Invitation to comment on Common Security Advisory Framework v2.0
OASIS and the OASIS Common Security Advisory Framework (CSAF) TC are pleased to announce that Common Security Advisory Framework Version 2.0 is now available for public review and comment. This 15-day review is the second public review for this draft specification.
The Common Security Advisory Framework (CSAF) Version 2.0 is the definitive reference for the CSAF language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.
The OASIS CSAF Technical Committee is chartered to make a major revision to the widely-adopted Common Vulnerability Reporting Framework (CVRF) specification, originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI has contributed CVRF to the TC. The revision is being developed under the name Common Security Advisory Framework (CSAF). TC deliverables are designed to standardize existing practice in structured machine-readable vulnerability-related advisories and further refine those standards over time.
The documents and related files are available here:
Common Security Advisory Framework Version 2.0
Committee Specification Draft 02
30 March 2022
Editable source (Authoritative):
PDF marked with changes since previous publication:
Aggregator JSON schema:
CSAF JSON schema:
Provider JSON schema:
For your convenience, OASIS provides a complete package of the specification document and any related files in ZIP distribution files. You can download the ZIP file at:
A public review announcement metadata record  is published along with the specification files.
How to Provide Feedback
OASIS and the CSAF TC value your feedback. We solicit input from developers, users and others, whether OASIS members or not, for the sake of improving the interoperability and quality of our technical work.
The public review starts 15 April 2022 at 00:00 UTC and ends 29 April 2022 at 23:59 UTC.
Comments may be submitted to the TC by any person through the use of the OASIS TC Comment Facility which can be used by following the instructions on the TC’s “Send A Comment” page (https://www.oasis-open.org/committees/comments/index.php?wg_abbrev=csaf).
Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed at:
All comments submitted to OASIS are subject to the OASIS Feedback License, which ensures that the feedback you provide carries the same obligations at least as the obligations of the TC members. In connection with this public review, we call your attention to the OASIS IPR Policy  applicable especially  to the work of this technical committee. All members of the TC should be familiar with this document, which may create obligations regarding the disclosure and availability of a member’s patent, copyright, trademark and license rights that read on an approved OASIS specification.
OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC’s work.
Additional information about the specification and the CSAF TC can be found at the TC’s public home page:
 Public review announcement metadata: