International Open Standard (ISO/IEC 5962:2021) - Software Package Data Exchange (SPDX)

The Software Package Data Exchange® (SPDX®)

An open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance.

The SPDX specification is an international open standard (ISO/IEC 5962:2021).

Learn More

Learn

Learn more about the structure of SPDX and how to participate.

Use

Explore the ways that you can engage with SPDX.

Tools

SPDX workgroup tools and others you can use.

Latest SPDX News

August 9, 2023 in Blog

Deciphering VEX and SPDX: A Deep Dive into Software Vulnerability Analysis and Reporting

In an enlightening YouTube presentation, Adolfo delved into the fascinating world of VEX and SPDX, detailing the implications of software vulnerabilities and how these can be tracked, assessed, and communicated.…

August 2, 2023 in Blog

A Step-by-Step Guide to Signing an SPDX SBOM with Sigstore’s Cosign

This post was written with the inestimable help of Luke Hinds of the Sigstore community who heped review it and edit it. As software supply chain security becomes increasingly important, organizations…