The Linux Foundation Projects

System Package Data Exchange (SPDX®)

An open standard capable of representing systems with software components as SBOMs (Software Bill of Materials) and other AI, data and security references, supporting a range of risk management use cases.

The SPDX specification is a freely available international open standard (ISO/IEC 5692:2021).



Learn more about the structure of SPDX and how to participate.



Explore the ways that you can engage with SPDX.



SPDX workgroup tools and others you can use.


Areas of Interest

SPDX is organized in areas of interest or profiles focused on specific user needs.

Supported by These Foundations

Latest SPDX News

Jul 9, 2024

Linux Foundation announces SPDX 3.0

In case you missed it, the Linux Foundation excitedly announced the latest version of SPDX. It's a great summary of the cool new architecture, use cases and features.    

Nov 6, 2023

Capturing Software Vulnerability Data in SPDX 3.0

The flexibility of SPDX 3.0 allows users to either link SBOMs to external security vulnerability data or to embed security vulnerability information in the SPDX 3.0 data format, thanks to support for a security-specific profile. This is different from SPDX version 2, which enabled users to link an SBOM to…

SPDX Supporters