CSAF and VEX Management
Publish machine-readable security advisories and clarify vulnerability applicability for customers.
What is CSAF?
CSAF (Common Security Advisory Framework) is a standard format for security advisories. When a vulnerability affects your product, CSAF advisories tell customers:
- What vulnerability exists
- Which products and versions are affected
- What the impact is
- What remediation is available
What is VEX?
VEX (Vulnerability Exploitability eXchange) clarifies whether a vulnerability actually affects your product. Just because a component has a CVE doesn't mean your product is exploitable.
| VEX status | Meaning |
|---|---|
| Not Affected | Vulnerability doesn't impact your product (requires justification) |
| Affected | Vulnerability does impact your product |
| Fixed | Patched version available |
| Under Investigation | Still analysing impact |
Tip: VEX reduces alert fatigue by clarifying which CVEs customers need to act on.
Create a CSAF advisory
- Navigate to CSAF from the main menu.
- Click Create Advisory.
- Complete the form:
Basic information
| Field | Description |
|---|---|
| Title | Clear description (e.g., "Buffer Overflow in Network Module") |
| CVE ID | Links to official CVE record |
| Severity | CVSS rating: Critical, High, Medium, Low, or None |
| Affected Products | Select from your product inventory |
Content
| Field | Description |
|---|---|
| Description | Technical details of the vulnerability |
| Impact | What an attacker could achieve |
| Remediation | How customers protect themselves (update, workaround, etc.) |
Status
| Status | When to use |
|---|---|
| Draft | Work in progress |
| Interim | Published but still gathering information |
| Final | Complete advisory |
- Click Save.
Create VEX statements
VEX statements can be created from:
- A vulnerability detail page → Create VEX Statement
- A CSAF advisory → add statements for each product
- A version detail page → VEX tab
Select a status
Not Affected requires a justification:
| Justification | Meaning |
|---|---|
| Component not present | Vulnerable component isn't in your product |
| Vulnerable code not present | Specific vulnerable code path doesn't exist |
| Vulnerable code not in execute path | Code exists but is never executed |
| Cannot be controlled by adversary | Code can't be triggered by attacker |
| Inline mitigations exist | Product has defenses preventing exploitation |
Affected — Include remediation advice.
Fixed — Specify which version contains the fix.
Under Investigation — Update status once you have a conclusion.
Add content
| Field | Purpose |
|---|---|
| Statement | Free-text explanation of your reasoning |
| Action Statement | What customers should do (e.g., "Update to version X.Y.Z") |
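As an added example (not CRA Evidence code, and not the validation its importer actually runs), the following Python checker applies the rules above to a CSAF 2.0 VEX document: a product may sit in only one status group per vulnerability, every known_not_affected product needs a justification flag carrying one of the five CSAF 2.0 labels (which map one-to-one to the justification table above), and known_affected products should carry remediation advice. The sample document, its product identifiers and the CVE field are constructed placeholders.

```python
"""Consistency checks on a CSAF 2.0 VEX document (added example, not CRA Evidence code)."""
import json

# CSAF 2.0 product_status categories, grouped the way the standard groups them.
# A product may appear in at most one group per vulnerability.
STATUS_GROUPS = {
    "affected": {"first_affected", "known_affected", "last_affected"},
    "not_affected": {"known_not_affected"},
    "fixed": {"first_fixed", "fixed"},
    "under_investigation": {"under_investigation"},
}

# The five labels CSAF 2.0 allows in /vulnerabilities[]/flags[]/label; they
# correspond one-to-one to the "Not Affected" justifications in the table above.
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def check_vex(doc):
    """Return a list of findings (strings); an empty list means the document passed."""
    findings = []
    if doc.get("document", {}).get("category") != "csaf_vex":
        findings.append("document.category must be 'csaf_vex'")
    known_ids = {p["product_id"] for p in doc.get("product_tree", {}).get("full_product_names", [])}

    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve", "<no CVE>")
        status = vuln.get("product_status", {})

        # 1. Contradicting statuses: collect the status groups each product appears in.
        groups_per_product = {}
        for category, products in status.items():
            group = next((g for g, cats in STATUS_GROUPS.items() if category in cats), None)
            if group is None:
                findings.append(f"{cve}: unknown product_status category '{category}'")
                continue
            for pid in products:
                if pid not in known_ids:
                    findings.append(f"{cve}: product '{pid}' is not defined in product_tree")
                groups_per_product.setdefault(pid, set()).add(group)
        for pid, groups in sorted(groups_per_product.items()):
            if len(groups) > 1:
                findings.append(f"{cve}: product '{pid}' has contradicting statuses {sorted(groups)}")

        # 2. Not Affected needs a justification flag with one of the defined labels.
        #    (Only product_ids are resolved here; group_ids are left out for brevity.)
        justified = set()
        for flag in vuln.get("flags", []):
            label = flag.get("label")
            if label not in JUSTIFICATIONS:
                findings.append(f"{cve}: unknown justification label '{label}'")
                continue
            justified.update(flag.get("product_ids", []))
        for pid in status.get("known_not_affected", []):
            if pid not in justified:
                findings.append(f"{cve}: product '{pid}' is known_not_affected without a justification")

        # 3. Affected products should carry remediation advice.
        remediated = set()
        for rem in vuln.get("remediations", []):
            remediated.update(rem.get("product_ids", []))
        for pid in status.get("known_affected", []):
            if pid not in remediated:
                findings.append(f"{cve}: product '{pid}' is known_affected without a remediation")
    return findings


def check_vex_file(path):
    """Load a CSAF JSON file from disk and run the same checks."""
    with open(path, encoding="utf-8") as fh:
        return check_vex(json.load(fh))


# Constructed sample document. CSAFPID-0001 and CSAFPID-0002 are well-formed;
# CSAFPID-0003 is deliberately wrong in two ways (contradicting status, no justification).
SAMPLE_VEX = {
    "document": {
        "category": "csaf_vex",
        "title": "Example VEX statement",
        "tracking": {"id": "EXAMPLE-VEX-0001", "version": "1", "status": "final"},
    },
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "Example Gateway 1.0"},
        {"product_id": "CSAFPID-0002", "name": "Example Gateway 2.0"},
        {"product_id": "CSAFPID-0003", "name": "Example Gateway 3.0"},
    ]},
    "vulnerabilities": [{
        "cve": "CVE-YYYY-NNNNN",  # placeholder, not a real CVE identifier
        "product_status": {
            "known_not_affected": ["CSAFPID-0001", "CSAFPID-0003"],
            "known_affected": ["CSAFPID-0002"],
            "fixed": ["CSAFPID-0003"],
        },
        "flags": [{"label": "vulnerable_code_not_in_execute_path",
                   "product_ids": ["CSAFPID-0001"]}],
        "remediations": [{"category": "vendor_fix", "details": "Update to Example Gateway 3.0",
                          "product_ids": ["CSAFPID-0002"]}],
    }],
}

if __name__ == "__main__":
    for finding in check_vex(SAMPLE_VEX):
        print(finding)
```

Run against the sample, the checker reports only CSAFPID-0003: once for sitting in both the fixed and not_affected groups, once for lacking a justification flag. Removing it from known_not_affected clears both findings.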
View advisories and VEX
Navigate to CSAF to see all advisories. Filter by:
- Status (Draft, Interim, Final)
- Affected product
Each product version's detail page has a VEX tab showing all statements.
Compare advisory versions
When you update an advisory, CRA Evidence tracks changes.
- Open an advisory.
- Click Compare.
- Select two versions to see differences.
This provides an audit trail and helps communicate updates to customers.
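To illustrate what a comparison between two revisions surfaces, here is an added example (not the Compare feature or its output format) that diffs two constructed revisions of a CSAF 2.0 advisory: the tracking version and status, and, per vulnerability, each product's status categories and justification flags. Product identifiers and the CVE field are placeholders.

```python
"""Compare two revisions of a CSAF 2.0 advisory (added example, not CRA Evidence code)."""


def _product_statuses(vuln):
    """Map product_id -> set of product_status categories it appears in."""
    statuses = {}
    for category, pids in vuln.get("product_status", {}).items():
        for pid in pids:
            statuses.setdefault(pid, set()).add(category)
    return statuses


def _product_labels(vuln):
    """Map product_id -> set of justification flag labels attached to it."""
    labels = {}
    for flag in vuln.get("flags", []):
        for pid in flag.get("product_ids", []):
            labels.setdefault(pid, set()).add(flag.get("label"))
    return labels


def diff_advisories(old, new):
    """Return (path, old_value, new_value) tuples, one per change, in a stable order."""
    changes = []
    for key in ("version", "status"):
        before = old["document"]["tracking"].get(key)
        after = new["document"]["tracking"].get(key)
        if before != after:
            changes.append((f"document.tracking.{key}", before, after))

    old_vulns = {v.get("cve"): v for v in old.get("vulnerabilities", [])}
    new_vulns = {v.get("cve"): v for v in new.get("vulnerabilities", [])}
    for cve in sorted(set(old_vulns) | set(new_vulns), key=str):
        if cve not in new_vulns:
            changes.append((f"vulnerabilities[{cve}]", "present", None))
            continue
        if cve not in old_vulns:
            changes.append((f"vulnerabilities[{cve}]", None, "present"))
            continue
        # Compare per-product statuses and flags so a customer sees exactly which
        # product moved, e.g. from under_investigation to known_not_affected.
        for name, extract in (("product_status", _product_statuses), ("flags", _product_labels)):
            before, after = extract(old_vulns[cve]), extract(new_vulns[cve])
            for pid in sorted(set(before) | set(after)):
                o, n = sorted(before.get(pid, ())), sorted(after.get(pid, ()))
                if o != n:
                    changes.append((f"vulnerabilities[{cve}].{name}[{pid}]", o, n))
    return changes


def render(changes):
    """Turn change tuples into one audit-trail line each."""
    return [f"{path}: {old!r} -> {new!r}" for path, old, new in changes]


def _revision(version, status, product_status, flags):
    """Build a minimal advisory revision (helper for the constructed sample data)."""
    return {
        "document": {
            "category": "csaf_vex",
            "title": "Example advisory",
            "tracking": {"id": "EXAMPLE-ADV-0001", "version": version, "status": status},
        },
        "product_tree": {"full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "Example Gateway 1.0"},
        ]},
        "vulnerabilities": [{
            "cve": "CVE-YYYY-NNNNN",  # placeholder, not a real CVE identifier
            "product_status": product_status,
            "flags": flags,
        }],
    }


# Constructed sample: an interim advisory still under investigation, then the
# final revision stating the product is not affected, with a justification.
REVISION_1 = _revision("1", "interim", {"under_investigation": ["CSAFPID-0001"]}, [])
REVISION_2 = _revision("2", "final", {"known_not_affected": ["CSAFPID-0001"]},
                       [{"label": "component_not_present", "product_ids": ["CSAFPID-0001"]}])

if __name__ == "__main__":
    for line in render(diff_advisories(REVISION_1, REVISION_2)):
        print(line)
```

Comparing the two sample revisions yields four lines: the version and status bump, the product's move from under_investigation to known_not_affected, and the justification flag that appeared with it. Comparing a revision with itself yields nothing.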
Import CSAF
Import existing advisories from another system:
- Navigate to CSAF → Import.
- Upload a CSAF 2.0 JSON file.
- CRA Evidence validates and creates the advisory.
Export CSAF
- Open an advisory.
- Click Download JSON.
The export includes all VEX statements as embedded content. Advisories are also included in technical file exports.
Best practices
| Practice | Why it matters |
|---|---|
| Respond promptly | "Under Investigation" is better than silence |
| Be specific | "Component not present" beats unexplained "Not affected" |
| Update iteratively | Don't wait for perfect information |
| Use consistent naming | Match product names to what customers know |
| Enable supplier portal | Customers access latest advisories directly |
CRA requirements
CRA Article 11 requires vulnerability handling:
- Identifying and documenting vulnerabilities
- Providing security updates
- Informing affected parties
CSAF and VEX demonstrate your systematic vulnerability communication process.
Related documentation
- Vulnerability Workflow — Managing discovered vulnerabilities
- Incident Reporting — Severe security incidents
- Supplier Portal — Customer-facing documentation
- Technical File Export — Compliance bundles