SBOM Observer/Scale SBOM

Operational Model

How to integrate software transparency into your organization's operations

The Operational Model provides practical guidance for implementing Software Bills of Materials (SBOMs), Vulnerability Exploitability eXchange (VEX), and Vulnerability Disclosure Reports (VDRs) within your organization. This guide focuses on workflows, processes, and integration strategies rather than content specifications.

While Content Requirements defines what information should be in your transparency artifacts, the Operational Model explains how to produce, distribute, and use those artifacts effectively.

What This Guide Covers

This guide helps you assess organizational readiness, choose appropriate workflows based on your role and maturity level, understand when to update SBOMs versus VEX documents, integrate transparency practices into existing development and security processes, and progress from manual processes to automated, policy-driven operations.

Whether you're a software producer generating and distributing SBOMs and VEX documents, a software consumer requesting and using transparency artifacts, or part of a security, procurement, development, or operations team integrating SBOM data into your workflows, this guide provides the operational context you need.

How to Navigate This Guide

If you're just starting, begin with Getting Started to assess readiness, identify whether you're acting as a producer or consumer, and choose a practical next step. Understanding Core Concepts like SBOM, VEX and Vulnerabilities prevents common mistakes.

For software producers, explore Workflows covering generation, disclosure, release coordination, and ongoing transparency operations. Start with Generate SBOMs and progress through the workflow stages.

For software consumers, review Workflows and the Supplier Transparency use case to cover supplier requests, ingestion, quality validation, tool integration, and monitoring.

For specific problems, jump directly to Use Cases covering vulnerability management, supplier evaluation and license management.

For improving existing practices, use Maturity Levels and the Maturity Assessment to identify the next operational improvements to prioritize.

For deeper context, combine Core Concepts with the relevant Use Cases to understand how lifecycle, disclosure, and operational trade-offs apply in practice.

Relationship to Other Resources

This Operational Model complements the Content Requirements, which defines required fields and data quality standards, and the Assessment Tool, which measures your organization's transparency maturity.

The framework provides an integrated approach connecting content requirements, operational workflows, and maturity assessment with consistent leveling. It emphasizes practical "how" and "when" guidance over repeating standard specifications, supports progressive pathways from manual processes to full automation, addresses critical gaps like SBOM/VEX lifecycle synchronization, and includes real-world scenarios with edge cases and troubleshooting.

Getting Started

If you're new to SBOM operations, start with Getting Started to assess whether your organization is ready to begin implementation.

If you understand the basics but need specific workflow guidance, jump to Workflows and follow the paths most relevant to your role.