Common Security Advisory Framework
CSAF is an OASIS standard for publishing security advisories in a structured, machine-readable JSON format instead of free-form web pages. It lets tools automatically match advisories against an organization's asset inventory and is the format that carries VEX statements. Adoption by major vendors and government agencies is making automated vulnerability triage practical at scale.