Common Security Advisory Framework (CSAF)
CSAF is an OASIS open standard for machine-readable security advisory documents, replacing the older CVRF format. ENISA recommends CSAF as the preferred format for security advisories published by manufacturers under the EU Cyber Resilience Act.
What Is CSAF?
The Common Security Advisory Framework (CSAF) is an OASIS open standard (CSAF 2.0, published 2022) that defines a JSON-based format for machine-readable security advisories. CSAF advisories contain structured data about vulnerabilities — CVE IDs, CVSS scores, affected products (using CPE or PURL identifiers), remediation status, and fix availability — enabling downstream tools to automate vulnerability correlation and patch management. CSAF supersedes the older CVRF (Common Vulnerability Reporting Framework) XML format. CSAF also defines distribution requirements: advisories must be published at a standardised URL path and listed in a CSAF provider-metadata.json index.
CSAF Under the CRA
The CRA requires manufacturers to publish security advisories when releasing patches (Annex I Part II), but does not mandate CSAF by name. ENISA's published guidance strongly recommends CSAF as the format for CRA-compliant advisories. Key reasons:
- Machine-readability — CSAF enables customers' vulnerability management tools to automatically ingest advisory data without manual parsing.
- VEX support — CSAF supports VEX (Vulnerability Exploitability eXchange) documents, allowing manufacturers to assert which CVEs do and do not affect specific product versions.
- CSIRT compatibility — national CSIRTs that manufacturers must notify under Article 14 are increasingly CSAF-native and expect structured data.
- Regulatory auditing — a structured, versioned CSAF archive provides an audit trail of vulnerability handling activity.
Publishing CSAF Advisories
A CSAF advisory publication workflow for a CRA-obligated manufacturer:
- Draft — author the advisory in CSAF JSON format, including document metadata, product tree (affected products and versions), vulnerability records (CVE, CVSS, CWE), and remediation entries.
- Validate — use the CSAF validator tool (open-source, from BSI / OASIS) to check schema conformance and business rule compliance.
- Sign — sign the advisory document and its SHA-256/SHA-512 hash files.
- Publish — upload to /.well-known/csaf/ on your advisory distribution domain alongside an updated provider-metadata.json and an aggregator-accessible index.
- Notify — reference the CSAF advisory URL in ENISA/CSIRT notifications required by Article 14.
CSAF Profile Selection
CSAF 2.0 defines six profiles for different advisory types, including:
- CSAF Base — minimal required fields only.
- Security Advisory — the standard profile for disclosing fixed vulnerabilities.
- VEX — for asserting exploitability status without remediation information.
- CSAF Informational Advisory — non-security product notices.
For CRA compliance, manufacturers will primarily use the Security Advisory and VEX profiles. VEX is particularly valuable for communicating which CVEs in shared upstream components do not affect your specific product build, reducing unnecessary customer patch workloads.
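As an added example (not code from the page or from any CSAF project), the following Python builds a minimal CSAF 2.0 document in the VEX profile of the kind described above, runs a few of the consistency checks that the Validate step is about (product IDs must exist in the product tree; a known_not_affected product needs a justification flag), and derives the filename and sha256 sidecar content that the Publish step needs. The vendor, product, tracking ID, PURL and CVE value are constructed placeholders, and the flag-only justification check is an assumption that ignores the alternative impact-statement route.

```python
import hashlib
import json
import re

# Constructed sample VEX document; names, IDs and the CVE are placeholders only.
DOC = {
    "document": {
        "category": "csaf_vex",                  # VEX profile, not csaf_security_advisory
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "title": "Upstream CVE not reachable in Widget 1.2",
        "tracking": {"id": "EXVEND-VEX-0001", "status": "final", "version": "1",
                     "initial_release_date": "2024-05-01T09:00:00Z",
                     "current_release_date": "2024-05-01T09:00:00Z",
                     "revision_history": [{"date": "2024-05-01T09:00:00Z",
                                           "number": "1", "summary": "Initial release"}]},
    },
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "Widget 1.2",
         "product_identification_helper": {"purl": "pkg:generic/widget@1.2"}}]},
    "vulnerabilities": [{
        "cve": "CVE-0000-0000",                  # placeholder, not a real CVE ID
        "product_status": {"known_not_affected": ["CSAFPID-0001"]},
        # VEX: a known_not_affected product needs a justification (flag) or impact statement
        "flags": [{"label": "vulnerable_code_not_in_execute_path",
                   "product_ids": ["CSAFPID-0001"]}],
    }],
}

def check_vex(doc):
    """Return a list of problems found; an empty list means these checks passed."""
    problems = []
    if doc["document"].get("csaf_version") != "2.0":
        problems.append("csaf_version must be 2.0")
    known = {p["product_id"] for p in doc["product_tree"].get("full_product_names", [])}
    for vuln in doc.get("vulnerabilities", []):
        justified = {pid for f in vuln.get("flags", []) for pid in f.get("product_ids", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                if pid not in known:
                    problems.append(f"{pid} in {status} is not in product_tree")
                if status == "known_not_affected" and pid not in justified:
                    problems.append(f"{pid} is known_not_affected without a flag")
    return problems

def csaf_filename(tracking_id):
    """CSAF filename rule: lowercased tracking id, other characters replaced by '_', plus .json."""
    return re.sub(r"[^a-z0-9+\-_]", "_", tracking_id.lower()) + ".json"

def sha256_sidecar(doc):
    """Content of the .sha256 file published next to the advisory (sha256sum output style)."""
    name = csaf_filename(doc["document"]["tracking"]["id"])
    data = json.dumps(doc, sort_keys=True).encode()
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"
```

Run the official CSAF validator on the real document before publishing; these checks only illustrate the kind of rule it enforces.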
CVD Portal makes Common Security Advisory Framework (CSAF) compliance straightforward.
Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.
Frequently asked
Is CSAF required by the CRA, or is it just recommended?
The CRA requires security advisories to be published but does not mandate a specific format. CSAF 2.0 is the format recommended by ENISA and expected by national CSIRTs. As CSAF adoption grows across the EU regulatory ecosystem, manufacturers who publish advisories in proprietary or PDF-only formats will face increasing pressure to migrate. Starting with CSAF from the outset is significantly easier than retrofitting it later.
Can we publish CSAF advisories without technical expertise?
CSAF JSON authoring requires some technical familiarity, but tooling significantly reduces the barrier. Several open-source and commercial tools can generate CSAF documents from form-based inputs. The CSAF validator (free, from BSI) catches errors before publication. For manufacturers issuing fewer than ten advisories per year, a template-based approach with a technical reviewer is practical and cost-effective.
What is VEX and how does it relate to CSAF?
VEX (Vulnerability Exploitability eXchange) is a document type that allows manufacturers to communicate the exploitability status of specific CVEs in specific product versions — particularly for CVEs in shared upstream components that may or may not be reachable in a given product configuration. VEX is defined as a CSAF profile and is increasingly important for SBOM-linked vulnerability management, allowing customers to suppress irrelevant CVE alerts without manual investigation.