Explorer Guide
New to software transparency? Start here.
SBOMs, VEX, VDR — there's a lot of terminology flying around, and it's not always clear where to start or what actually matters for your situation.
That's what this guide is for. It takes you through the framework at your own pace: what these documents are, what goes into them, and how they support real use cases like vulnerability management and procurement.
What are SBOMs, VEX, and VDR?
SBOM — an inventory of what's inside a piece of software, like an ingredient list. It lets you be transparent about what you ship or use.
VEX — tells you whether a known vulnerability actually affects a specific product, so you can focus on what matters.
VDR — discloses all known vulnerabilities in a product's components.
Get Started
Learn the concepts
Understand the key artifacts (SBOM, VEX, VDR), the standards behind them, and the roles of producers and consumers. Concepts →
Browse content requirements
See what information should be in transparency documents — and why each element matters. Content Requirements →
Explore the operational model
Learn how SBOMs fit into daily operations — what triggers new documents, how they're distributed, and how to act on them. Operational Model →
Assess your maturity
Use the self-assessment tool to measure where your organization stands and get pointers for improvement. Assessment Tool →
Already working with SBOMs?
Try the Assessment Tool to see where you stand and what to improve next.
Framework Overview
Content Requirements
What information belongs in SBOMs, VEX, and VDR — the specification for transparency document contents.
Operational Model
How to generate, distribute, and consume transparency documents in practice.
Assessment Tool
A self-assessment tool to measure SBOM maturity and identify improvement paths.