This is an OPS-DIR review of "Discovering and Retrieving Software Transparency and Vulnerability Information". This document outlines a model to help discover and retrieve Software and/or Vulnerability info from devices in an automated way. I don't have any real operational concerns but have a few comments and questions.

- I realize the point about vulnerability info having a different change rate than software, but why not include support to retrieve vulnerabilities from the endpoint? Part of this question is driven by the fact that I find the document inconsistent and slightly confusing in the retrieval distinction.

- What is the reason for not having a well-known endpoint for the vulnerability info? I can see that it sometimes is not as clear and useful as the SBOM, especially with the endpoint retrieval not supported, but I'm wondering if there is more to it than that?

- In the security section, are firmware and software used somewhat interchangeably? Trying to understand if something specific is meant with the current wording that I'm not seeing. Also, I'm not sure the skewing example makes sense. I would think it would be very common that a mfr updates the SBOM on its server, and hence you would often get this mismatch unless you query the device in question before applying anything to it.

/nco