Operational Framework
Complete framework for implementing SBOM, VEX, and VDR standards
Framework Overview
The SBOM Operational Framework provides practical, actionable guidance for implementing software transparency through SBOM (Software Bill of Materials), VEX (Vulnerability Exploitability eXchange), and VDR (Vulnerability Disclosure Report) standards in enterprise organizations.
This framework is organized into three core pillars:
- Content Requirements for SBOMs, VEX and VDR: Understand what information transparency documents must include, the data requirements behind them, and how to structure them using the SPDX and CycloneDX standards.
- Operational Model: Learn how to implement and operationalize these standards in your organization, including processes, workflows, and best practices.
- Assessment Tool: Evaluate your organization's transparency capabilities and identify improvement opportunities with our self-assessment tool.
Additional Resources
- For Producers: Build confidence in sharing transparency documents with customers
- For Consumers: Learn how to request, interpret, and use transparency information effectively
- For Everyone: Understand how these standards support regulatory compliance (NIS2, DORA, CRA, and more)