(registered 2026-06-05, last updated 2026-06-05)

Media type name: application

Media subtype name: spdx3+json

Required parameters: N/A

Optional parameters: version

The version parameter refers to the SPDX specification version in use. It follows a MAJOR.MINOR.PATCH structure, where the MINOR and PATCH fields are optional:

    version = 1*DIGIT [ "." 1*DIGIT [ "." 1*DIGIT ] ]

Encoding considerations: binary

This media type has all of the same encoding considerations as application/json, as described in [RFC8259] Section 8.1.

Security considerations:

The format supports the ExternalRef and ExternalIdentifier classes, which provide links to external databases such as the National Vulnerability Database (NVD) and to various security advisories. Users should be aware that following these links involves interacting with external systems. SPDX 3 JSON documents do not allow embedding executable content. Additionally, this media type inherits the security considerations of application/json as described in [RFC8259] Section 12.

Interoperability considerations:

The application/spdx3+json media type can be distributed free of external systems or processors. Internet text-processing applications will likely consume these documents. This media type is not compatible with SPDX JSON (SPDX 2.x), which uses a different data model and a different media type (application/spdx+json). The application/spdx3+json media type is a strict subset of JSON-LD 1.1 (https://www.w3.org/TR/json-ld11/): every SPDX 3 JSON document is a valid JSON-LD 1.1 document, but not every JSON-LD 1.1 document is an SPDX 3 JSON document. Additionally, this media type inherits the interoperability considerations of application/json as described in [RFC8259].

Published specification:

Current versions of the specification are available at https://spdx.github.io/spdx-spec/. SPDX 3 JSON schema and serialization details can be found at https://spdx.github.io/spdx-spec/latest/serializations/.

Applications that use this media type:

This media type is intended to represent supply chain transparency data and system metadata. This includes, but is not limited to, software bills of materials (SBOMs), hardware bills of materials (HBOMs), vulnerability and security risk communications, and AI transparency and compliance documentation. It will be used by tools that produce, consume, or analyze these artifacts to facilitate trust, security, and compliance across the supply chain.

Fragment identifier considerations: N/A

Restrictions on usage: N/A

Additional information:

Deprecated alias names for this type: N/A
Magic number(s): N/A
File extension(s): .spdx3.json
Macintosh file type code: N/A
Object Identifiers: N/A

Person to contact for further information:

Name: Arthit Suriyawongkul
Email: suriyawa&tcd.ie

Intended usage: COMMON

SPDX is an open standard. It is intended to be used to enable companies and organizations to share human-readable and machine-processable system package metadata to facilitate secure and compliant supply chain processes. An SPDX 3 JSON document will be associated with a particular system package or set of packages and will contain information about it in the SPDX 3 JSON format.

Author: Arthit Suriyawongkul

Change controller: The Linux Foundation (contact: Kate Stewart)
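Two parts of the registration above lend themselves to a worked check: the ABNF for the optional version parameter, and the security note that ExternalRef and ExternalIdentifier locators point at external systems. The example below is added here and is not part of the IANA registration or of the SPDX project's own tooling. It parses a Content-Type header and validates the version parameter against the registration's ABNF exactly (ASCII digits only), and it walks a constructed SPDX 3 JSON-LD document to triage every locator against an https-and-host allowlist before anything would be dereferenced. The property names externalRef, externalRefType, locator, externalIdentifier, externalIdentifierType and identifierLocator are assumed from the SPDX 3.0.x JSON-LD serialization and should be checked against the published schema; the sample document, the allowlist and all URLs in it are constructed for this example.

```python
"""Added example: SPDX 3 media-type version parsing and locator triage.

Not the IANA registration's or SPDX project's code. Property names below are
assumed from the SPDX 3.0.x JSON-LD serialization; verify against the schema.
"""
import json
import re
from urllib.parse import urlsplit

# ABNF from the registration: version = 1*DIGIT [ "." 1*DIGIT [ "." 1*DIGIT ] ]
# [0-9] rather than \d so only ASCII DIGIT is accepted, as ABNF requires.
VERSION_RE = re.compile(r"^([0-9]+)(?:\.([0-9]+)(?:\.([0-9]+))?)?$")

SPDX3_MEDIA_TYPE = "application/spdx3+json"


def parse_content_type(header):
    """Split a Content-Type value into (lowercased media type, parameter dict).

    Type, subtype and parameter names are case-insensitive, so they are
    lowercased; quoted parameter values are unquoted. Malformed parameters
    (no '=') are rejected rather than silently ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[name.strip().lower()] = value
    return media_type, params


def spdx3_version(header):
    """Return the announced SPDX spec version as a tuple of ints, e.g. (3, 0, 1).

    Returns None when the optional parameter is absent. Raises ValueError when
    the media type is not application/spdx3+json or the value violates the ABNF
    (e.g. 'v3', '3.', or a fourth component).
    """
    media_type, params = parse_content_type(header)
    if media_type != SPDX3_MEDIA_TYPE:
        raise ValueError(f"not an SPDX 3 JSON document: {media_type}")
    if "version" not in params:
        return None
    match = VERSION_RE.match(params["version"])
    if not match:
        raise ValueError(f"version {params['version']!r} violates the ABNF")
    return tuple(int(g) for g in match.groups() if g is not None)


# Constructed sample document (shape assumed from the SPDX 3.0.x JSON-LD
# serialization). The locators are deliberately mixed: two acceptable https
# links, one http link, one file: URL and one unlisted https host.
SAMPLE_DOC = """{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {
      "type": "software_Package",
      "spdxId": "https://example.com/spdx/pkg-1",
      "name": "example-lib",
      "externalRef": [
        {"type": "ExternalRef", "externalRefType": "securityAdvisory",
         "locator": ["https://example.com/advisories/EXAMPLE-2026-0001"]},
        {"type": "ExternalRef", "externalRefType": "other",
         "locator": ["http://mirror.example.net/notes.txt",
                     "file:///etc/passwd",
                     "https://unlisted.example.org/advisory"]}
      ],
      "externalIdentifier": [
        {"type": "ExternalIdentifier", "externalIdentifierType": "cpe23",
         "identifier": "cpe:2.3:a:example:example-lib:1.0:*:*:*:*:*:*:*",
         "identifierLocator": ["https://nvd.nist.gov/products/cpe/search/results?keyword=example-lib"]}
      ]
    }
  ]
}"""

# Policy knob, constructed for this example: hosts a consumer is willing to contact.
ALLOWED_HOSTS = frozenset({"nvd.nist.gov", "example.com"})


def collect_locators(doc):
    """Yield (spdxId, source, locator) for every external link in the @graph.

    Missing properties are tolerated; a locator is just a string in the document
    and is treated as untrusted input by the caller.
    """
    for element in doc.get("@graph", []):
        sid = element.get("spdxId", "<no spdxId>")
        for ref in element.get("externalRef", []):
            for loc in ref.get("locator", []):
                yield sid, "externalRef:" + ref.get("externalRefType", "?"), loc
        for ident in element.get("externalIdentifier", []):
            for loc in ident.get("identifierLocator", []):
                yield sid, "externalIdentifier:" + ident.get("externalIdentifierType", "?"), loc


def triage_locators(json_text, allowed_hosts=ALLOWED_HOSTS):
    """Partition locators into (allowed, refused) without fetching anything.

    Only https URLs whose host is on the allowlist are allowed; other schemes
    (http, file, ...), unknown hosts and unparsable strings are refused with a
    reason, so the decision to contact an external system is explicit.
    """
    doc = json.loads(json_text)
    allowed, refused = [], []
    for sid, source, loc in collect_locators(doc):
        try:
            url = urlsplit(loc)
        except ValueError:
            refused.append((sid, source, loc, "unparsable"))
            continue
        if url.scheme != "https":
            refused.append((sid, source, loc, f"scheme {url.scheme or '<none>'} is not https"))
        elif url.hostname not in allowed_hosts:
            refused.append((sid, source, loc, f"host {url.hostname} not on allowlist"))
        else:
            allowed.append((sid, source, loc))
    return allowed, refused


if __name__ == "__main__":
    print("version:", spdx3_version("application/spdx3+json; version=3.0.1"))
    ok, bad = triage_locators(SAMPLE_DOC)
    for item in ok:
        print("may fetch:", item)
    for item in bad:
        print("refused:  ", item)
```

The allowlist is the policy decision the registration leaves to the consumer: the format guarantees that locators are plain strings and that the document carries no executable content, but nothing in the document itself says which of those strings a tool should resolve, so the triage step keeps that choice out of the parser and makes every refusal auditable.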