SBOM Submission Requirements
Defines in detail the standard SBOM format, required information, and PURL identifier rules under SK Telecom policy.
To strengthen the transparency and security of its software supply chain, SK Telecom asks suppliers to submit an SBOM (Software Bill of Materials) for all software components and dependencies they deliver. This guide explains how suppliers can generate and submit an SBOM in a format that meets SK Telecom’s security policy.
If you supply commercial software or a finished product made by a third party and have no access to the source code, skip steps 2–3 and follow Commercial Software to obtain the SBOM from the manufacturer and submit it. If your submission is rejected, check Common Rejection Reasons for the cause and how to fix it.
All suppliers (including developers and resellers) that deliver the following types of software are subject to these guidelines.
We ask suppliers to follow the procedure below, from the time of contract through final delivery.
flowchart TD
A[Contract Review] --> B["Software Development/Build"]
B --> C{Generate SBOM}
C -->|Use SKT-provided tool| D[Use BomLens]
C -->|Use your own tool| E["Use open source tools<br>(cdxgen, Syft, etc.)"]
C -->|Commercial finished product| K[Obtain the manufacturer's SBOM]
D --> F["Data Validation (PURL Check)"]
E --> F
K --> F
F --> G["Submit SBOM (Email/Designated channel)"]
G --> H[SKT Security Review]
H -->|Approved| I[Delivery Complete]
H -->|Rejected| J[Remediate and Resubmit]
J --> F
classDef start fill:#F2F2F2,stroke:#171717,color:#171717,stroke-width:1.5px
classDef proc fill:#ffffff,stroke:#c8c8c8,color:#171717,stroke-width:1px
classDef decision fill:#FFF3CD,stroke:#E0A800,color:#5A4100,stroke-width:1.5px
classDef good fill:#D9F0E4,stroke:#00A651,color:#0A5A32,stroke-width:1.5px
classDef danger fill:#FDE1E7,stroke:#EA002C,color:#8A0019,stroke-width:1.5px
classDef vendor fill:#FFF3CD,stroke:#E0A800,color:#5A4100,stroke-width:1.5px
class A start
class B,E,F,G proc
class C,H decision
class D,I good
class J danger
class K vendorDefines in detail the standard SBOM format, required information, and PURL identifier rules under SK Telecom policy.
Explains how to generate an SBOM for each environment using general-purpose open source tools.
Explains how to generate an SBOM that meets SK Telecom policy using BomLens.
How to build the SBOM for a delivered server — scan the OS and the application as two layers, cover statically linked libraries separately as a blind spot, then merge them into one BOM for submission.
How to obtain an SBOM from the manufacturer and submit it when you supply commercial software or a finished product made by a third party.
Check the essential items before submitting an SBOM to prevent rejection.
Explains the submission channels for the prepared SBOM file, the email template, and the post-submission process.
The typical reasons a submitted SBOM is rejected, their causes, and how to fix them.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.