Scale SBOM is an open framework that defines how organizations can operationally work with Software Bill of Materials (SBOM), VEX (Vulnerability Exploitability Exchange) and VDR (Vulnerability Disclosure Report) documents in digital supply chains. It consists of three parts:
- Content Requirements — defines what SBOM, VEX and VDR documents should contain, adapted to different use cases for both producers and consumers
- Operational Model — describes roles, responsibilities, frequency, storage, verification and automation
- Assessment Tool — a self-assessment tool that gives a picture of an organization's current software transparency maturity and suggests improvements
The framework is freely available and can be used by both public sector organizations and private companies, helping to strengthen resilience in digital supply chains. It was developed by SBOM Observer with support from NCC-SE (Sweden's National Coordination Centre for Research and Innovation in Cybersecurity) and MCF (Swedish Civil Defence and Resilience Agency).
Why Scale SBOM?
Standards like SPDX and CycloneDX define how transparency documents are structured and exchanged. They don't, however, prescribe what to include for specific use cases or how to connect them to day-to-day operations.
Scale SBOM provides practical operational guidelines — bringing together content requirements, operational workflows, and maturity assessment so teams can implement SBOM, VEX, and VDR practices without reinventing the wheel.
The framework is published at scalesbom.org and is freely available.