Security Advisory

A security advisory is a formal communication from a manufacturer to its product users that describes a security vulnerability, communicates its severity and exploitability, and provides remediation guidance — typically a patch, workaround, or configuration change. Advisories serve three audiences simultaneously: users who need to know if they are affected and what to do; security professionals who need technical detail to assess risk; and regulators and CSIRTs who need structured data to coordinate response across affected organisations. Advisories may be published in human-readable formats (web pages, PDFs) but the CRA ecosystem increasingly expects machine-readable CSAF format.

Annex I Part II requires manufacturers to disclose vulnerability information to affected users when patches are released. A CRA-compliant security advisory must include:

• Product identification — name, affected versions, and platform.
• CVE identifier — the assigned CVE ID (or a request confirmation if pending).
• CVSS score and vector string — severity rating with the scoring version specified.
• Vulnerability description — a clear explanation of the vulnerability type (CWE classification recommended), attack scenario, and impact.
• Affected versions — precise version ranges; ideally using CPE or PURL identifiers.
• Remediation — the patched version(s) and/or workarounds.
• Acknowledgement — credit to the researcher or reporter (unless they request anonymity).

ENISA recommends that manufacturers publish security advisories in CSAF 2.0 (Common Security Advisory Framework) format to enable machine-readable processing by customers' security tools. A CSAF publication workflow requires:

1. Authoring the advisory as a CSAF JSON document (Security Advisory profile).
2. Validating with the open-source CSAF validator.
3. Signing the document and generating SHA-256/SHA-512 hash files.
4. Publishing to /.well-known/csaf/ with an updated provider-metadata.json index.
5. Optionally listing the advisory in public CSAF aggregators (e.g. BSI's CSAF aggregator).

Machine-readable advisories allow large customers to automatically correlate your advisory against their asset inventory and prioritise patching without manual research.

The timing of advisory publication is a critical CVD decision:

• Simultaneous release (patch + advisory at the same time) is the standard — users can immediately remediate upon learning of the vulnerability.
• Embargoed advisory — for complex vulnerabilities affecting many vendors, an advisory may be drafted under embargo and released simultaneously with a coordinated multi-vendor patch.
• Advisory before patch — publishing an advisory without a fix (to warn users of active exploitation) is sometimes necessary and appropriate; it must include any available mitigations.
• Post-fix delay — delaying advisory publication after a patch is available to give users time to patch (a 'silent patch') is controversial and increasingly discouraged; it leaves researchers unaware and may breach CRA obligations to inform users.

The advisory must reach all affected users — consider direct notification, mailing lists, and RSS feeds in addition to website publication.