2025

Summary

Added ability to bulk rescore vulnerabilities across all or selected vulnerabilities in a product portfolio
Added ability to bulk rescore vulnerabilities across selected components in a product version
Added ability to bulk update components
Added custom license filtering

Added ability to bulk rescore vulnerabilities across all or selected vulnerabilities in a product portfolio

Added ability to bulk rescore vulnerabilities across selected components in a product version

Added ability to bulk update components

Added custom license filtering

You can now filter on custom licenses. In the Filters drop-down of the components table, select Custom license for the License ID or name field in the License details section.

Bug fixes:

Fixed error where remediation imports would fail when the list was too large (200+ remediations)
Fixed license management white screen when license expressions were longer than 3 licenses
Fixed license expressions having incorrect or missing reference links
Fixed save button not showing when changing license types

v4.5.1 | 2.107.4

Aug 3, 2025

Summary

Added ability to import remediations from another source
Vulnerability CSV reports now display in the new Report history
UX improvements and bug fix

Added Import Remediations feature

Accelerate your vulnerability remediation workflow with the new feature. Seamlessly transfer CycloneDX and VEX remediation statuses from a source product version to your target version, eliminating redundant remediation work and ensuring consistent vulnerability management practices across your product lifecycle.

Key benefits:

Reduce duplicate effort: Import remediations for specific vulnerabilities or carry forward all previously remediated statuses
Focus on new threats: Spend your security resources on newly discovered vulnerabilities rather than re-analyzing previously assessed ones
Maintain consistency: Ensure uniform vulnerability management practices across product versions
Seamless integration

Enhanced generation and export process of Vulnerability CSV report

Enhanced generation and export process of Vulnerability CSV reports. Newly-run reports will now display in the Report history view.

UX improvements and bug fixes

Enhanced user experience for managing alias rules
Fixed issue with Report history filtering when multiple products were selected

v4.4.0 | 2.102.4

July 21, 2025

Summary

Added Integrations page
Added Get started page
UX improvements and bug fixes

Added Integrations page

Helm provides many ways to ensure you have a comprehensive and accurate view of your overall risk that is tailored to your product's particular security posture, enabling you to spend your limited time on the vulnerabilities that matter most. The new page provides a centralized location to discover and configure all available integrations, including our , , and . You can also preview upcoming integrations that we are currently working on and that should be available in future releases.

Added Get started page

Whether you're just starting out or looking to enhance your cybersecurity efforts, we have the tools and expertise to help you succeed. The new provides comprehensive guidance for taking control of your cybersecurity risk, , and accessing help resources. This centralized hub includes everything from and to , making it easier than ever to get up and running with Helm.

UX improvements and bug fixes

Fixed sidebar icon display issue in dark mode
Improved frontend release process for more consistent version management, making it easier for customers to track versions in their QMS.

v4.3.66 | 2.102.4

July 3, 2025

Summary

Added ability to view and download previous reports via Report history
Automatic Ubuntu vulnerability patching based on official Ubuntu security databases
Bug fixes

View and download previous reports

When you go to run your next report, you'll now see a Report history tab. This feature enables users with appropriate permissions to retrieve an exact copy of any report from the moment it was originally generated. You can access historical versions of your FDA SBOM, VEX, VDR, and other reports, ensuring you have complete audit trails for compliance requirements.

Automatic Ubuntu vulnerability patching

Helm now automatically monitors official Ubuntu security databases (including OVAL feeds and CVE tracking) to identify when vulnerabilities have been officially marked as fixed for your specific Ubuntu version. When Ubuntu's security team confirms a CVE has been patched and the fix is available in your current Ubuntu version, Helm automatically marks the vulnerability as patched in your system (displaying the shield icon and graying out the vulnerability row). This eliminates manual tracking of Ubuntu security updates and ensures your vulnerability assessments accurately reflect the latest official Ubuntu security guidance.

Bug fixes

Modified export process to export your original SBOM component version string only, rather than the enriched version, to prevent loss of information during the export workflow.
Resolved issues with vulnerability exploit and source filters, which were not filtering results properly across the vulnerability dashboard.
Fixed vulnerability patch tooltip display issue when hovering over patch information in the Vuln ID column.
Corrected issue where escape characters were being interpreted in uploaded SBOMs. Helm now ingests the exact string content as provided.

The Vulnerabilities list now provides AI-powered guidance to fix or mitigate vulnerabilities. Select one or more vulnerabilities, then click the Get AI guidance action in the toolbar to display a comprehensive panel with short-term and long-term mitigation strategies, including specific upgrade recommendations for each selected vulnerability. Sources are also provided when viewing mitigation and upgrade recommendations for individual vulnerabilities, enabling further research and validation.

AI detection of impacted tech stacks

In the Vulnerabilities list, you can now see which tech stacks (e.g., Windows, Redhat, SQL, Git, GRPC, Wordpress, and many more) are impacted. Click each of these tags to open the vulnerability details modal, which has a new AI recommendations section. Scroll down to access detailed information about affected tech stacks, upgrade recommendations, and short-term mitigations, all backed by source documentation. This functionality is still in beta, so click the Columns link on the vulnerabilities table, then enable the tech stack tags column to view this information.

UX improvement

Simplified version validation to accept any version string length less than 1024 characters when creating or editing components

v4.2.59 | 2.100.0

June 19, 2025

Summary

Export multiple product versions in one report
Improvements & bug fix

Export multiple product versions in consolidated report

You can now select multiple product versions simultaneously from the version dropdown in the Reports page and export all selected versions into a single consolidated report. This feature supports all report formats including Medcrypt FDA SBOM, SBOMs in CycloneDX, SPDX and CSV format, as well as VDR and VEX reports. This significantly streamlines compliance workflows, reducing the time needed to generate comprehensive documentation across product lines.

Improvements & bug fix

Made numerous improvements to enhance the user experience

v4.2.57 | 2.98.11

June 12, 2025

Summary

Improvements & bug fix

Improvements & bug fix

Fixed infinite loop issue with dashboard continually loading
Made numerous improvements to enhance the user experience

v4.2.52 | 2.98.11

May 20, 2025

Summary

Global aliases to further automate component matching

Global aliases to further automate component matching

We've leveraged our deep medical component expertise to automatically match even more components, ensuring you have a comprehensive view of your overall risk. Components matched with a Global alias will show Matched with the relevant source badges. For any component, click Actions > Manage component to view component details. For any component that is matched with a global alias, you will see a System alias badge in the Matched by field of the Match details section. You can override these alias matches by either selecting another match or by creating your own alias. Any aliases you and your team create are known as Organizational aliases.

v4.2.47 | 2.97.2

May 3, 2025

Summary

Performance improvements & bug fix

Improvements & bug fix

Fixed issue with exporting complex license expressions to SPDX
Significantly improved performance and overall stability

v4.2.41 | 2.94.3

Apr 21, 2025

Summary

Aligned Lifecycle rules with Alias rules in Rules manager
Improvements & bug fixes

Aligned Lifecycle rules with Alias rules in Rules manager

We have aligned our Lifecycle rules look-and-feel with our new Alias rules in the Rules manager, so that you can more easily manage both matching and EOS/EOL rules. We've also made it easier to understand when components have been matched with alias and/or lifecycle rules, with informational banners at the component detail level, to ensure you understand the impact of modifying a matched component.

Improvements & bug fixes

Improved sorting for component licenses by treating the default Not set value as an empty string so that alphabetical sort works as expected.
Increased character limit for searching known software to create or edit alias rules
Streamlined version management by focusing on exact version matches for both types of rules
Enhanced component editing to prevent unnecessary table reloads

v4.2.38 | 2.93.7

Mar 31, 2025

Summary

Added CVSS score persistence for consistent vulnerability assessment
Bug fix

Added CVSS score persistence for consistent vulnerability assessment

We've implemented a system to maintain the original CVSS v2 and v3 severity scores assigned by the NVD, even when these scores are later removed from the NVD feed. This enhancement provides several benefits:

Maintains consistent vulnerability severity ratings over time
Prevents vulnerability assessments from unexpectedly changing due to NVD data updates
Ensures historical vulnerability records remain intact with their original severity classifications
Provides more stable reporting for compliance and audit purposes

Originally assigned CVSS v2 and v3 scores are retained in our database and continue to be displayed in the vulnerability information, even when they no longer appear in the latest NVD feed.

Bug fix

Fixed issue where vulnerabilities were not showing up for SBOM component that was matched to an alias via the Rules manager.

v4.2.38 | 2.93.5

Mar 24, 2025

Summary

Added new alias rules manager
Distribute SBOM processing across all organizations
Added automatic cancellation of SBOM processing when archiving product versions
Bug fixes

Added new alias rules manager

We’ve replaced our previous aliases feature with a comprehensive new alias rules manager that transforms how you match components to known software in the NVD. Key improvements:

Centralized rule management: Manage both alias rules and EOS/EOL rules from a single location.
Enhanced matching capabilities: Set robust matching conditions across Component name, Supplier, CPE, PURL, and Version.
Transparent matching process: Enhanced Manage match panel shows how components were matched and the impact of modifications.

Components must be matched to known software in the NVD to view vulnerabilities, making this enhancement critical for effective vulnerability management. Alias rules respect manual matches and won’t override user decisions. All current active aliases have been migrated to the new rules manager. This enhancement also lays the foundation for future global aliases functionality, which will simplify software matching across multiple organizations.

Distributed SBOM processing across all organizations

SBOM processing is now distributed across all user organizations. This improvement ensures that large customer SBOMs won’t block processing for other customers, resulting in faster and more reliable processing for everyone.

Bug fixes:

Fixed issue with FDA SBOM export where End of Support (EOS) and End of Life (EOL) data were incorrectly switched
Added automatic cancellation of SBOM processing when archiving product versions. This prevents potential bugs that could occur when unarchiving versions that had SBOM files that had not completed processing.
Fixed issue where product list was not displaying properly on initial page load.

v4.2.33 | 2.91.1

Mar 3, 2025

Summary

Added original SBOM file name column to Products page
Added columns for original component name and supplier to Products page
Support for importing and exporting Windows KB patch info to CycloneDX
Bug fixes

Added original SBOM file name column to Products page

Added Original file name column, showing the originating SBOM file name, to the Products page. This feature allows you to identify which SBOM a particular component was uploaded from, especially useful when consolidating multiple SBOMs for a product version. It enables teams to quickly prioritize and assign vulnerability remediation tasks to the appropriate team members. To show this column in your view, click the Columns link at the top of the table, then enable the Original file name column.

Displays original component data on Products page

The Component name, Version, and Supplier columns on the Products page now display the original values from your SBOM, rather than the enriched data Helm uses to enhance match accuracy. The enriched information remains accessible in the Manage component panel under Matched dependency name, Matched dependency version, and Matched dependency supplier. This update enhances transparency and precision in component identification.

Support for importing and exporting Windows KB patch info to CycloneDX

You can now import and export Microsoft Windows KB patching info data to your CycloneDX SBOM. This enhancement ensures consistency of patching information from one product version to the next. This reduces manual effort and streamlines your workflow, enabling you to import existing Windows KBs applied to an SBOM, to an SBOM, to quickly remediate vulnerabilities, and then export all of your existing and new patching efforts, ensuring an accurate view of your device's current security posture. Refer to for more details.

Bug fixes

Fixed customer issue wherein a component name and supplier matched two different known software components, which should have resulted in a Select match state, for the user to choose the correct match. In this example, Debian Linux was erroneously associated with Progeny and could not be modified.
Fixed a problem where previously matched components, when rematched to other known software, did not update their Enriched PURL and/or Enriched CPE fields accordingly.

v4.2.30 | 2.89.2

Feb 21, 2024

Summary

Added Microsoft Azure DevOps extension for Helm

Added Microsoft Azure DevOps extension for helm

We are excited to announce the release of our new for Helm, automating product version creation and SBOM ingestions into your CI/CD pipeline. To start using this extension, to get access to our , as you will need your Helm API client id and client secret to get started. These are the Helm email address that has access to our API and your API key, respectively.

v4.2.30 | 2.89.2

Feb 19, 2025

Summary

Support for exporting EOS/EOL data to CycloneDX
Support for processing non-compliant SPDX SBOMs
Enable reloading of components in any state
Bug fixes and performance improvements

Support for exporting EOS/EOL data to CycloneDX

You can now export Level of support and EOS/EOL data to your CycloneDX SBOM. This enhancement ensures consistency of lifecycle information from one product version to the next. You can also use our existing to set conditions for components, which will automatically add the specified level of support and EOS/EOL information to matching components. This feature streamlines your workflow by allowing you to import, manually or automatically modify, and export lifecycle data to your CycloneDX SBOM, ensuring consistency across product versions. Refer to for more information.

Support for processing non-compliant SPDX SBOMs

Our system now. processes SPDX SBOMs that do not fully adhere to the SPDX specification. This improvement increases compatibility with a wider range of SBOMs, ensuring more comprehensive analysis and integration.

Enable reloading of components in any match state

You can now reload components -- regardless of their match status — by selecting Actions > ... > Reload component. This functionality applies to components matched in the NVD or a package manager. Previously, reloading was limited to unmatched components or those in an error state.

Bug fixes and performance improvements

Improved load performance of the vulnerabilities list, resulting in faster data retrieval and display.
Enhanced AI-driven CVE identification for more accurate and timely vulnerability detection.
Fixed customer issue wherein modifying component metadata, such as version, that had either Level of support or EOS/EOL field already populated would not save updates correctly.

v4.2.30 | 2.88.2

Jan 28, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed the issue where the CSV export displayed an incorrect EOS time.
FIxed the issue where multiple vulnerability digest emails were sent erroneously.
Fixed the issue where EOL/EOS data was rejected during SBOM upload if it contained a single quote (').
Added filter persistence so that applied filters are retained when switching between products and product versions. To ensure users understand when filters are still applied, added a blue circle indicator next to Filters.

v4.2.23 | 2.87.0

Jan 9, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed issue where hovering on indicator that a Windows vulnerability had been patched would cause a 504 error. This was an RBAC issue that occurred if the user had edit access on SBOM and vulnerabilities, but not for users with view-only permissions for both.
Fixed issue in the Lifecycle details section of Add component detail where the Date/Text drop-down was not populating.
Removed "undefined" placeholder values from blank form fields in Add component panel.
Fixed issue where the component review status history was not displaying in the Manage component panel.

v4.2.22 | 2.87.0

Jan 7, 2025

Summary

Bug fixes and UI improvements

Bug fixes and UI improvements

Fixed issue where switching to view mode for Rule manager was prompting to save when there hadn't been any changes made.
Fine-tuned UI and user experience

v4.2.18 | 2.87.0

Dec 19, 2024

Summary

Identify and prioritize risk by Attack Vector (AV) and other CVSS metrics
Bug fixes and UI improvements

Bulk remediate vulnerabilities

You can use our powerful to remediate large groups of vulnerabilities within a product, across products, or target a particular component's vulnerabilities with the click of a button, enabling you to speed triage and ensure remediation consistency of particular vulnerabilities across your product portfolio. Select the vulnerabilities you want to bulk remediate, assign their CycloneDX and/or VEX statuses for that group of vulnerabilities and that’s it — you’re done! You can also ensure consistent remediation of a particular vulnerability or group of vulnerabilities across your products, smoothing your way to a FDA submission. This powerful new feature saves time, freeing your team to focus on clinical innovation.

Identify and prioritize risk by Attack Vector (AV) and other CVSS metrics

We’ve added Attack vector (AV) and other CVSS v3 metric columns to the vulnerabilities table, complete with color-coded badges to enable you to quickly identify and prioritize risk mitigation by attack vector and component criticality. Pair this new visibility with our powerful rescore feature to or , ensuring that you have a complete view of your device’s actual attack vector according to its unique security posture and environment.

Click the Columns link at the top of the Vulnerabilities table to enable the new Attack vector and other CVSS v3 metric columns.

Enhanced vulnerability filtering

We’re continuing to enhance our filtering mechanism and have added the oft-requested ability to drill down on component information and attack vector from the vulnerabilities table, as well as other CVSS v3 metrics. Stay tuned for more filtering updates soon!

Bug fixes and UI improvements

Fixed scrollbar issue for new filter drop-down panels for vulnerabilities and components
Adjusted lifecycle date filters to have past and future dates in months
Fixed saving logic for Manage component panel
Fixed toasts that display if Lifecycle details section is modified

v4.2.16 | 2.87.0

Dec 13, 2024

Summary

View and manage level of support and EOS/EOL data for all components
Specify lifecycle details for each component
to consistently apply lifecycle information across all components in your portfolio
Enhanced component filtering

Identify and prioritize components nearing EOS/EOL

We’ve added columns for Level of support and EOS/EOL to the components table, as well as providing color-coded badges to let you know what’s currently actively supported and what’s nearing or has passed its support or maintenance date. We’ve also begun ingesting lifecycle information from our partner, Tidelift, as well as the endoflife.date site, and will likely provide some automation for this in an upcoming release.

Specify lifecycle details for each component

You can specify Level of support and EOS/EOL information in a date or text format for each component in the new Lifecycle details section of the component details panel. You can then set component rules to apply this information across all products, so you only have to do this once!

Set rules to apply component lifecycle information across all products

You can now to set conditions for supplier name, component name, and version, then automatically apply the Level of support and EOS/EOL information across all of your products when conditions are met. With consistent EOS/EOL data, you minimize discrepancies across your portfolio, ensuring accurate reporting and compliance. Stay tuned for more rules-based workflow enhancements!

Export lifecycle information to FDA SBOM or CSV SBOM

After applying your Level of support and EOS/EOL information across your components, quickly to ensure you have everything you need for FDA submission! You can also export your with lifecycle data.

Enhanced component filtering

To enable you to quickly find what you need, we’ve enhanced our filtering mechanism and added lifecycle management filters. You can now filter components on Level of support and EOS/EOL information to ensure you understand which are supported and which are nearing end-of-life, enabling you to prioritize upgrades in critical areas. Stay tuned for more filtering updates soon!

Bug fixes and other improvements:

All CycloneDX remediation justification values should now be accurately exported in your FDA SBOM report.
All products should now display accurately on the components page.
Global search improvements
- Fixed issue wherein components from archived products were being returned in the global search.

Thank you!

A huge thank you to all of our customers who take the time to provide feedback on how we can continue to improve your SBOM vulnerability management experience! We’d love to on these features, as well as other features you’d like to see in the future!

v4.2.4 | 2.85.0

November 21, 2024

Summary

Automatically generate component license information
Encode pURLs with spaces during exports
Import and export component hashes
Filter on CISA KEV and remediation through our API

Automatically generate component license information

You can now have Helm automatically add license information for your components. For any component that you want to enrich with license information, click Actions > Reload component. Note that reloading will discard any metadata you may have added to this component, such as review information, and will re-identify associated vulnerabilities, so you may see some discrepancy in your number of vulnerabilities for that component. This reduces your manual effort of tracking down licensing information, ensuring you have the latest license information available from our data sources.

Encode pURLs with spaces during exports

If your SBOM has a Package URL (pURL) that contains spaces, we'll now automatically encode those when exporting. This ensures compatibility with third-party tools and eliminates issues caused by improperly formatted pURLs.

Import and export component hashes

You can now import and export component hashes in your SBOMs, and can export them in any SBOM format, as well as our FDA SBOM, improving validation and tracking of SBOM component integrity across products.

Filter on CISA KEV and remediation through our API

You can now filter vulnerabilities that are the CISA KEV list or based on their remediation via our Helm API, making it easier than ever for you to identify and prioritize high-impact vulnerabilities.

Updated terminology from Vendor to Supplier in SBOM CSV export

To align with industry standards, the SBOM CSV export now labels the Vendor column as Supplier. This terminology update improves consistency and clarity.

v4.2.4 | 2.83.0

November 7, 2024

Summary

Export EOS/EOL data to FDA SBOM report
Enhanced CPE parsing and matching
Added ability to filter components by licenses
Re-added match and review information to component details

Export EOS/EOL data to FDA SBOM report

If you have uploaded an SBOM that contains end-of-support (EOS) or end-of-life (EOL) data, this information will be automatically populated in your FDA SBOM report. We're in the process of adding the ability to manually add EOS/EOL info, so stay tuned!

Enhanced CPE parsing and matching

We've enhanced CPE parsing to enable the matching of incomplete CPEs to components. Although a CPE has 13 segments, not all CPEs contain all of those segments, thus Helm will now interpret CPEs that have at least 5 of the expected segments, filling in missing segments with a wildcard (*).
We've enhanced CPE enrichment to enable component matching even in scenarios where the components have the scenario wherein CPEs have multiple vendors.

Added ability to filter components by licenses

You can now filter your components by license, including those with specific licenses, no license, or unknown license status. This filtering capability helps quickly identify and mitigate license-related risks, such as copyleft licenses or unknown license statuses that may impact IP.

Re-added match and review information to component details

The match and review details have been re-added to the component details panel to help you quickly access key information.

Bug fixes and performance enhancements

Resolved intermittent failure of large CycloneDX and SPDX SBOMs due to timeouts.
Improved load time of vulnerability and component pages.
Fixed display issue with rescored CVSS vector strings, ensuring accurate low, high, and none values.

v4.1.4 | 2.82.0

October 4, 2024

Summary

Enhanced component panel
License management is now available!
Customize your FDA SBOM export
Bug fixes, UX enhancements, and help updates

Enhanced component panel

Manage your components more easily with our unified details panel, providing a comprehensive view of each component. You can now quickly scan information in view mode, then switch to edit mode if you need to make any modifications.

License management is now available!

Helm now supports the ingestion of licensing information from CycloneDX and SPDX SBOMs. Via our partnership integration with Tidelift, Helm will analyze your components to determine if you are missing license information, then will automatically fix that for you, ensuring you have a comprehensive view of your legal risk. We support both SPDX and custom licenses. You can also manually enter or modify license details as needed. Check out for complete information on our new licensing feature!

Customize your FDA SBOM export

We've just made our expert FDA SBOM even better! When exporting your FDA SBOM, you can now include CycloneDX and VEX vulnerability remediation analysis, as well as review information for components. These enhancements will help ensure you're ready for your FDA submission. Thank you to our customers for highlighting their need to include review statuses and notes! We very much appreciate your insights and expertise in continuing to enhance your SBOM vulnerability management and streamline your FDA submission process!

Bug fixes, UI enhancements, and help updates

Bug fixes:

Fixed the date filter on the Vulnerabilities page such that the start date is now midnight and end date is 11:59:59 pm. This fixes both the date range presets as well as the timeframes covered in the new vulnerability emails.

UI enhancements

Improved component matching to handle component names prepended with special characters, such as "@".
Updated component lists to show all components, even when they match the same NVD product and version. Your SBOM export will also include this higher level of specificity.

Help updates: To quickly get you up to speed on these new updates, we've added or extensively revised the following topics:

v4.1.3 | 2.81.1

September 24, 2024

Summary

Implemented human-readable URL parameters
Bug fixes and performance enhancements

Implemented human-readable URL parameters

We've implemented human-readable URL parameters across the entire UI, which now reference unique IDs of products, product versions, components, and vulnerabilities, as well as applied filters and searches, and more. You'll also see this improvement when you sign in to Helm from new vulnerability emails you receive. This deep linking enables you to more easily share information. These enhancements prepare Helm for upcoming features like breadcrumb navigation and expanded bulk actions, beginning with bulk remediation.

Bug fixes and performance enhancements

Resolved a performance issue to enable Helm to handle large volumes of vulnerabilities, minimizing timeouts and unexpected errors.
Fixed issue wherein some SPDX exports were failing under specific conditions, particularly with larger SBOMs.
Enhanced SBOM component rescanning and matching, improving reliability when the initial scanning process fails during an SBOM upload or when the component is manually added.

v4.0.46 | 2.80.4

September 9, 2024

Summary

Enhanced matching for Linux packages

Enhanced matching for Linux packages

We’re excited to announce a major improvement to our Linux package matching process, increasing efficiency by reducing manual work for users.

Previously, some Linux packages without identifiers in SBOMs were challenging to match. After collaborating with customers to address this issue, we’ve just released a solution that delivers a 29% improvement in matching accuracy.

As shown in the graph below, you can see a significant reduction in unmatched components and a clear increase in matched components after applying this enhancement. This means fewer manual interventions and more streamlined package management.

v4.0.46 | 2.79.2

August 30, 2024

Summary

Helm's new design system is live: Work smarter and stay focused
Multi-task and remediate risk faster across multiple Helm tabs
Help updates

Helm’s new design system is live: work smarter & stay focused

We’re thrilled to announce that Helm’s new design system is now live! 🎉

When you next sign in to Helm, you’ll notice a refreshed look-and-feel to enhance your experience and streamline your workflow. Here’s a quick overview of what you’ll see:

Light and dark themes: Choose between our newly updated dark theme or our brand-new light theme. To switch themes, click the sun/moon icon in the main navigation bar.
More intuitive badges and colors: We’ve standardized and enhanced our badges and color schemes for quicker component matching and vulnerability prioritization.
Enhanced UI elements: Enjoy a cleaner and more intuitive interface with refined controls, error handling, and new icons to improve navigation and usability.

Customizable data display

Our new design offers even more flexibility in how you view and manage your data:

Content refresh setting: Take charge of your data updates by setting auto-refresh intervals or turning it off entirely. You can also refresh manually refresh.
Pagination: Navigate large datasets with ease using our new pagination feature, ensuring you don’t lose your place.
Customizable columns: Tailor your tables to display exactly what you need. Use the Columns link to show or hide specific columns and hover over column headers to drag and drop them into your preferred order with the … icon.

Multi-task and remediate risk faster across multiple Helm tabs

If you’ve tried to have multiple Helm tabs open, you may have found yourself signed out. Great news! You can now work in Helm across multiple browser tabs.

Help updates

As part of our new design system, we've completely revised several related topics to help you match components and remediate vulnerabilities faster:

v3.6.34 | 2.79.2

August 13, 2024

Summary

Automated enrichment of missing CPEs and PURLs
Automated enrichment of missing licenses for open-source components

Automated enrichment of missing CPEs and PURLs

During the component matching process, if a component in your SBOM does not have a CPE or PURL (not ingested or manually added), Helm's AI copilot will now automatically generate and assign the appropriate enriched CPE or PURL to that component. You can view any Enriched CPE or Enriched PURL in the component details. This information will be included see this information in the components table in now export this enriched info for any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report.

Auto-enrich open-source components with missing licenses

For your open-source SBOM components that have PURLs, but do not have licenses identified yet, Helm will check whether those components have licenses. If so, Helm will automatically enrich those components with that license information. Helm will not change the license information for any components that already have one or more licenses identified. This information will be included in any FDA reports that include SBOM components, including your enriched SBOM, FDA SBOM, or VDR report. As mentioned in our last release, we are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

v3.6.34 | 2.78.0

July 15, 2024

Summary

Export license information in SBOM
Bug fixes

Export license information in FDA reports

You can now export license information for any FDA reports that include SBOM components, including your original or enriched SBOM, your FDA SBOM, or your VDR report. We are in the process of adding this functionality to the UI, and you will soon be able to view, edit, and track software licenses across your supply chain.

Bug fixes

Fixed issue where CPE or PURL information would not display in some instances

v3.6.34 | 2.77.0

June 21, 2024

Summary

Added remediation evidence to vuln export
Enhanced severity filtering
Ingest CycloneDX SBOM entries that have an empty or omitted Type field
Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux

Added remediation evidence to vulnerability export

We've enhanced our vulnerability export functionality to include remediation evidence for each vulnerability. This provides a clearer picture of the actions taken to address vulnerabilities, enabling you to more easily demonstrate compliance and the remediation steps taken or planned to secure your products.

Enhanced severity filtering

We've refined vulnerability severity filtering to prioritize rescores over base scores. This ensures that you can better prioritize vulnerabilities based on their actual risk, helping you focus on the most exploitable issues first.

Ingest CycloneDX SBOM entries that have an empty or omitted Type field

We now support the ingestion of CycloneDX SBOM entries that have an empty or omitted Type field.

Ignore vendors set to OpenEmbedded() in SPDX SBOMs generated with Yocto Linux

If you are generating your SPDX SBOM using Yocto on Linux, it will often generate OpenEmbedded() as a vendor, which is not helpful for matching purposes. We will now ignore this value, maintaining a cleaner and more relevant database.

Bug fixes and UX improvements

Fixed exporting CVSS scores in VEX and VDR reports for SBOM entries that do not have a CVSS score. Our exports now reflect a blank score field instead of the previous default of -1.0 when a CVSS score is not available.
Enhanced new vulnerability email subject to handle edge cases, including ensuring that vulnerability emails are sent on the expected day, regardless of time zone.

v3.6.32 | 2.76.0

June 6, 2024

Summary

Automatic enrichment of CVE vulnerabilities with CPEs
Automatically create product versions and upload SBOMs with our GitHub action
Enhanced information in vulnerability emails
Fixes for SPDX SBOM upload failures

Automatic enrichment of CVE vulnerabilities with CPEs

Our advanced Large Language Model (LLM) now enriches vulnerability data from the National Vulnerability Database (NVD), which has not kept pace with CPE and other data enrichment for the past six months, leaving those of us in the cybersecurity space in a bit of a quandary.

To remedy this issue, we have fine-tuned an LLM to replicate and possibly enhance the data processing traditionally performed by the NVD. Below you can see how this interim approach can help you to deal with this gap. Refer to our for more details.

Our approach identifies vulnerabilities impacting your products and automatically enriches the information retrieved from the NVD with CPE data, aiding in more precise identification of vulnerabilities. This provides you with a more complete view of your overall risk, and ensures that you're focusing your time and effort on the most exploitable vulnerabilities that are affecting your product. Vulnerabilities that came from the NVD, and through our CPE enrichment, were identified as impacting your products will have an AI badge in the new Source column on the page.

Automatically create product versions and upload SBOMs with our GitHub action

You can easily integrate Helm into your CI/CD process to streamline and automate the process of creating product versions and uploading SBOMs to Helm. You can either use our GitHub action independently or integrate it into your existing GitHub action workflow, enabling you to maintain comprehensive and up-to-date documentation of your product's components, dependencies, and vulnerabilities with minimal effort.

Enhanced information in vulnerability emails

If you're one of the cybersecurity experts who doesn't have any new vulnerabilities for the day/week/month cycle, congratulations! These updates include handling the scenario of zero new vulnerabilities and providing clearer details on the period covered by each email.

Fixes for SPDX SBOM upload failures

We've made a number of back-end improvements to help ensure that your SPDX SBOMs upload successfully.

Support for SPDX SBOM files with supplier set to NOASSERTION

We now treat suppliers set to NOASSERTION in SPDX SBOM files as undefined when importing this information into Helm, thus the Supplier column for that vulnerability will show as a blank.

Added CycloneDX and VEX remediation status filters

You can now based on their CycloneDX and CycloneDX VEX remediation statuses, enabling more precise vulnerability management.

Added Source column for vulnerabilities

We've added a Source column to the Vulnerabilities page. This allows you to identify whether a vulnerability originated from an external data source (currently only NVD) or came from the NVD, but was enriched via our LLM AI. Vulnerabilities enriched with CPE data and identified as impacting your products will display an AI badge in this column on the page.

Support for .zst SBOMs

Helm now supports SPDX SBOMs that are in .zst compressed files, which are automatically created when using Yocto Linux native SBOM generation capabilities."

Bug fixes & UX/docs improvements

Fixed issues with multiple toast notifications for some SBOM uploads
New topic:

v3.6.17 | 2.75.2

May 13, 2024

Summary

Auto-update vulnerability temporal metrics across product version
Enhanced omponent matching for fewer unmatched components
Purl and cpe id’s now considered in sbom entry uniqueness
Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components

Auto-update vulnerability temporal metrics across product version

Let us take some of the load of managing vulnerabilities off of you! When you create or modify a rescoring profile for product version, you can set all V3 vulnerabilities for that version to automatically rescore with any changes to their temporal score metrics coming from the NVD. This enhancement streamlines your vulnerability management process, ensuring that temporal scores reflect the most up-to-date information, saving you time spent manually monitoring and updating this information, thereby reducing the risk of missing critical updates, so you can ensure you're focusing on the vulnerabilities that matter most.

Auto-update vulnerability temporal scores

You can also set individual vulnerabilities to automatically update their temporal scores based on NVD data refreshes. This timesaving feature ensures your vulnerability information stays current with minimal manual effort.

Enhanced component matching for fewer unmatched components

We've improved our component matching algorithm to better handle scenarios where a vendor of an unknown component doesn't directly match known software. We will now automatically match unknown components that have CPE and PURL matches, but have an incorrect supplier. Previously, these components were initially marked with a Not found in NVD status, but could actually be resolved to the correct component via our match suggestions. Helm now identifies the corresponding known software, which will either be uniquely identified or will have a Multiple matches status (if there are still multiple possibilities). Our enhanced matching process should result in fewer unmatched components, thus ensuring more accurate and efficient component resolution.

Enhanced determination of component uniqueness

We have added CPE and PURL IDs when determining if an SBOM component is unique or is a duplicate.

Enhanced CycloneDX SBOM and VDR reports with bom-refs for unmatched components

In response to feedback, we've added the CycloneDX bom-ref parameter to all components in your SBOM export, enabling you to point each vulnerability back to a component, regardless of whether it is matched to known software. Initially, the bom-ref only displayed for matched components. For any unknown (unmatched or not uniquely matched) software, this will be the unique ID that was generated for that SBOM component when it was added to Helm. This will now be in your SBOM or VDR report.

Performance improvements on SBOM page loading

We've made a number of coding and query improvements to load SBOMs more quickly, which may also improve load time for your vulnerabilities.

Enhanced CycloneDX VEX and VDR reports with vulnerability rescores

If you've rescored your vulnerabilities either across a product version or individually, your CycloneDX VEX and VDR reports will now include vulnerability rescore information. This will now align with the Vulnerabilities report. You will now see a ratings section in your JSON file that will include a rating for any rescore on that vulnerability. For vulnerabilities rescored both at the product version level and individually, all associated scores will be included. While CVSS v2 scores remain static, they are also included in the ratings section to provide a comprehensive view. The source for all score data is set to Medcrypt Helm.

We've replaced our initial sign in page with a new look-and-feel. After clicking Sign in, you'll be prompted to enter your username and password on our authentication page.

v3.6.10 | 2.74.2

April 30, 2024

Summary

Rename products and versions
Enhanced granularity for CVSS score filtering
UX improvements

Rename products and versions

In response to customer feedback, we've added the ability for you to rename products and versions right from the product and version drop-downs on each page of Helm. Simply hover over the product or version in the respective drop-down to display the edit icon, then edit the product name or version.

Enhanced granularity for CVSS score filtering

We've improved the CVSS score filtering functionality to support floating-point values, allowing you to pinpoint vulnerabilities with greater precision. Now you can filter vulnerabilities using specific scores like 7.9, which will return everything from 7.9 to 10. This will enable you to precisely target and remediate vulnerabilities that fall within a more granular threshold.

UX improvements

Enhanced API key generation from the UI
Improved loading performance

v3.6.8 | 2.73.0

April 11, 2024

Summary

Enhanced support for large SBOMs
CycloneDX 1.5 support
Daily and monthly digests for new vulnerabilities
Bug fixes, UX and doc improvements

Enhanced support for large SBOMs

Our platform now let you upload SBOMs of up to 50MB in size. This significant enhancement enables organizations with larger software inventories to efficiently manage and analyze their software bill of materials within our platform.

CycloneDX 1.5 support

You can now upload your CycloneDX 1.5 SBOM to Helm. Any information in your file that is not currently supported in Helm will still be retained if you want to export either your original or enhanced SBOM.

Daily and monthly digests for new vulnerabilities

In response to customer feedback on our new weekly that keep you informed of the latest new vulnerabilities impacting your products, we've expanded this offering to include daily and monthly digests. You can choose one or more email frequencies based on your needs, and can manage your email preferences in your user profile.

Bug fixes, UX, and doc improvements

Fixed issue where loading page status displayed on the Vulnerabilities table after sorting columns. The Vulnerabilities Detected/Updated field now sorts only by date detected and not by date updated.
Resolved caching issue where some components would not display when the SBOM page was filtered.
Adjusted permissions to allow non-admin users with SBOM and Vulnerability modification access to create rescore profiles for product versions.
Numerous UI improvements

v3.3.0 | 2.71.1

March 22, 2024

Summary

Processing modals
Bug fixes and UI improvements
New & updated docs

Processing modals

For larger SBOMs that can take longer to load, we've added a processing modal so you'll know when your upload is completed and whether it was successful. Similarly, we've added a processing modal for other operations that could take longer, including when you're rescoring a lot of vulnerabilities across an entire product version or if you've just added a component manually and we're attempting to automatically match it to known software in the NVD or package manager.

Bug fixes and UI improvements

We've improved performance when filtering your SBOM. We also fixed a bug where filters were not persisting if you copied a Helm URL that included a match status to another tab, or if you navigated from a filtered item from the global search results (Discover) page.

We've added and enhanced "empty state" pages to help you get started quickly, improved visibility of system status, enhanced our , and made other UI improvements.

New & updated help docs

Since we're continually adding and enhancing great new features, we want to make sure you can take advantage of all the new functionality, so we'll let you know any important doc updates in this section.

Enhanced docs:

: Added to help you manage user permissions
: Added new info on aliasing and removing an alias.

v3.2.0 | 2.71.1

March 14, 2024

Summary

Added VDR (Vulnerability Disclosure Report) report
Email notifications for new vulnerabilities
Support for CycloneDX XML SBOMs
Enhanced API documentation

VDR reports

As part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we've added VDR (Vulnerability Disclosure Reports) to our suite of reports. Offering comprehensive insights into identified vulnerabilities, these reports equip you with proactive mitigation strategies, bolstering your defense against emerging threats.

Stay on top of new vulnerabilities

Never miss a beat with our notification system. Stay ahead of the curve by receiving timely alerts for any new vulnerabilities impacting your software supply chain. Manage your preferences effortlessly through your user avatar > My profile in the top navigation area of Helm.

Support for CycloneDX XML SBOMs

You can now in XML format for improved compatibility and versatility.

Enhanced API documentation

Automate your calls to our Helm application using our . You can upload an SBOM for a new or existing product and version, get a list of all unmatched entries, and a list of all vulnerabilities.

Bug fixes and other improvements

We've made numerous enhancements to improve the UI and SBOM loading performance.

We'd love to hear your feedback!

Thank you for your continued support and feedback as we strive to deliver top-notch solutions to meet your evolving cybersecurity needs! if you have suggestions on how to improve your experience!

v3.0.1 | 2.70.0

February 15, 2024

Summary

VEX reports
Improved vulnerability query performance

VEX reports

Introducing (Vulnerability Exploitability eXchange) reports – the latest addition to your cybersecurity arsenal! These reports focus on vulnerability exploitability, ease of exploitation, and potential impact. Now, effortlessly communicate vulnerabilities with a VEX remediation status, empowering your customers to focus on fixing the vulnerabilities that matter most.

Stay tuned! As a part of our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will be adding VDR (Vulnerability Disclosure Reports) to our suite of reports soon. Offering detailed insights into identified vulnerabilities, VDR reports equip you with comprehensive understanding and proactive mitigation strategies, ensuring robust security posture against emerging threats.

v2.68.0 | 2.69.1

January 29, 2024

Summary

FDA-ready reports
Export SDPX SBOM
New About modal

FDA-ready reports

Get the Medcrypt advantage with the only FDA expert-crafted SBOM that ensures you meet FDA SBOM requirements! In addition, you'll now get a to make meeting FDA cybersecurity requirements a breeze, including your enhanced SBOM in CycloneDX or CSV format, as well as your vulnerabilities in CSV format.

In our continuous commitment to fulfill your FDA SBOM and cybersecurity vulnerability needs, we will also be adding VDR (Vulnerability Disclosure Reports) and VEX (Vulnerability Exploitability eXchange) reports to our suite of reports soon. VDR reports provide detailed insights into identified vulnerabilities, providing a comprehensive understanding of vulnerability details, impact, and mitigation strategies to proactively respond to potential security threats. VEX reports focus on the exploitability of vulnerabilities, how easily they can be exploited, and their potential impact.

Export SPDX SBOM

You can now export your original or enhanced SPDX SBOM in JSON. For an enhanced SBOM, you can also include PURL and CPE info for any matches, as well as include all associated vulnerabilities.

You may have noticed that the bottom bar where your Helm version displays has been removed. Don’t worry, you can still get to your version from the sidebar > Help > About. This will launch an About modal, where you can see your current Helm version.

v2.66.1 | 2.66.1

January 4, 2024

Summary

Added ability to remediate vulnerabilities
Bug fixes, UI, and performance improvements

Remediate vulnerabilities

You can now remediate vulnerabilities to add granular status information, including tracking remediation changes and providing evidence for why changes were made. For each vulnerability, you can now set a CycloneDX 1.4 and/or CycloneDX 1.4 VEX status, or both. We're adding a more robust audit trail, and you can see the next step toward this in the Vulnerability details modal. You can see any interim statuses and notes you provided manually, as well as automatic tracking of any new remediation changes. If you set any interim statuses, the last one you set will now be reflected in that vulnerability's VEX status.

Bug fixes and other improvements

Fixed issue where a rescore profile would fail when rescoring large numbers of vulnerabilities
Several UI and experience improvements

v2.65.2 | 2.65.13

December 7, 2023

Summary

Rescore all vulnerabilities in a product version via rescore profiles
Rescore individual vulnerabilities
Support for SPDX SBOMs
Enhanced SBOM export now includes CPE and PURL data

Rescore all vulnerabilities in a product version via rescore profiles

You can create and apply rescore profiles to a product version based on your product's particular environment and usage, ensuring you're focusing on the most exploitable and impactful vulnerabilities. Any newly detected vulnerabilities for that product version will be automatically rescored with that profile.

Rescore individual vulnerabilities

You can now rescore the CVSS v3 score of any individual vulnerability associated with a particular product version so that it reflects your product's particular environment and usage. This will override any rescore profile already applied to the associated product version.

Support for SPDX SBOM format

You can now upload SPDX SBOM files, including those generated using Yocto on Linux. You can take all of your generated SPDX files, zip them using WinZip or gzip, then upload that zipped file to Helm. We'll do the rest!

Enhanced SBOM export now includes CPE and PURL data

When you upload your SBOM, we'll attempt to find exact matches in the NVD, as well as in supported package managers. If we find an exact CPE or PURL match in a package manager or if you manually specify the CPE and/or PURL for a component, you'll now be able to export an enhanced SBOM that includes CPE and PURL data.

Focus on the most exploitable vulnerabilities

You can now benefit from robust exploit and threat information from a variety of sources, including CISA KEV, ExploitDB, Metasploit, and Top 25 CWEs. You can also ensure that you're focusing on the most impactful and exploitable vulnerabilities via EPSS scores.

Bug fixes and other improvements

Improved performance when loading SBOM and vulnerability information
Improved onboarding to get you started or unstuck quickly. We now provide in-page guidance to help you upload an SBOM, view components for a particular product version, or expand your search criteria when there are no results. You'll see these in our SBOM, Vulnerabilities and Discover (Global search) pages.
Numerous user interface improvements

v2.62.6 | 2.62.6

November 2, 2023

Summary

Windows KB patch support
In-app status notifications
Performance and user experience improvements

Native support for Microsoft Windows KBs

Although a lot of medical devices run on Microsoft Windows operating systems, the NVD does not account for vulnerabilities having been patched by Windows KBs, making it very difficult to understand what vulnerabilities might still be impacting your device. You can now add KBs to your devices running a Windows OS, aligning your digital product version with your physical test device and thus ensuring that you have an accurate list of vulnerabilities that impact your Windows device.

In-app status notifications

You’ll now see in-app status notifications in the top-right corner to let you know that an action has been completed, such as uploading an SBOM or applying KBs to a product version.

Performance improvements and bug fixes

We’ve made significant performance improvements, as well as several enhancements to improve your user experience.

Let us know how we’re doing!

We on these new features, and would about other feature suggestions that would further enhance your experience.

Get a V&V report

If you would like a V&V report for your QMS, .

v2.60.1

November 2023

Summary

Allowing SBOMs that pass NTIA minimum requirements
Performance improvements and bug fixes

Allowing SBOMs that pass NTIA minimum requirements

We improved our capabilities to handle SBOMs that pass NTIA minimum requirements. If the SBOM you are uploading is an invalid CycloneDX SBOM, Helm will still accept it and process it for vulnerabilities.

Performance improvements and bug fixes

This release has improvements to performance and a few bug fixes on the dashboard page.

v2.59.2

November 2023

Summary

Performance improvements and bug fixes
Online help documentation added

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.

Online help documentation added

We’ve added a lot of great information to ensure you can get started, get your SBOM components matched quickly, and begin (or continue) to assess and mitigate your vulnerability risk across your software supply chain. Check it out on !

v2.57.3

November 2023

Summary

New Get started modal
Export SBOM with vulnerabilities
Combined Upload SBOM modal
Improved feedback when SBOM fails to upload

If you haven’t uploaded any SBOM yet or created one manually, you will see a new Get started modal pop up when you sign in to Helm. You’ll have four different options:

You need help with your FDA submission: You can request help from our expert Services team and leverage our best practices, templates, and checklists in improving your FDA submission.
You have a CycloneDX format. You can upload your SBOM file all in one step.
You have an SBOM in another format. You can contact us and we’ll get right back to you to get you moving.
You don’t know what an SBOM is or don’t have one yet. We’re here to help. Our expert Services team will help you create your SBOM, assess your current state, and help you identify and mitigate cybersecurity risks.

Export your SBOM with vulnerabilities

You can now choose to export your original SBOM or your enhanced SBOM with identified vulnerabilities. This will include the source name (currently always the NVD), a link to the vulnerability, both its v2 and v3 CVSS scores and vector strings, when the vulnerability was first detected, when it was updated, and more. Refer to for more information.

We’ve simplified your upload experience. If you’re uploading your first SBOM, you’ll see an Add SBOM drop-down button, from which you can select Upload SBOM. You can now browse to your SBOM file and specify your product name and product version in one step. Once you’ve uploaded at least one SBOM, this drop-down button changes to Manage SBOMs. In that case, you’ll be able to either select an existing product name and version, or create a new product name/version pair.

Improved feedback when an SBOM file fails to upload

If you upload an SBOM file, you can hover over the FAIL status to get more information on why the file failed to upload, including scenarios such as: missing required fields, additional fields present that are not defined in the JSON schema when the schema does not allow additional properties, and field values not matching expected data types.

v2.56.6

October 2023

Summary

Added match status tokens and enhanced status indicators
Added CPE and PURL package manager support
Enhanced details for components
Enhanced filters for SBOMs

Added NVD and NOT IN NVD tokens and enhanced status indicators

In response to customer feedback on the importance of knowing whether a component is or is not found in the NVD, we’ve added two tokens: NVD and NOT IN NVD. We’ve changed the NVD status column to Match status, and improved the status labels. You’ll now see:

Green checkmark next to Matched status when you have an exact match. You’ll also see the respective tokens that we used to make that match or that a user matched via selecting a match suggestion or creating an alias.
Yellow indicator next to Multiple matches status when you have multiple strong matches. You’ll be able to see the sources that the match suggestions are coming from, and will need to resolve this by selecting one of our suggestions or creating your own alias.

A red error indicator next to Not found status and NOT IN NVD token indicates that weren’t able to find a match in the NVD. This could mean that there are no known vulnerabilities or that your software has a different name in the NVD, so you’ll need to resolve these to make sure that you understand whether it is a risk or not.

Added CPE and PURL package manager support

Our valued customers asked for this and we delivered! We now support CPE and PURL (Package URL) matching. We support the following PURL package managers: Cargo, NPM, NuGet, and PyPI. If you upload an SBOM, you'll automatically find any matches in these package managers. You'll see a token, such as NPM, next to each component that matches a package manager. See for more information.

Note: This is not retroactive, so in order to take advantage of this cool new feature, you'll need to upload a new version of your SBOM.

Enhanced details for components

We’ve added a lot of information to your component details, so that you can tell exactly how it was matched as well as letting you know the last review note any of your team members added. You can hover over any token

Enhanced filters for SBOMs

You can now filter by match source, such as NVD, CPE, Alias, one of our supported package managers, user-selected matches, and NOT IN NVD. You can also filter on review status.

In-product help added

We’ve added help icons to many columns and fields throughout the UI to get you started and unstuck. If you need more clarification on the help or if you have a question on something that doesn’t currently have help, so that we can get it clarified or added.

Let us know if you see other areas we could improve!

If you run into issues or would like to request new features or feature enhancements, we'd love to ! Thank you so much for taking the time to help us improve your experience!

Interested in providing feedback on upcoming features?

We are working on adding some great new functionality, including:

Windows KB patching,
a customer-facing API to automatically ingest SBOMs as part of your CI/CD process,
the ability to copy/paste from a CSV or other file to create an SBOM,
more human-readable information,

We'd love to on these to make sure what we're creating will improve your management and mitigation of your software supply chain risk. It will also give you a great opportunity to let us know features and feature enhancements you'd like us to consider adding! Note that this link will create a support ticket that will let us know you're interested, then we'll contact you directly to set up some time to do some feature walkthroughs. Thank you so much for your insights and expertise!

v2.55.5

September 2023

Summary

Enhanced global search
Changed date first detected time
Added date dashboard was last updated
Removed character restrictions on input fields

New global search

Global search is now expanded to include searching across all your Product SBOMs for a particular component. You can still search for a specific CVE via CVE-ID, now you get a summary of the vulnerability as well as a list of any products that might be potentially impacted.

Changes to first detected time

The first detected date in Helm on the Vulnerabilities page now reflects the date when Helm detected the vulnerability for your component.

Last update timestamp

On the Metrics dashboard you can now see when the dashboard was last updated.

Character restrictions in input fields

Helm had strict character restrictions in input fields that have now been removed.

SSO support for PingID

Helm supports SSO for organizations on the enterprise plan. We now have a working integration with PingID.

v2.54.7

September 2023

Summary

Enhanced look-and-feel with new page layouts
Performance improvements and bug fixes

New page layouts

Both the Products page and the Vulnerabilities page now have a new look and feel as well as some new functionality for vulnerability filters.

Performance improvements and bug fixes

This release has a lot of improvements to performance and a few bug fixes. You should be having a faster, more responsive experience.