OWASP CycloneDX is an open, consensus-based community project, which aims to be inclusive of all contributions and contributors. Anyone with an interest in the project can join the community, contribute to the project design and participate in the development of the standard and supporting ecosystem of libraries, tools, and documentation.
CycloneDX consists of multiple working groups. They are:
| Workgroup | Description | |
|---|---|---|
Ecma |
Ecma TC54 | Technical committee of Ecma International responsible for final technical reviews of CycloneDX features and specification versions. Ecma members are encouraged to participate in the work of OWASP and vice versa. |
OWASP |
Core (CWG) | The Core Working Group are OWASP members that are responsible for the entirety of the CycloneDX project, including the specification, all tools and libraries, onboarding and offboarding maintainers, and community outreach. The Core Working Group ensures that CycloneDX maintains project continuity. OWASP classifies these individuals as “Leaders” and are documented at https://owasp.org/cyclonedx. |
| Industry (IWG) | This is an invite only working group of vendors that use the specification in some way, typically through implementation in one or more products. The IWG is similar to an “on-site customer” in the extreme programming methodology. They provide insight into real-world usage, challenges, and opportunities. | |
| Feature (FWG) | For large features, Feature Working Groups are initiated and tasked with developing the core functionality of that specific feature. Once complete, the feature proceeds through the normal standardization process. Meetings are recorded and publicly accessible on YouTube. | |
| Community | OWASP projects are vendor neutral, allowing any organization or individual to contribute and have an equal seat at the table. The community may consist of OWASP members and non-members, adopters, and SBOM enthusiasts. |
The CycloneDX specification is developed in the open, with complete transparency, using a lightweight, risk-based standardization process. Everyone is welcome to participate in the advancement of the core standard and extensions.
Ecma TC54 primarily communicates via Slack and utilizes the same Slack instance as CycloneDX. Individual channels exist for the specification, for working groups, and for each official implementation. Everyone interested in Ecma TC54, CycloneDX, and SBOMs in general, is encouraged to participate. Slack invites can be obtained here.