Project news

CSAF Common Vulnerability Reporting Framework (CVRF) V1.2 is now a Committee Specification

The language enabling machine-readable exchange of security advisories is now available for implementation.

We are pleased to announce the publication of CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2, the first approved specification from the members of the OASIS Common Security Advisory Framework (CSAF) TC.

CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2
Committee Specification 01
13 September 2017

CVRF is a language for exchanging security advisories. It provides for greater interoperability among products by ensuring that machine-readable security advisories can be produced and consumed much more broadly. The specification builds on the Common Vulnerability Reporting Framework (CVRF) 1.1, which was initiated by ICASI, the Industry Consortium for Advancement of Security on the Internet, and contributed to OASIS.

For more information on CVRF and the CSAF TC, see the press release at

This is an OASIS deliverable, completed and approved by the TC and fully ready for testing and implementation.

The prose specifications and related files are available here:

PDF (Authoritative):


Editable source:

XML schemas:

Distribution ZIP file

For your convenience, OASIS provides a complete package of the prose specification and related files in a ZIP distribution file. You can download the ZIP file here:

Members of the CSAF TC [1] approved this specification by Special Majority Vote. The specification had been released for public review as required by the TC Process [2]. The vote to approve as a Committee Specification passed [3], and the document is now available online in the OASIS Library as referenced above.

Our congratulations to the TC on achieving this milestone and our thanks to the reviewers who provided feedback on the specification drafts to help improve the quality of the work.

========== Additional references:

[1] OASIS Common Security Advisory Framework (CSAF) TC

[2] Public reviews:
– 30-day public review, 21 June 2017:
– Comment resolution log:

[3] Approval ballot: