Boston, MA, USA, 21 November, 2022 – OASIS Open, the international open source and standards consortium, announced the approval of the Common Security Advisory Framework (CSAF) 2.0 as a full OASIS standard, a status that signifies the highest level of ratification. This new version of CSAF includes support for the Vulnerability Exploitability Exchange (VEX) profile, which is especially helpful in efficiently consuming SBOM data.
The current threat landscape has profoundly changed how systems and people are protected, driving new approaches to cybersecurity, especially around vendor advisories dealing with vulnerability disclosure issues. The OASIS CSAF Technical Committee’s work developing machine readable security advisories makes it possible for cyber defenders to quickly and automatically assess the impact of vulnerabilities and respond in an automated way.
“Security advisories play a crucial role in securing on-premises and cloud-based assets as they contain critical information about how to remediate vulnerabilities,” said OASIS CSAF chair, Omar Santos, of Cisco. “CSAF v2.0 brings more than machine readable advisories in JSON format; it specifies the distribution mechanism and how new CSAF documents can be discovered and disclosed. It’s the result of an international, industry-wide effort to standardize the reporting of security issues. CSAF enables software producers and consumers to modernize their vulnerability management and response programs.”
Participation in the OASIS CSAF TC is open to all through membership in OASIS. Providers of products and services that produce, consume, or process security vulnerability remediation information, along with their customers who consume this information, and all other interested parties, are invited to join the group.
