An open standard, in development
Software Bill of Behavior
The runtime companion to the Software Bill of Materials. Vendor-neutral, machine-checkable, designed for EU Cyber Resilience Act and NIS 2 readiness.
- prescriptive behavior
- machine-verifiable
- made for CRA & NIS 2
The standard
What SBoB is
SBoMs describe what is in the software. The Bill of Behavior prescribes what the software is intended to do at runtime — expressing that intent as signed YAML profiles, suitable for detection engineering, supply-chain assurance, and emerging compliance regimes (EU Cyber Resilience Act, NIS 2).
The vendor declares the behavior in a prescriptive manner. The end user verifies it. Defenders get up-to-date detection rules with every release.
Where things live today
- github.com/billofbehavior — documentation (COMING SOON)
- github.com/k8sstormcenter/bob — reference CLI (COMING SOON)
- github.com/kubescape — reference implementation, official upstream (COMING SOON)
- SBoB specification v0.0.1 — draft; preview only, password-gated, changing daily
- v0.0.1 stack-profile extension — draft; behavioral / CPU-profile add-on to the specification above
Stewardship
An open standard, stewarded — not sold.
Bill of Behavior is a free and open-source standard. It is not a product, not a paid tier, and not a funnel into commercial services. fusioncore.ai stewards the standard's development under the open-source steward regime defined in the EU Cyber Resilience Act (Article 24). Whether stewardship will later be transferred to a foundation or similar independent entity is an open question that is actively being considered.
Contribute
Get involved
The standard is open and is currently expressed as a pseudo-spec. We will release the first draft of the specification soon. Contributors are welcome via GitHub issues and pull requests.