SK Telecom Supply Chain Security Policy
Describes the supply chain security policy and principles that partners supplying software to SK Telecom must comply with.
NOTICE.
In accordance with internal security and document-management policies, this document is a summary that omits confidential content; it covers only the high-level key points, not the full policy.
1. Purpose of the Policy
The purpose of this policy is to ensure transparency into the composition of all software that SK Telecom adopts, so that known vulnerabilities and license-violation risks can be identified and eliminated before deployment.
2. Scope of Application
All suppliers that enter into a software supply contract with SK Telecom are subject to this policy.
3. Key Requirements
Suppliers must comply with the following three principles.
Principle 1: Mandatory SBOM Submission
- For every software delivery, the supplier must submit an SBOM (Software Bill of Materials) corresponding to that version.
- Accepted formats: CycloneDX (v1.3 or later) or SPDX (v2.2 or later)
- Required information: supplier name, component name, version, dependency relationships, and Package URL (PURL)
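As an added illustration of the format and field requirements above (example code written for this page, not SK Telecom's own tooling), the following Python script checks a CycloneDX JSON or SPDX JSON submission for the accepted minimum spec version and for the required data: supplier name, component name, version, Package URL and dependency relationships. It assumes the required fields are present on each listed component or package (CycloneDX `supplier.name`, `name`, `version`, `purl` and a `dependencies` array; SPDX `supplier`, `name`, `versionInfo`, a `purl` external reference and `DEPENDS_ON`/`DEPENDENCY_OF` relationships); that mapping is this example's interpretation of the list above. The purl check is a structural sanity check, not full purl validation, and the product, vendor and package names in the sample submissions (billing-gw, Example Vendor, libfoo, libbar) are constructed.

```python
"""Field-level check of a submitted SBOM (CycloneDX JSON or SPDX JSON) against the
Principle 1 requirements. Constructed example, not SK Telecom tooling."""
import json
import re

MIN_CYCLONEDX = (1, 3)  # CycloneDX v1.3 or later
MIN_SPDX = (2, 2)       # SPDX v2.2 or later
# Structural sanity check only: pkg:type/namespace/name@version?qualifiers#subpath
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^\s@?#]+(@[^\s?#]+)?(\?[^\s#]*)?(#\S*)?$", re.I)

def _ver(text):
    """'1.4' -> (1, 4); a missing or non-numeric version sorts below every minimum."""
    try:
        return tuple(int(p) for p in text.split("."))
    except (AttributeError, ValueError):
        return (0,)

def _check_purl(label, purl, findings):
    if not purl:
        findings.append(f"{label}: missing Package URL (purl)")
    elif not PURL_RE.match(purl):
        findings.append(f"{label}: malformed purl {purl!r}")

def check_cyclonedx(bom):
    """Return a list of findings; an empty list means the BOM passes."""
    f = []
    if _ver(bom.get("specVersion")) < MIN_CYCLONEDX:
        f.append(f"specVersion {bom.get('specVersion')!r} is older than CycloneDX 1.3")
    comps = bom.get("components") or []
    if not comps:
        f.append("no components listed")
    # bom-refs a dependency entry may point at: the delivered product plus every component
    refs = {((bom.get("metadata") or {}).get("component") or {}).get("bom-ref")}
    for i, c in enumerate(comps):
        label = c.get("name") or f"components[{i}]"
        refs.add(c.get("bom-ref"))
        for field in ("name", "version"):
            if not c.get(field):
                f.append(f"{label}: missing {field}")
        if not (c.get("supplier") or {}).get("name"):
            f.append(f"{label}: missing supplier name")
        _check_purl(label, c.get("purl"), f)
    deps = bom.get("dependencies") or []
    if not deps:
        f.append("no dependency relationships (dependencies array missing or empty)")
    for d in deps:
        for ref in [d.get("ref"), *(d.get("dependsOn") or [])]:
            if ref not in refs:
                f.append(f"dependency entry refers to unknown bom-ref {ref!r}")
    return f

def check_spdx(doc):
    """Same check for SPDX JSON; the purl lives in each package's externalRefs."""
    f = []
    if _ver(str(doc.get("spdxVersion", "")).replace("SPDX-", "", 1)) < MIN_SPDX:
        f.append(f"spdxVersion {doc.get('spdxVersion')!r} is older than SPDX-2.2")
    pkgs = doc.get("packages") or []
    ids = {doc.get("SPDXID")} | {p.get("SPDXID") for p in pkgs}
    for i, p in enumerate(pkgs):
        label = p.get("name") or f"packages[{i}]"
        for field in ("name", "versionInfo"):
            if not p.get(field):
                f.append(f"{label}: missing {field}")
        if p.get("supplier") in (None, "", "NOASSERTION"):  # NOASSERTION = knowingly blank
            f.append(f"{label}: missing supplier")
        purls = [r.get("referenceLocator") for r in p.get("externalRefs") or []
                 if r.get("referenceType") == "purl"]
        _check_purl(label, purls[0] if purls else None, f)
    rels = [r for r in doc.get("relationships") or []
            if r.get("relationshipType") in ("DEPENDS_ON", "DEPENDENCY_OF")]
    if not rels:
        f.append("no DEPENDS_ON/DEPENDENCY_OF relationships")
    for r in rels:
        for ref in (r.get("spdxElementId"), r.get("relatedSpdxElement")):
            if ref not in ids:
                f.append(f"relationship refers to unknown SPDXID {ref!r}")
    return f

def check_sbom(text):
    doc = json.loads(text)  # dispatch on format; anything else is rejected outright
    if doc.get("bomFormat") == "CycloneDX":
        return check_cyclonedx(doc)
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return check_spdx(doc)
    return ["unrecognised format: expected CycloneDX or SPDX JSON"]

# Constructed sample submissions (hypothetical product, vendor and package names).
GOOD_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "app", "name": "billing-gw", "version": "2.1.0"}},
    "components": [{"type": "library", "bom-ref": "lib-foo", "name": "libfoo", "version": "1.2.3",
                    "supplier": {"name": "Example Vendor"}, "purl": "pkg:maven/com.example/libfoo@1.2.3"}],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-foo"]}],
})
# Spec version too old, no supplier, no purl, no dependency graph: four findings.
BAD_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.2",
    "components": [{"type": "library", "bom-ref": "lib-bar", "name": "libbar", "version": "0.9"}],
})
```

`check_sbom(open("bom.json").read())` returns an empty list for a submission that satisfies the field-level requirements, or a list of human-readable findings otherwise; `check_sbom(BAD_CYCLONEDX)` yields four. Note that SPDX's `NOASSERTION` marker is treated as a missing supplier, since a deliberately blank field does not meet the requirement, and that a dependency entry pointing at a `bom-ref` or `SPDXID` that is not declared anywhere in the document is reported, because such an entry cannot be resolved to a component that can be scanned.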
Principle 2: Vulnerability Inspection and Remediation
- Before delivery, the supplier must itself check the delivered components against the latest published vulnerabilities (CVEs).
- If vulnerabilities of Critical or High severity are found, the supplier must patch them, or apply mitigating measures, before delivery.
- If patching is not possible, the supplier must demonstrate, in a "vulnerability justification statement", that the vulnerability has no actual impact on the service (for example, because the affected code path is not reachable in the delivered configuration).
Principle 3: Transparent Change Management
- If the components of the software change during the contract period (updates, patches, etc.), the supplier must immediately submit an updated SBOM.
- The supplier must warrant that it has complied with open source license obligations (notice obligations, source code disclosure obligations, etc.).
Related Documents
- Supply Chain Security Overview: Concepts and notable cases of software supply chain attacks
- Global Regulatory Trends: Domestic and international regulatory developments related to SBOM
- Supplier Guide: Detailed guidance on how to generate and submit an SBOM
- Submission Requirements: SBOM format and required data field definitions