In depth
The CSAF document model (JSON, schema-validated) has three top-level objects. "document" carries the metadata: publisher, title, tracking block (advisory ID, version, status, revision history) and distribution rules such as the TLP label. "product_tree" is a hierarchical model of the vendor's products: nested branches (vendor, product family, product name, product version), each leaf being a product with a short product_id and a product_identification_helper that maps it to external identifiers such as CPE, PURL, file hashes, serial numbers or SKUs; "relationships" entries combine products to express things like "component X as shipped inside product Y". "vulnerabilities" is a list in which each entry names a CVE (and optionally CWE), carries CVSS scores, a product_status block that assigns product_ids to states such as known_affected or fixed, plus remediations, threats, references and notes. A single CSAF document can describe many vulnerabilities across many products, which is how vendors typically ship a monthly security bulletin in one file.
CSAF 2.0 supersedes the older CVRF format, and CISA promotes it (together with VEX) as the machine-readable advisory format it wants vendors, including suppliers to the US federal government, to publish. Major vendors publishing CSAF feeds include Cisco, Red Hat, Siemens, Schneider Electric, Bosch, SUSE and many in the OT/ICS space, where the precision of CSAF's product trees (exact firmware versions and hardware SKUs) is particularly valuable. The standard itself defines tiered roles for distributing parties rather than an external certification: a CSAF publisher, a CSAF provider (discoverable through a provider-metadata.json under the /.well-known/csaf/ path) and a CSAF trusted provider, which must additionally publish an OpenPGP signature and hashes for every document and ensure its documents pass the specification's mandatory validation tests. Consumers should verify those signatures before trusting a feed, since an advisory that can tell your tooling "not affected" is itself a supply-chain input.
The natural companion to CSAF is the VEX document, which uses the same JSON schema under CSAF's "csaf_vex" profile to communicate exploitability status: "this CVE is in our product but does not affect customers because the vulnerable code path is unreachable." Each product is placed in one of four states per vulnerability (known_affected, known_not_affected, under_investigation, fixed), and the profile requires a justification for a known_not_affected claim (a VEX flag such as vulnerable_code_not_in_execute_path or an impact statement note) and an action statement for a known_affected one. Together, CSAF and VEX let an enterprise security programme move from "every CVE in our SBOM is a ticket" to "only the CVEs that are actually exploitable in our usage are tickets." See supply chain attacks 2026.
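The following is an added example, written for this page rather than taken from the CSAF specification or any vendor's tooling. It covers both the document model described above (walking "product_tree" to resolve product_ids to PURLs) and the VEX triage step: given the PURLs from an SBOM, it keeps only the CVEs the vendor marks known_affected or under_investigation, drops fixed and justified known_not_affected entries, and flags a known_not_affected claim that carries no justification, since the csaf_vex profile requires one. The embedded document is constructed for the example; the vendor, product names, PURLs and CVE numbers are placeholders, not real advisories.

```python
"""Added example: resolve CSAF product_ids and triage CVEs by VEX status."""
import json
from typing import Dict, List, Tuple

# Constructed sample in the csaf_vex profile. Vendor, products, PURLs and the
# CVE numbers are placeholders for this example, not real products or advisories.
# The last vulnerability deliberately violates the profile (no justification).
SAMPLE_CSAF = json.loads(r"""
{"document": {"category": "csaf_vex", "csaf_version": "2.0",
   "publisher": {"category": "vendor", "name": "Example Corp", "namespace": "https://example.invalid"},
   "title": "Example Corp VEX for Widget Server",
   "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
     "initial_release_date": "2024-01-10T00:00:00Z", "current_release_date": "2024-01-10T00:00:00Z",
     "revision_history": [{"number": "1", "date": "2024-01-10T00:00:00Z", "summary": "Initial"}]}},
 "product_tree": {"branches": [
   {"category": "vendor", "name": "Example Corp", "branches": [
     {"category": "product_name", "name": "Widget Server", "branches": [
       {"category": "product_version", "name": "1.0", "product": {"product_id": "CSAFPID-0001",
         "name": "Example Corp Widget Server 1.0",
         "product_identification_helper": {"purl": "pkg:generic/example/widget-server@1.0"}}},
       {"category": "product_version", "name": "1.1", "product": {"product_id": "CSAFPID-0002",
         "name": "Example Corp Widget Server 1.1",
         "product_identification_helper": {"purl": "pkg:generic/example/widget-server@1.1"}}}]}]}]},
 "vulnerabilities": [
   {"cve": "CVE-2024-0001",
    "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
    "remediations": [{"category": "vendor_fix", "details": "Upgrade to 1.1", "product_ids": ["CSAFPID-0001"]}]},
   {"cve": "CVE-2024-0002",
    "product_status": {"known_not_affected": ["CSAFPID-0001", "CSAFPID-0002"]},
    "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["CSAFPID-0001", "CSAFPID-0002"]}]},
   {"cve": "CVE-2024-0003",
    "product_status": {"under_investigation": ["CSAFPID-0001", "CSAFPID-0002"]}},
   {"cve": "CVE-2024-0004",
    "product_status": {"known_not_affected": ["CSAFPID-0001"]}}]}
""")

VEX_STATUSES = ("known_affected", "known_not_affected", "under_investigation", "fixed")


def index_products(product_tree: dict) -> Dict[str, dict]:
    """Map product_id -> product object, walking nested branches as well as the
    flat full_product_names list and the products defined by relationships."""
    index: Dict[str, dict] = {}

    def visit(branch: dict) -> None:
        if "product" in branch:
            index[branch["product"]["product_id"]] = branch["product"]
        for child in branch.get("branches", []):
            visit(child)

    for branch in product_tree.get("branches", []):
        visit(branch)
    for product in product_tree.get("full_product_names", []):
        index[product["product_id"]] = product
    for rel in product_tree.get("relationships", []):
        index[rel["full_product_name"]["product_id"]] = rel["full_product_name"]
    return index


def statements(doc: dict) -> List[Tuple[str, str, str, str]]:
    """Flatten vulnerabilities into (cve, product_id, status, justification) rows.
    The justification is the VEX flag label attached to a known_not_affected
    product; an empty justification there means the vendor gave no reason."""
    rows: List[Tuple[str, str, str, str]] = []
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve", "")
        flags = {pid: f["label"] for f in vuln.get("flags", []) for pid in f.get("product_ids", [])}
        for status in VEX_STATUSES:
            for pid in vuln.get("product_status", {}).get(status, []):
                rows.append((cve, pid, status, flags.get(pid, "") if status == "known_not_affected" else ""))
    return rows


def triage(doc: dict, deployed_purls: List[str]) -> Dict[str, Dict[str, str]]:
    """Return {purl: {cve: state}} for the PURLs we actually deploy. known_affected
    needs a ticket, under_investigation is a watch item, fixed and justified
    known_not_affected drop out, and an unjustified known_not_affected is kept
    as 'unjustified_not_affected' so a human reviews the vendor's claim."""
    by_purl = {p.get("product_identification_helper", {}).get("purl"): pid
               for pid, p in index_products(doc.get("product_tree", {})).items()}
    result: Dict[str, Dict[str, str]] = {}
    for purl in deployed_purls:
        pid = by_purl.get(purl)
        if pid is None:
            continue  # the vendor's VEX says nothing about this component
        for cve, row_pid, status, justification in statements(doc):
            if row_pid != pid:
                continue
            if status in ("known_affected", "under_investigation"):
                result.setdefault(purl, {})[cve] = status
            elif status == "known_not_affected" and not justification:
                result.setdefault(purl, {})[cve] = "unjustified_not_affected"
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CSAF, ["pkg:generic/example/widget-server@1.0"]), indent=1))
```

Matching on PURL is the simplest join between an SBOM and a CSAF product tree; real feeds also identify products by CPE, hashes or SKUs, and the same index lookup extends to those helpers. Note that the triage deliberately treats a PURL the vendor never mentions as "no statement" rather than "not affected": silence in a VEX document is not a clearance.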