
Evolving vulnerabilities in CycloneDX

Formal metadata

Title
Evolving vulnerabilities in CycloneDX
Series title
Number of parts
637
Author
License
CC Attribution 2.0 Belgium:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
CycloneDX is a software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis. It is developed in the open and widely implemented in open source tooling. As well as a quick introduction to CycloneDX, this talk will look in particular at the vulnerability extension. Modelling vulnerabilities in software is surprisingly complex. In this talk we'll look at some of the current issues in the CycloneDX vulnerability extension, summarise some of the ongoing discussions in this area, and get people's input on proposals for improvements. No prior knowledge of CycloneDX is required for this session. The basics of the specification are simple enough for folks interested in Software Composition Analysis to grok quickly. The main aim of the session is to raise awareness of the open specification and the process around it, and to get more eyes on future improvements. The audience should come away with some insight into why CycloneDX is useful, why open standards are important, and how to get involved in the project.