The Linux Foundation Projects
Skip to main content

The Software Package Data Exchange (SPDX)

An open standard describing SBOMs (Software Bill of Materials), communicating a release: name, version, components, licenses, copyrights, and useful security references. As a common format, SPDX reduces redundant work related to sharing important release data, thereby streamlining distribution and compliance.

The SPDX specification is a freely available international open standard (ISO/IEC 5692:2021).

Learn More


Learn more about the structure of SPDX and how to participate.



Explore the ways that you can engage with SPDX.



SPDX workgroup tools and others you can use.


Areas of Interest

SPDX is organized in areas of interest or profiles focused on specific user needs.

Supported by These Foundations

Latest SPDX News

Aug 9, 2023

Deciphering VEX and SPDX: A Deep Dive into Software Vulnerability Analysis and Reporting

In an enlightening YouTube presentation, Adolfo delved into the fascinating world of VEX and SPDX, detailing the implications of software vulnerabilities and how these can be tracked, assessed, and communicated. Understanding this process is pivotal for tech enthusiasts, software developers, and cybersecurity professionals, as it aids in managing software vulnerabilities…

Aug 2, 2023

A Step-by-Step Guide to Signing an SPDX SBOM with Sigstore’s Cosign

This post was written with the inestimable help of Luke Hinds of the Sigstore community who heped review it and edit it. As software supply chain security becomes increasingly important, organizations are looking for robust methods to verify the integrity and authenticity of their software components. One such approach is the…

SPDX Supporters