oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

The field name 'release_date' is confusing, consider changing the name to 'public_date' #782

Open zmanion opened 2 weeks ago

zmanion commented 2 weeks ago

While the documentation is clear, the field name 'release_date' is confusing. Could it be changed to 'public_date' or 'date_public'?

I'd suggest a minor documentation update also: "...the date and time the vulnerability was originally publicly disclosed" (or "published" or "made public").

https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html

3.2.3.11 Vulnerabilities Property - Release Date Release date (release_date) with value type string of format date-time holds the date and time the vulnerability was originally released into the wild.

3.2.1.12.2 Document Property - Tracking - Current Release Date Current release date (current_release_date) with value type string with format date-time holds the date when the current revision of this document was released.

3.2.1.12.5 Document Property - Tracking - Initial Release Date Initial release date (initial_release_date) with value type string with format date-time holds the date when this document was first published.

santosomar commented 2 weeks ago

You bring up an important point about potential confusion with the term. During the TC meeting on 2028-09-25, we discussed that it's important to note that CSAF documents are sometimes distributed in a non-public manner and may carry classifications such as TLP amber, red, etc. In these cases, the documents are shared with a restricted audience under specific confidentiality protocols (i.e., TLP).

Using the term public_date or date_public might imply that the information is always released publicly, which isn't always the case. The term 'release_date' is intentionally used to encompass both public and non-public releases of vulnerability information. It signifies the date and time the vulnerability was initially disclosed, regardless of the audience or distribution limitations.
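To make the distinction between the three date fields concrete, here is an added Python example (not code from the CSAF project or from anyone in this thread). It builds a constructed, minimal CSAF 2.0 fragment carrying a TLP label, parses the document-level tracking dates and the per-vulnerability `release_date` as RFC 3339 date-times, and reports for each vulnerability whether its `release_date` precedes the document's `initial_release_date`, which is the "TLP:RED document about an already-public vulnerability" situation raised in the opening post. The field paths (`document/tracking/initial_release_date`, `document/tracking/current_release_date`, `document/distribution/tlp/label`, `vulnerabilities[]/release_date`) are from the CSAF 2.0 schema; the ordering sanity check (`current_release_date` not earlier than `initial_release_date`) and all sample values are this example's own assumptions.

```python
import json
from datetime import datetime

# Constructed, minimal CSAF 2.0 fragment: only the fields this thread discusses.
# All values are made up for illustration; the publisher and tracking id are placeholders.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "title": "Constructed advisory for illustration",
        "distribution": {"tlp": {"label": "RED"}},
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://example.invalid"},
        "tracking": {
            "id": "EXAMPLE-0001",
            "status": "final",
            "version": "2",
            "initial_release_date": "2024-09-10T09:00:00.000Z",
            "current_release_date": "2024-09-20T15:30:00.000Z",
        },
    },
    "vulnerabilities": [
        {"title": "Constructed vulnerability already public before this document",
         "release_date": "2024-08-01T00:00:00.000Z"},
        {"title": "Constructed vulnerability with no release_date given"},
    ],
})


def parse_date_time(value: str) -> datetime:
    """Parse an RFC 3339 date-time (the CSAF 'date-time' string format).

    Accepts the trailing 'Z' that CSAF producers commonly emit, which
    datetime.fromisoformat() only understands from Python 3.11 onwards.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError(f"date-time without UTC offset: {value!r}")
    return parsed


def summarize_dates(csaf_json: str) -> dict:
    """Extract document-level and vulnerability-level dates from a CSAF document.

    Returns the TLP label, the two tracking dates, and one entry per vulnerability
    stating whether its release_date lies before the document's initial_release_date
    (i.e. the vulnerability was already disclosed when this document first appeared).
    """
    doc = json.loads(csaf_json)
    document = doc["document"]
    tracking = document["tracking"]
    tlp = document.get("distribution", {}).get("tlp", {}).get("label", "unlabelled")

    initial = parse_date_time(tracking["initial_release_date"])
    current = parse_date_time(tracking["current_release_date"])
    # Sanity check assumed by this example: a later revision cannot predate the first release.
    if current < initial:
        raise ValueError("current_release_date is earlier than initial_release_date")

    vulnerabilities = []
    for vuln in doc.get("vulnerabilities", []):
        raw = vuln.get("release_date")          # optional in the schema
        release = parse_date_time(raw) if raw else None
        vulnerabilities.append({
            "title": vuln.get("title"),
            "release_date": release,
            "disclosed_before_document": release is not None and release < initial,
        })

    return {
        "tlp": tlp,
        "document_initial_release": initial,
        "document_current_release": current,
        "vulnerabilities": vulnerabilities,
    }


if __name__ == "__main__":
    summary = summarize_dates(SAMPLE_CSAF)
    print(f"TLP:{summary['tlp']} document, first released {summary['document_initial_release']}, "
          f"current revision {summary['document_current_release']}")
    for entry in summary["vulnerabilities"]:
        print(f"- {entry['title']}: release_date={entry['release_date']}, "
              f"disclosed before document={entry['disclosed_before_document']}")
```

The tracking dates describe the document's own revision history and are meaningful whatever the distribution restriction is; the per-vulnerability `release_date` describes the vulnerability, which is why it can legitimately sit earlier than the document's first release even in a restricted advisory.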

tschmidtb51 commented 2 weeks ago

Regarding the Vulnerabilities Property - Release Date: the public release is true; for the Document Property - Tracking - * Release Date, this could also be available only to a closed user group (aka intended audience).

zmanion commented 2 weeks ago

I had not considered a restricted or private "release." But, I think that document/tracking/*_release_date should work for any restricted/TLP level of CSAF distribution.

I'm specifically concerned with the document/vulnerability/release_date, which as defined, seems like it is "date truly public as in on the internet" and which should be true regardless of the TLP. For example, I could deliver a TLP:RED CSAF about a public vulnerability and "date public" would probably be of interest to my readers.

The main issue is just the field name, not the meaning of the field (or any other date fields). It should also be a non-breaking/backwards compatible change.