SBOM Submission Process

Explains the submission channels for the prepared SBOM file, the email template, and the post-submission process.

1. When to Submit

  • At initial delivery after concluding a software contract
  • When a major or minor version of the software is updated
  • When a regular submission schedule specified in the contract arrives

2. How to Submit

The SBOM file is submitted to SK Telecom’s business unit and security team representatives via email (or a channel designated by the representative).

  • Email subject: [SBOM Submission] SupplierName_ProjectName_Version
  • Attachment: The generated SBOM file (password-protected archive files are not allowed)

Required information in the body:

  1. Delivery contract number
  2. Representative information (name, department, contact)
  3. Project information (system name, detailed version)
  4. Tool used and its version (e.g., BomLens, cdxgen)

3. Post-Submission Validation and Actions

The submitted SBOM is registered in TOSCA, the internal open source and SBOM management system, and then validated according to the procedure below. TOSCA is an internal system, so suppliers do not need access to it.

StageDescriptionProcessing Deadline
Format validationCheck for missing required fields. Notify of rejection if not metWithin 3 days of receipt
Security vulnerability analysisAutomatically analyze whether Critical/High severity vulnerabilities are detected-
Action requestRequest a patch plan or a written justification when serious vulnerabilities are foundCritical: 7 days / High: 30 days

The validation results and action requests are communicated to the supplier and the security team representative through the business unit representative.