diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index bc357156b..0a539e0ca 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -455,6 +455,7 @@ jobs:
         run: npm run build
         working-directory: ${{ env.EXAMPLE_DIR }}
 
+
   api-doc:
     name: api-doc ${{ matrix.target }}
     runs-on: "ubuntu-latest"
@@ -487,3 +488,33 @@ jobs:
           echo "::endgroup::"
       - name: api-doc ${{ matrix.target }}
         run: npm run api-doc:${{ matrix.target }}
+
+
+  validate-VEX-VDR:
+    needs: [ 'build' ]
+    name: validate VEX/VDR
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+      - name: fetch build artifact 'node'
+        # see https://github.com/actions/download-artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist.node
+          path: dist.node
+      - name: setup library
+        run: npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly
+      - name: setup tool
+        run: npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly
+        working-directory: tools/cdx-json-schema-validator
+      - name: validate
+        run: node tools/cdx-json-schema-validator/validate.js SECURITY.cdx.json
+
diff --git a/SECURITY.cdx.json b/SECURITY.cdx.json
new file mode 100644
index 000000000..4409ac316
--- /dev/null
+++ b/SECURITY.cdx.json
@@ -0,0 +1,32 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:472bda2e-8d12-4ee5-af87-29b0bf1b348e",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "bom-ref": "@cyclonedx/cyclonedx-library",
+      "type": "library",
+      "group": "cyclonedx",
+      "name": "cyclonedx-library",
+      "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
+      "externalReferences": [
+        {
+          "type": "vcs",
+          "url": "https://github.com/CycloneDX/cyclonedx-javascript-library"
+        },
+        {
+          "type": "issue-tracker",
+          "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues"
+        }
+      ]
+    },
+    "authors": [
+      {
+        "name": "Jan Kowalleck",
+        "email": "jan.kowalleck@owasp.org"
+      }
+    ]
+  }
+}
diff --git a/tools/cdx-json-schema-validator/.gitignore b/tools/cdx-json-schema-validator/.gitignore
new file mode 100644
index 000000000..f2279a53d
--- /dev/null
+++ b/tools/cdx-json-schema-validator/.gitignore
@@ -0,0 +1,6 @@
+*
+!/.gitignore
+!/package.json
+!/validate.js
+!/.npmrc
+!/eslint.config.mjs
diff --git a/tools/cdx-json-schema-validator/.npmrc b/tools/cdx-json-schema-validator/.npmrc
new file mode 100644
index 000000000..147970caf
--- /dev/null
+++ b/tools/cdx-json-schema-validator/.npmrc
@@ -0,0 +1,5 @@
+; see the docs: https://docs.npmjs.com/cli/v9/using-npm/config
+
+package-lock=false
+engine-strict=true
+omit=peer # don't install them automatically; we take cate of them!
diff --git a/tools/cdx-json-schema-validator/eslint.config.mjs b/tools/cdx-json-schema-validator/eslint.config.mjs
new file mode 100644
index 000000000..6483e71a7
--- /dev/null
+++ b/tools/cdx-json-schema-validator/eslint.config.mjs
@@ -0,0 +1,37 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import baseCfg, { globals } from '../code-style/eslint.config.mjs'
+
+/* eslint-disable jsdoc/valid-types */
+
+/**
+ * @type {import('@types/eslint').Linter.FlatConfig[]}
+ * @see {@link https://eslint.org/}
+ */
+export default [
+  ...baseCfg,
+  {
+    files: ['**/*.js'],
+    languageOptions: {
+      sourceType: 'module',
+      globals: globals.node,
+    }
+  },
+]
diff --git a/tools/cdx-json-schema-validator/package.json b/tools/cdx-json-schema-validator/package.json
new file mode 100644
index 000000000..77fc7ed1e
--- /dev/null
+++ b/tools/cdx-json-schema-validator/package.json
@@ -0,0 +1,17 @@
+{
+  "private": true,
+  "name": "@cyclonedx/cyclonedx-javascript-library/tools/cdx-json-schema-validator",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "validate.js",
+  "dependencies": {
+    "@cyclonedx/cyclonedx-library": "file:../.."
+  },
+  "scripts": {
+    "download": "node download.js",
+    "cs-fix": "npm --prefix ../code-style exec -- eslint --fix ."
+  },
+  "engines": {
+    "node": ">=20.18"
+  }
+}
diff --git a/tools/cdx-json-schema-validator/validate.js b/tools/cdx-json-schema-validator/validate.js
new file mode 100644
index 000000000..ad32639cc
--- /dev/null
+++ b/tools/cdx-json-schema-validator/validate.js
@@ -0,0 +1,46 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import { readFile } from 'node:fs/promises'
+
+import CDX from '@cyclonedx/cyclonedx-library'
+
+const args = process.argv.slice(2)
+if (args.length < 1) {
+  console.error('missing args')
+  process.exit(1)
+}
+const [filePath,] = args
+console.debug('filePath', filePath)
+
+const json = await readFile(filePath, 'utf8')
+const data = JSON.parse(json)
+
+const CDX_JSON_SCHEMA_RE = /^http:\/\/cyclonedx\.org\/schema\/bom-(\d+\.\d+)\.schema\.json$/
+const specVersion = data['$schema'].match(CDX_JSON_SCHEMA_RE)[1]
+const validator = new CDX.Validation.JsonStrictValidator(specVersion)
+
+const validationError = await validator.validate(json)
+if (validationError !== null) {
+  console.error('validation error', validationError)
+  process.exit(2)
+}
+
+console.info('valid')
+process.exit(0)