Operational SBOM Framework
From SBOM and VEX standards to operational execution
Scale SBOM turns SBOM and VEX standards into practical guidance for engineering, security, and procurement teams. It covers what transparency artifacts should contain, how to produce and consume them, and where to start improving. The framework is free, open source, and welcomes contributions.
Three ways in
Content Requirements
What good SBOM and VEX artifacts need to contain.
Operational Model
How to produce, share, and consume transparency artifacts in practice.
Assessment Tool
Measure your current maturity and see what to improve next.
Why software transparency
Software transparency helps producers answer what is in a product and helps consumers decide whether they can trust and operate it safely. SBOM and VEX artifacts make component inventory, vulnerability status, and supplier communication machine-readable and easier to manage at scale.
The EU Cyber Resilience Act (CRA), NIS2, and DORA now require producers to deliver transparency artifacts as part of their supply obligations.
Scale SBOM provides the operational guidance to get there, whether your team is starting from scratch or tightening existing practices.
Get started
- New here? Start with the Explorer guide.
- Build and ship software? Use the Producer guide.
- Buy and operate software? Use the Consumer guide.