Casebook Case 01 · Medical device SBOMs

Frequently asked.

The questions practitioners ask most when they’re scoping an SBOM for FDA, EU, or UK submission.

Alan Parkinson
Last reviewed April 30, 2026 · 1 question
  • Won't an SBOM give away my IP or source code?

    No. An SBOM lists the third-party and open-source components in your software, with their versions and suppliers. It doesn't contain your source code, your proprietary logic, your algorithms, or your architecture. It's an ingredients list, not the recipe: it names the off-the-shelf parts but says nothing about how you combined them into a working device. The IP that matters is almost never the list of common libraries you used (half the industry uses the same handful); it's what you built on top of them, and that isn't in the SBOM.

    It's also worth remembering that sharing an SBOM isn't publishing it. It goes into your confidential FDA submission, not onto the open web, and IMDRF guidance (N73) recommends SBOMs be treated as sensitive information shared through protected channels; hospital customers typically receive one under an NDA. Anything an SBOM does reveal, the off-the-shelf components, is the easiest thing for anyone to recover from shipped software anyway, so producing one doesn't widen the exposure you already have.

    Full blog post: Won't an SBOM give away my IP or source code?
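As an added example (not part of the original post or the author's material), the following Python builds a minimal CycloneDX-shaped SBOM and separates the ingredient list (name, version, supplier) from any extra fields a generator may have attached, which is the check a reviewer would want before an SBOM leaves the company. The component names, versions and the internal file path are constructed sample values, and the set of allowed fields is an assumption, not a CycloneDX or FDA rule.

```python
"""Added example (not from the original post): what an SBOM actually carries.

Builds a minimal CycloneDX-shaped SBOM (JSON layout modelled on spec 1.5,
constructed here) and audits each component against the fields that describe
the ingredient itself. Anything else, such as a generator's file-path
evidence, is flagged for review before the SBOM is shared.
"""
import json

# Constructed sample: what an SBOM generator might emit for a device build.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Software Foundation"},
         "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "supplier": {"name": "zlib"},
         "purl": "pkg:generic/zlib@1.3.1",
         # Some generators record where they found the component; an internal
         # build path is not an ingredient and deserves a look before sharing.
         "evidence": {"occurrences": [
             {"location": "/src/device/infusion/pump_ctrl.c"}]}},
    ],
}

# Assumed allow-list: fields that describe the ingredient, not how it was used.
INGREDIENT_FIELDS = {"type", "name", "version", "supplier", "purl",
                     "licenses", "hashes"}


def ingredient_list(sbom):
    """Return (name, version, supplier) per component: the 'ingredients list'."""
    return [(c["name"], c["version"],
             c.get("supplier", {}).get("name", "unknown"))
            for c in sbom.get("components", [])]


def review_findings(sbom):
    """Return component fields outside INGREDIENT_FIELDS as (name, field, value)."""
    findings = []
    for c in sbom.get("components", []):
        for field in sorted(set(c) - INGREDIENT_FIELDS):
            findings.append((c["name"], field, json.dumps(c[field], sort_keys=True)))
    return findings


if __name__ == "__main__":
    for name, version, supplier in ingredient_list(SAMPLE_SBOM):
        print(f"{name} {version} ({supplier})")
    for name, field, value in review_findings(SAMPLE_SBOM):
        print(f"REVIEW {name}.{field}: {value}")
```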
