Not sure if it’s relevant because you specifically mentioned about B2C.
For cyber security product, we took the open source route. We build our core technology in public as open source project.
https://github.com/safedep/vet
The commercial SaaS is for scaling and management. Our entire funnel is based on OSS. Folks who have already found value and is looking to scale their deployment.
This model works for us especially at our current stage where we are 100% engineering led.
We felt that OSV schema is designed with security tooling and automation as primary design goal. Specifically for our use-case, it captures the package name and versions using standardised schema. Also we saw adoption of OSV by package ecosystems like Python, Go etc.
While CVE is still the largest database of vulnerabilities, we felt OSV is good enough to identify most recent vulnerabilities
What's your approach with getting users for your OSS product?
Build in public really. Just talk about what we are building, get feedback, bug reports etc. from users. When major security issues happen related to our domain e.g. xz or tj-actions/changed-files, we either write about how our tool can mitigate the risk or research on how to enhance our tool to handle the risk and then talk about it publicly.
Kudos, this looks like a great product. I'm going to try it out today. Is there a reason why you only consume OSV and not CVE data?