What is CSAF?

The Common Security Advisory Format (CSAF) is a industry standard format for publishing security advisories in machine readable form.

It is the descendant of the CVRF format and standardized by the OASIS foundation.

It is different to the OVAL format, which goal is to be able to machine verify state of a system in regards to security, while the CVRF and CSAF formats are targeted for machine based import into ticket systems and bug trackers for vulnerability response.


SUSE currently offers:

  • CSAF data indexed by Security Advisory in CSAF 2.0 format.
  • CSAF VEX data indexed by CVE in CSAF 2.0 VEX format.

SUSE has started generating CSAF data February 2023 for SUSE security update notices and CVEs, including for all past advisories and CVEs.


  • The CSAF 2.0 security advisory data can be downloaded from the SUSE ftp site.
  • The CSAF 2.0 VEX data indexed by CVE can be downloaded from the SUSE ftp site.

The data is available under the Creative Commons license, with attribution, CC-BY-4.0.

How to use

The CSAF format is a verbose and simple JSON format, so it can be hooked into other tools pretty easily even without additional libraries.

A list of reference tools is also provided by OASIS.