Project news

Invitation to comment on Common Security Advisory Framework v2.0 Errata 01

Public review of draft Errata ends January 4th

OASIS and the OASIS Common Security Advisory Framework (CSAF) TC are pleased to announce that Common Security Advisory Framework Version 2.0 Errata 01 is now available for public review and comment.

This document lists proposed errata for the OASIS Standard “Common Security Advisory Framework Version 2.0.” The specific changes are listed in section 1.1, at

The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the CSAF language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.

The OASIS CSAF Technical Committee is chartered to make a major revision to the widely-adopted Common Vulnerability Reporting Framework (CVRF) specification, originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI has contributed CVRF to the TC. The revision is being developed under the name Common Security Advisory Framework (CSAF). TC deliverables are designed to standardize existing practice in structured machine-readable vulnerability-related advisories and further refine those standards over time.

The documents and related files are available here:

Common Security Advisory Framework Version 2.0 Errata 01
Committee Specification Draft 01
15 December 2023

Editable source (Authoritative):



JSON schemas:
Aggregator JSON schema:
CSAF JSON schema:
Provider JSON schema:

For your convenience, OASIS provides a complete package of the specification document and any related files in ZIP distribution files. You can download the ZIP file at:

A public review announcement metadata record [3] is published along with the specification files.

How to Provide Feedback

OASIS and the CSAF TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of our technical work.

The public review starts 21 December 2023 at 00:00 UTC and ends 04 January 2024 at 23:59 UTC.

Comments may be submitted to the TC by any person through the use of the OASIS TC Comment Facility which can be used by following the instructions on the TC’s “Send A Comment” page (

Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed at:

All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy [1] applicable especially [2] to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.

OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.

Additional information about the specification and the CSAF TC can be found at the TC’s public home page:

========== Additional references:



[3] Public review announcement metadata: