Guiding Principles

Guiding Principles

From the prescriptive nature of the CycloneDX object model, to the standardization process, the objective is to provide an easy path for adopting CycloneDX. Including community contributions or implementations, or participating in the evolution of the standard.

CycloneDX and official extensions are available under a permissive Apache 2.0 license. There are no opinionated license defaults or limitations for how CycloneDX SBOMs can be shared with others.

The CycloneDX project takes a risk-based approach to standards development. As a result, standard revisions are efficiently delivered to market allowing adopters to quickly benefit from improvements.

The CycloneDX project avoids obstacles that would delay the release of standards or extensions to adopters, without affecting quality.

Incremental and measurable improvement is a foundational principle of the CycloneDX project. Rather than spending years attempting to draft the perfect standard, the project focuses on core use cases and expands capabilities over time.

Innovation and experimentation is encouraged through the use of extensions to the CycloneDX standard. This allows for rapid prototyping, testing, and verification, without impacting the core standard.

All CycloneDX releases are production quality standards that do not change. When drafting revisions, backwards compatibility with prior versions is of upmost priority.

CycloneDX takes a facts-first approach to the core standard. Static facts, or other pieces of information that do not change over time, are accounted for in the core specification. Extensions support opinions and dynamic facts which are subject to change.

The CycloneDX project focuses on the efficiency at which BOMs are created. By creating implementations that are easily automatable and integrated into all major development platforms and ecosystems.

CycloneDX describes the entire stack for which software runs. Including operating systems, containers, firmware, applications, libraries, frameworks, files, services, and optionally, hardware.

CycloneDX Supporters

Apiiro
Bloomberg
Contrast Security
Ecma International
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype