OWASP Incubator license

Project Logo

The SBOM Forum identifies and tries to find solutions to problems that are preventing widespread distribution and use of software bills of materials (SBOMs) by organizations whose primary business is not software development.

Weekly Meetings

We meet every Friday at 1:00 PM ET for general meetings. At these meetings, we discuss issues that are currently inhibiting use of SBOMs by private and public sector organizations in general. All are welcome to join. Email [email protected] to be added to the mailing list and to receive the meeting invitations. Running meeting notes are here.

We are currently working on these documents. Anyone is welcome to comment or suggest changes to them:


VEX Playbooks

The purpose of this subgroup is to address the problem that there is no complete VEX specification for either of the two major VEX formats: CycloneDX and CSAF. Lacking this, there can be no VEX consumer tools that are guaranteed to read documents produced by VEX supplier tools, and vice versa. This group will produce VEX specs in both formats (starting with CSAF) and then develop playbooks that describe how to create and ingest documents in both formats (we also may develop prototype tools in both formats).

At least initially, the only VEX use case addressed will be the one developed by the NTIA Software Component Transparency Initiative, which is described in this NTIA document; Tom’s opinion is that the fact that this VEX use case isn’t being addressed is the biggest inhibitor to the widespread distribution to and use of SBOMs by organizations whose primary business is not software development.

This group meets every other Friday morning at 11AM Eastern Time. Running meeting notes are here. To join the mailing list and receive the meeting invitations, email [email protected].

The document we are currently working on is below. All are welcome to comment and suggest changes:

Primary use case for VEX documents

Other areas of effort

  1. We have provided advice to the NIST National Vulnerability Database team as they decide how to fix software identification problems in the NVD, based on our “Proposal to Operationalize…” document listed below.
  2. We will be working with the European Network and Information Security Agency (ENISA) to help them understand SBOMs.
  3. We will also provide recommendations to ENISA as they design the “greenfield” EU vulnerability database mandated by the NIS 2 cybersecurity regulation. NIS 2 came into effect in 2022.

Documents Produced by SBOM Forum

Proposal to Operationalize Component Identification for Vulnerability Management


Did you write a blog post, magazine article or do a podcast about or mentioning SBOM Forum? Or maybe you held or joined a conference talk or meetup session, a hacking workshop or public training where this project was mentioned?

Please get in touch with the team and let us know!



This program is free software: you can redistribute it and/or modify it under the terms of the CC-BY-SA 4.0. SBOM Forum and any contributions are Copyright © by Tom Alrich, Tony Turner and Jeff Williams 2023.


Held on Zoom

Email Tom Alrich to be added

  • General Meeting - Every Friday at 1:00 PM ET
  • VEX Playbooks - Every Friday at 11:00 AM ET

Contributing Guidelines

Thank you for your interest in contributing to SBOM Forum. We welcome all contributions and appreciate your efforts to improve the global SBOM ecosystem.

Have a new topic for us to explore? New ideas that will advance SBOM adoption or new use cases? Want to work on a tool or key feature?

Feel free to create an issue wee below for details on how to get involved.

Weekly Meetings

We meet every Friday at 1:00 PM ET for the general meetings, all are welcome to join. In addition, we host a separate subgroup on the following topic also on Fridays:

  • VEX Playbooks

Getting Started

To get started with contributing please email [email protected] to be added to the mailing lists we use for coordinating activities. This project has just transitioned to OWASP and we are just getting started with systems, so these guidelines may change.

Code of Conduct

We ask that all contributors to SBOM Forum abide by our Code of Conduct. This code outlines our expectations for behavior within the project community and helps us maintain a welcoming and inclusive environment for all contributors.

Thank you for your interest in contributing. We appreciate your efforts to help us improve and grow SBOM!

The SBOM Forum is the result of a global community of SBOM Advocates.

But we have also been helped by many organizations, either financially or by encouraging their employees to work on SBOM Forum Initiatives:

Financial Supporters

Gold Supporters

Fortress Information Security

Supporting the SBOM Forum

There are three ways you can support our work. All three are appreciated!

  1. You can participate in our meetings and help create documents with us. See above.
  2. You can donate to the OWASP Foundation (minimum $10), to help them carry out their great work promoting software security. Click the “Donate” button in the top right corner. The OWASP Foundation is a 501(c)(3) organization. Therefore, in some cases your gift may be tax-deductible. You should consult with a tax professional for more details. Note that your gift will support the general work of the OWASP Foundation.
  3. You can make a “restricted” donation to the OWASP Foundation, which is restricted to supporting the SBOM Forum. The minimum restricted donation is $1,000. The OWASP Foundation charges the SBOM Forum a 10% administrative fee to cover their costs in administering this type of donation, which we believe is justified by the strong level of support they have provided to our group. Your logo will appear on our page if your organization is able to donate at one of these three levels: Silver ($5,000+), Gold ($10,000+) or Platinum ($25,000+). However, any donation is greatly appreciated!

If you would like to make a restricted donation, you can simply click on the “Donate” button in the upper right corner of the main SBOM Forum web page. On the next page, you should choose “Other” when asked to choose an amount for a donation. You will be prompted to enter an amount and asked to enter your email address and name (of course, if you’re donating on behalf of a company, you should enter the company name, although you can enter your email).

If you enter an amount over $1,000 (the minimum for a restricted donation), a checkbox will appear which reads “Please restrict this gift for OWASP SBOM Forum…” Please check that box.

Please email [email protected] if you would like to discuss donations and what they will be used for.