OASIS Common Security Advisory Framework (CSAF) Technical Committee

The original Call For Participation for this TC may be found at https://lists.oasis-open.org/archives/csaf/201610/msg00000.html.

The Charter for this TC was clarified on 04 May 2021. See the ballot at https://www.oasis-open.org/committees/ballot.php?id=3615.

  1. Name of the TC

    OASIS Common Security Advisory Framework (CSAF) TC

  2. Statement of Purpose

    The current threat landscape, combined with the emergence of the Internet of Things, has profoundly changed how we protect our systems and people, driving us to think about a new approach to cybersecurity, especially around vendor advisories dealing with vulnerability disclosure issues. The purpose of the CSAF Technical Committee is to standardize existing practice in structured, machine-readable security vulnerability-related advisories and to further refine those standards over time.

    The TC will base its efforts on the Common Vulnerability Reporting Framework (CVRF) specification originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI intends to contribute CVRF to the TC. Prior to the creation of the TC, the CVRF standard had been adopted by several technology vendors and MITRE, which produce information in the CVRF format. Additionally, a number of organizations are consuming information produced in the CVRF format. By building upon the existing CVRF standard, the TC can offer immediate value and quickly support future development to improve the interoperability and utility of the framework in support of providing structured, machine-readable security advisories.

  3. Scope of Work

    The TC will use CSAF CVRF 1.2 as the basis for creating OASIS Standards Track Work Products. One important consideration will be to ensure that the specification provides for sufficient interoperability to allow any consuming application to reliably process vulnerability-related remediation advisories from multiple sources without special semantic handling for each source. This also includes the provisioning, distribution and retrieval process. Since some changes affect backwards compatibility with CSAF CVRF 1.2 (and with the CSAF input specification for subsequent major revisions), the TC will attempt, where possible, to provide guidance on how to handle these issues.

    The TC will develop format specifications for structured, machine-readable security vulnerability-related advisories under the OASIS TC process, with the goal of submitting them at the appropriate time to the membership of the organization for consideration as an OASIS Standard. Other contributions will be accepted for consideration without any prejudice or restrictions and evaluated based on technical merit insofar as they conform to this charter.

    The TC emphasizes the importance of an actionable advisory culture and contributes to the end-to-end automation of the process. Besides incorporating this into the specifications, the TC may produce and publish tooling. This includes, but is not limited to, tools to parse, validate, generate or consume CSAF documents. The TC will encourage the community to provide missing tools.

  4. Deliverables

    The TC will make substantive additions and other changes to the CSAF CVRF 1.2 input specification in order to create and maintain the CSAF specification (Version 2.0 and later), correcting errors and evolving capabilities based on requirements and capabilities identified by OASIS TC members. The TC will rename the framework to more closely align with its primary use (e.g., Common Security Advisory Framework - CSAF). Deliverables will include a major revision of the framework. In addition to the specification deliverables, the TC may deliver supporting documentation and open source tooling on an ongoing basis in support of the TC's published standard(s). The TC aims to produce major revisions of the framework to support the advisory sharing communities.

  5. IPR Mode

    This TC will operate under the Non-Assertion IPR mode as defined in Section 10.3 of the OASIS IPR Policy document.

  6. Audience

    The anticipated audience includes providers of products and services that produce, consume, or process security vulnerability remediation information, along with their customers who consume this information.

  7. Language

    The TC business will be conducted in English. The output documents will be written in (US) English. Translations to other languages may be made based on interest and ability.