Asked by @MathiasSchindler on the ORC mailing list:
Is an attestation issued as a voluntary security attestation under an article 25 system bound to the software alone or also to the recipient? For instance, if Manufacturer A gets an attestation for libfoo 0.9.6c, can Manufacturer B, who uses the exact same component, also use that attestation for their own due diligence (assuming for the purpose of this question that B learned of the existence of this attestation)? If the answer is 'no, it's recipient-bound,' could you help me understand what law or rule creates that restriction?