The Common Security Advisory Framework (CSAF) is a standard used to disclose security vulnerabilities in a machine-readable format that allows software and hardware producers (as well as their customers) to automate vulnerability assessment. CSAF supports automation of the production, distribution, and consumption of security advisories — reducing the time between when vulnerabilities are disclosed and when businesses remediate them. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed the widespread adoption of CSAF as one of “three critical steps to advance the vulnerability management ecosystem.”
Note: CSAF leverages the potential of SBOM and implements VEX.
CSAF is the replacement for the Common Vulnerability Reporting Framework (CVRF). It enhances the capabilities of CVRF, including different profiles (e.g., CSAF Base, Informational Advisory, Incident Response, VEX, etc.). Each profile extends the base profile "CSAF Base" - directly or indirectly through another profile from the standard - by making additional fields from the standard mandatory. A profile can always add, but never subtract nor overwrite, requirements defined in the profile it extends. CSAF also provides several additional enhancements that were not supported in CVRF. In addition, CSAF uses JSON rather than XML (which was used in CVRF).
Cisco PSIRT supports both CSAF and CVRF. Cisco will continue to support CVRF until December 31, 2023.
You can obtain security advisories in CSAF format in different ways:
CSAF version 2.0 introduced the concept of provider metadata. As stated in the CSAF standard specification:
"The party MUST provide a valid provider-metadata.json according to the schema CSAF provider metadata for its own metadata. The publisher object SHOULD match the one used in the CSAF documents of the issuing party but can be set to whatever value a CSAF aggregator SHOULD display over any individual publisher values in the CSAF documents themselves. This information is used to collect the data for CSAF aggregators, listers and end users. The CSAF provider metadata schema ensures the consistency of the metadata for a CSAF provider across the ecosystem. Other approaches, like extracting the publisher object from CSAF documents, are likely to fail if the object differs between CSAF documents."
Cisco's CSAF provider metadata can be accessed at: https://www.cisco.com/.well-known/csaf/provider-metadata.json
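As an added illustration (not code from the original post or from Cisco), the checks below parse a constructed provider-metadata.json and a constructed advisory fragment and apply the requirements quoted above: the fields the CSAF 2.0 provider metadata schema marks as required, the role enumeration, canonical_url matching the location the file was fetched from, and the publisher object agreeing with document.publisher in the provider's advisories. The vendor.example URLs and names are placeholders.

```python
import json

# Constructed sample, not Cisco's real file: a minimal provider-metadata.json
# shaped like the CSAF 2.0 provider metadata schema.
PROVIDER_METADATA = json.dumps({
    "canonical_url": "https://vendor.example/.well-known/csaf/provider-metadata.json",
    "last_updated": "2023-06-01T00:00:00Z",
    "list_on_CSAF_aggregators": True,
    "metadata_version": "2.0",
    "mirror_on_CSAF_aggregators": True,
    "publisher": {"category": "vendor", "name": "Example Vendor PSIRT",
                  "namespace": "https://vendor.example"},
    "role": "csaf_trusted_provider",
    "distributions": [{"directory_url": "https://vendor.example/.well-known/csaf/"}],
})

# Constructed fragment of a CSAF document: only document.publisher matters here.
ADVISORY = json.dumps({"document": {"publisher": {
    "category": "vendor", "name": "Example Vendor PSIRT",
    "namespace": "https://vendor.example"}}})

# Fields the CSAF 2.0 provider metadata schema marks as required.
REQUIRED = {"canonical_url", "last_updated", "list_on_CSAF_aggregators",
            "metadata_version", "mirror_on_CSAF_aggregators", "publisher", "role"}
ROLES = {"csaf_publisher", "csaf_provider", "csaf_trusted_provider"}
PUBLISHER_REQUIRED = {"category", "name", "namespace"}

def check_provider_metadata(raw: str, fetched_from: str) -> list:
    """Return a list of problems; an empty list means the file passes these checks."""
    meta = json.loads(raw)
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED - set(meta))]
    if meta.get("metadata_version") != "2.0":
        problems.append("metadata_version must be '2.0'")
    if meta.get("role") not in ROLES:
        problems.append(f"unknown role: {meta.get('role')!r}")
    if meta.get("canonical_url") != fetched_from:
        problems.append("canonical_url does not match the URL the file was fetched from")
    pub = meta.get("publisher", {})
    problems += [f"publisher missing: {f}" for f in sorted(PUBLISHER_REQUIRED - set(pub))]
    return problems

def publisher_matches(meta_raw: str, advisory_raw: str) -> bool:
    """The SHOULD from the spec: the publisher object in provider-metadata.json
    should equal document.publisher in the provider's CSAF documents."""
    meta_pub = json.loads(meta_raw)["publisher"]
    doc_pub = json.loads(advisory_raw)["document"]["publisher"]
    return meta_pub == doc_pub
```

A consumer would run check_provider_metadata on the file fetched from a provider's .well-known path and publisher_matches on each advisory listed in its distributions; an aggregator that skips the second check risks displaying a publisher that differs between advisories, which is exactly the failure the spec warns about.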
Cisco also supports the security.txt standard defined in RFC 9116. Cisco's security.txt is located at: https://www.cisco.com/.well-known/security.txt
I encourage customers to review the CSAF open-source tools listed at https://csaf.io