How does the vendor distribute updates? - What access does the vendor have to your environment? - How does the vendor handle your data? - What is the vendor's vulnerability disclosure and patching process? - Does the vendor provide SBOMs for their products?