Call to vote on Common Security Advisory Framework (CSAF), the definitive language to exchange Security Advisories formulated in JSON
The Common Security Advisory Framework (CSAF) TC members have approved submitting the following Committee Specification 03 to the OASIS Membership in a call for consent for OASIS Standard:
Common Security Advisory Framework Version 2.0
Committee Specification 03
01 August 2022
This is a call to the primary or alternate representatives of OASIS Organizational Members to consent or object to this approval. You are welcome to register your consent explicitly on the ballot; however, your consent is assumed unless you register an objection. To register an objection, you must:
- Indicate your objection on this ballot, and
- Provide a reason for your objection and/or a proposed remedy to the project.
You may provide the reason in the comment box or by email to the CSAF TC on its comment mailing list. If you provide your reason by email, please indicate in the subject line that this is in regard to the Call for Consent. Note that failing to provide a reason and/or remedy may result in an objection being deemed invalid.
The Call for Consent opens on 05 November 2022 at 00:00 UTC and closes on 18 November 2022 at 23:59 UTC. You can access the ballot at:
Internal link for voting members: https://www.oasis-open.org/apps/org/workgroup/voting/ballot.php?id=3732
Publicly visible link: https://www.oasis-open.org/committees/ballot.php?id=3732
OASIS members should ensure that their organization’s voting representative responds according to the organization’s wishes. If you do not know who your organization’s voting representative is, go to the My Account page at
then click the link for your Company (at the top of the page) and review the list of users for the name designated as “Primary”.
Information about the candidate OASIS Standard
This document is the definitive reference for the language elements of CSAF version 2.0. The Common Security Advisory Framework (CSAF) is a language to exchange Security Advisories formulated in JSON.
The term Security Advisory describes any notification of security issues in products to or from product vendors, Product Security Incident Response Teams (PSIRTs), product resellers and distributors, and others. The focus of the term is on the security aspect impacting specific product-platform-version combinations.
The TC received 3 Statements of Use from Oracle Corporation, TIBCO Software Inc., and Federal Office for Information Security (BSI) Germany.
The prose specification document and related files are available here:
Editable source (Authoritative):
Distribution ZIP files
For your convenience, OASIS provides a complete package of the specification document and related files in a ZIP distribution file. You can download the ZIP file at:
 Common Security Advisory Framework (CSAF) TC
Project IPR page
 Comments may be submitted to the TC through the use of the OASIS TC Comment Facility as explained in the instructions located at https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=csaf
Comments submitted to the TC are publicly archived and can be viewed at https://lists.oasis-open.org/archives/csaf-comment/
Members of the TC should send comments directly to firstname.lastname@example.org.
All emails to the OP are publicly archived and can be viewed at https://lists.oasis-open-projects.org/g/csaf/topics
 Timeline Summary:
- Committee Specification 03 (CS03) approved 01 August 2022: https://www.oasis-open.org/committees/ballot.php?id=3721.
— Publication announcement: https://lists.oasis-open.org/archives/members/202208/msg00000.html.
— 60-day public review as a candidate for OASIS Standard to be opened on 31 August 2022 and closed on 29 October 2022.
— Public review announcement to be archived at: https://lists.oasis-open.org/archives/members/202208/maillist.html.
— The changes between CS02 and CS03 are marked in: https://docs.oasis-open.org/csaf/csaf/v2.0/cs03/csaf-v2.0-cs03-DIFF.pdf and are based on the comments listed in https://docs.oasis-open.org/csaf/csaf/v2.0/cs02/csaf-v2.0-cs02-comment-resolution-log.pdf. The TC judged these changes to be Non-Material Changes.
- Committee Specification 02 (CS02) approved 29 June 2022: https://www.oasis-open.org/committees/ballot.php?id=3711.
— Publication announcement: https://lists.oasis-open.org/archives/members/202207/msg00001.html
— The changes between CSD02 and CS02 are marked in: https://docs.oasis-open.org/csaf/csaf/v2.0/cs02/csaf-v2.0-cs02-DIFF.pdf. The TC judged these changes to be Non-Material Changes.
- Committee Specification Draft 02 (CSD02) with 15-day public review approved 30 March 2022: https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2022-03-30.md#meeting-notes.
— 15-day public review 02 opened on 15 April 2022 and closed on 29 April 2022: https://lists.oasis-open.org/archives/members/202204/msg00002.html.
— The changes between CS01 and CSD02 are marked in: https://docs.oasis-open.org/csaf/csaf/v2.0/csd02/csaf-v2.0-csd02-DIFF.pdf
— Comment resolution log: https://docs.oasis-open.org/csaf/csaf/v2.0/csd02/csaf-v2.0-csd02-comment-resolution-log.pdf.
- Committee Specification 01 (CS01) approved 12 November 2021: https://www.oasis-open.org/committees/ballot.php?id=3666.
— Publication announcement: https://lists.oasis-open.org/archives/members/202111/msg00008.html
— The changes between CSD01 and CS01 are marked in: https://github.com/oasis-tcs/csaf/releases/download/cs-01-20211027-rc2/log_from_csprd01.md. The TC judged these changes to be Non-Material Changes.
- Committee Specification Draft 01 (CSD01) with 30-day public review approved 05 August 2021: https://lists.oasis-open.org/archives/csaf/202108/msg00000.html.
— 30-day public review 01 opened on 14 August 2021 and closed on 12 September 2021: https://lists.oasis-open.org/archives/members/202108/msg00006.html.
— Comment resolution log: https://docs.oasis-open.org/csaf/csaf/v2.0/csd01/csaf-v2.0-csd01-comment-resolution-log.md.
 Statements of Use:
- Oracle Corporation:
- TIBCO Software Inc.:
- Federal Office for Information Security (BSI) Germany: