Suppliers
Supplier identification, attestation, and signing requirements
SBOM, VEX, and VDR documents must include clear and consistent identifiers for the organizations and individuals they describe. This page covers organization identity, individual contacts, actor information in SBOMs, and digital signature requirements.
Organizations
Organizations involved in the software supply chain include the Supplier delivering the software, original component manufacturers, open source foundations, and other third-party vendors. Consistent and traceable identification of these entities is crucial.
Organizations must be identified consistently across all SBOM, VEX, and VDR submissions. Key aspects include:
- Persistent identifiers — once an organization identifier is established, it should remain consistent across all submissions
- Strong identifiers — when available, additional identifiers (such as an LEI or EORI number) should be provided to establish a unique and verifiable identity
- Contact information — for organizations with direct responsibility for delivered software, current contact information must be provided
- Digital signatures — when digital signatures are provided for an SBOM, the signatory's identifier should match the organization's identifier used inside the SBOM to ensure a verifiable identity
Unfortunately, the current standards provide only a single name field to identify an organization. To provide additional identifiers, add URLs, digital signatures, or additional metadata (properties) at the component level, as in the following example.
{
  "metadata": {
    "component": {
      "type": "application",
      "name": "example-application",
      "manufacturer": {
        "name": "Example AB",
        "url": [
          "https://www.example.com",
          "https://lei.info/549300MLH00Y3BN4HD49"
        ],
        "contact": [
          {
            "name": "Security Team",
            "email": "security@example.com"
          }
        ]
      }
    },
    "properties": [
      {
        "name": "observer:manufacturer:id:lei",
        "value": "549300MLH00Y3BN4HD49"
      },
      {
        "name": "observer:manufacturer:id:eori",
        "value": "SE529900T8BM49AURSDO55"
      }
    ]
  }
}
Individuals
Named persons responsible for specific aspects of the software, such as:
- Security contacts for vulnerability reporting
- Technical contacts for component-specific questions
- Authors or maintainers of open source components
The primary identifiers for individuals are name and email address.
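The following Go program is an added example, not code from this page or from any SBOM tool, showing how a receiver can verify the organization identity from the manufacturer example above: that a name and a contact are present, that the LEI supplied as a property passes its ISO 7064 MOD 97-10 check digits (so the "strong identifier" is at least well-formed), and that the LEI referenced in the url list agrees with the LEI property. The property name observer:manufacturer:id:lei and the https://lei.info/ URL prefix are taken from the page's example; the input document is the page's fragment embedded as a constant, and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed input: the manufacturer/properties fragment from the page,
// embedded here so the check runs offline.
const sampleSBOM = `{"metadata": {
  "component": {"type": "application", "name": "example-application",
    "manufacturer": {"name": "Example AB",
      "url": ["https://www.example.com", "https://lei.info/549300MLH00Y3BN4HD49"],
      "contact": [{"name": "Security Team", "email": "security@example.com"}]}},
  "properties": [
    {"name": "observer:manufacturer:id:lei", "value": "549300MLH00Y3BN4HD49"},
    {"name": "observer:manufacturer:id:eori", "value": "SE529900T8BM49AURSDO55"}]}}`

// Only the fields the check needs; encoding/json matches the lower-case
// JSON keys to these exported names case-insensitively.
type sbom struct {
	Metadata struct {
		Component struct {
			Manufacturer struct {
				Name    string
				URL     []string
				Contact []map[string]string
			}
		}
		Properties []struct{ Name, Value string }
	}
}

// ValidLEI checks the ISO 17442 shape (20 upper-case alphanumerics) and the
// ISO 7064 MOD 97-10 check digits: letters map to 10..35 and the resulting
// decimal string must be congruent to 1 modulo 97.
func ValidLEI(lei string) bool {
	if len(lei) != 20 {
		return false
	}
	rem := 0
	for _, c := range lei {
		var v int
		switch {
		case c >= '0' && c <= '9':
			v = int(c - '0')
		case c >= 'A' && c <= 'Z':
			v = int(c-'A') + 10
		default:
			return false
		}
		if v >= 10 { // letters contribute two decimal digits
			rem = (rem*10 + v/10) % 97
			v %= 10
		}
		rem = (rem*10 + v) % 97
	}
	return rem == 1
}

// CheckManufacturer lists problems with the manufacturer identity: missing
// name or contact, an LEI property that fails its checksum, or an LEI URL
// that disagrees with the LEI property.
func CheckManufacturer(doc []byte) ([]string, error) {
	var s sbom
	if err := json.Unmarshal(doc, &s); err != nil {
		return nil, err
	}
	m := s.Metadata.Component.Manufacturer
	var problems []string
	if strings.TrimSpace(m.Name) == "" {
		problems = append(problems, "manufacturer name missing")
	}
	if len(m.Contact) == 0 {
		problems = append(problems, "manufacturer contact missing")
	}
	lei := ""
	for _, p := range s.Metadata.Properties {
		if p.Name == "observer:manufacturer:id:lei" {
			lei = p.Value
		}
	}
	if lei != "" && !ValidLEI(lei) {
		problems = append(problems, "LEI property fails checksum: "+lei)
	}
	for _, u := range m.URL {
		if strings.HasPrefix(u, "https://lei.info/") && strings.TrimPrefix(u, "https://lei.info/") != lei {
			problems = append(problems, "LEI in url does not match LEI property: "+u)
		}
	}
	return problems, nil
}

func main() {
	problems, err := CheckManufacturer([]byte(sampleSBOM))
	fmt.Println("problems:", problems, "error:", err)
}
```

The checksum only proves the identifier is well-formed; whether the LEI actually belongs to the named organization still has to be confirmed against the LEI register, and the check reports a disagreement between the url entry and the property rather than silently trusting either.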
Actor information
An SBOM must include information about the parties involved in both building the software and authoring the SBOM itself. This helps establish the origin of the software, define clear lines of responsibility, and enable follow-up when needed.
At a minimum, the SBOM must identify:
- Software supplier — the organization delivering the software or system described by the SBOM
- SBOM supplier — the individual or entity responsible for creating the SBOM
If different from the supplier, it is also recommended to include:
- Software manufacturer — the party responsible for building or assembling the software
Including the author's contact information (such as name and email) is recommended when the SBOM is created by an individual rather than a company.
All actor information should use consistent naming and refer to identifiable individuals or organizations, not generic placeholders. If a company name is used, it must remain consistent across SBOMs and related artifacts.
{
  "metadata": {
    "authors": [
      {
        "name": "John Doe",
        "email": "john@example.com"
      }
    ],
    "supplier": {
      "name": "Example Inc"
    }
  }
}
Digital signatures
SBOM (including VEX and VDR) documents must be digitally signed to ensure integrity and provenance.
Documents must be signed at least by the supplier of the SBOM, and should also be signed by the manufacturer and the author if they are separate entities from the supplier.
Additional signatures by the supplier and/or manufacturer of the subject of the SBOM (the application), or of any of its dependencies, may be included to indicate that the contents have been audited and verified to be correct.
Digital signatures must be delivered as separate files compliant with the accepted standards. Some of the supported standards allow a digital signature to be embedded inside the document itself; embedded signatures are not an accepted signing method under these requirements.
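The Go program below is an added example, not code from this page or from any signing standard, that serves both the actor-information section and the signature requirements: it checks that the SBOM names a supplier and identifiable authors rather than placeholders, signs the exact document bytes with Ed25519 into a separate signature structure (never embedded in the SBOM), and on verification requires that the signer's identifier match the supplier named inside the document, as the organization section asks. The DetachedSignature layout, the placeholder-name list, the choice of Ed25519, and the function names are assumptions for illustration; a deployment would use one of the accepted signature standards, and trust in the signing key itself has to be established out of band (for example through a PKI), which this example does not model.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed input: the actor fragment from the page (SBOM supplier plus an
// individual author), embedded so the checks run offline.
const sampleSBOM = `{
  "metadata": {
    "authors": [{"name": "John Doe", "email": "john@example.com"}],
    "supplier": {"name": "Example Inc"}
  }
}`

type actor struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

type sbom struct {
	Metadata struct {
		Authors  []actor `json:"authors"`
		Supplier actor   `json:"supplier"`
	} `json:"metadata"`
}

// DetachedSignature is the separate signature file (layout assumed for this
// example, not a standard): signer identifier, Ed25519 public key, signature.
type DetachedSignature struct {
	Signer    string `json:"signer"`
	PublicKey string `json:"publicKey"`
	Signature string `json:"signature"`
}

// Generic names that identify nobody (assumed list for this example).
var placeholderNames = map[string]bool{"": true, "unknown": true, "n/a": true, "todo": true}
func placeholder(name string) bool {
	return placeholderNames[strings.ToLower(strings.TrimSpace(name))]
}

// CheckActors reports a missing or placeholder SBOM supplier and authors without an identifiable name and email.
func CheckActors(doc []byte) ([]string, error) {
	var s sbom
	if err := json.Unmarshal(doc, &s); err != nil {
		return nil, err
	}
	var problems []string
	if placeholder(s.Metadata.Supplier.Name) {
		problems = append(problems, "SBOM supplier missing or placeholder")
	}
	for _, a := range s.Metadata.Authors {
		if placeholder(a.Name) || !strings.Contains(a.Email, "@") {
			problems = append(problems, "author without identifiable name and email")
		}
	}
	return problems, nil
}

// Sign signs the raw document bytes; the result lives in a separate file, never inside the SBOM.
func Sign(doc []byte, signer string, priv ed25519.PrivateKey) DetachedSignature {
	return DetachedSignature{
		Signer:    signer,
		PublicKey: hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		Signature: hex.EncodeToString(ed25519.Sign(priv, doc)),
	}
}

// Verify checks the signature over exactly these bytes and that the signer's
// identifier equals the supplier named inside the SBOM.
func Verify(doc []byte, sig DetachedSignature) error {
	pub, err := hex.DecodeString(sig.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed public key")
	}
	raw, err := hex.DecodeString(sig.Signature)
	if err != nil || !ed25519.Verify(ed25519.PublicKey(pub), doc, raw) {
		return fmt.Errorf("signature verification failed")
	}
	var s sbom
	if err := json.Unmarshal(doc, &s); err != nil {
		return err
	}
	if sig.Signer != s.Metadata.Supplier.Name {
		return fmt.Errorf("signer %q is not the SBOM supplier %q", sig.Signer, s.Metadata.Supplier.Name)
	}
	return nil
}

func main() {
	doc := []byte(sampleSBOM)
	problems, _ := CheckActors(doc)
	_, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	sig := Sign(doc, "Example Inc", priv)
	fmt.Println(problems, Verify(doc, sig), Verify([]byte(sampleSBOM+"\n"), sig))
}
```

Because the signature covers the raw bytes, any re-serialization of the SBOM (re-indenting, key reordering) after signing invalidates it, which is exactly why the requirements want the signature delivered as a separate file rather than inserted into the document it covers.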