Community Days 2025

Program available and Registration open

November 13-14, 2025

Südwestpark - Forum, Suedwestpark 37-41, 90449 Nuremberg, Germany

About CSAF Community Days

The CSAF (Common Security Advisory Framework) Community Days is an event dedicated to discussing tools, best practices, innovations and success stories related to CSAF. We invite practitioners, developers, producers, consumers and other community members to share their knowledge with the community.

Registration

Event registration is now open. See more details about the event, register now, or book it together with the CSAF workshops.

The ticket includes:

  • Entrance to all in-person presentations
  • Food and Drinks throughout the day
  • Social Event

Program

CSAF Community Day 1 (November 13, 2025)

| Time | Session | TLP | Speaker |
| --- | --- | --- | --- |
| 08:00 - 08:45 CET | Welcome & Opening Remarks | TLP:CLEAR | |
| 08:20 - 08:40 CET | Keynote | TLP:CLEAR | |
| 08:45 - 09:30 CET | One Year of CSAF - Lessons, Statistics, and Impact | TLP:CLEAR | Jacco Lighart (NCSC-NL) |
| 09:35 - 10:05 CET | Networking Break with Morning Tea | | |
| 10:10 - 10:30 CET | An easy Way to become a CSAF Provider with GitHub Actions | TLP:CLEAR | Bernhard Reiter (Intevation GmbH) |
| 10:35 - 11:05 CET | Lessons Learned from Automating the CSAF Publication Flow | | Jan Thielscher (EACG) |
| 11:10 - 11:40 CET | Challenge your Checker with Contravider: Better Testing for CSAF Distribution Tools | TLP:CLEAR | Sascha L. Teichmann (Intevation GmbH) |
| 11:45 - 13:15 CET | Lunch | | |
| 13:20 - 13:50 CET | BOMnipotent - Server and Client for SBOMs and CSAF Docs | TLP:CLEAR | Simon Heidrich (Weichwerke Heidrich Software) |
| 13:55 - 14:25 CET | Implementing a CSAF SBOM Matching System - Standard vs. Reality | TLP:CLEAR | Christian Banse (Fraunhofer AISEC) |
| 14:30 - 15:00 CET | Bringing together SBOMs and Advisories, with GUAC Trustify | TLP:CLEAR | Jens Reimann (Red Hat) |
| 15:05 - 15:35 CET | Networking Break with Afternoon Tea | | |
| 15:40 - 16:25 CET | CSAF Extension - The best worst idea? | TLP:CLEAR | Thomas Schmidt (BSI) |
| 16:30 - 17:40 CET | Lightning Talks | | |
| 17:45 - 17:55 CET | Day 1 Wrap Up | TLP:CLEAR | |

Social Event: 19:00 CET

CSAF Community Day 2 (November 14, 2025)

| Time | Session | TLP | Speaker |
| --- | --- | --- | --- |
| 08:00 - 08:10 CET | Welcome and Day 1 Recap | TLP:CLEAR | |
| 08:15 - 09:00 CET | Security Advisories - Facts, Fashions, and Fiction | TLP:CLEAR | Stefan Hagen (CSAF TC) |
| 09:05 - 09:35 CET | Bringing Trusted Vulnerability Reporting to Every Organization with DevGuard | TLP:CLEAR | Patrick Rissmann (l3montree) |
| 09:40 - 10:10 CET | Networking Break with Morning Tea | | |
| 10:15 - 10:35 CET | An Architecture for Matching CSAF Documents on Industrial Asset Inventories | TLP:CLEAR | Daniel Ritterhofer (Fraunhofer IOSB) |
| 10:40 - 11:10 CET | Behind the Curtains of the Common Security Advisory Framework: A Critical OT Perspective | TLP:CLEAR | Christian Schroeder and Alex Steg (Siemens) |
| 11:15 - 11:45 CET | CSAF & AI | TLP:GREEN | Sonny van Lingen (Huawei) |
| 11:50 - 13:20 CET | Lunch | | |
| 13:25 - 13:55 CET | CSAF for Cloud Native? Challenges and a Proposal | TLP:CLEAR | Christoph Plutte (Ericsson) |
| 14:00 - 14:45 CET | Visions for CSAF - Challenges and Perspectives (Panel) | TLP:CLEAR | |
| 14:50 - 15:20 CET | Networking Break with Afternoon Tea | | |
| 15:25 - 15:45 CET | CSAF beyond Security | TLP:CLEAR | Florian Gilcher (Ferrous Systems) |
| 15:50 - 16:00 CET | Closing Remarks | TLP:CLEAR | |

Event Location

The CSAF Community Days 2025 will be held as an in-person event. The event will take place on November 13-14, 2025 in Südwestpark - Forum, Suedwestpark 37-41, 90449 Nuremberg, Germany.

We look forward to welcoming attendees on-site for an engaging and collaborative experience.

Sponsors

Champion

Innovator

Community

Call for Sponsors

We expect around 100 participants, including engineers, product managers, security professionals, government representatives, and standards contributors.

  • Help make this event accessible to participants from around the world.
  • Highlight your organization’s involvement in security standards and automation.
  • Meet with colleagues from industry and government who are actively applying CSAF.
  • Be part of shaping the tools & practices that improve cybersecurity information sharing.

Sponsorship opportunities are limited. See the available packages in our Sponsorship Form.

If you’d like to be involved, please reach out soon to discuss options that fit your organization.

Contact events@oasis-open.org with any questions about sponsorships.

Sessions

TLP:CLEAR

One Year of CSAF - Lessons, Statistics, and Impact

Speaker: Jacco Lighart (NCSC-NL)

Abstract: One year ago, we were surprised to learn that we had become the largest producer of CSAF (Common Security Advisory Framework) documents. That milestone sparked a focused effort to not just maintain volume, but to significantly improve the quality, consistency, and usefulness of the data we publish. Over the past year, we’ve refined our CSAF generation processes, improved adherence to the standard, and enhanced the structure and accuracy of our vulnerability data and advisories. In this presentation, I’ll share detailed statistics and graphs that illustrate how our approach has evolved. Beyond internal improvements, I’ll highlight several real-world stories of how others are consuming and integrating our CSAF data. This session is aimed at others who are producing or working with CSAF documents and are looking to scale, improve their processes, or simply learn from another organization’s journey. Whether you’re deep into CSAF adoption or just starting out, I hope our insights will help inform your path forward.

Bio: Jacco is the Product Owner of the Vulnerability Team at the National Cyber Security Centre of the Netherlands (NCSC-NL). With a career in IT security dating back to 2003, he has been involved with NCSC-NL for over a decade, including as one of the early contributors to its security efforts. For the past 2.5 years, he has led a focused team of four developers building tools for managing vulnerability data and creating security advisories.

TLP:CLEAR

An easy Way to become a CSAF Provider with GitHub Actions

Speaker: Bernhard Reiter (Intevation GmbH)

Abstract: A demonstration of how to use the csaf-tools GitHub Action to publish security advisories from a repository to the static web hosting of the platform.

This is the easiest way to become a CSAF trusted provider. Useful for software products that use GitHub Pages and want to store their CSAF documents in the repository.

The necessary signing can be done before uploading a document or with an OpenPGPv4 key saved as GitHub secret.

The GitHub Action is developed in autumn 2025 and uses the Free Software tool csaf_provider to build a directory of static contents. That can be served via HTTP.

Looking at the structure of this solution, you will learn the basics of how csaf_provider works and what principal steps are necessary to do a similar integration for a different continuous deployment system.

Bio: Team lead for CSAF at Intevation - a company based in Osnabrueck. Intevation is contracted by the German Federal Office of Information Security (BSI) to help with CSAF standard and tools development. Among those are the csaf_downloader and ISDuBA, a CSAF Management System for large teams.

With a professional career in IT over more than 25 years, Reiter is also a Free Software activist with the FSFE and on the advisory board of Greenbone AG.

More details on Bernhard’s homepage: https://intevation.de/~bernhard/index.en.html

Lessons Learned from Automating the CSAF Publication Flow

Speaker: Jan Thielscher (EACG)

Abstract: Jan will dive into the challenges of automating the publication flow of CSAF documents and how to overcome them. Based on the idea to automatically create CSAF documents - whether VEX, Security Advisory or Informational Advisory - initiated from the vulnerability notification, this speech will outline the information required to achieve this goal. The talk will present and briefly discuss solution designs and describe the finally implemented solution. A short demonstration will show how the result looks and report on user reactions. Finally, remaining challenges and thoughts on further improvements concerning publication and collection of CSAF documents will be presented. This comprises thoughts on reducing the data load required to be shared/processed in the given design approach.

Bio: Jan is founder and managing director of EACG. He founded EACG over 20 years ago as a pure Enterprise Architecture Consultancy. Taking his customers from brick and mortar businesses into the era of e-Commerce and digital businesses, digitally driven transformations are his passion. Last year he understood the impact AI will have on the consulting industry and started the transformation into a PSIRT service. TrustSource, the supply chain security and compliance automation platform is at the heart of this transformation.

TLP:CLEAR

Challenge your Checker with Contravider: Better Testing for CSAF Distribution Tools

Speaker: Sascha L. Teichmann (Intevation GmbH)

Abstract: The CSAF standard defines rules for the automated distribution of advisories and VEX documents. Meeting these rules is complex, as unattended discovery and retrieval require strict conformance. To prepare for version 2.1, we have developed a test suite called contravider. It acts as a deliberately faulty provider. By breaking selected requirements, it can produce negative test cases that help validate implementations under error conditions. We present the design and use of this tool. Our approach builds test configurations with Git change sets applied to a compliant reference data set. This enables reproducible and extensible testing.

Bio: Sascha Teichmann is the technical lead of the CSAF team at Intevation where he is a senior engineer and consultant. He is responsible for the main design of the Open Source gocsaf-tools and the CSAF Management System ISDuBA.

TLP:CLEAR

BOMnipotent - Server and Client for SBOMs and CSAF Docs

Speaker: Simon Heidrich (Weichwerke Heidrich Software)

Abstract: BOMnipotent is a server-client application pair for managing supply chain security documents, specifically SBOMs and CSAF documents. It contains an access management system based on roles and TLP labels, and acts as a CSAF Trusted Provider. The development focus is on security, reliability and ease of use. The client is free to use, but fully operating the server requires a paid subscription for commercial entities. For non-commercial entities, BOMnipotent is completely free in all its facets.

Bio: I, Simon Heidrich, am a long time developer with a passion for Rust and Cybersecurity. Born 1992 in Duisburg, my background includes a study of theoretical physics in Heidelberg. In 2022, a while after my PhD, I became employed at AUNOVIS GmbH as a software engineer. There, I later took on the role and responsibilities of the Cybersecurity Officer. In 2024 I founded the sole proprietorship Weichwerke Heidrich Software to develop BOMnipotent.

TLP:CLEAR

Implementing a CSAF SBOM Matching System - Standard vs. Reality

Speaker: Christian Banse (Fraunhofer AISEC)

Abstract: This talk will give insights into implementing a CSAF SBOM matching system and the challenges encountered when trying to implement the standard in the real world. Contracted by the German BSI, Fraunhofer AISEC has implemented CSAF support in the popular dependency management system, DependencyTrack. CSAF’s SBOM matching model aims to precisely map advisory scope to actual products and versions in an environment, using structured product identifiers and matching rules. In practice, successful implementation requires reliable canonical identifiers (CPE, PURL, etc.), consistent versioning, and normalized product naming across toolchains. Fraunhofer AISEC’s work in DependencyTrack shows how automation can ingest CSAF feeds and apply matching logic to a project’s bill-of-materials, surfacing relevant advisories automatically.

Bio: Christian Banse holds a Master of Science in Business Informatics with a focus on IT security from the University of Regensburg. Since 2011 he has been a staff member at Fraunhofer AISEC. Since mid-2018 Christian Banse has also been head of the Service and Application Security department and is, among other things, responsible for the topic of Cloud assurance. His team also develops and integrates vulnerability advisories and automation workflows based on the OASIS Common Security Advisory Framework (CSAF) to support standardized, machine-readable security notifications and continuous certification.

TLP:CLEAR

Bringing together SBOMs and Advisories, with GUAC Trustify

Speaker: Jens Reimann (Red Hat)

Abstract: If you already have sources for SBOMs and advisories, great. You are creating them yourself or have them available from other sources, awesome. But now what? Let’s bring them together and get an overview on the status of your SBOM. This talk will give a quick introduction on GUAC Trustify, explain how data gets into the system, and how you can leverage it to gain some insight. We will see what the system has to offer when it comes to bringing ready-made SBOMs and advisories together, how you can inspect the information, and how to see the correlation between the content of SBOMs and the mapped advisory information. Additionally, we will also take a brief look at how we, at Red Hat, use this system in the whole software creation process. And of course, there will be some room to talk about the bad and the ugly, and what we can do to improve the situation.

Bio: Jens Reimann is a Senior Principal Software Engineer at Red Hat, working on the Trustify project and other software supply chain security initiatives. Jens began using open source years ago (time flies when you’re having fun), gradually becoming an active contributor — and now works full time on open source projects. Herder of kids and cats. Occasional builder of blocks.

TLP:CLEAR

CSAF Extension - The best worst idea?

Speaker: Thomas Schmidt (BSI)

Abstract: This session gives an overview of the concept of CSAF extensions. It will cover the history, challenges and perspectives from different use cases. It will lay down the intended scope and rules for CSAF extensions and provide examples.

Bio: Thomas Schmidt works in the ‘Industrial Automation and Control Systems’ section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Mr. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM and CERT/CC SSVC work. Prior to this, Schmidt was BSI’s lead analyst for TRITON/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric’s TriStation (RAPSN SETS). To increase security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his master’s in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).

TLP:CLEAR

Lightning Talks

Speaker: various from the CSAF Community

Abstract: This session provides the opportunity for on-site participants to share their knowledge in a short presentation. Sign-up at the event only.

TLP:CLEAR

Security Advisories - Facts, Fashions, and Fiction

Speaker: Stefan Hagen (CSAF TC)

Abstract: The talk presents and applies observations from two decades of unpaid standardization and software development to promote future interoperability in information exchange. A brief overview of the journey through the eras of XML and JSON monoculture offers a retrospective assessment of perceived gains and losses. Short visits are made to projects that offer models of general information in addition to specific data format recipes, thus staying closer to the actual needs, similar to a domain-driven design method. The reality of voluntary efforts in collaboration with paid partners, as well as old and new trends — from passivity to interpolating hallucinations — are illustrated in the resulting travel images. Small excursions into neighboring problem areas — such as behavioral or provenance analysis — are undertaken to explore how the merging and adaptation of related concerns can be promoted without dissolving the core positions of the security recommendations. The assumed position of current standardization is presented in dystopian colors, yet some of the foreseeable future paths promise less misleading fiction and more exciting facts for the common good.

Bio: Stefan Hagen studied physics at the University of Bonn. He is a Senior Member of the ACM and was named an OASIS Distinguished Contributor in 2019. Stefan is a co-author of the GeoJSON RFC format and is passionate about developing actionable standards. He has contributed to various specifications and international standards, including CSAF, CVRF, DPS, DSS, JSON, JSON Path, LVCSP, MQTT, MQTT-SN, OData, SAM, and SARIF (some of which are ISO-IEC JTC-1 certified). Stefan works as a software developer for ground-based training systems at a Swiss aircraft manufacturer.

TLP:CLEAR

Bringing Trusted Vulnerability Reporting to Every Organization with DevGuard

Speaker: Patrick Rissmann (l3montree)

Abstract: DevGuard is an open-source tool developed by L3montree GmbH that enhances the security of the software development process by helping organizations manage dependency vulnerabilities, first-party code weaknesses, and license compliance issues. Until recently, DevGuard relied on basic VEX files to exchange vulnerability information — an effective yet limited approach in terms of flexibility and expressiveness. To address this, we introduced CSAF (Common Security Advisory Framework) support into DevGuard. The goal: enable every organization and project using DevGuard to automatically generate and directly publish CSAF-conformant reports based on their stored vulnerability data. In this model, each organization effectively becomes a trusted CSAF provider, able to communicate vulnerability assessments in a standardized and interoperable way. This presentation outlines the full journey — from analyzing the CSAF specification to designing and implementing the feature in Go. It will cover technical and conceptual challenges. A live example will be presented using the openCode platform of ZenDiS, where DevGuard operates as a platform service. Here, every openCode project can automatically publish CSAF and VEX documents, backed by enterprise-grade functionality such as SBOM import, integration with ticket management systems, and vulnerability assessment workflows. The session will conclude with a roadmap and vision for collaborative vulnerability management — leveraging CSAF and VEX to enable crowdsourcing of vulnerability assessments, sharing results within and across organizations, and strengthening the open-source ecosystem through transparency and automation. By bridging DevGuard’s open-source foundations with CSAF’s trusted reporting capabilities, this work demonstrates how standardized vulnerability communication can become a natural part of modern, scalable software security management.

Bio: Patrick Rissmann is 21 years old and currently in his seventh semester of a Bachelor’s degree in Cybersecurity at the University of Bonn. Since February 2025, he has been working as a Software Developer at L3montree GmbH, where his main focus is on the backend development of DevGuard.

TLP:CLEAR

An Architecture for Matching CSAF Documents on Industrial Asset Inventories

Speaker: Daniel Ritterhofer (Fraunhofer IOSB)

Abstract: We present BSI’s project 625 on CSAF matching in industrial environments. The aim of the project is to match an industrial asset inventory with a CSAF document database so that operators can efficiently identify relevant security advisories for the assets contained in their plants. We present our system architecture and implementation as well as our approach to matching CSAF documents to device and software asset information. The open-source asset inventory NetBox serves as our asset inventory. We integrate the interaction with the CSAF matching system as well as the processing and tracking of the processing status of matches into NetBox as a plugin. By this means we facilitate the use of advisories for the operator’s operational security staff. We present initial results and discuss challenges we have encountered, e.g., different sources of asset information for the same asset, inconsistent or incomplete information in assets and/or CSAF documents, weighting of attributes during matching, and scalability of the approach.

Bio:

TLP:CLEAR

Behind the Curtains of the Common Security Advisory Framework: A Critical OT Perspective

Speaker: Christian Schroeder and Alex Steg (Siemens)

Abstract: After three years of building a service for vulnerability management in operational technology environments (OT) that consumes CSAFs, it is time to reflect on the journey. On the surface, CSAF promises standardization, automation, and improved transparency. But what happens when we look behind the curtains? Our presentation offers a critical examination of CSAF from an OT standpoint, highlighting the gaps between its promise and its practical implementation by publishers. While CSAF streamlines security operations in standardized IT environments, its adoption in OT landscapes reveals challenges that go beyond the current scope of CSAF: contextual relevance, vendor alignment, and discoverability. Let’s have a look at the real-world applicability of structured advisories in complex industrial ecosystems. We invite you to join us as we share field insights and explore what needs to change for OT Vulnerability Management to fully leverage CSAF not just in theory, but in practice. The session will feature practical examples based on real-world CSAF advisories from industrial vendors and will reflect on how these advisories are consumed by one of the first OT cybersecurity tools to actively leverage CSAF for vulnerability management and asset risk assessment.

Bio: Alex is the Lead Software Architect for Siemens’ cybersecurity software portfolio, where he has been driving the development of SINEC Security Guard for the last two years. His work focuses on vulnerability management and intrusion detection in industrial environments, with a strong background in cloud development for regulated industries.

Bio: Christian is a Chief Product Owner (CPO) at Siemens AG, leading the SaaS offering SINEC Security Guard. In this role, Christian defines and executes the product vision and R&D strategy, aligning it with Siemens’ overarching cybersecurity objectives. With extensive experience in product management, including roles as Senior Product Manager and Systems Engineer, Christian has driven innovation in software licensing, cloud solutions, and digital transformation across Siemens' portfolio.

TLP:GREEN

CSAF & AI

Speaker: Sonny van Lingen (Huawei)

Abstract: will be provided shortly

Bio: will be provided shortly

TLP:CLEAR

CSAF for Cloud Native? Challenges and a Proposal

Speaker: Christoph Plutte (Ericsson)

Abstract: A modern, cloud native microservice based application typically consists of multiple microservices where each microservice consists of other services and multiple container images which again contain multiple components or software libraries. Given a software vulnerability in a library present in several different container images of the application, how best to describe this situation in CSAF? CSAF provides concepts to describe complex products containing multiple sub-components and each of these sub-components can be linked separately to a vulnerability. However, we argue that the support in CSAF for describing relationships between products and components is limited and not ideal for modern cloud-native microservice based applications leading to suboptimal readability and ambiguities. To make CSAF fit for cloud native applications, we propose to introduce a third core concept besides products and vulnerabilities that we call “occurrence”. We describe key features of the occurrence concept and give detailed examples. We believe that introducing a separate concept for occurrences of vulnerabilities in products not only greatly improves the applicability of CSAF for cloud native applications, but also opens up new use cases such as describing scan reports from vulnerability analysis scanners in CSAF as a common standard across various vendors.

Bio: will be provided shortly

TLP:CLEAR

CSAF beyond Security

Speaker: Florian Gilcher (Ferrous Systems)

Abstract: As the name implies, CSAF comes out of the security space. However, it has usefulness beyond just those environments. In this talk, we’re going to present how we plan to adopt and deploy CSAF for so-called “management of known issues”, a manual and non-automated practice in safety critical environments. In this talk, we argue that CSAF is already a great tool for all kinds of high-assurance software and an important connecting piece. We also argue that CSAF has potential for future open-source businesses addressing high assurance needs.

Bio: Florian Gilcher is one of the managing directors of Ferrous Systems, a fully open source tools company. It ships Ferrocene, the first Rust compiler qualified to be used in industries where lives are at stake - such as Automotive, Industrial Machinery and Avionics.