Project news

Common Security Advisory Framework Version 2.0 OASIS Standard is now published

The definitive reference for security advisories expressed in JSON is now published and available

OASIS is pleased to announce the publication of its newest OASIS Standard, approved by the members on 18 November 2022:

Common Security Advisory Framework Version 2.0
OASIS Standard
18 November 2022

This OASIS Standard is the definitive reference for the language elements of CSAF version 2.0. The Common Security Advisory Framework (CSAF) is a language for exchanging Security Advisories formulated in JSON.

The term Security Advisory describes any notification of security issues in products to or from product vendors, Product Security Incident Response Teams (PSIRTs), product resellers and distributors, and others. The focus of the term is on the security aspect impacting specific product-platform-version combinations. Developers of security scanning tools in particular are likely to find CSAF files most useful.

The TC received 3 Statements of Use from Oracle Corporation, TIBCO Software Inc., and the Federal Office for Information Security (BSI) Germany.


The components of the standard can be found at:

Editable source (Authoritative):

JSON schemas

For your convenience, OASIS provides a complete package of the specification document and any related files in ZIP distribution files. You can download the ZIP file at:

Our congratulations to the members of the CSAF TC on achieving this outstanding milestone.