
CSAF — Vulnerability Communication

Automated creation and distribution of Security Advisories in the CSAF standard. Structures vulnerability communication between manufacturers, CERTs and users — machine-readable and CRA-compliant.

At a Glance

CRA & NIS2

Meets the requirements of the Cyber Resilience Act and the NIS2 Directive for vulnerability communication towards ENISA and users.

CSAF 2.0

Full support of the OASIS CSAF 2.0 standard. Machine-readable advisories for automated processing.

CVE Import

Automatic import of CVE information and references into your Security Advisories. No manual research needed.

VEX Support

Create VEX documents manually or automatically — false positives in the SBOM are exported directly as VEX statements.

Multiple Advisory Types

Not just Security Advisories: create and publish Security Incidents and Informational Advisories as well.

Automatic Distribution

Advisories are automatically distributed to configured recipients, CSAF providers and aggregators.

Advisory Editor

Guided creation of Security Advisories with validation against the CSAF schema. From draft to publication.

CSAF Provider

Operate your own CSAF Provider according to the OASIS standard. Auto-discovery for aggregators.

The Challenge

The Cyber Resilience Act requires manufacturers to actively communicate vulnerabilities — to ENISA, to users, to CERTs. Without a standardised format and automated process, this quickly becomes overwhelming.

How CSAF Works

TrustSource guides you through the creation of Security Advisories in CSAF 2.0 format. The integrated editor validates against the schema, and the workflow ensures that advisories are reviewed and approved before publication.

Publication

For publishing your advisories, we offer two options:

Dedicated Trusted Provider
Your CSAF Provider under your own brand, e.g. escra.csaf.trustsource.io. Your own domain, your own branding.
Shared Provider
Use a stream on our provider at trustsource.csaf.trustsource.io. Ready to use immediately, no infrastructure needed.

CSAF Community Days 2025

At the CSAF Community Days 2025, Jan Thielscher presents how TrustSource implements the automated creation and distribution of Security Advisories in the CSAF standard.