March 2018
OWASP CycloneDX v1.0
First general-purpose, security-focused Bill of Materials standard supporting software and hardware components. Introduced the world to Package URL for use with software security use cases.
March 2019
OWASP CycloneDX v1.1
First specification with complete pedigree support describing component lineage and the commits, patches, and diffs which make a forked version unique.
May 2020
OWASP CycloneDX v1.2
First specification to incorporate SWID (ISO/IEC 19770-2:2015) and services into inventory including data classifications, providers, and relationships between services and components.
May 2021
OWASP CycloneDX v1.3
First specification to incorporate support for composition completeness surpassing NTIA's framing of "known unknowns".
January 2022
OWASP CycloneDX v1.4
First specification to introduce vulnerability sharing and transparency, including Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX).
June 2023
OWASP CycloneDX v1.5
First specification to support AI Transparency, configuration and data components, and formulation describing how components were created, tested, trained, evaluated, and deployed.
December 2023
Ecma TC54 Established
First working group chartered with holistic supply chain goals of standardizing core data formats, APIs, and algorithms that advance software and system transparency.
April 2024
OWASP CycloneDX v1.6
First specification to support cryptographic assets for Post-Quantum Cryptography (PQC) readiness and first general-purpose attestation specification to digitally transform audit and attestation workflows.
June 2024
International Standardization