What's New in CSAF and OpenEoX
CVE/FIRST VulnCon 2025 · Main Stage
In this VulnCon session, Omar Santos from Cisco provided a comprehensive update on the advancements in two critical standards for cybersecurity: the **Common Security Advisory Framework (CSAF)** and the emerging **Open End-of-Life Exchange (OpenEoX)**. Santos, a board member at OASIS Open and a co-leader for both standards, highlighted the ongoing evolution of CSAF towards its 2.1 iteration and introduced the nascent but vital efforts behind OpenEoX. The talk underscored a fundamental shift in vulnerability and product lifecycle management: moving beyond human-readable documents to fully machine-consumable data, essential for automation and integration into modern security operations.
AI review
A competent standards update from someone who is genuinely close to the work — Santos co-leads both CSAF and OpenEoX under OASIS Open, so the credibility is real. This is a VulnCon slot doing exactly what a VulnCon slot should: keeping practitioners current on evolving vulnerability management infrastructure. The problem is the talk never breaks out of 'changelog recitation' mode. If you work in vuln management tooling or are building CSAF consumers, this is worth your time. If you're not, you'll get the same value from reading the draft spec over lunch.