BlinkLab publishes the Software Bill of Materials (SBOM) for the BlinkLab Dx1 medical device on this page. The SBOM lists every software component shipped with the device — the BlinkLab-developed components, the third-party libraries, and the external service dependencies — with the version, license, supplier, and current vulnerability status of each. It is provided so that healthcare provider organisations, security researchers, and regulators can assess the software supply chain of Dx1 and monitor it against emerging vulnerabilities.
The SBOM is provided in machine-readable CycloneDX 1.5 JSON format for automated tooling, alongside a human-readable summary PDF for procurement and clinical cybersecurity review. It is regenerated on every Dx1 release and on every change to the dependency graph, and prior SBOM versions are retained on this page for the device’s supported lifetime.
Current SBOM downloads
The current SBOM release was generated on 2026-07-03 10:05 UTC. It enumerates 218 software components across four ecosystems (PHP / Composer, iOS / Swift Package Manager, JavaScript / AssetMapper importmap, Python / uv) plus three BlinkLab-developed components. 97% of components have a license field populated by the automated enrichment pass; license enrichment for the remaining components is ongoing.
Machine-readable SBOM. Download the current CycloneDX 1.5 JSON at https://cdn.blinklab.org/SBOM/BlinkLab-SBOM.cdx.json. The file is served with Content-Type application/vnd.cyclonedx+json and is intended for automated vulnerability-management tooling.
Human-readable summary. Download the summary PDF at https://cdn.blinklab.org/ SBOM/BlinkLab-SBOM-human-readable.pdf. The summary is the version intended for procurement teams, clinical-site cybersecurity leads, and regulator reviewers who need to read the inventory without a parser.
Cryptographic integrity. SHA-256 hashes for both artefacts are published at https://cdn.blinklab.org/SBOM/BlinkLab-SBOM.sha256 so a downloader can verify the file has not been tampered with in transit.
What is in the SBOM
For every third-party software component the SBOM records the component name, the pinned version, the ecosystem it comes from (Composer, npm, PyPI, Swift Package Manager, or the AssetMapper importmap), the supplier or publishing organisation, the license under which the component is distributed, the level of support provided by the upstream project (actively maintained, low activity, or potentially unmaintained, as inferred from registry-published release timestamps), and the end-of-support date where the upstream project has published one.
For every component the SBOM also records the currently known vulnerability status. Each release of the SBOM is cross-checked against the OSV database (https://osv.dev) and against the CISA Known Exploited Vulnerabilities Catalog. Any identified vulnerability is captured with its CVE identifier, its CVSS severity, and a link to the NIST NVD advisory. BlinkLab assesses each identified vulnerability for its impact on the device and records a risk-control decision; a summary of that assessment is available to customers and regulators on request. BlinkLab-developed components (the Dx1 Mobile Application, the Dx1 Clinician Dashboard backend, and the Dx1 Prediction Module) are also listed in the SBOM. These are BlinkLab proprietary and the license entry reflects that.
Update cadence
The SBOM is regenerated on every release of BlinkLab Dx1 and on every merged change to the dependency graph — a new component added, a component removed, or a component version bumped. Regeneration is automated through the BlinkLab release pipeline; the new SBOM is published to this page and the previous version is moved to the historical archive below without changing its URL. Out-of-cycle refreshes are also triggered when a critical vulnerability is disclosed against any of the components in the inventory.
Historical versions
Historical SBOM releases are retained at stable URLs for the supported lifetime of the BlinkLab Dx1 device, so a customer or auditor can inspect the software supply chain of any prior Dx1 release. Each historical entry lists the Dx1 release identifier, the SBOM generation date, and direct download links to the CycloneDX JSON and PDF summary of that release.
This is the initial publication of the Dx1 SBOM. Historical versions will be listed here, at stable URLs, as future releases are published.
Regulatory context
This SBOM is published in accordance with the U.S. Food and Drug Administration guidance Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions (February 2026), Section VI.A, and with Section 524B of the Federal Food, Drug, and Cosmetic Act, which impose on cyber device manufacturers an obligation to make the software inventory continuously available to customers, regulators, and the security research community.
The CycloneDX 1.5 machine-readable format follows the NTIA October 2021 minimum elements for an SBOM (Framing Software Component Transparency: Establishing a Common Software Bill of Materials). Alternative formats (SPDX, procurement-specific CSV) are available on request.
Contact
Questions about the SBOM contents, requests for the inventory in a different format, or reports of factual errors in the SBOM may be sent to security@blinklab.org. BlinkLab will acknowledge SBOM-related requests within two business days. Vulnerability reports affecting a component listed in the SBOM (or any BlinkLab product) use the same mailbox. Please refer to the BlinkLab coordinated vulnerability disclosure statement at https://blinklab.org/security for our reporting expectations, acknowledgement timelines, and safe harbor terms.