October 2025
OWASP CycloneDX v1.7
First specification supporting citations that improve traceability, attribution, and auditability, and comprehensive support for patents and patent families to address intellectual property transparency.
June 2024
International Standardization
April 2024
OWASP CycloneDX v1.6
First specification to support cryptographic assets for Post-Quantum Cryptography (PQC) readiness and first general-purpose attestation specification to digitally transform audit and attestation workflows.
December 2023
Ecma TC54 Established
First working group chartered with holistic supply chain goals of standardizing core data formats, APIs, and algorithms that advance software and system transparency.
June 2023
OWASP CycloneDX v1.5
First specification to support AI Transparency, configuration and data components, and formulation describing how components were created, tested, trained, evaluated, and deployed.
January 2022
OWASP CycloneDX v1.4
First specification to introduce vulnerability sharing and transparency, including Vulnerability Disclosure Reports (VDR) and Vulnerability Exploitability eXchange (VEX).
May 2021
OWASP CycloneDX v1.3
First specification to incorporate support for composition completeness surpassing NTIA's framing of "known unknowns".
May 2020
OWASP CycloneDX v1.2
First specification to incorporate SWID (
ISO/IEC 19770-2:2015) and services into inventory including data classifications, providers, and relationships between services and components.
March 2019
OWASP CycloneDX v1.1
First specification with complete pedigree support describing component lineage and the commits, patches, and diffs which make a forked version unique.
March 2018
OWASP CycloneDX v1.0
First general-purpose, security-focused Bill of Materials standard supporting software and hardware components. Introduced the world to Package URL for use with software security use cases.