I am pleased to announce that the OASIS CSAF Common Vulnerability Reporting Framework (CVRF) Version 1.2 committee specification is now available. As covered in our previous blog posts, the purpose of the OASIS Common Security Advisory Framework (CSAF) Technical Committee (TC) is to standardize the practices for structured, machine-readable security vulnerability-related advisories. The CSAF TC is focusing all efforts on enhancing the CVRF specification originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). The CVRF language supports the creation, update, and interoperable exchange of security advisories as structured machine-readable content.

The CVRF version 1.2 committee specification provides support for Common Vulnerability Scoring System version 3 (CVSSv3) scores, new namespaces, and enhanced documentation.

The prose specifications and related files are available at the following links:

You can also obtain additional information at the CSAF TC GitHub Repository: https://github.com/oasis-tcs/csaf


Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations