From 0943cfd9d0940c316791b7e8dbf4bd3e812afacb Mon Sep 17 00:00:00 2001
From: Stefan Hagen <stefan@hagen.link>
Date: Sun, 3 Nov 2024 16:37:10 +0100
Subject: [PATCH] Fixed sec ref, updated maps, and rendered md/html

- nit: fixed reference to new/reborn date and time section
- updated the mappings for sections and examples
- rendered the user facing delivery items: single file markdown and html

Signed-off-by: Stefan Hagen <stefan@hagen.link>
---
 .../edit/etc/example-global-to-local.json     |  252 ++--
 .../edit/etc/example-local-to-global.json     |  251 ++--
 .../edit/etc/section-display-to-label.json    |    6 +
 .../edit/etc/section-label-to-display.json    |    6 +
 csaf_2.1/prose/edit/src/conformance.md        |    3 +-
 csaf_2.1/prose/share/csaf-v2.1-draft.html     | 1205 ++++++++++++++---
 csaf_2.1/prose/share/csaf-v2.1-draft.md       |  782 ++++++++---
 7 files changed, 1897 insertions(+), 608 deletions(-)

diff --git a/csaf_2.1/prose/edit/etc/example-global-to-local.json b/csaf_2.1/prose/edit/etc/example-global-to-local.json
index e35f3418..e56dbae9 100644
--- a/csaf_2.1/prose/edit/etc/example-global-to-local.json
+++ b/csaf_2.1/prose/edit/etc/example-global-to-local.json
@@ -28,127 +28,133 @@
   "26": "version-type-semantic-versioning-eg-3",
   "27": "version-type-semantic-versioning-eg-4",
   "28": "version-type-semantic-versioning-eg-5",
-  "29": "document-property-aggregate-severity-eg-1",
-  "30": "document-property-category-eg-1",
-  "31": "document-property-distribution-text-eg-1",
-  "32": "document-property-distribution-tlp-eg-1",
-  "33": "document-property-publisher-contact-details-eg-1",
-  "34": "document-property-publisher-name-eg-1",
-  "35": "document-property-publisher-namespace-eg-1",
-  "36": "document-property-title-eg-1",
-  "37": "document-property-tracking-aliases-eg-1",
-  "38": "document-property-tracking-generator-eg-1",
-  "39": "document-property-tracking-generator-eg-2",
-  "40": "document-property-tracking-id-eg-1",
-  "41": "product-tree-property-product-groups-eg-1",
-  "42": "product-tree-property-relationships-eg-1",
-  "43": "vulnerabilities-property-cwes-eg-1",
-  "44": "vulnerabilities-property-cwes-eg-2",
-  "45": "vulnerabilities-property-cwes-eg-3",
-  "46": "vulnerabilities-property-ids-eg-1",
-  "47": "vulnerabilities-property-ids-eg-2",
-  "48": "filename-eg-1",
-  "49": "filename-eg-2",
-  "50": "missing-definition-of-product-id-eg-1",
-  "51": "multiple-definition-of-product-id-eg-1",
-  "52": "circular-definition-of-product-id-eg-1",
-  "53": "missing-definition-of-product-group-id-eg-1",
-  "54": "multiple-definition-of-product-group-id-eg-1",
-  "55": "contradicting-product-status-eg-1",
-  "56": "multiple-scores-with-same-version-per-product-eg-1",
-  "57": "invalid-cvss-eg-1",
-  "58": "invalid-cvss-computation-eg-1",
-  "59": "inconsistent-cvss-eg-1",
-  "60": "cwe-eg-1",
-  "61": "language-eg-1",
-  "62": "purl-eg-1",
-  "63": "sorted-revision-history-eg-1",
-  "64": "translator-eg-1",
-  "65": "latest-document-version-eg-1",
-  "66": "document-status-draft-eg-1",
-  "67": "released-revision-history-eg-1",
-  "68": "revision-history-entries-for-pre-release-versions-eg-1",
-  "69": "non-draft-document-version-eg-1",
-  "70": "missing-item-in-revision-history-eg-1",
-  "71": "multiple-definition-in-revision-history-eg-1",
-  "72": "multiple-use-of-same-cve-eg-1",
-  "73": "multiple-definition-in-involvements-eg-1",
-  "74": "multiple-use-of-same-hash-algorithm-eg-1",
-  "75": "prohibited-document-category-name-eg-1",
-  "76": "prohibited-document-category-name-eg-2",
-  "77": "document-notes-eg-1",
-  "78": "document-references-eg-1",
-  "79": "vulnerabilities-for-informational-advisory-eg-1",
-  "80": "product-tree-eg-1",
-  "81": "vulnerability-notes-eg-1",
-  "82": "product-status-eg-1",
-  "83": "vex-product-status-eg-1",
-  "84": "vulnerability-id-eg-1",
-  "85": "impact-statement-eg-1",
-  "86": "action-statement-eg-1",
-  "87": "vulnerabilities-for-security-advisory-or-vex-eg-1",
-  "88": "translation-eg-1",
-  "89": "remediation-without-product-reference-eg-1",
-  "90": "mixed-integer-and-semantic-versioning-eg-1",
-  "91": "version-range-in-product-version-eg-1",
-  "92": "flag-without-product-reference-eg-1",
-  "93": "multiple-flags-with-vex-justification-codes-per-product-eg-1",
-  "94": "unused-definition-of-product-id-eg-1",
-  "95": "missing-remediation-eg-1",
-  "96": "missing-metric-eg-1",
-  "97": "build-metadata-in-revision-history-eg-1",
-  "98": "older-initial-release-date-than-revision-history-eg-1",
-  "99": "older-current-release-date-than-revision-history-eg-1",
-  "100": "missing-date-in-involvements-eg-1",
-  "101": "use-of-md5-as-the-only-hash-algorithm-eg-1",
-  "102": "use-of-sha-1-as-the-only-hash-algorithm-eg-1",
-  "103": "missing-tlp-label-eg-1",
-  "104": "missing-canonical-url-eg-1",
-  "105": "missing-document-language-eg-1",
-  "106": "optional-tests--sorting-eg-1",
-  "107": "use-of-private-language-eg-1",
-  "108": "use-of-default-language-eg-1",
-  "109": "missing-product-identification-helper-eg-1",
-  "110": "cve-in-field-ids-eg-1",
-  "111": "product-version-range-without-vers-eg-1",
-  "112": "cvss-for-fixed-products-eg-1",
-  "113": "additional-properties-eg-1",
-  "114": "same-timestamps-in-revision-history-eg-1",
-  "115": "document-tracking-id-in-title-eg-1",
-  "116": "usage-of-deprecated-cwe-eg-1",
-  "117": "usage-of-non-latest-cwe-version-eg-1",
-  "118": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1",
-  "119": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1",
-  "120": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
-  "121": "use-of-cvss-v3-0-eg-1",
-  "122": "missing-cve-eg-1",
-  "123": "missing-cwe-eg-1",
-  "124": "use-of-short-hash-eg-1",
-  "125": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
-  "126": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
-  "127": "spell-check-eg-1",
-  "128": "branch-categories-eg-1",
-  "129": "usage-of-product-version-range-eg-1",
-  "130": "usage-of-v-as-version-indicator-eg-1",
-  "131": "missing-cvss-v4-0-eg-1",
-  "132": "requirement-7-provider-metadata-json-eg-1",
-  "133": "requirement-8-security-txt-eg-1",
-  "134": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
-  "135": "requirement-11-one-folder-per-year-eg-1",
-  "136": "requirement-12-index-txt-eg-1",
-  "137": "requirement-13-changes-csv-eg-1",
-  "138": "requirement-15-rolie-feed-eg-1",
-  "139": "requirement-16-rolie-service-document-eg-1",
-  "140": "requirement-17-rolie-category-document-eg-1",
-  "141": "requirement-17-rolie-category-document-eg-2",
-  "142": "requirement-17-rolie-category-document-eg-3",
-  "143": "requirement-18-integrity-eg-1",
-  "144": "requirement-18-integrity-eg-2",
-  "145": "requirement-19-signatures-eg-1",
-  "146": "requirement-21-list-of-csaf-providers-eg-1",
-  "147": "requirement-23-mirror-eg-1",
-  "148": "conformance-clause-5-cvrf-csaf-converter-eg-1",
-  "149": "conformance-clause-5-cvrf-csaf-converter-eg-2",
-  "150": "conformance-clause-5-cvrf-csaf-converter-eg-3",
-  "151": "conformance-clause-5-cvrf-csaf-converter-eg-4"
+  "29": "version-type-semantic-versioning-eg-6",
+  "30": "document-property-aggregate-severity-eg-1",
+  "31": "document-property-category-eg-1",
+  "32": "document-property-distribution-text-eg-1",
+  "33": "document-property-distribution-tlp-eg-1",
+  "34": "document-property-publisher-contact-details-eg-1",
+  "35": "document-property-publisher-name-eg-1",
+  "36": "document-property-publisher-namespace-eg-1",
+  "37": "document-property-title-eg-1",
+  "38": "document-property-tracking-aliases-eg-1",
+  "39": "document-property-tracking-generator-eg-1",
+  "40": "document-property-tracking-generator-eg-2",
+  "41": "document-property-tracking-id-eg-1",
+  "42": "product-tree-property-product-groups-eg-1",
+  "43": "product-tree-property-relationships-eg-1",
+  "44": "vulnerabilities-property-cwes-eg-1",
+  "45": "vulnerabilities-property-cwes-eg-2",
+  "46": "vulnerabilities-property-cwes-eg-3",
+  "47": "vulnerabilities-property-ids-eg-1",
+  "48": "vulnerabilities-property-ids-eg-2",
+  "49": "filename-eg-1",
+  "50": "filename-eg-2",
+  "51": "missing-definition-of-product-id-eg-1",
+  "52": "multiple-definition-of-product-id-eg-1",
+  "53": "circular-definition-of-product-id-eg-1",
+  "54": "missing-definition-of-product-group-id-eg-1",
+  "55": "multiple-definition-of-product-group-id-eg-1",
+  "56": "contradicting-product-status-eg-1",
+  "57": "multiple-scores-with-same-version-per-product-eg-1",
+  "58": "invalid-cvss-eg-1",
+  "59": "invalid-cvss-computation-eg-1",
+  "60": "inconsistent-cvss-eg-1",
+  "61": "cwe-eg-1",
+  "62": "language-eg-1",
+  "63": "purl-eg-1",
+  "64": "sorted-revision-history-eg-1",
+  "65": "translator-eg-1",
+  "66": "latest-document-version-eg-1",
+  "67": "document-status-draft-eg-1",
+  "68": "released-revision-history-eg-1",
+  "69": "revision-history-entries-for-pre-release-versions-eg-1",
+  "70": "non-draft-document-version-eg-1",
+  "71": "missing-item-in-revision-history-eg-1",
+  "72": "multiple-definition-in-revision-history-eg-1",
+  "73": "multiple-use-of-same-cve-eg-1",
+  "74": "multiple-definition-in-involvements-eg-1",
+  "75": "multiple-use-of-same-hash-algorithm-eg-1",
+  "76": "prohibited-document-category-name-eg-1",
+  "77": "prohibited-document-category-name-eg-2",
+  "78": "document-notes-eg-1",
+  "79": "document-references-eg-1",
+  "80": "vulnerabilities-for-informational-advisory-eg-1",
+  "81": "product-tree-eg-1",
+  "82": "vulnerability-notes-eg-1",
+  "83": "product-status-eg-1",
+  "84": "vex-product-status-eg-1",
+  "85": "vulnerability-id-eg-1",
+  "86": "impact-statement-eg-1",
+  "87": "action-statement-eg-1",
+  "88": "vulnerabilities-for-security-advisory-or-vex-eg-1",
+  "89": "translation-eg-1",
+  "90": "remediation-without-product-reference-eg-1",
+  "91": "mixed-integer-and-semantic-versioning-eg-1",
+  "92": "version-range-in-product-version-eg-1",
+  "93": "flag-without-product-reference-eg-1",
+  "94": "multiple-flags-with-vex-justification-codes-per-product-eg-1",
+  "95": "mandatory-tests--branches-recursion-depth-eg-1",
+  "96": "contradicting-remediations-eg-1",
+  "97": "contradicting-product-status-remediation-combination-eg-1",
+
+  "98": "unused-definition-of-product-id-eg-1",
+  "99": "missing-remediation-eg-1",
+  "100": "missing-metric-eg-1",
+  "101": "build-metadata-in-revision-history-eg-1",
+  "102": "older-initial-release-date-than-revision-history-eg-1",
+  "103": "older-current-release-date-than-revision-history-eg-1",
+  "104": "missing-date-in-involvements-eg-1",
+  "105": "use-of-md5-as-the-only-hash-algorithm-eg-1",
+  "106": "use-of-sha-1-as-the-only-hash-algorithm-eg-1",
+  "107": "missing-tlp-label-eg-1",
+  "108": "missing-canonical-url-eg-1",
+  "109": "missing-document-language-eg-1",
+  "110": "optional-tests--sorting-eg-1",
+  "111": "use-of-private-language-eg-1",
+  "112": "use-of-default-language-eg-1",
+  "113": "missing-product-identification-helper-eg-1",
+  "114": "cve-in-field-ids-eg-1",
+  "115": "product-version-range-without-vers-eg-1",
+  "116": "cvss-for-fixed-products-eg-1",
+  "117": "additional-properties-eg-1",
+  "118": "same-timestamps-in-revision-history-eg-1",
+  "119": "document-tracking-id-in-title-eg-1",
+  "120": "usage-of-deprecated-cwe-eg-1",
+  "121": "usage-of-non-latest-cwe-version-eg-1",
+  "122": "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1",
+  "123": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1",
+  "124": "discouraged-product-status-remediation-combination-eg-1",
+  "125": "use-of-cvss-v2-as-the-only-scoring-system-eg-1",
+  "126": "use-of-cvss-v3-0-eg-1",
+  "127": "missing-cve-eg-1",
+  "128": "missing-cwe-eg-1",
+  "129": "use-of-short-hash-eg-1",
+  "130": "use-of-non-self-referencing-urls-failing-to-resolve-eg-1",
+  "131": "use-of-self-referencing-urls-failing-to-resolve-eg-1",
+  "132": "spell-check-eg-1",
+  "133": "branch-categories-eg-1",
+  "134": "usage-of-product-version-range-eg-1",
+  "135": "usage-of-v-as-version-indicator-eg-1",
+  "136": "missing-cvss-v4-0-eg-1",
+  "137": "requirement-7-provider-metadata-json-eg-1",
+  "138": "requirement-8-security-txt-eg-1",
+  "139": "requirement-9-well-known-url-for-provider-metadata-json-eg-1",
+  "140": "requirement-11-one-folder-per-year-eg-1",
+  "141": "requirement-12-index-txt-eg-1",
+  "142": "requirement-13-changes-csv-eg-1",
+  "143": "requirement-15-rolie-feed-eg-1",
+  "144": "requirement-16-rolie-service-document-eg-1",
+  "145": "requirement-17-rolie-category-document-eg-1",
+  "146": "requirement-17-rolie-category-document-eg-2",
+  "147": "requirement-17-rolie-category-document-eg-3",
+  "148": "requirement-18-integrity-eg-1",
+  "149": "requirement-18-integrity-eg-2",
+  "150": "requirement-19-signatures-eg-1",
+  "151": "requirement-21-list-of-csaf-providers-eg-1",
+  "152": "requirement-23-mirror-eg-1",
+  "153": "conformance-clause-5-cvrf-csaf-converter-eg-1",
+  "154": "conformance-clause-5-cvrf-csaf-converter-eg-2",
+  "155": "conformance-clause-5-cvrf-csaf-converter-eg-3",
+  "156": "conformance-clause-5-cvrf-csaf-converter-eg-4"
 }
diff --git a/csaf_2.1/prose/edit/etc/example-local-to-global.json b/csaf_2.1/prose/edit/etc/example-local-to-global.json
index e1d5a5a1..b5dddb86 100644
--- a/csaf_2.1/prose/edit/etc/example-local-to-global.json
+++ b/csaf_2.1/prose/edit/etc/example-local-to-global.json
@@ -3,43 +3,46 @@
   "acknowledgments-type-names-eg-1": "1",
   "acknowledgments-type-organization-eg-1": "2",
   "acknowledgments-type-summary-eg-1": "3",
-  "action-statement-eg-1": "86",
-  "additional-properties-eg-1": "113",
-  "branch-categories-eg-1": "128",
+  "action-statement-eg-1": "87",
+  "additional-properties-eg-1": "117",
+  "branch-categories-eg-1": "133",
   "branches-type-name-eg-1": "5",
   "branches-type-name-under-product-version-eg-1": "6",
   "branches-type-name-under-product-version-eg-2": "7",
   "branches-type-name-under-product-version-range-eg-1": "8",
   "branches-type-name-under-product-version-range-eg-2": "9",
-  "build-metadata-in-revision-history-eg-1": "97",
-  "circular-definition-of-product-id-eg-1": "52",
-  "conformance-clause-5-cvrf-csaf-converter-eg-1": "148",
-  "conformance-clause-5-cvrf-csaf-converter-eg-2": "149",
-  "conformance-clause-5-cvrf-csaf-converter-eg-3": "150",
-  "conformance-clause-5-cvrf-csaf-converter-eg-4": "151",
-  "contradicting-product-status-eg-1": "55",
-  "cve-in-field-ids-eg-1": "110",
-  "cvss-for-fixed-products-eg-1": "112",
-  "cwe-eg-1": "60",
-  "document-notes-eg-1": "77",
-  "document-property-aggregate-severity-eg-1": "29",
-  "document-property-category-eg-1": "30",
-  "document-property-distribution-text-eg-1": "31",
-  "document-property-distribution-tlp-eg-1": "32",
-  "document-property-publisher-contact-details-eg-1": "33",
-  "document-property-publisher-name-eg-1": "34",
-  "document-property-publisher-namespace-eg-1": "35",
-  "document-property-title-eg-1": "36",
-  "document-property-tracking-aliases-eg-1": "37",
-  "document-property-tracking-generator-eg-1": "38",
-  "document-property-tracking-generator-eg-2": "39",
-  "document-property-tracking-id-eg-1": "40",
-  "document-references-eg-1": "78",
-  "document-status-draft-eg-1": "66",
-  "document-tracking-id-in-title-eg-1": "115",
-  "filename-eg-1": "48",
-  "filename-eg-2": "49",
-  "flag-without-product-reference-eg-1": "92",
+  "build-metadata-in-revision-history-eg-1": "101",
+  "circular-definition-of-product-id-eg-1": "53",
+  "conformance-clause-5-cvrf-csaf-converter-eg-1": "153",
+  "conformance-clause-5-cvrf-csaf-converter-eg-2": "154",
+  "conformance-clause-5-cvrf-csaf-converter-eg-3": "155",
+  "conformance-clause-5-cvrf-csaf-converter-eg-4": "156",
+  "contradicting-product-status-eg-1": "56",
+  "contradicting-product-status-remediation-combination-eg-1": "97",
+  "contradicting-remediations-eg-1": "96",
+  "cve-in-field-ids-eg-1": "114",
+  "cvss-for-fixed-products-eg-1": "116",
+  "cwe-eg-1": "61",
+  "discouraged-product-status-remediation-combination-eg-1": "124",
+  "document-notes-eg-1": "78",
+  "document-property-aggregate-severity-eg-1": "30",
+  "document-property-category-eg-1": "31",
+  "document-property-distribution-text-eg-1": "32",
+  "document-property-distribution-tlp-eg-1": "33",
+  "document-property-publisher-contact-details-eg-1": "34",
+  "document-property-publisher-name-eg-1": "35",
+  "document-property-publisher-namespace-eg-1": "36",
+  "document-property-title-eg-1": "37",
+  "document-property-tracking-aliases-eg-1": "38",
+  "document-property-tracking-generator-eg-1": "39",
+  "document-property-tracking-generator-eg-2": "40",
+  "document-property-tracking-id-eg-1": "41",
+  "document-references-eg-1": "79",
+  "document-status-draft-eg-1": "67",
+  "document-tracking-id-in-title-eg-1": "119",
+  "filename-eg-1": "49",
+  "filename-eg-2": "50",
+  "flag-without-product-reference-eg-1": "93",
   "full-product-name-type-name-eg-1": "10",
   "full-product-name-type-product-identification-helper-generic-uris-eg-1": "16",
   "full-product-name-type-product-identification-helper-generic-uris-eg-2": "17",
@@ -48,107 +51,109 @@
   "full-product-name-type-product-identification-helper-hashes-eg-3": "13",
   "full-product-name-type-product-identification-helper-model-numbers-eg-1": "14",
   "full-product-name-type-product-identification-helper-sbom-urls-eg-1": "15",
-  "impact-statement-eg-1": "85",
-  "inconsistent-cvss-eg-1": "59",
-  "invalid-cvss-computation-eg-1": "58",
-  "invalid-cvss-eg-1": "57",
-  "language-eg-1": "61",
+  "impact-statement-eg-1": "86",
+  "inconsistent-cvss-eg-1": "60",
+  "invalid-cvss-computation-eg-1": "59",
+  "invalid-cvss-eg-1": "58",
+  "language-eg-1": "62",
   "language-type-eg-1": "18",
-  "latest-document-version-eg-1": "65",
-  "missing-canonical-url-eg-1": "104",
-  "missing-cve-eg-1": "122",
-  "missing-cvss-v4-0-eg-1": "131",
-  "missing-cwe-eg-1": "123",
-  "missing-date-in-involvements-eg-1": "100",
-  "missing-definition-of-product-group-id-eg-1": "53",
-  "missing-definition-of-product-id-eg-1": "50",
-  "missing-document-language-eg-1": "105",
-  "missing-item-in-revision-history-eg-1": "70",
-  "missing-metric-eg-1": "96",
-  "missing-product-identification-helper-eg-1": "109",
-  "missing-remediation-eg-1": "95",
-  "missing-tlp-label-eg-1": "103",
-  "mixed-integer-and-semantic-versioning-eg-1": "90",
-  "multiple-definition-in-involvements-eg-1": "73",
-  "multiple-definition-in-revision-history-eg-1": "71",
-  "multiple-definition-of-product-group-id-eg-1": "54",
-  "multiple-definition-of-product-id-eg-1": "51",
-  "multiple-flags-with-vex-justification-codes-per-product-eg-1": "93",
-  "multiple-scores-with-same-version-per-product-eg-1": "56",
-  "multiple-use-of-same-cve-eg-1": "72",
-  "multiple-use-of-same-hash-algorithm-eg-1": "74",
-  "non-draft-document-version-eg-1": "69",
+  "latest-document-version-eg-1": "66",
+  "mandatory-tests--branches-recursion-depth-eg-1": "95",
+  "missing-canonical-url-eg-1": "108",
+  "missing-cve-eg-1": "127",
+  "missing-cvss-v4-0-eg-1": "136",
+  "missing-cwe-eg-1": "128",
+  "missing-date-in-involvements-eg-1": "104",
+  "missing-definition-of-product-group-id-eg-1": "54",
+  "missing-definition-of-product-id-eg-1": "51",
+  "missing-document-language-eg-1": "109",
+  "missing-item-in-revision-history-eg-1": "71",
+  "missing-metric-eg-1": "100",
+  "missing-product-identification-helper-eg-1": "113",
+  "missing-remediation-eg-1": "99",
+  "missing-tlp-label-eg-1": "107",
+  "mixed-integer-and-semantic-versioning-eg-1": "91",
+  "multiple-definition-in-involvements-eg-1": "74",
+  "multiple-definition-in-revision-history-eg-1": "72",
+  "multiple-definition-of-product-group-id-eg-1": "55",
+  "multiple-definition-of-product-id-eg-1": "52",
+  "multiple-flags-with-vex-justification-codes-per-product-eg-1": "94",
+  "multiple-scores-with-same-version-per-product-eg-1": "57",
+  "multiple-use-of-same-cve-eg-1": "73",
+  "multiple-use-of-same-hash-algorithm-eg-1": "75",
+  "non-draft-document-version-eg-1": "70",
   "notes-type-eg-1": "19",
   "notes-type-eg-2": "20",
-  "older-current-release-date-than-revision-history-eg-1": "99",
-  "older-initial-release-date-than-revision-history-eg-1": "98",
-  "optional-tests--sorting-eg-1": "106",
+  "older-current-release-date-than-revision-history-eg-1": "103",
+  "older-initial-release-date-than-revision-history-eg-1": "102",
+  "optional-tests--sorting-eg-1": "110",
   "product-group-id-type-eg-1": "21",
   "product-id-type-eg-1": "22",
-  "product-status-eg-1": "82",
-  "product-tree-eg-1": "80",
-  "product-tree-property-product-groups-eg-1": "41",
-  "product-tree-property-relationships-eg-1": "42",
-  "product-version-range-without-vers-eg-1": "111",
-  "prohibited-document-category-name-eg-1": "75",
-  "prohibited-document-category-name-eg-2": "76",
-  "purl-eg-1": "62",
-  "released-revision-history-eg-1": "67",
-  "remediation-without-product-reference-eg-1": "89",
-  "requirement-11-one-folder-per-year-eg-1": "135",
-  "requirement-12-index-txt-eg-1": "136",
-  "requirement-13-changes-csv-eg-1": "137",
-  "requirement-15-rolie-feed-eg-1": "138",
-  "requirement-16-rolie-service-document-eg-1": "139",
-  "requirement-17-rolie-category-document-eg-1": "140",
-  "requirement-17-rolie-category-document-eg-2": "141",
-  "requirement-17-rolie-category-document-eg-3": "142",
-  "requirement-18-integrity-eg-1": "143",
-  "requirement-18-integrity-eg-2": "144",
-  "requirement-19-signatures-eg-1": "145",
-  "requirement-21-list-of-csaf-providers-eg-1": "146",
-  "requirement-23-mirror-eg-1": "147",
-  "requirement-7-provider-metadata-json-eg-1": "132",
-  "requirement-8-security-txt-eg-1": "133",
-  "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "134",
-  "revision-history-entries-for-pre-release-versions-eg-1": "68",
-  "same-timestamps-in-revision-history-eg-1": "114",
-  "sorted-revision-history-eg-1": "63",
-  "spell-check-eg-1": "127",
-  "translation-eg-1": "88",
-  "translator-eg-1": "64",
+  "product-status-eg-1": "83",
+  "product-tree-eg-1": "81",
+  "product-tree-property-product-groups-eg-1": "42",
+  "product-tree-property-relationships-eg-1": "43",
+  "product-version-range-without-vers-eg-1": "115",
+  "prohibited-document-category-name-eg-1": "76",
+  "prohibited-document-category-name-eg-2": "77",
+  "purl-eg-1": "63",
+  "released-revision-history-eg-1": "68",
+  "remediation-without-product-reference-eg-1": "90",
+  "requirement-11-one-folder-per-year-eg-1": "140",
+  "requirement-12-index-txt-eg-1": "141",
+  "requirement-13-changes-csv-eg-1": "142",
+  "requirement-15-rolie-feed-eg-1": "143",
+  "requirement-16-rolie-service-document-eg-1": "144",
+  "requirement-17-rolie-category-document-eg-1": "145",
+  "requirement-17-rolie-category-document-eg-2": "146",
+  "requirement-17-rolie-category-document-eg-3": "147",
+  "requirement-18-integrity-eg-1": "148",
+  "requirement-18-integrity-eg-2": "149",
+  "requirement-19-signatures-eg-1": "150",
+  "requirement-21-list-of-csaf-providers-eg-1": "151",
+  "requirement-23-mirror-eg-1": "152",
+  "requirement-7-provider-metadata-json-eg-1": "137",
+  "requirement-8-security-txt-eg-1": "138",
+  "requirement-9-well-known-url-for-provider-metadata-json-eg-1": "139",
+  "revision-history-entries-for-pre-release-versions-eg-1": "69",
+  "same-timestamps-in-revision-history-eg-1": "118",
+  "sorted-revision-history-eg-1": "64",
+  "spell-check-eg-1": "132",
+  "translation-eg-1": "89",
+  "translator-eg-1": "65",
   "typographical-conventions-eg-1": "4321",
-  "unused-definition-of-product-id-eg-1": "94",
-  "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "119",
-  "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "118",
-  "usage-of-deprecated-cwe-eg-1": "116",
-  "usage-of-non-latest-cwe-version-eg-1": "117",
-  "usage-of-product-version-range-eg-1": "129",
-  "usage-of-v-as-version-indicator-eg-1": "130",
-  "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "120",
-  "use-of-cvss-v3-0-eg-1": "121",
-  "use-of-default-language-eg-1": "108",
-  "use-of-md5-as-the-only-hash-algorithm-eg-1": "101",
-  "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "125",
-  "use-of-private-language-eg-1": "107",
-  "use-of-self-referencing-urls-failing-to-resolve-eg-1": "126",
-  "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "102",
-  "use-of-short-hash-eg-1": "124",
-  "version-range-in-product-version-eg-1": "91",
+  "unused-definition-of-product-id-eg-1": "98",
+  "usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1": "123",
+  "usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1": "122",
+  "usage-of-deprecated-cwe-eg-1": "120",
+  "usage-of-non-latest-cwe-version-eg-1": "121",
+  "usage-of-product-version-range-eg-1": "134",
+  "usage-of-v-as-version-indicator-eg-1": "135",
+  "use-of-cvss-v2-as-the-only-scoring-system-eg-1": "125",
+  "use-of-cvss-v3-0-eg-1": "126",
+  "use-of-default-language-eg-1": "112",
+  "use-of-md5-as-the-only-hash-algorithm-eg-1": "105",
+  "use-of-non-self-referencing-urls-failing-to-resolve-eg-1": "130",
+  "use-of-private-language-eg-1": "111",
+  "use-of-self-referencing-urls-failing-to-resolve-eg-1": "131",
+  "use-of-sha-1-as-the-only-hash-algorithm-eg-1": "106",
+  "use-of-short-hash-eg-1": "129",
+  "version-range-in-product-version-eg-1": "92",
   "version-type-eg-1": "23",
   "version-type-semantic-versioning-eg-1": "24",
   "version-type-semantic-versioning-eg-2": "25",
   "version-type-semantic-versioning-eg-3": "26",
   "version-type-semantic-versioning-eg-4": "27",
   "version-type-semantic-versioning-eg-5": "28",
-  "vex-product-status-eg-1": "83",
-  "vulnerabilities-for-informational-advisory-eg-1": "79",
-  "vulnerabilities-for-security-advisory-or-vex-eg-1": "87",
-  "vulnerabilities-property-cwes-eg-1": "43",
-  "vulnerabilities-property-cwes-eg-2": "44",
-  "vulnerabilities-property-cwes-eg-3": "45",
-  "vulnerabilities-property-ids-eg-1": "46",
-  "vulnerabilities-property-ids-eg-2": "47",
-  "vulnerability-id-eg-1": "84",
-  "vulnerability-notes-eg-1": "81"
+  "version-type-semantic-versioning-eg-6": "29",
+  "vex-product-status-eg-1": "84",
+  "vulnerabilities-for-informational-advisory-eg-1": "80",
+  "vulnerabilities-for-security-advisory-or-vex-eg-1": "88",
+  "vulnerabilities-property-cwes-eg-1": "44",
+  "vulnerabilities-property-cwes-eg-2": "45",
+  "vulnerabilities-property-cwes-eg-3": "46",
+  "vulnerabilities-property-ids-eg-1": "47",
+  "vulnerabilities-property-ids-eg-2": "48",
+  "vulnerability-id-eg-1": "85",
+  "vulnerability-notes-eg-1": "82"
 }
\ No newline at end of file
diff --git a/csaf_2.1/prose/edit/etc/section-display-to-label.json b/csaf_2.1/prose/edit/etc/section-display-to-label.json
index 55ddfad9..e28c2a37 100644
--- a/csaf_2.1/prose/edit/etc/section-display-to-label.json
+++ b/csaf_2.1/prose/edit/etc/section-display-to-label.json
@@ -7,6 +7,7 @@
   "1.5": "typographical-conventions",
   "2": "design-considerations",
   "2.1": "construction-principles",
+  "2.2": "date-and-time",
   "3": "schema-elements",
   "3.1": "definitions",
   "3.1.1": "acknowledgments-type",
@@ -162,6 +163,9 @@
   "6.1.31": "version-range-in-product-version",
   "6.1.32": "flag-without-product-reference",
   "6.1.33": "multiple-flags-with-vex-justification-codes-per-product",
+  "6.1.34": "mandatory-tests--branches-recursion-depth",
+  "6.1.35": "contradicting-remediations",
+  "6.1.36": "contradicting-product-status-remediation-combination",
   "6.2": "optional-tests",
   "6.2.1": "unused-definition-of-product-id",
   "6.2.2": "missing-remediation",
@@ -189,6 +193,7 @@
   "6.2.24": "usage-of-non-latest-cwe-version",
   "6.2.25": "usage-of-cwe-not-allowed-for-vulnerability-mapping",
   "6.2.26": "usage-of-cwe-allowed-with-review-for-vulnerability-mapping",
+  "6.2.27": "discouraged-product-status-remediation-combination",
   "6.3": "informative-test",
   "6.3.1": "use-of-cvss-v2-as-the-only-scoring-system",
   "6.3.2": "use-of-cvss-v3-0",
@@ -261,6 +266,7 @@
   "9.1.20": "conformance-clause-20-csaf-library-with-basic-validation",
   "9.1.21": "conformance-clause-21-csaf-library-with-extended-validation",
   "9.1.22": "conformance-clause-22-csaf-library-with-full-validation",
+  "9.1.23": "conformance-clause-23-csaf-downloader",
   "Appendix A.": "acknowledgments",
   "Appendix B.": "revision-history",
   "Appendix C.": "guidance-on-the-size-of-csaf-documents",
diff --git a/csaf_2.1/prose/edit/etc/section-label-to-display.json b/csaf_2.1/prose/edit/etc/section-label-to-display.json
index 9aed0ae6..6a6e3918 100644
--- a/csaf_2.1/prose/edit/etc/section-label-to-display.json
+++ b/csaf_2.1/prose/edit/etc/section-label-to-display.json
@@ -38,6 +38,7 @@
   "conformance-clause-20-csaf-library-with-basic-validation": "9.1.20",
   "conformance-clause-21-csaf-library-with-extended-validation": "9.1.21",
   "conformance-clause-22-csaf-library-with-full-validation": "9.1.22",
+  "conformance-clause-23-csaf-downloader": "9.1.23",
   "conformance-clause-3-csaf-direct-producer": "9.1.3",
   "conformance-clause-4-csaf-converter": "9.1.4",
   "conformance-clause-5-cvrf-csaf-converter": "9.1.5",
@@ -48,12 +49,16 @@
   "conformance-targets": "9.1",
   "construction-principles": "2.1",
   "contradicting-product-status": "6.1.6",
+  "contradicting-product-status-remediation-combination": "6.1.36",
+  "contradicting-remediations": "6.1.35",
   "cve-in-field-ids": "6.2.17",
   "cvss-for-fixed-products": "6.2.19",
   "cwe": "6.1.11",
   "date": "C.6",
+  "date-and-time": "2.2",
   "definitions": "3.1",
   "design-considerations": "2",
+  "discouraged-product-status-remediation-combination": "6.2.27",
   "distributing-csaf-documents": "7",
   "document-notes": "6.1.27.1",
   "document-property": "3.2.2",
@@ -117,6 +122,7 @@
   "language-type": "3.1.4",
   "latest-document-version": "6.1.16",
   "mandatory-tests": "6.1",
+  "mandatory-tests--branches-recursion-depth": "6.1.34",
   "missing-canonical-url": "6.2.11",
   "missing-cve": "6.3.3",
   "missing-cvss-v4-0": "6.3.12",
diff --git a/csaf_2.1/prose/edit/src/conformance.md b/csaf_2.1/prose/edit/src/conformance.md
index 3a2aeb9a..426d009c 100644
--- a/csaf_2.1/prose/edit/src/conformance.md
+++ b/csaf_2.1/prose/edit/src/conformance.md
@@ -61,7 +61,7 @@ The entities ("conformance targets") for which this document defines requirement
 
 A text file or data stream satisfies the "CSAF document" conformance profile if it:
 
-* conforms to the syntax and semantics defined in section [sec](#date-time)
+* conforms to the syntax and semantics defined in section [sec](#date-and-time)
 * conforms to the syntax and semantics defined in section [sec](#schema-elements).
 * satisfies at least one profile defined in section [sec](#profiles).
 * does not fail any mandatory test defined in section [sec](#mandatory-tests).
@@ -673,4 +673,5 @@ A program satisfies the "CSAF downloader" conformance profile if the program:
 * uses a program-specific HTTP User Agent, e.g. consisting of the name and version of the program.
 
 > A tool MAY implement an option to store CSAF documents that fail any of the steps in section [sec](#retrieving-csaf-documents).
+
 -------
diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.html b/csaf_2.1/prose/share/csaf-v2.1-draft.html
index 8e845916..c99352a0 100644
--- a/csaf_2.1/prose/share/csaf-v2.1-draft.html
+++ b/csaf_2.1/prose/share/csaf-v2.1-draft.html
@@ -41,8 +41,8 @@ <h1 id="common-security-advisory-framework-version-21">
     <h2 id="committee-specification-draft-01">
       Committee Specification Draft 01
     </h2>
-    <h2 id="28-august-2024">
-      28 August 2024
+    <h2 id="30-october-2024">
+      30 October 2024
     </h2>
     <h4 id="this-stage">
       This stage:
@@ -160,7 +160,7 @@ <h4 id="citation-format">
       <strong>[csaf-v2.1]</strong>
     </p>
     <p>
-      <em>Common Security Advisory Framework Version 2.1</em>. Edited by Stefan Hagen, and Thomas Schmidt. 28 August 2024. OASIS Committee Specification Draft 01. <a href="https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html">https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html</a>. Latest stage: <a href=
+      <em>Common Security Advisory Framework Version 2.1</em>. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. <a href="https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html">https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html</a>. Latest stage: <a href=
       "https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html">https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html</a>.
     </p>
     <hr />
@@ -230,6 +230,8 @@ <h1 id="table-of-contents">
           <ul>
             <li>2.1 <a href="#construction-principles">Construction Principles</a>
             </li>
+            <li>2.2 <a href="#date-and-time">Date and Time</a>
+            </li>
           </ul>
         </li>
         <li>3. <a href="#schema-elements">Schema Elements</a>
@@ -586,6 +588,12 @@ <h1 id="table-of-contents">
                 </li>
                 <li>6.1.33 <a href="#multiple-flags-with-vex-justification-codes-per-product">Multiple Flags with VEX Justification Codes per Product</a>
                 </li>
+                <li>6.1.34 <a href="#mandatory-tests--branches-recursion-depth">Branches Recursion Depth</a>
+                </li>
+                <li>6.1.35 <a href="#contradicting-remediations">Contradicting Remediations</a>
+                </li>
+                <li>6.1.36 <a href="#contradicting-product-status-remediation-combination">Contradicting Product Status Remediation Combination</a>
+                </li>
               </ul>
             </li>
             <li>6.2 <a href="#optional-tests">Optional Tests</a>
@@ -608,7 +616,7 @@ <h1 id="table-of-contents">
                 </li>
                 <li>6.2.9 <a href="#use-of-sha-1-as-the-only-hash-algorithm">Use of SHA-1 as the only Hash Algorithm</a>
                 </li>
-                <li>6.2.10 <a href="#missing-tlp-label">Missing TLP label (deprecated)</a>
+                <li>6.2.10 <a href="#missing-tlp-label">Missing TLP label (obsolete)</a>
                 </li>
                 <li>6.2.11 <a href="#missing-canonical-url">Missing Canonical URL</a>
                 </li>
@@ -642,6 +650,8 @@ <h1 id="table-of-contents">
                 </li>
                 <li>6.2.26 <a href="#usage-of-cwe-allowed-with-review-for-vulnerability-mapping">Usage of CWE Allowed with Review for Vulnerability Mapping</a>
                 </li>
+                <li>6.2.27 <a href="#discouraged-product-status-remediation-combination">Discouraged Product Status Remediation Combination</a>
+                </li>
               </ul>
             </li>
             <li>6.3 <a href="#informative-test">Informative Test</a>
@@ -802,6 +812,8 @@ <h1 id="table-of-contents">
                 </li>
                 <li>9.1.22 <a href="#conformance-clause-22-csaf-library-with-full-validation">Conformance Clause 22: CSAF library with full validation</a>
                 </li>
+                <li>9.1.23 <a href="#conformance-clause-23-csaf-downloader">Conformance Clause 23: CSAF downloader</a>
+                </li>
               </ul>
             </li>
           </ul>
@@ -930,6 +942,12 @@ <h2 id="12-terminology-">
       <dd>
         security advisory text document in the format defined by this document.
       </dd>
+      <dt id="def;csaf-downloader">
+        CSAF downloader
+      </dt>
+      <dd>
+        A program that retrieves CSAF documents in an automated fashion.
+      </dd>
       <dt id="def;csaf-extended-validator">
         CSAF extended validator
       </dt>
@@ -1092,6 +1110,12 @@ <h2 id="12-terminology-">
       <dd>
         result which an end user decides does not actually represent a problem
       </dd>
+      <dt id="def;filter">
+        filter
+      </dt>
+      <dd>
+        refine a list by selecting entries that match given criteria
+      </dd>
       <dt id="def;fingerprint">
         fingerprint
       </dt>
@@ -1230,6 +1254,12 @@ <h2 id="12-terminology-">
       <dd>
         container for a related set of files in a version control system
       </dd>
+      <dt id="def;search">
+        search
+      </dt>
+      <dd>
+        compile a list of entries that match given criteria
+      </dd>
       <dt id="def;taxonomy">
         taxonomy
       </dt>
@@ -1324,6 +1354,10 @@ <h2 id="12-terminology-">
     <h2 id="13-normative-references-">
       1.3 Normative References <a id='normative-references'></a>
     </h2>
+    <p>
+      <strong>[</strong><span id="ISO8601" class="anchor"></span><strong>ISO8601]</strong> <em>Data elements and interchange formats — Information interchange — Representation of dates and times</em>, International Standard, ISO 8601:2004(E), December 1, 2004, <a href=
+      "https://www.iso.org/standard/40874.html">https://www.iso.org/standard/40874.html</a>.
+    </p>
     <p>
       <strong>[</strong><span id="JSON-Schema-Core" class="anchor"></span><strong>JSON-Schema-Core]</strong> <em>JSON Schema: A Media Type for Describing JSON Documents</em>, draft-bhutton-json-schema-00, December 2020, <a href=
       "https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00">https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00</a>.
@@ -1343,6 +1377,9 @@ <h2 id="13-normative-references-">
     <p>
       <strong>[</strong><span id="RFC2119" class="anchor"></span><strong>RFC2119]</strong> Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>.
     </p>
+    <p>
+      <strong>[</strong><span id="RFC3339" class="anchor"></span><strong>RFC3339]</strong> Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <a href="https://www.rfc-editor.org/info/rfc3339">https://www.rfc-editor.org/info/rfc3339</a>.
+    </p>
     <p>
       <strong>[</strong><span id="RFC7464" class="anchor"></span><strong>RFC7464]</strong> Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, <a href="https://www.rfc-editor.org/info/rfc7464">https://www.rfc-editor.org/info/rfc7464</a>.
     </p>
@@ -1416,10 +1453,6 @@ <h2 id="14-informative-references-">
     <p>
       <strong>[</strong><span id="GFMENG" class="anchor"></span><strong>GFMENG]</strong> <em>GitHub Engineering: A formal spec for GitHub Flavored Markdown</em>, <a href="https://githubengineering.com/a-formal-spec-for-github-markdown/">https://githubengineering.com/a-formal-spec-for-github-markdown/</a>.
     </p>
-    <p>
-      <strong>[</strong><span id="ISO8601" class="anchor"></span><strong>ISO8601]</strong> <em>Data elements and interchange formats — Information interchange — Representation of dates and times</em>, International Standard, ISO 8601:2004(E), December 1, 2004, <a href=
-      "https://www.iso.org/standard/40874.html">https://www.iso.org/standard/40874.html</a>.
-    </p>
     <p>
       <strong>[</strong><span id="ISO19770-2" class="anchor"></span><strong>ISO19770-2]</strong> <em>Information technology — IT asset management — Part 2: Software identification tag</em>, International Standard, ISO 19770-2:2015, September 30, 2015, <a href=
       "https://www.iso.org/standard/65666.html">https://www.iso.org/standard/65666.html</a>.
@@ -1433,9 +1466,6 @@ <h2 id="14-informative-references-">
     <p>
       <strong>[</strong><span id="PURL" class="anchor"></span><strong>PURL]</strong> <em>Package URL (purl)</em>, GitHub Project, <a href="https://github.com/package-url/purl-spec">https://github.com/package-url/purl-spec</a>.
     </p>
-    <p>
-      <strong>[</strong><span id="RFC3339" class="anchor"></span><strong>RFC3339]</strong> Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <a href="https://www.rfc-editor.org/info/rfc3339">https://www.rfc-editor.org/info/rfc3339</a>.
-    </p>
     <p>
       <strong>[</strong><span id="RFC3552" class="anchor"></span><strong>RFC3552]</strong> Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, <a href="https://www.rfc-editor.org/info/rfc3552">https://www.rfc-editor.org/info/rfc3552</a>.
     </p>
@@ -1652,6 +1682,26 @@ <h2 id="21-construction-principles-">
       from the specification which can not be tested by the schema. Section <a href="#distributing-csaf-documents">7</a> states how to distribute and where to find CSAF documents. Safety, Security and Data Protection are considered in section <a href="#safety-security-and-data-protection-considerations">8</a>. Finally, a set of conformance
       targets describes tools in the ecosystem.
     </p>
+    <h2 id="22-date-and-time-">
+      2.2 Date and Time <a id='date-and-time'></a>
+    </h2>
+    <p>
+      This standard uses the <code>date-time</code> format as defined in JSON Schema Draft 2020-12 Section 7.3.1. In accordance with RFC 3339 and ISO 8601, the following rules apply:
+    </p>
+    <ul>
+      <li>The letter <code>T</code> separating the date and time SHALL be upper case.
+      </li>
+      <li>The letter <code>Z</code> indicating the timezone UTC SHALL be upper case.
+      </li>
+      <li>Fractions of seconds are allowed as specified in the standards mention above with the full stop (<code>.</code>) as separator.
+      </li>
+      <li>Leap seconds are supported. However, they SHOULD be avoided if possible.
+      </li>
+      <li>Empty timezones are prohibited.
+      </li>
+      <li>The ABNF of RFC 3339, section 5.6 applies.
+      </li>
+    </ul>
     <hr />
     <h1 id="3-schema-elements-">
       3. Schema Elements <a id='schema-elements'></a>
@@ -2113,29 +2163,28 @@ <h4 id="3133-full-product-name-type---product-identification-helper-">
         "cpe": {
           // ...
         },
-        "hashes": [
+        "hashes": {
           // ...
-        ],
-        "model_numbers": [
+        },
+        "model_numbers": {
           // ...
-        ],
+        },
         "purl": {
           // ...
         },
-        "sbom_urls": [
+        "sbom_urls": {
           // ...
-        ],
-        "serial_numbers": [
+        },
+        "serial_numbers": {
           // ...
-        ],
-        "skus": [
+        },
+        "skus": {
           // ...
-        ],
-        "x_generic_uris": [
+        },
+        "x_generic_uris": {
           // ...
-        ]
-      }
-    }</code></pre>
+        }
+      }</code></pre>
     <h5 id="31331-full-product-name-type---product-identification-helper---cpe-">
       3.1.3.3.1 Full Product Name Type - Product Identification Helper - CPE <a id='full-product-name-type-product-identification-helper-cpe'></a>
     </h5>
@@ -2146,6 +2195,11 @@ <h5 id="31331-full-product-name-type---product-identification-helper---cpe-">
     <p>
       The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification. See [CPE23-N] for details.
     </p>
+    <blockquote>
+      <p>
+        Both, CPE 2.2 and CPE 2.3, are supported in CSAF.
+      </p>
+    </blockquote>
     <h5 id="31332-full-product-name-type---product-identification-helper---hashes-">
       3.1.3.3.2 Full Product Name Type - Product Identification Helper - Hashes <a id='full-product-name-type-product-identification-helper-hashes'></a>
     </h5>
@@ -2800,7 +2854,7 @@ <h4 id="31112-version-type---semantic-versioning-">
         <pre><code>1.0.0-0.3.7
 1.0.0-alpha
 1.0.0-alpha.1
-1.0.0-x-y-z.–
+1.0.0-x-y-z.--
 1.0.0-x.7.z.92</code></pre>
       </li>
       <li>
@@ -2817,7 +2871,7 @@ <h4 id="31112-version-type---semantic-versioning-">
           <em>Examples 2:</em><a id='version-type-semantic-versioning-eg-2'></a><a id='sec-3-1-11-2-eg-2'></a><a id='example-25'></a>
         </p>
         <pre><code>1.0.0+20130313144700
-1.0.0+21AF26D3—-117B344092BD
+1.0.0+21AF26D3----117B344092BD
 1.0.0-alpha+001
 1.0.0-beta+exp.sha.5114f85</code></pre>
       </li>
@@ -2871,6 +2925,17 @@ <h4 id="31112-version-type---semantic-versioning-">
         </ol>
       </li>
     </ol>
+    <p>
+      Note, that the following values do no conform the semantic versioning described above.
+    </p>
+    <p>
+      <em>Examples 6 (which are invalid):</em><a id='version-type-semantic-versioning-eg-6'></a><a id='sec-3-1-11-2-eg-6'></a><a id='example-29'></a>
+    </p>
+    <pre><code>  1.16.13.14-Cor
+  1.0.0-x-y-z.–
+  1.0.0+21AF26D3—-117B344092BD
+  2.5.20+3f93da6b+7cc
+  3.20.0-00</code></pre>
     <h2 id="32-properties-">
       3.2 Properties <a id='properties'></a>
     </h2>
@@ -2972,7 +3037,7 @@ <h4 id="3222-document-property---aggregate-severity-">
       The Text of aggregate severity (<code>text</code>) of value type <code>string</code> with 1 or more characters provides a severity which is independent of - and in addition to - any other standard metric for determining the impact or severity of a given vulnerability (such as CVSS).
     </p>
     <p>
-      <em>Examples 1:</em><a id='document-property-aggregate-severity-eg-1'></a><a id='sec-3-2-2-2-eg-1'></a><a id='example-29'></a>
+      <em>Examples 1:</em><a id='document-property-aggregate-severity-eg-1'></a><a id='sec-3-2-2-2-eg-1'></a><a id='example-30'></a>
     </p>
     <pre><code>    Critical
     Important
@@ -2996,7 +3061,7 @@ <h4 id="3223-document-property---category-">
       // ...
     }</code></pre>
     <p>
-      <em>Examples 1:</em><a id='document-property-category-eg-1'></a><a id='sec-3-2-2-3-eg-1'></a><a id='example-30'></a>
+      <em>Examples 1:</em><a id='document-property-category-eg-1'></a><a id='sec-3-2-2-3-eg-1'></a><a id='example-31'></a>
     </p>
     <pre><code>    csaf_base
     csaf_security_advisory
@@ -3036,7 +3101,7 @@ <h5 id="32251-document-property---distribution---text-">
       The Textual description (<code>text</code>) of value type <code>string</code> with 1 or more characters provides a textual description of additional constraints.
     </p>
     <p>
-      <em>Examples 1:</em><a id='document-property-distribution-text-eg-1'></a><a id='sec-3-2-2-5-1-eg-1'></a><a id='example-31'></a>
+      <em>Examples 1:</em><a id='document-property-distribution-text-eg-1'></a><a id='sec-3-2-2-5-1-eg-1'></a><a id='example-32'></a>
     </p>
     <pre><code>    Copyright 2024, Example Company, All Rights Reserved.
     Distribute freely.
@@ -3084,7 +3149,7 @@ <h5 id="32252-document-property---distribution---tlp-">
     </p>
     <pre><code>    https://www.first.org/tlp/</code></pre>
     <p>
-      <em>Examples 1:</em><a id='document-property-distribution-tlp-eg-1'></a><a id='sec-3-2-2-5-2-eg-1'></a><a id='example-32'></a>
+      <em>Examples 1:</em><a id='document-property-distribution-tlp-eg-1'></a><a id='sec-3-2-2-5-2-eg-1'></a><a id='example-33'></a>
     </p>
     <pre><code>    https://www.us-cert.gov/tlp
     https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/TLP/merkblatt-tlp.pdf</code></pre>
@@ -3232,7 +3297,7 @@ <h5 id="32282-document-property---publisher---contact-details-">
       Contact details (<code>contact_details</code>) of value type <code>string</code> with 1 or more characters provides information on how to contact the publisher, possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.
     </p>
     <p>
-      <em>Example 1:</em><a id='document-property-publisher-contact-details-eg-1'></a><a id='sec-3-2-2-8-2-eg-1'></a><a id='example-33'></a>
+      <em>Example 1:</em><a id='document-property-publisher-contact-details-eg-1'></a><a id='sec-3-2-2-8-2-eg-1'></a><a id='example-34'></a>
     </p>
     <pre><code>    Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact.</code></pre>
     <h5 id="32283-document-property---publisher---issuing-authority-">
@@ -3248,7 +3313,7 @@ <h5 id="32284-document-property---publisher---name-">
       The Name of publisher (<code>name</code>) of value type <code>string</code> with 1 or more characters contains the name of the issuing party.
     </p>
     <p>
-      <em>Example 1:</em><a id='document-property-publisher-name-eg-1'></a><a id='sec-3-2-2-8-4-eg-1'></a><a id='example-34'></a>
+      <em>Example 1:</em><a id='document-property-publisher-name-eg-1'></a><a id='sec-3-2-2-8-4-eg-1'></a><a id='example-35'></a>
     </p>
     <pre><code>     BSI
      Cisco PSIRT
@@ -3277,7 +3342,7 @@ <h5 id="32285-document-property---publisher---namespace-">
       </li>
     </ul>
     <p>
-      <em>Examples 1:</em><a id='document-property-publisher-namespace-eg-1'></a><a id='sec-3-2-2-8-5-eg-1'></a><a id='example-35'></a>
+      <em>Examples 1:</em><a id='document-property-publisher-namespace-eg-1'></a><a id='sec-3-2-2-8-5-eg-1'></a><a id='example-36'></a>
     </p>
     <pre><code>    https://csaf.io
     https://www.example.com</code></pre>
@@ -3312,7 +3377,7 @@ <h4 id="32211-document-property---title-">
       Title of this document (<code>title</code>) of value type <code>string</code> with 1 or more characters SHOULD be a canonical name for the document, and sufficiently unique to distinguish it from similar documents.
     </p>
     <p>
-      <em>Examples 1:</em><a id='document-property-title-eg-1'></a><a id='sec-3-2-2-11-eg-1'></a><a id='example-36'></a>
+      <em>Examples 1:</em><a id='document-property-title-eg-1'></a><a id='sec-3-2-2-11-eg-1'></a><a id='example-37'></a>
     </p>
     <pre><code>    Cisco IPv6 Crafted Packet Denial of Service Vulnerability
     Example Company Cross-Site-Scripting Vulnerability in Example Generator</code></pre>
@@ -3368,7 +3433,7 @@ <h5 id="322121-document-property---tracking---aliases-">
       Every such Alternate Name of value type <code>string</code> with 1 or more characters specifies a non-empty string that represents a distinct optional alternative ID used to refer to the document.
     </p>
     <p>
-      <em>Example 1:</em><a id='document-property-tracking-aliases-eg-1'></a><a id='sec-3-2-2-12-1-eg-1'></a><a id='example-37'></a>
+      <em>Example 1:</em><a id='document-property-tracking-aliases-eg-1'></a><a id='sec-3-2-2-12-1-eg-1'></a><a id='example-38'></a>
     </p>
     <pre><code>    CVE-2019-12345</code></pre>
     <h5 id="322122-document-property---tracking---current-release-date-">
@@ -3417,7 +3482,7 @@ <h5 id="322123-document-property---tracking---generator-">
       Engine name (<code>name</code>) of value type <code>string</code> with 1 or more characters represents the name of the engine that generated the CSAF document.
     </p>
     <p>
-      <em>Examples 1:</em><a id='document-property-tracking-generator-eg-1'></a><a id='sec-3-2-2-12-3-eg-1'></a><a id='example-38'></a>
+      <em>Examples 1:</em><a id='document-property-tracking-generator-eg-1'></a><a id='sec-3-2-2-12-3-eg-1'></a><a id='example-39'></a>
     </p>
     <pre><code>    Red Hat rhsa-to-cvrf
     Secvisogram
@@ -3431,7 +3496,7 @@ <h5 id="322123-document-property---tracking---generator-">
       </p>
     </blockquote>
     <p>
-      <em>Examples 2:</em><a id='document-property-tracking-generator-eg-2'></a><a id='sec-3-2-2-12-3-eg-2'></a><a id='example-39'></a>
+      <em>Examples 2:</em><a id='document-property-tracking-generator-eg-2'></a><a id='sec-3-2-2-12-3-eg-2'></a><a id='example-40'></a>
     </p>
     <pre><code>    0.6.0
     1.0.0-beta+exp.sha.a1c44f85
@@ -3455,7 +3520,7 @@ <h5 id="322124-document-property---tracking---id-">
       The ID is a simple label that provides for a wide range of numbering values, types, and schemes. Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.
     </p>
     <p>
-      <em>Examples 1:</em><a id='document-property-tracking-id-eg-1'></a><a id='sec-3-2-2-12-4-eg-1'></a><a id='example-40'></a>
+      <em>Examples 1:</em><a id='document-property-tracking-id-eg-1'></a><a id='sec-3-2-2-12-4-eg-1'></a><a id='example-41'></a>
     </p>
     <pre><code>    Example Company - 2019-YH3234
     RHBA-2019:0024
@@ -3620,7 +3685,7 @@ <h4 id="3233-product-tree-property---product-groups-">
       The summary of the product group (<code>summary</code>) of value type <code>string</code> with 1 or more characters gives a short, optional description of the group.
     </p>
     <p>
-      <em>Examples 1:</em><a id='product-tree-property-product-groups-eg-1'></a><a id='sec-3-2-3-3-eg-1'></a><a id='example-41'></a>
+      <em>Examples 1:</em><a id='product-tree-property-product-groups-eg-1'></a><a id='sec-3-2-3-3-eg-1'></a><a id='example-42'></a>
     </p>
     <pre><code>    Products supporting Modbus.
     The x64 versions of the operating system.</code></pre>
@@ -3698,7 +3763,7 @@ <h4 id="3234-product-tree-property---relationships-">
       Relates to Product Reference (<code>relates_to_product_reference</code>) of value type Product ID (<code>product_id_t</code>) holds a Product ID that refers to the Full Product Name element, which is referenced as the second element of the relationship.
     </p>
     <p>
-      <em>Examples 1:</em><a id='product-tree-property-relationships-eg-1'></a><a id='sec-3-2-3-4-eg-1'></a><a id='example-42'></a>
+      <em>Examples 1:</em><a id='product-tree-property-relationships-eg-1'></a><a id='sec-3-2-3-4-eg-1'></a><a id='example-43'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -3851,7 +3916,7 @@ <h4 id="3243-vulnerabilities-property---cwes-">
       It holds the ID for the weakness associated.
     </p>
     <p>
-      <em>Examples 1:</em><a id='vulnerabilities-property-cwes-eg-1'></a><a id='sec-3-2-4-3-eg-1'></a><a id='example-43'></a>
+      <em>Examples 1:</em><a id='vulnerabilities-property-cwes-eg-1'></a><a id='sec-3-2-4-3-eg-1'></a><a id='example-44'></a>
     </p>
     <pre><code>    CWE-22
     CWE-352
@@ -3860,7 +3925,7 @@ <h4 id="3243-vulnerabilities-property---cwes-">
       The Weakness name (<code>name</code>) has value type <code>string</code> with 1 or more characters and holds the full name of the weakness as given in the CWE specification.
     </p>
     <p>
-      <em>Examples 2:</em><a id='vulnerabilities-property-cwes-eg-2'></a><a id='sec-3-2-4-3-eg-2'></a><a id='example-44'></a>
+      <em>Examples 2:</em><a id='vulnerabilities-property-cwes-eg-2'></a><a id='sec-3-2-4-3-eg-2'></a><a id='example-45'></a>
     </p>
     <pre><code>    Cross-Site Request Forgery (CSRF)
     Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
@@ -3873,7 +3938,7 @@ <h4 id="3243-vulnerabilities-property---cwes-">
       It holds the version string of the CWE specification this weakness was extracted from. When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.
     </p>
     <p>
-      <em>Examples 3:</em><a id='vulnerabilities-property-cwes-eg-3'></a><a id='sec-3-2-4-3-eg-3'></a><a id='example-45'></a>
+      <em>Examples 3:</em><a id='vulnerabilities-property-cwes-eg-3'></a><a id='sec-3-2-4-3-eg-3'></a><a id='example-46'></a>
     </p>
     <pre><code>    "1.0",
     "3.4.1",
@@ -3998,7 +4063,7 @@ <h4 id="3246-vulnerabilities-property---ids-">
       System name (<code>system_name</code>) of value type <code>string</code> with 1 or more characters indicates the name of the vulnerability tracking or numbering system.
     </p>
     <p>
-      <em>Examples 1:</em><a id='vulnerabilities-property-ids-eg-1'></a><a id='sec-3-2-4-6-eg-1'></a><a id='example-46'></a>
+      <em>Examples 1:</em><a id='vulnerabilities-property-ids-eg-1'></a><a id='sec-3-2-4-6-eg-1'></a><a id='example-47'></a>
     </p>
     <pre><code>    Cisco Bug ID
     GitHub Issue</code></pre>
@@ -4006,7 +4071,7 @@ <h4 id="3246-vulnerabilities-property---ids-">
       Text (<code>text</code>) of value type <code>string</code> with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists).
     </p>
     <p>
-      <em>Examples 2:</em><a id='vulnerabilities-property-ids-eg-2'></a><a id='sec-3-2-4-6-eg-2'></a><a id='example-47'></a>
+      <em>Examples 2:</em><a id='vulnerabilities-property-ids-eg-2'></a><a id='sec-3-2-4-6-eg-2'></a><a id='example-48'></a>
     </p>
     <pre><code>    CSCso66472
     oasis-tcs/csaf#210</code></pre>
@@ -4386,9 +4451,11 @@ <h5 id="324131-vulnerabilities-property---remediations---category-">
     <p>
       Category of the remediation (<code>category</code>) of value type <code>string</code> and <code>enum</code> specifies the category which this remediation belongs to. Valid values are:
     </p>
-    <pre><code>    mitigation
+    <pre><code>    fix_planned
+    mitigation
     no_fix_planned
     none_available
+    optional_patch
     vendor_fix
     workaround</code></pre>
     <p>
@@ -4400,21 +4467,416 @@ <h5 id="324131-vulnerabilities-property---remediations---category-">
       product. Mitigations MAY or MAY NOT be issued by the original author of the affected product, and they MAY or MAY NOT be officially sanctioned by the document producer.
     </p>
     <p>
-      The value <code>vendor_fix</code> indicates that the remediation contains information about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability. This value contradicts with the categories <code>none_available</code> and
-      <code>no_fix_planned</code> for the same product. Therefore, such a combination can't be used in the list of remediations.
+      The value <code>vendor_fix</code> indicates that the remediation contains information about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.
     </p>
     <p>
-      The value <code>none_available</code> indicates that there is currently no fix or other remediation available. The text in field <code>details</code> SHOULD contain details about why there is no fix or other remediation. The values <code>none_available</code> and <code>vendor_fix</code> are mutually exclusive per product.
+      The value <code>optional_patch</code> indicates that the remediation contains information about an patch that is issued by the original author of the affected product. Its application is not necessary, but might be desired by the user, e.g. to calm a security scanner by updating a dependency to a fixed version even though the dependency
+      in the affected version was used in the product in a way that the product itself was not affected. Unless otherwise noted, it is assumed that this does not change the state regarding the vulnerability.
     </p>
     <blockquote>
       <p>
-        An issuing party might choose to use this category to announce that a fix is currently developed. It is recommended that this also includes a date when a customer can expect the fix to be ready and distributed.
+        This is sometimes also referred to as a "regulatory compliance patch".
       </p>
     </blockquote>
+    <p>
+      The value <code>none_available</code> indicates that there is currently no fix or other remediation available. The text in field <code>details</code> SHOULD contain details about why there is no fix or other remediation.
+    </p>
+    <p>
+      The value <code>fix_planned</code> indicates that there is a fix for the vulnerability planned but not yet ready. An issuing party might choose to use this category to announce that a fix is currently developed. The text in field <code>details</code> SHOULD contain details including a date when a customer can expect the fix to be ready
+      and distributed.
+    </p>
     <p>
       The value <code>no_fix_planned</code> indicates that there is no fix for the vulnerability and it is not planned to provide one at any time. This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated. The text in field <code>details</code> SHOULD contain details about why there will be no fix
-      issued. The values <code>no_fix_planned</code> and <code>vendor_fix</code> are mutually exclusive per product.
+      issued.
+    </p>
+    <p>
+      Some category values contradict each other and thus are mutually exclusive per product. Therefore, such a combination MUST NOT be used in the list of remediations for the same product. This is independent from whether the product is referenced directly or indirectly through a product group. The following tables shows the allowed and
+      prohibited combinations:
     </p>
+    <table>
+      <thead>
+        <tr>
+          <th style="text-align: center;">
+            category value
+          </th>
+          <th style="text-align: center;">
+            <code>workaround</code>
+          </th>
+          <th style="text-align: center;">
+            <code>mitigation</code>
+          </th>
+          <th style="text-align: center;">
+            <code>vendor_fix</code>
+          </th>
+          <th style="text-align: center;">
+            <code>optional_patch</code>
+          </th>
+          <th style="text-align: center;">
+            <code>none_available</code>
+          </th>
+          <th style="text-align: center;">
+            <code>fix_planned</code>
+          </th>
+          <th style="text-align: center;">
+            <code>no_fix_planned</code>
+          </th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td style="text-align: center;">
+            <code>workaround</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>mitigation</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>vendor_fix</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>optional_patch</code>
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>none_available</code>
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>fix_planned</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>no_fix_planned</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+      </tbody>
+    </table>
+    <p>
+      Some category values contradict certain product status groups. Therefore, such a combination MUST NOT exist in a vulnerability item for the same product. This is independent from whether the product is referenced directly or indirectly through a product group. The following tables shows the allowed, discouraged and prohibited
+      combinations:
+    </p>
+    <table>
+      <thead>
+        <tr>
+          <th style="text-align: center;">
+            category value
+          </th>
+          <th style="text-align: center;">
+            Affected
+          </th>
+          <th style="text-align: center;">
+            Not Affected
+          </th>
+          <th style="text-align: center;">
+            Fixed
+          </th>
+          <th style="text-align: center;">
+            Under Investigation
+          </th>
+          <th style="text-align: center;">
+            Recommended
+          </th>
+        </tr>
+      </thead>
+      <tbody>
+        <tr>
+          <td style="text-align: center;">
+            <code>workaround</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            discouraged
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>mitigation</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            discouraged
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>vendor_fix</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            discouraged
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>optional_patch</code>
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            discouraged
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>none_available</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>fix_planned</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            discouraged
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            discouraged
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+        <tr>
+          <td style="text-align: center;">
+            <code>no_fix_planned</code>
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            discouraged
+          </td>
+          <td style="text-align: center;">
+            prohibited
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+          <td style="text-align: center;">
+            allowed
+          </td>
+        </tr>
+      </tbody>
+    </table>
     <h5 id="324132-vulnerabilities-property---remediations---date-">
       3.2.4.13.2 Vulnerabilities Property - Remediations - Date <a id='vulnerabilities-property-remediations-date'></a>
     </h5>
@@ -4941,7 +5403,7 @@ <h2 id="51-filename-">
       </li>
     </ol>
     <p>
-      <em>Examples 1:</em><a id='filename-eg-1'></a><a id='sec-5-1-eg-1'></a><a id='example-48'></a>
+      <em>Examples 1:</em><a id='filename-eg-1'></a><a id='sec-5-1-eg-1'></a><a id='example-49'></a>
     </p>
     <pre><code>  cisco-sa-20190513-secureboot.json
   example_company_-_2019-yh3234.json
@@ -4952,7 +5414,7 @@ <h2 id="51-filename-">
       </p>
     </blockquote>
     <p>
-      <em>Examples 2:</em><a id='filename-eg-2'></a><a id='sec-5-1-eg-2'></a><a id='example-49'></a>
+      <em>Examples 2:</em><a id='filename-eg-2'></a><a id='sec-5-1-eg-2'></a><a id='example-50'></a>
     </p>
     <pre><code>  cisco-sa-20190513-secureboot_invalid.json
   example_company_-_2019-yh3234_invalid.json
@@ -5038,7 +5500,7 @@ <h3 id="611-missing-definition-of-product-id-">
   /vulnerabilities[]/remediations[]/product_ids[]
   /vulnerabilities[]/threats[]/product_ids[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-definition-of-product-id-eg-1'></a><a id='sec-6-1-1-eg-1'></a><a id='example-50'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-definition-of-product-id-eg-1'></a><a id='sec-6-1-1-eg-1'></a><a id='example-51'></a>
     </p>
     <pre><code>  "product_tree": {
     "product_groups": [
@@ -5069,7 +5531,7 @@ <h3 id="612-multiple-definition-of-product-id-">
   /product_tree/full_product_names[]/product_id
   /product_tree/relationships[]/full_product_name/product_id</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-definition-of-product-id-eg-1'></a><a id='sec-6-1-2-eg-1'></a><a id='example-51'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-definition-of-product-id-eg-1'></a><a id='sec-6-1-2-eg-1'></a><a id='example-52'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5105,7 +5567,7 @@ <h3 id="613-circular-definition-of-product-id-">
       </p>
     </blockquote>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='circular-definition-of-product-id-eg-1'></a><a id='sec-6-1-3-eg-1'></a><a id='example-52'></a>
+      <em>Example 1 (which fails the test):</em><a id='circular-definition-of-product-id-eg-1'></a><a id='sec-6-1-3-eg-1'></a><a id='example-53'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5144,7 +5606,7 @@ <h3 id="614-missing-definition-of-product-group-id-">
     <pre><code>  /vulnerabilities[]/remediations[]/group_ids
   /vulnerabilities[]/threats[]/group_ids</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-4-eg-1'></a><a id='example-53'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-4-eg-1'></a><a id='example-54'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5183,7 +5645,7 @@ <h3 id="615-multiple-definition-of-product-group-id-">
     </p>
     <pre><code>    /product_tree/product_groups[]/group_id</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-5-eg-1'></a><a id='example-54'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-5-eg-1'></a><a id='example-55'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5266,7 +5728,7 @@ <h3 id="616-contradicting-product-status-">
       </p>
     </blockquote>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='contradicting-product-status-eg-1'></a><a id='sec-6-1-6-eg-1'></a><a id='example-55'></a>
+      <em>Example 1 (which fails the test):</em><a id='contradicting-product-status-eg-1'></a><a id='sec-6-1-6-eg-1'></a><a id='example-56'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5309,7 +5771,7 @@ <h3 id="617-multiple-scores-with-same-version-per-product-">
     </p>
     <pre><code>    /vulnerabilities[]/metrics[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-scores-with-same-version-per-product-eg-1'></a><a id='sec-6-1-7-eg-1'></a><a id='example-56'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-scores-with-same-version-per-product-eg-1'></a><a id='sec-6-1-7-eg-1'></a><a id='example-57'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5369,7 +5831,7 @@ <h3 id="618-invalid-cvss-">
   /vulnerabilities[]/metrics[]/content/cvss_v3
   /vulnerabilities[]/metrics[]/content/cvss_v4</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='invalid-cvss-eg-1'></a><a id='sec-6-1-8-eg-1'></a><a id='example-57'></a>
+      <em>Example 1 (which fails the test):</em><a id='invalid-cvss-eg-1'></a><a id='sec-6-1-8-eg-1'></a><a id='example-58'></a>
     </p>
     <pre><code>  "cvss_v3": {
     "version": "3.1",
@@ -5416,7 +5878,7 @@ <h3 id="619-invalid-cvss-computation-">
   /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalScore
   /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='invalid-cvss-computation-eg-1'></a><a id='sec-6-1-9-eg-1'></a><a id='example-58'></a>
+      <em>Example 1 (which fails the test):</em><a id='invalid-cvss-computation-eg-1'></a><a id='sec-6-1-9-eg-1'></a><a id='example-59'></a>
     </p>
     <pre><code>  "cvss_v3": {
     "version": "3.1",
@@ -5447,7 +5909,7 @@ <h3 id="6110-inconsistent-cvss-">
   /vulnerabilities[]/metrics[]/content/cvss_v3
   /vulnerabilities[]/metrics[]/content/cvss_v4</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='inconsistent-cvss-eg-1'></a><a id='sec-6-1-10-eg-1'></a><a id='example-59'></a>
+      <em>Example 1 (which fails the test):</em><a id='inconsistent-cvss-eg-1'></a><a id='sec-6-1-10-eg-1'></a><a id='example-60'></a>
     </p>
     <pre><code>  "cvss_v3": {
     "version": "3.1",
@@ -5484,7 +5946,7 @@ <h3 id="6111-cwe-">
     </p>
     <pre><code>    /vulnerabilities[]/cwes[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='cwe-eg-1'></a><a id='sec-6-1-11-eg-1'></a><a id='example-60'></a>
+      <em>Example 1 (which fails the test):</em><a id='cwe-eg-1'></a><a id='sec-6-1-11-eg-1'></a><a id='example-61'></a>
     </p>
     <pre><code>  "cwes": [
     {
@@ -5510,7 +5972,7 @@ <h3 id="6112-language-">
     <pre><code>  /document/lang
   /document/source_lang</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='language-eg-1'></a><a id='sec-6-1-12-eg-1'></a><a id='example-61'></a>
+      <em>Example 1 (which fails the test):</em><a id='language-eg-1'></a><a id='sec-6-1-12-eg-1'></a><a id='example-62'></a>
     </p>
     <pre><code>  "lang": "EZ"</code></pre>
     <blockquote>
@@ -5536,7 +5998,7 @@ <h3 id="6113-purl-">
   /product_tree/full_product_names[]/product_identification_helper/purl
   /product_tree/relationships[]/full_product_name/product_identification_helper/purl</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='purl-eg-1'></a><a id='sec-6-1-13-eg-1'></a><a id='example-62'></a>
+      <em>Example 1 (which fails the test):</em><a id='purl-eg-1'></a><a id='sec-6-1-13-eg-1'></a><a id='example-63'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5565,7 +6027,7 @@ <h3 id="6114-sorted-revision-history-">
     </p>
     <pre><code>    /document/tracking/revision_history</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='sorted-revision-history-eg-1'></a><a id='sec-6-1-14-eg-1'></a><a id='example-63'></a>
+      <em>Example 1 (which fails the test):</em><a id='sorted-revision-history-eg-1'></a><a id='sec-6-1-14-eg-1'></a><a id='example-64'></a>
     </p>
     <pre><code>  "revision_history": [
     {
@@ -5595,7 +6057,7 @@ <h3 id="6115-translator-">
     </p>
     <pre><code>    /document/source_lang</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='translator-eg-1'></a><a id='sec-6-1-15-eg-1'></a><a id='example-64'></a>
+      <em>Example 1 (which fails the test):</em><a id='translator-eg-1'></a><a id='sec-6-1-15-eg-1'></a><a id='example-65'></a>
     </p>
     <pre><code>  "document": {
     // ...
@@ -5624,7 +6086,7 @@ <h3 id="6116-latest-document-version-">
     </p>
     <pre><code>    /document/tracking/version</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='latest-document-version-eg-1'></a><a id='sec-6-1-16-eg-1'></a><a id='example-65'></a>
+      <em>Example 1 (which fails the test):</em><a id='latest-document-version-eg-1'></a><a id='sec-6-1-16-eg-1'></a><a id='example-66'></a>
     </p>
     <pre><code>  "tracking": {
     // ...
@@ -5659,7 +6121,7 @@ <h3 id="6117-document-status-draft-">
     </p>
     <pre><code>    /document/tracking/status</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='document-status-draft-eg-1'></a><a id='sec-6-1-17-eg-1'></a><a id='example-66'></a>
+      <em>Example 1 (which fails the test):</em><a id='document-status-draft-eg-1'></a><a id='sec-6-1-17-eg-1'></a><a id='example-67'></a>
     </p>
     <pre><code>    "tracking": {
       // ...
@@ -5682,7 +6144,7 @@ <h3 id="6118-released-revision-history-">
     </p>
     <pre><code>    /document/tracking/revision_history[]/number</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='released-revision-history-eg-1'></a><a id='sec-6-1-18-eg-1'></a><a id='example-67'></a>
+      <em>Example 1 (which fails the test):</em><a id='released-revision-history-eg-1'></a><a id='sec-6-1-18-eg-1'></a><a id='example-68'></a>
     </p>
     <pre><code>    "tracking": {
       // ...
@@ -5717,7 +6179,7 @@ <h3 id="6119-revision-history-entries-for-pre-release-versions-">
     </p>
     <pre><code>    /document/tracking/revision_history[]/number</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='revision-history-entries-for-pre-release-versions-eg-1'></a><a id='sec-6-1-19-eg-1'></a><a id='example-68'></a>
+      <em>Example 1 (which fails the test):</em><a id='revision-history-entries-for-pre-release-versions-eg-1'></a><a id='sec-6-1-19-eg-1'></a><a id='example-69'></a>
     </p>
     <pre><code>    "revision_history": [
       {
@@ -5747,7 +6209,7 @@ <h3 id="6120-non-draft-document-version-">
     </p>
     <pre><code>    /document/tracking/version</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='non-draft-document-version-eg-1'></a><a id='sec-6-1-20-eg-1'></a><a id='example-69'></a>
+      <em>Example 1 (which fails the test):</em><a id='non-draft-document-version-eg-1'></a><a id='sec-6-1-20-eg-1'></a><a id='example-70'></a>
     </p>
     <pre><code>    "tracking": {
       // ...
@@ -5771,7 +6233,7 @@ <h3 id="6121-missing-item-in-revision-history-">
     </p>
     <pre><code>    /document/tracking/revision_history</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-item-in-revision-history-eg-1'></a><a id='sec-6-1-21-eg-1'></a><a id='example-70'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-item-in-revision-history-eg-1'></a><a id='sec-6-1-21-eg-1'></a><a id='example-71'></a>
     </p>
     <pre><code>    "revision_history": [
       {
@@ -5801,7 +6263,7 @@ <h3 id="6122-multiple-definition-in-revision-history-">
     </p>
     <pre><code>    /document/tracking/revision_history</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-definition-in-revision-history-eg-1'></a><a id='sec-6-1-22-eg-1'></a><a id='example-71'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-definition-in-revision-history-eg-1'></a><a id='sec-6-1-22-eg-1'></a><a id='example-72'></a>
     </p>
     <pre><code>   "revision_history": [
       {
@@ -5831,7 +6293,7 @@ <h3 id="6123-multiple-use-of-same-cve-">
     </p>
     <pre><code>    /vulnerabilities[]/cve</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-use-of-same-cve-eg-1'></a><a id='sec-6-1-23-eg-1'></a><a id='example-72'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-use-of-same-cve-eg-1'></a><a id='sec-6-1-23-eg-1'></a><a id='example-73'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -5857,7 +6319,7 @@ <h3 id="6124-multiple-definition-in-involvements-">
     </p>
     <pre><code>    /vulnerabilities[]/involvements</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-definition-in-involvements-eg-1'></a><a id='sec-6-1-24-eg-1'></a><a id='example-73'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-definition-in-involvements-eg-1'></a><a id='sec-6-1-24-eg-1'></a><a id='example-74'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -5894,7 +6356,7 @@ <h3 id="6125-multiple-use-of-same-hash-algorithm-">
   /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-use-of-same-hash-algorithm-eg-1'></a><a id='sec-6-1-25-eg-1'></a><a id='example-74'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-use-of-same-hash-algorithm-eg-1'></a><a id='sec-6-1-25-eg-1'></a><a id='example-75'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -5954,7 +6416,7 @@ <h3 id="6126-prohibited-document-category-name-">
     </p>
     <pre><code>  /document/category</code></pre>
     <p>
-      <em>Examples 1 (for currently prohibited values):</em><a id='prohibited-document-category-name-eg-1'></a><a id='sec-6-1-26-eg-1'></a><a id='example-75'></a>
+      <em>Examples 1 (for currently prohibited values):</em><a id='prohibited-document-category-name-eg-1'></a><a id='sec-6-1-26-eg-1'></a><a id='example-76'></a>
     </p>
     <pre><code>  Csaf_a
   Informational Advisory
@@ -5963,7 +6425,7 @@ <h3 id="6126-prohibited-document-category-name-">
   veX
   V_eX</code></pre>
     <p>
-      <em>Example 2 (which fails the test):</em><a id='prohibited-document-category-name-eg-2'></a><a id='sec-6-1-26-eg-2'></a><a id='example-76'></a>
+      <em>Example 2 (which fails the test):</em><a id='prohibited-document-category-name-eg-2'></a><a id='sec-6-1-26-eg-2'></a><a id='example-77'></a>
     </p>
     <pre><code>  "category": "Security_Incident_Response"</code></pre>
     <blockquote>
@@ -5998,7 +6460,7 @@ <h4 id="61271-document-notes-">
     </p>
     <pre><code>  /document/notes</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='document-notes-eg-1'></a><a id='sec-6-1-27-1-eg-1'></a><a id='example-77'></a>
+      <em>Example 1 (which fails the test):</em><a id='document-notes-eg-1'></a><a id='sec-6-1-27-1-eg-1'></a><a id='example-78'></a>
     </p>
     <pre><code>  "notes": [
     {
@@ -6028,7 +6490,7 @@ <h4 id="61272-document-references-">
     </p>
     <pre><code>  /document/references</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='document-references-eg-1'></a><a id='sec-6-1-27-2-eg-1'></a><a id='example-78'></a>
+      <em>Example 1 (which fails the test):</em><a id='document-references-eg-1'></a><a id='sec-6-1-27-2-eg-1'></a><a id='example-79'></a>
     </p>
     <pre><code>  "references": [
     {
@@ -6057,7 +6519,7 @@ <h4 id="61273-vulnerabilities-">
     </p>
     <pre><code>  /vulnerabilities</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='vulnerabilities-for-informational-advisory-eg-1'></a><a id='sec-6-1-27-3-eg-1'></a><a id='example-79'></a>
+      <em>Example 1 (which fails the test):</em><a id='vulnerabilities-for-informational-advisory-eg-1'></a><a id='sec-6-1-27-3-eg-1'></a><a id='example-80'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -6090,7 +6552,7 @@ <h4 id="61274-product-tree-">
     </p>
     <pre><code>  /product_tree</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='product-tree-eg-1'></a><a id='sec-6-1-27-4-eg-1'></a><a id='example-80'></a>
+      <em>Example 1 (which fails the test):</em><a id='product-tree-eg-1'></a><a id='sec-6-1-27-4-eg-1'></a><a id='example-81'></a>
     </p>
     <pre><code>  {
     "document": {
@@ -6121,7 +6583,7 @@ <h4 id="61275-vulnerability-notes-">
     </p>
     <pre><code>  /vulnerabilities[]/notes</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='vulnerability-notes-eg-1'></a><a id='sec-6-1-27-5-eg-1'></a><a id='example-81'></a>
+      <em>Example 1 (which fails the test):</em><a id='vulnerability-notes-eg-1'></a><a id='sec-6-1-27-5-eg-1'></a><a id='example-82'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -6148,7 +6610,7 @@ <h4 id="61276-product-status-">
     </p>
     <pre><code>  /vulnerabilities[]/product_status</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='product-status-eg-1'></a><a id='sec-6-1-27-6-eg-1'></a><a id='example-82'></a>
+      <em>Example 1 (which fails the test):</em><a id='product-status-eg-1'></a><a id='sec-6-1-27-6-eg-1'></a><a id='example-83'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -6178,7 +6640,7 @@ <h4 id="61277-vex-product-status-">
   /vulnerabilities[]/product_status/known_not_affected
   /vulnerabilities[]/product_status/under_investigation</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='vex-product-status-eg-1'></a><a id='sec-6-1-27-7-eg-1'></a><a id='example-83'></a>
+      <em>Example 1 (which fails the test):</em><a id='vex-product-status-eg-1'></a><a id='sec-6-1-27-7-eg-1'></a><a id='example-84'></a>
     </p>
     <pre><code>  "product_status": {
     "first_fixed": [
@@ -6209,7 +6671,7 @@ <h4 id="61278-vulnerability-id-">
     <pre><code>  /vulnerabilities[]/cve
   /vulnerabilities[]/ids</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='vulnerability-id-eg-1'></a><a id='sec-6-1-27-8-eg-1'></a><a id='example-84'></a>
+      <em>Example 1 (which fails the test):</em><a id='vulnerability-id-eg-1'></a><a id='sec-6-1-27-8-eg-1'></a><a id='example-85'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -6237,7 +6699,7 @@ <h4 id="61279-impact-statement-">
     <pre><code>  /vulnerabilities[]/flags
   /vulnerabilities[]/threats</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='impact-statement-eg-1'></a><a id='sec-6-1-27-9-eg-1'></a><a id='example-85'></a>
+      <em>Example 1 (which fails the test):</em><a id='impact-statement-eg-1'></a><a id='sec-6-1-27-9-eg-1'></a><a id='example-86'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6308,7 +6770,7 @@ <h4 id="612710-action-statement-">
     </p>
     <pre><code>  /vulnerabilities[]/remediations</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='action-statement-eg-1'></a><a id='sec-6-1-27-10-eg-1'></a><a id='example-86'></a>
+      <em>Example 1 (which fails the test):</em><a id='action-statement-eg-1'></a><a id='sec-6-1-27-10-eg-1'></a><a id='example-87'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6381,7 +6843,7 @@ <h4 id="612711-vulnerabilities-">
     </p>
     <pre><code>  /vulnerabilities</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='vulnerabilities-for-security-advisory-or-vex-eg-1'></a><a id='sec-6-1-27-11-eg-1'></a><a id='example-87'></a>
+      <em>Example 1 (which fails the test):</em><a id='vulnerabilities-for-security-advisory-or-vex-eg-1'></a><a id='sec-6-1-27-11-eg-1'></a><a id='example-88'></a>
     </p>
     <pre><code>  {
     "document": {
@@ -6408,7 +6870,7 @@ <h3 id="6128-translation-">
     <pre><code>  /document/lang
   /document/source_lang</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='translation-eg-1'></a><a id='sec-6-1-28-eg-1'></a><a id='example-88'></a>
+      <em>Example 1 (which fails the test):</em><a id='translation-eg-1'></a><a id='sec-6-1-28-eg-1'></a><a id='example-89'></a>
     </p>
     <pre><code>  "document": {
     // ...
@@ -6441,7 +6903,7 @@ <h3 id="6129-remediation-without-product-reference-">
     </p>
     <pre><code>  /vulnerabilities[]/remediations[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='remediation-without-product-reference-eg-1'></a><a id='sec-6-1-29-eg-1'></a><a id='example-89'></a>
+      <em>Example 1 (which fails the test):</em><a id='remediation-without-product-reference-eg-1'></a><a id='sec-6-1-29-eg-1'></a><a id='example-90'></a>
     </p>
     <pre><code>      "remediations": [
         {
@@ -6471,7 +6933,7 @@ <h3 id="6130-mixed-integer-and-semantic-versioning-">
     <pre><code>  /document/tracking/revision_history[]/number
   /document/tracking/version</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='mixed-integer-and-semantic-versioning-eg-1'></a><a id='sec-6-1-30-eg-1'></a><a id='example-90'></a>
+      <em>Example 1 (which fails the test):</em><a id='mixed-integer-and-semantic-versioning-eg-1'></a><a id='sec-6-1-30-eg-1'></a><a id='example-91'></a>
     </p>
     <pre><code>    "tracking": {
       // ...
@@ -6527,7 +6989,7 @@ <h3 id="6131-version-range-in-product-version-">
     </p>
     <pre><code>  /product_tree/branches[](/branches[])*/name</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='version-range-in-product-version-eg-1'></a><a id='sec-6-1-31-eg-1'></a><a id='example-91'></a>
+      <em>Example 1 (which fails the test):</em><a id='version-range-in-product-version-eg-1'></a><a id='sec-6-1-31-eg-1'></a><a id='example-92'></a>
     </p>
     <pre><code>            "branches": [
               {
@@ -6552,7 +7014,7 @@ <h3 id="6132-flag-without-product-reference-">
     </p>
     <pre><code>  /vulnerabilities[]/flags[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='flag-without-product-reference-eg-1'></a><a id='sec-6-1-32-eg-1'></a><a id='example-92'></a>
+      <em>Example 1 (which fails the test):</em><a id='flag-without-product-reference-eg-1'></a><a id='sec-6-1-32-eg-1'></a><a id='example-93'></a>
     </p>
     <pre><code>      "flags": [
         {
@@ -6580,7 +7042,7 @@ <h3 id="6133-multiple-flags-with-vex-justification-codes-per-product-">
     </p>
     <pre><code>  /vulnerabilities[]/flags</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='multiple-flags-with-vex-justification-codes-per-product-eg-1'></a><a id='sec-6-1-33-eg-1'></a><a id='example-93'></a>
+      <em>Example 1 (which fails the test):</em><a id='multiple-flags-with-vex-justification-codes-per-product-eg-1'></a><a id='sec-6-1-33-eg-1'></a><a id='example-94'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6634,6 +7096,288 @@ <h3 id="6133-multiple-flags-with-vex-justification-codes-per-product-">
         There are two flags given for <code>CSAFPID-9080700</code> - one indirect through <code>CSAFGID-0001</code> and one direct.
       </p>
     </blockquote>
+    <h3 id="6134-branches-recursion-depth-">
+      6.1.34 Branches Recursion Depth <a id='mandatory-tests--branches-recursion-depth'></a>
+    </h3>
+    <p>
+      For each product defined under <code>/product_tree/branches[]</code> it MUST be tested that the complete JSON path does not contain more than 30 instances of <code>branches</code>.
+    </p>
+    <p>
+      The relevant path for this test is:
+    </p>
+    <pre><code>  /product_tree/branches[](/branches[])*/product</code></pre>
+    <p>
+      <em>Example 1 (which fails the test):</em><a id='mandatory-tests--branches-recursion-depth-eg-1'></a><a id='sec-6-1-34-eg-1'></a><a id='example-95'></a>
+    </p>
+    <pre><code>  "product_tree": {
+    "branches": [
+      {
+        "branches": [
+          {
+            "branches": [
+              {
+                "branches": [
+                  {
+                    "branches": [
+                      {
+                        "branches": [
+                          {
+                            "branches": [
+                              {
+                                "branches": [
+                                  {
+                                    "branches": [
+                                      {
+                                        "branches": [
+                                          {
+                                            "branches": [
+                                              {
+                                                "branches": [
+                                                  {
+                                                    "branches": [
+                                                      {
+                                                        "branches": [
+                                                          {
+                                                            "branches": [
+                                                              {
+                                                                "branches": [
+                                                                  {
+                                                                    "branches": [
+                                                                      {
+                                                                        "branches": [
+                                                                          {
+                                                                            "branches": [
+                                                                              {
+                                                                                "branches": [
+                                                                                  {
+                                                                                    "branches": [
+                                                                                      {
+                                                                                        "branches": [
+                                                                                          {
+                                                                                            "branches": [
+                                                                                              {
+                                                                                                "branches": [
+                                                                                                  {
+                                                                                                    "branches": [
+                                                                                                      {
+                                                                                                        "branches": [
+                                                                                                          {
+                                                                                                            "branches": [
+                                                                                                              {
+                                                                                                                "branches": [
+                                                                                                                  {
+                                                                                                                    "branches": [
+                                                                                                                      {
+                                                                                                                        "branches": [
+                                                                                                                          {
+                                                                                                                            "branches": [
+                                                                                                                              {
+                                                                                                                                "category": "product_name",
+                                                                                                                                "name": "branches",
+                                                                                                                                "product": {
+                                                                                                                                  "name": "&lt;&lt;generate Product name&gt;&gt;",
+                                                                                                                                  "product_id": "CSAFPID-9080700"
+                                                                                                                                }
+                                                                                                                              }
+                                                                                                                            ],
+                                                                                                                            "category": "product_family",
+                                                                                                                            "name": "31"
+                                                                                                                          }
+                                                                                                                        ],
+                                                                                                                        "category": "product_family",
+                                                                                                                        "name": "with"
+                                                                                                                      }
+                                                                                                                    ],
+                                                                                                                    "category": "product_family",
+                                                                                                                    "name": "test"
+                                                                                                                  }
+                                                                                                                ],
+                                                                                                                "category": "product_family",
+                                                                                                                "name": "the"
+                                                                                                              }
+                                                                                                            ],
+                                                                                                            "category": "product_family",
+                                                                                                            "name": "fail"
+                                                                                                          }
+                                                                                                        ],
+                                                                                                        "category": "product_family",
+                                                                                                        "name": "and"
+                                                                                                      }
+                                                                                                    ],
+                                                                                                    "category": "product_family",
+                                                                                                    "name": "limits"
+                                                                                                  }
+                                                                                                ],
+                                                                                                "category": "product_family",
+                                                                                                "name": "the"
+                                                                                              }
+                                                                                            ],
+                                                                                            "category": "product_family",
+                                                                                            "name": "testing"
+                                                                                          }
+                                                                                        ],
+                                                                                        "category": "product_family",
+                                                                                        "name": "are"
+                                                                                      }
+                                                                                    ],
+                                                                                    "category": "product_family",
+                                                                                    "name": "they"
+                                                                                  }
+                                                                                ],
+                                                                                "category": "product_family",
+                                                                                "name": "but"
+                                                                              }
+                                                                            ],
+                                                                            "category": "product_family",
+                                                                            "name": "unrealistic"
+                                                                          }
+                                                                        ],
+                                                                        "category": "product_family",
+                                                                        "name": "less"
+                                                                      }
+                                                                    ],
+                                                                    "category": "product_family",
+                                                                    "name": "or"
+                                                                  }
+                                                                ],
+                                                                "category": "product_family",
+                                                                "name": "more"
+                                                              }
+                                                            ],
+                                                            "category": "product_family",
+                                                            "name": "and"
+                                                          }
+                                                        ],
+                                                        "category": "product_family",
+                                                        "name": "unnecessary"
+                                                      }
+                                                    ],
+                                                    "category": "product_family",
+                                                    "name": "seem"
+                                                  }
+                                                ],
+                                                "category": "product_family",
+                                                "name": "which"
+                                              }
+                                            ],
+                                            "category": "product_family",
+                                            "name": "product"
+                                          }
+                                        ],
+                                        "category": "product_family",
+                                        "name": "hypothetical"
+                                      }
+                                    ],
+                                    "category": "product_family",
+                                    "name": "this"
+                                  }
+                                ],
+                                "category": "product_family",
+                                "name": "for"
+                              }
+                            ],
+                            "category": "product_family",
+                            "name": "structure"
+                          }
+                        ],
+                        "category": "product_family",
+                        "name": "nested"
+                      }
+                    ],
+                    "category": "product_family",
+                    "name": "deeply"
+                  }
+                ],
+                "category": "product_family",
+                "name": "a"
+              }
+            ],
+            "category": "product_family",
+            "name": "uses"
+          }
+        ],
+        "category": "vendor",
+        "name": "Example Company"
+      }
+    ]
+  }</code></pre>
+    <blockquote>
+      <p>
+        The complete JSON path contains 31 times <code>branches</code>.
+      </p>
+    </blockquote>
+    <h3 id="6135-contradicting-remediations-">
+      6.1.35 Contradicting Remediations <a id='contradicting-remediations'></a>
+    </h3>
+    <p>
+      For each item in <code>/vulnerabilities[]/remediations</code> it MUST be tested that a product is not member of contradicting remediation categories. This takes indirect relations through product groups into account.
+    </p>
+    <p>
+      The relevant path for this test is:
+    </p>
+    <pre><code>  /vulnerabilities[]/remediations[]</code></pre>
+    <p>
+      <em>Example 1 (which fails the test):</em><a id='contradicting-remediations-eg-1'></a><a id='sec-6-1-35-eg-1'></a><a id='example-96'></a>
+    </p>
+    <pre><code>      "remediations": [
+        {
+          "category": "no_fix_planned",
+          "details": "The product is end-of-life. Therefore, no fix will be provided.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        },
+        {
+          "category": "vendor_fix",
+          "details": "Update to version &gt;=14.3 to fix the vulnerability.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        }
+      ]</code></pre>
+    <blockquote>
+      <p>
+        The two remediations given for the product with product ID <code>CSAFPID-908070</code> contradict each other.
+      </p>
+    </blockquote>
+    <blockquote>
+      <p>
+        A tool MAY apply the conversion rules from the conformance target CSAF 2.0 to CSAF 2.1 converter if applicable or remove the product from the remediation with the lower priority. The priority MAY be defined as follows: <code>vendor_fix</code> &gt; <code>mitigation</code> &gt; <code>workaround</code> &gt; <code>fix_planned</code> &gt;
+        <code>no_fix_planned</code> &gt; <code>optional_patch</code> &gt; <code>none_available</code>
+      </p>
+    </blockquote>
+    <h3 id="6136-contradicting-product-status-remediation-combination-">
+      6.1.36 Contradicting Product Status Remediation Combination <a id='contradicting-product-status-remediation-combination'></a>
+    </h3>
+    <p>
+      For each item in <code>/vulnerabilities[]/remediations</code> it MUST be tested that a product is not member of a contradicting product status group. This takes indirect relations through product groups into account.
+    </p>
+    <p>
+      The relevant path for this test is:
+    </p>
+    <pre><code>  /vulnerabilities[]/remediations[]</code></pre>
+    <p>
+      <em>Example 1 (which fails the test):</em><a id='contradicting-product-status-remediation-combination-eg-1'></a><a id='sec-6-1-36-eg-1'></a><a id='example-97'></a>
+    </p>
+    <pre><code>      "product_status": {
+        "known_not_affected": [
+          "CSAFPID-9080700"
+        ]
+      },
+      "remediations": [
+        {
+          "category": "vendor_fix",
+          "details": "Update to version &gt;=14.3 to fix the vulnerability.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        }
+      ]</code></pre>
+    <blockquote>
+      <p>
+        For the product with product ID <code>CSAFPID-908070</code> a <code>vendor_fix</code> is given but the product was not affected at all.
+      </p>
+    </blockquote>
     <h2 id="62-optional-tests-">
       6.2 Optional Tests <a id='optional-tests'></a>
     </h2>
@@ -6656,7 +7400,7 @@ <h3 id="621-unused-definition-of-product-id-">
   /product_tree/full_product_names[]/product_id
   /product_tree/relationships[]/full_product_name/product_id</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='unused-definition-of-product-id-eg-1'></a><a id='sec-6-2-1-eg-1'></a><a id='example-94'></a>
+      <em>Example 1 (which fails the test):</em><a id='unused-definition-of-product-id-eg-1'></a><a id='sec-6-2-1-eg-1'></a><a id='example-98'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6695,7 +7439,7 @@ <h3 id="622-missing-remediation-">
   /vulnerabilities[]/product_status/last_affected[]
   /vulnerabilities[]/product_status/under_investigation[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-remediation-eg-1'></a><a id='sec-6-2-2-eg-1'></a><a id='example-95'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-remediation-eg-1'></a><a id='sec-6-2-2-eg-1'></a><a id='example-99'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6732,7 +7476,7 @@ <h3 id="623-missing-metric-">
   /vulnerabilities[]/product_status/known_affected[]
   /vulnerabilities[]/product_status/last_affected[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-metric-eg-1'></a><a id='sec-6-2-3-eg-1'></a><a id='example-96'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-metric-eg-1'></a><a id='sec-6-2-3-eg-1'></a><a id='example-100'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6767,7 +7511,7 @@ <h3 id="624-build-metadata-in-revision-history-">
     </p>
     <pre><code>    /document/tracking/revision_history[]/number</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='build-metadata-in-revision-history-eg-1'></a><a id='sec-6-2-4-eg-1'></a><a id='example-97'></a>
+      <em>Example 1 (which fails the test):</em><a id='build-metadata-in-revision-history-eg-1'></a><a id='sec-6-2-4-eg-1'></a><a id='example-101'></a>
     </p>
     <pre><code>    "revision_history": [
       {
@@ -6792,7 +7536,7 @@ <h3 id="625-older-initial-release-date-than-revision-history-">
     </p>
     <pre><code>    /document/tracking/initial_release_date</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='older-initial-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-5-eg-1'></a><a id='example-98'></a>
+      <em>Example 1 (which fails the test):</em><a id='older-initial-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-5-eg-1'></a><a id='example-102'></a>
     </p>
     <pre><code>    "tracking": {
       // ...
@@ -6827,7 +7571,7 @@ <h3 id="626-older-current-release-date-than-revision-history-">
     </p>
     <pre><code>    /document/tracking/current_release_date</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='older-current-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-6-eg-1'></a><a id='example-99'></a>
+      <em>Example 1 (which fails the test):</em><a id='older-current-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-6-eg-1'></a><a id='example-103'></a>
     </p>
     <pre><code>    "tracking": {
       "current_release_date": "2023-09-06T10:00:00.000Z",
@@ -6862,7 +7606,7 @@ <h3 id="627-missing-date-in-involvements-">
     </p>
     <pre><code>    /vulnerabilities[]/involvements</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-date-in-involvements-eg-1'></a><a id='sec-6-2-7-eg-1'></a><a id='example-100'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-date-in-involvements-eg-1'></a><a id='sec-6-2-7-eg-1'></a><a id='example-104'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -6897,7 +7641,7 @@ <h3 id="628-use-of-md5-as-the-only-hash-algorithm-">
   /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-md5-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-8-eg-1'></a><a id='example-101'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-md5-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-8-eg-1'></a><a id='example-105'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6943,7 +7687,7 @@ <h3 id="629-use-of-sha-1-as-the-only-hash-algorithm-">
   /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-sha-1-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-9-eg-1'></a><a id='example-102'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-sha-1-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-9-eg-1'></a><a id='example-106'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -6971,30 +7715,12 @@ <h3 id="629-use-of-sha-1-as-the-only-hash-algorithm-">
         The hash algorithm <code>sha1</code> is used in one item of hashes without being accompanied by a second hash algorithm.
       </p>
     </blockquote>
-    <h3 id="6210-missing-tlp-label-deprecated-">
-      6.2.10 Missing TLP label (deprecated) <a id='missing-tlp-label'></a>
+    <h3 id="6210-missing-tlp-label-obsolete-">
+      6.2.10 Missing TLP label (obsolete) <a id='missing-tlp-label'></a>
     </h3>
-    <p>
-      It MUST be tested that <code>/document/distribution/tlp/label</code> is present and valid.
-    </p>
-    <blockquote>
-      <p>
-        TLP labels support the machine-readability and automated distribution.
-      </p>
-    </blockquote>
-    <p>
-      The relevant path for this test is:
-    </p>
-    <pre><code>  /document/distribution/tlp/label</code></pre>
-    <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-tlp-label-eg-1'></a><a id='sec-6-2-10-eg-1'></a><a id='example-103'></a>
-    </p>
-    <pre><code>    "distribution": {
-      "text": "Distribute freely."
-    }</code></pre>
     <blockquote>
       <p>
-        The CSAF document has no TLP label.
+        The TLP label is now required by the schema. Therefore, the optional test is obsolete. This section is kept to document that change and keep the numbering of the remaining sections stable.
       </p>
     </blockquote>
     <h3 id="6211-missing-canonical-url-">
@@ -7021,7 +7747,7 @@ <h3 id="6211-missing-canonical-url-">
     </p>
     <pre><code>  /document/references</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-canonical-url-eg-1'></a><a id='sec-6-2-11-eg-1'></a><a id='example-104'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-canonical-url-eg-1'></a><a id='sec-6-2-11-eg-1'></a><a id='example-108'></a>
     </p>
     <pre><code>  "document": {
     // ...
@@ -7057,7 +7783,7 @@ <h3 id="6212-missing-document-language-">
     </p>
     <pre><code>  /document/lang</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-document-language-eg-1'></a><a id='sec-6-2-12-eg-1'></a><a id='example-105'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-document-language-eg-1'></a><a id='sec-6-2-12-eg-1'></a><a id='example-109'></a>
     </p>
     <pre><code>  "document": {
     "category": "csaf_base",
@@ -7088,7 +7814,7 @@ <h3 id="6213-sorting-">
     </p>
     <pre><code>  /</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='optional-tests--sorting-eg-1'></a><a id='sec-6-2-13-eg-1'></a><a id='example-106'></a>
+      <em>Example 1 (which fails the test):</em><a id='optional-tests--sorting-eg-1'></a><a id='sec-6-2-13-eg-1'></a><a id='example-110'></a>
     </p>
     <pre><code>  "document": {
     "csaf_version": "2.1",
@@ -7117,7 +7843,7 @@ <h3 id="6214-use-of-private-language-">
     <pre><code>  /document/lang
   /document/source_lang</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-private-language-eg-1'></a><a id='sec-6-2-14-eg-1'></a><a id='example-107'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-private-language-eg-1'></a><a id='sec-6-2-14-eg-1'></a><a id='example-111'></a>
     </p>
     <pre><code>  "lang": "qtx"</code></pre>
     <blockquote>
@@ -7142,7 +7868,7 @@ <h3 id="6215-use-of-default-language-">
     <pre><code>  /document/lang
   /document/source_lang</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-default-language-eg-1'></a><a id='sec-6-2-15-eg-1'></a><a id='example-108'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-default-language-eg-1'></a><a id='sec-6-2-15-eg-1'></a><a id='example-112'></a>
     </p>
     <pre><code>  "lang": "i-default"</code></pre>
     <blockquote>
@@ -7168,7 +7894,7 @@ <h3 id="6216-missing-product-identification-helper-">
   /product_tree/full_product_names[]
   /product_tree/relationships[]/full_product_name</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-product-identification-helper-eg-1'></a><a id='sec-6-2-16-eg-1'></a><a id='example-109'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-product-identification-helper-eg-1'></a><a id='sec-6-2-16-eg-1'></a><a id='example-113'></a>
     </p>
     <pre><code>    "full_product_names": [
       {
@@ -7197,7 +7923,7 @@ <h3 id="6217-cve-in-field-ids-">
     </p>
     <pre><code>  /vulnerabilities[]/ids[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='cve-in-field-ids-eg-1'></a><a id='sec-6-2-17-eg-1'></a><a id='example-110'></a>
+      <em>Example 1 (which fails the test):</em><a id='cve-in-field-ids-eg-1'></a><a id='sec-6-2-17-eg-1'></a><a id='example-114'></a>
     </p>
     <pre><code>      "ids": [
         {
@@ -7232,7 +7958,7 @@ <h3 id="6218-product-version-range-without-vers-">
     </p>
     <pre><code>  /product_tree/branches[](/branches[])*/name</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='product-version-range-without-vers-eg-1'></a><a id='sec-6-2-18-eg-1'></a><a id='example-111'></a>
+      <em>Example 1 (which fails the test):</em><a id='product-version-range-without-vers-eg-1'></a><a id='sec-6-2-18-eg-1'></a><a id='example-115'></a>
     </p>
     <pre><code>            "branches": [
               {
@@ -7259,7 +7985,7 @@ <h3 id="6219-cvss-for-fixed-products-">
     <pre><code>  /vulnerabilities[]/product_status/first_fixed[]
   /vulnerabilities[]/product_status/fixed[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='cvss-for-fixed-products-eg-1'></a><a id='sec-6-2-19-eg-1'></a><a id='example-112'></a>
+      <em>Example 1 (which fails the test):</em><a id='cvss-for-fixed-products-eg-1'></a><a id='sec-6-2-19-eg-1'></a><a id='example-116'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -7319,7 +8045,7 @@ <h3 id="6220-additional-properties-">
       </p>
     </blockquote>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='additional-properties-eg-1'></a><a id='sec-6-2-20-eg-1'></a><a id='example-113'></a>
+      <em>Example 1 (which fails the test):</em><a id='additional-properties-eg-1'></a><a id='sec-6-2-20-eg-1'></a><a id='example-117'></a>
     </p>
     <pre><code>  "document": {
     "category": "csaf_base",
@@ -7348,7 +8074,7 @@ <h3 id="6221-same-timestamps-in-revision-history-">
     </p>
     <pre><code>  /document/tracking/revision_history[]/date</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='same-timestamps-in-revision-history-eg-1'></a><a id='sec-6-2-21-eg-1'></a><a id='example-114'></a>
+      <em>Example 1 (which fails the test):</em><a id='same-timestamps-in-revision-history-eg-1'></a><a id='sec-6-2-21-eg-1'></a><a id='example-118'></a>
     </p>
     <pre><code>  "revision_history": [
     {
@@ -7378,7 +8104,7 @@ <h3 id="6222-document-tracking-id-in-title-">
     </p>
     <pre><code>  /document/title</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='document-tracking-id-in-title-eg-1'></a><a id='sec-6-2-22-eg-1'></a><a id='example-115'></a>
+      <em>Example 1 (which fails the test):</em><a id='document-tracking-id-in-title-eg-1'></a><a id='sec-6-2-22-eg-1'></a><a id='example-119'></a>
     </p>
     <pre><code>    "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)",
     "tracking": {
@@ -7407,7 +8133,7 @@ <h3 id="6223-usage-of-deprecated-cwe-">
     </p>
     <pre><code>  /vulnerabilities[]/cwes[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='usage-of-deprecated-cwe-eg-1'></a><a id='sec-6-2-23-eg-1'></a><a id='example-116'></a>
+      <em>Example 1 (which fails the test):</em><a id='usage-of-deprecated-cwe-eg-1'></a><a id='sec-6-2-23-eg-1'></a><a id='example-120'></a>
     </p>
     <pre><code>     "cwes": [
         {
@@ -7437,7 +8163,7 @@ <h3 id="6224-usage-of-non-latest-cwe-version-">
     </p>
     <pre><code>  /vulnerabilities[]/cwes[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='usage-of-non-latest-cwe-version-eg-1'></a><a id='sec-6-2-24-eg-1'></a><a id='example-117'></a>
+      <em>Example 1 (which fails the test):</em><a id='usage-of-non-latest-cwe-version-eg-1'></a><a id='sec-6-2-24-eg-1'></a><a id='example-121'></a>
     </p>
     <pre><code>  "document": {
     // ...
@@ -7483,7 +8209,7 @@ <h3 id="6225-usage-of-cwe-not-allowed-for-vulnerability-mapping-">
     </p>
     <pre><code>  /vulnerabilities[]/cwes[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-25-eg-1'></a><a id='example-118'></a>
+      <em>Example 1 (which fails the test):</em><a id='usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-25-eg-1'></a><a id='example-122'></a>
     </p>
     <pre><code>      "cwes": [
         {
@@ -7513,7 +8239,7 @@ <h3 id="6226-usage-of-cwe-allowed-with-review-for-vulnerability-mapping-">
     </p>
     <pre><code>  /vulnerabilities[]/cwes[]</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-26-eg-1'></a><a id='example-119'></a>
+      <em>Example 1 (which fails the test):</em><a id='usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-26-eg-1'></a><a id='example-123'></a>
     </p>
     <pre><code>      "cwes": [
         {
@@ -7527,6 +8253,38 @@ <h3 id="6226-usage-of-cwe-allowed-with-review-for-vulnerability-mapping-">
         The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". <a href="https://cwe.mitre.org/data/definitions/1023.html#Vulnerability_Mapping_Notes_1023">cite</a>
       </p>
     </blockquote>
+    <h3 id="6227-discouraged-product-status-remediation-combination-">
+      6.2.27 Discouraged Product Status Remediation Combination <a id='discouraged-product-status-remediation-combination'></a>
+    </h3>
+    <p>
+      For each item in <code>/vulnerabilities[]/remediations</code> it MUST be tested that a Product is not member of a discouraged product status group remediation category combination. This takes indirect relations through Product Groups into account.
+    </p>
+    <p>
+      The relevant path for this test is:
+    </p>
+    <pre><code>  /vulnerabilities[]/remediations[]</code></pre>
+    <p>
+      <em>Example 1 (which fails the test):</em><a id='discouraged-product-status-remediation-combination-eg-1'></a><a id='sec-6-2-27-eg-1'></a><a id='example-124'></a>
+    </p>
+    <pre><code>      "product_status": {
+        "known_not_affected": [
+          "CSAFPID-9080700"
+        ]
+      },
+      "remediations": [
+        {
+          "category": "fix_planned",
+          "details": "The fix should be available in Q4 2024.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        }
+      ]</code></pre>
+    <blockquote>
+      <p>
+        For the product with product ID <code>CSAFPID-908070</code> a fix is planned but the product was not affected at all.
+      </p>
+    </blockquote>
     <h2 id="63-informative-test-">
       6.3 Informative Test <a id='informative-test'></a>
     </h2>
@@ -7550,7 +8308,7 @@ <h3 id="631-use-of-cvss-v2-as-the-only-scoring-system-">
     </p>
     <pre><code>    /vulnerabilities[]/metrics</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-cvss-v2-as-the-only-scoring-system-eg-1'></a><a id='sec-6-3-1-eg-1'></a><a id='example-120'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-cvss-v2-as-the-only-scoring-system-eg-1'></a><a id='sec-6-3-1-eg-1'></a><a id='example-125'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -7601,7 +8359,7 @@ <h3 id="632-use-of-cvss-v30-">
     <pre><code>  /vulnerabilities[]/metrics[]/content/cvss_v3/version
   /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-cvss-v3-0-eg-1'></a><a id='sec-6-3-2-eg-1'></a><a id='example-121'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-cvss-v3-0-eg-1'></a><a id='sec-6-3-2-eg-1'></a><a id='example-126'></a>
     </p>
     <pre><code>  "cvss_v3": {
     "version": "3.0",
@@ -7637,7 +8395,7 @@ <h3 id="633-missing-cve-">
     </p>
     <pre><code>  /vulnerabilities[]/cve</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-cve-eg-1'></a><a id='sec-6-3-3-eg-1'></a><a id='example-122'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-cve-eg-1'></a><a id='sec-6-3-3-eg-1'></a><a id='example-127'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -7666,7 +8424,7 @@ <h3 id="634-missing-cwe-">
     </p>
     <pre><code>  /vulnerabilities[]/cwe</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-cwe-eg-1'></a><a id='sec-6-3-4-eg-1'></a><a id='example-123'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-cwe-eg-1'></a><a id='sec-6-3-4-eg-1'></a><a id='example-128'></a>
     </p>
     <pre><code>  "vulnerabilities": [
     {
@@ -7692,7 +8450,7 @@ <h3 id="635-use-of-short-hash-">
   /product_tree/full_product_names[]/product_identification_helper/hashes[]/file_hashes[]/value
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-short-hash-eg-1'></a><a id='sec-6-3-5-eg-1'></a><a id='example-124'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-short-hash-eg-1'></a><a id='sec-6-3-5-eg-1'></a><a id='example-129'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -7755,7 +8513,7 @@ <h3 id="636-use-of-non-self-referencing-urls-failing-to-resolve-">
   /vulnerabilities[]/references[]/url
   /vulnerabilities[]/remediations[]/url</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-non-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-6-eg-1'></a><a id='example-125'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-non-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-6-eg-1'></a><a id='example-130'></a>
     </p>
     <pre><code>    "references": [
       {
@@ -7785,7 +8543,7 @@ <h3 id="637-use-of-self-referencing-urls-failing-to-resolve-">
     <pre><code>  /document/references[]/url
   /vulnerabilities[]/references[]/url</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='use-of-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-7-eg-1'></a><a id='example-126'></a>
+      <em>Example 1 (which fails the test):</em><a id='use-of-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-7-eg-1'></a><a id='example-131'></a>
     </p>
     <pre><code>    "references": [
       {
@@ -7846,7 +8604,7 @@ <h3 id="638-spell-check-">
   /vulnerabilities[]/threats[]/details
   /vulnerabilities[]/title</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='spell-check-eg-1'></a><a id='sec-6-3-8-eg-1'></a><a id='example-127'></a>
+      <em>Example 1 (which fails the test):</em><a id='spell-check-eg-1'></a><a id='sec-6-3-8-eg-1'></a><a id='example-132'></a>
     </p>
     <pre><code>  "document": {
     // ...
@@ -7881,7 +8639,7 @@ <h3 id="639-branch-categories-">
     </p>
     <pre><code>  /product_tree/branches</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='branch-categories-eg-1'></a><a id='sec-6-3-9-eg-1'></a><a id='example-128'></a>
+      <em>Example 1 (which fails the test):</em><a id='branch-categories-eg-1'></a><a id='sec-6-3-9-eg-1'></a><a id='example-133'></a>
     </p>
     <pre><code>    "branches": [
       {
@@ -7926,7 +8684,7 @@ <h3 id="6310-usage-of-product-version-range-">
     </p>
     <pre><code>  /product_tree/branches[](/branches[])*/category</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='usage-of-product-version-range-eg-1'></a><a id='sec-6-3-10-eg-1'></a><a id='example-129'></a>
+      <em>Example 1 (which fails the test):</em><a id='usage-of-product-version-range-eg-1'></a><a id='sec-6-3-10-eg-1'></a><a id='example-134'></a>
     </p>
     <pre><code>                "category": "product_version_range",</code></pre>
     <blockquote>
@@ -7951,7 +8709,7 @@ <h3 id="6311-usage-of-v-as-version-indicator-">
     </p>
     <pre><code>  /product_tree/branches[](/branches[])*/name</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='usage-of-v-as-version-indicator-eg-1'></a><a id='sec-6-3-11-eg-1'></a><a id='example-130'></a>
+      <em>Example 1 (which fails the test):</em><a id='usage-of-v-as-version-indicator-eg-1'></a><a id='sec-6-3-11-eg-1'></a><a id='example-135'></a>
     </p>
     <pre><code>            "branches": [
               {
@@ -7976,7 +8734,7 @@ <h3 id="6312-missing-cvss-v40-">
     </p>
     <pre><code>    /vulnerabilities[]/metrics[]/content</code></pre>
     <p>
-      <em>Example 1 (which fails the test):</em><a id='missing-cvss-v4-0-eg-1'></a><a id='sec-6-3-12-eg-1'></a><a id='example-131'></a>
+      <em>Example 1 (which fails the test):</em><a id='missing-cvss-v4-0-eg-1'></a><a id='sec-6-3-12-eg-1'></a><a id='example-136'></a>
     </p>
     <pre><code>  "product_tree": {
     "full_product_names": [
@@ -8075,6 +8833,9 @@ <h3 id="716-requirement-6-no-redirects-">
         Reasoning: Clients should not parse the payload for navigation and some, as e.g. <code>curl</code>, do not follow any other kind of redirects.
       </p>
     </blockquote>
+    <p>
+      If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects.
+    </p>
     <h3 id="717-requirement-7-provider-metadatajson-">
       7.1.7 Requirement 7: provider-metadata.json <a id='requirement-7-provider-metadata-json'></a>
     </h3>
@@ -8107,7 +8868,7 @@ <h3 id="717-requirement-7-provider-metadatajson-">
       </ul>
     </blockquote>
     <p>
-      <em>Example 1 (minimal with ROLIE document):</em><a id='requirement-7-provider-metadata-json-eg-1'></a><a id='sec-7-1-7-eg-1'></a><a id='example-132'></a>
+      <em>Example 1 (minimal with ROLIE document):</em><a id='requirement-7-provider-metadata-json-eg-1'></a><a id='sec-7-1-7-eg-1'></a><a id='example-137'></a>
     </p>
     <pre><code>  {
     "canonical_url": "https://www.example.com/.well-known/csaf/provider-metadata.json",
@@ -8161,11 +8922,11 @@ <h3 id="718-requirement-8-securitytxt-">
     </p>
     <blockquote>
       <p>
-        The security.txt was published as [<a href="#RFC9116">RFC9116</a>] in April 2022. At the time of this writing, the <code>CSAF</code> field is in the process of being officially added.
+        The security.txt was published as [<a href="#RFC9116">RFC9116</a>] in April 2022. The <code>CSAF</code> field was officially added through the IANA registry.
       </p>
     </blockquote>
     <p>
-      <em>Examples 1:</em><a id='requirement-8-security-txt-eg-1'></a><a id='sec-7-1-8-eg-1'></a><a id='example-133'></a>
+      <em>Examples 1:</em><a id='requirement-8-security-txt-eg-1'></a><a id='sec-7-1-8-eg-1'></a><a id='example-138'></a>
     </p>
     <pre><code>CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
 CSAF: https://psirt.domain.tld/advisories/csaf/provider-metadata.json
@@ -8179,17 +8940,18 @@ <h3 id="719-requirement-9-well-known-url-for-provider-metadatajson-">
       7.1.9 Requirement 9: Well-known URL for provider-metadata.json <a id='requirement-9-well-known-url-for-provider-metadata-json'></a>
     </h3>
     <p>
-      The URL path <code>/.well-known/csaf/provider-metadata.json</code> under the main domain of the issuing authority serves directly the <code>provider-metadata.json</code> according to requirement 7. The use of the scheme "HTTPS" is required. See [<a href="#RFC8615">RFC8615</a>] for more details.
+      The URL path <code>/.well-known/csaf/provider-metadata.json</code> under the main domain of the issuing authority serves directly the <code>provider-metadata.json</code> according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. See [<a href="#RFC8615">RFC8615</a>] for more
+      details.
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-9-well-known-url-for-provider-metadata-json-eg-1'></a><a id='sec-7-1-9-eg-1'></a><a id='example-134'></a>
+      <em>Example 1:</em><a id='requirement-9-well-known-url-for-provider-metadata-json-eg-1'></a><a id='sec-7-1-9-eg-1'></a><a id='example-139'></a>
     </p>
     <pre><code>  https://www.example.com/.well-known/csaf/provider-metadata.json</code></pre>
     <h3 id="7110-requirement-10-dns-path-">
       7.1.10 Requirement 10: DNS path <a id='requirement-10-dns-path'></a>
     </h3>
     <p>
-      The DNS record <code>csaf.data.security.domain.tld</code> SHALL resolve as a web server which serves directly the <code>provider-metadata.json</code> according to requirement 7. The use of the scheme "HTTPS" is required.
+      The DNS record <code>csaf.data.security.domain.tld</code> SHALL resolve as a web server which serves directly the <code>provider-metadata.json</code> according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required.
     </p>
     <h3 id="7111-requirement-11-one-folder-per-year-">
       7.1.11 Requirement 11: One folder per year <a id='requirement-11-one-folder-per-year'></a>
@@ -8198,7 +8960,7 @@ <h3 id="7111-requirement-11-one-folder-per-year-">
       The CSAF documents MUST be located within folders named <code>&lt;YYYY&gt;</code> where <code>&lt;YYYY&gt;</code> is the year given in the value of <code>/document/tracking/initial_release_date</code>.
     </p>
     <p>
-      <em>Examples 1:</em><a id='requirement-11-one-folder-per-year-eg-1'></a><a id='sec-7-1-11-eg-1'></a><a id='example-135'></a>
+      <em>Examples 1:</em><a id='requirement-11-one-folder-per-year-eg-1'></a><a id='sec-7-1-11-eg-1'></a><a id='example-140'></a>
     </p>
     <pre><code>2024
 2023</code></pre>
@@ -8209,7 +8971,7 @@ <h3 id="7112-requirement-12-indextxt-">
       The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-12-index-txt-eg-1'></a><a id='sec-7-1-12-eg-1'></a><a id='example-136'></a>
+      <em>Example 1:</em><a id='requirement-12-index-txt-eg-1'></a><a id='sec-7-1-12-eg-1'></a><a id='example-141'></a>
     </p>
     <pre><code>2023/esa-2023-09953.json
 2022/esa-2022-02723.json
@@ -8227,7 +8989,7 @@ <h3 id="7113-requirement-13-changescsv-">
       The file changes.csv MUST contain the filename as well as the value of <code>/document/tracking/current_release_date</code> for each CSAF document in the sub-directories without a heading; lines MUST be sorted by the <code>current_release_date</code> timestamp with the latest one first.
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-13-changes-csv-eg-1'></a><a id='sec-7-1-13-eg-1'></a><a id='example-137'></a>
+      <em>Example 1:</em><a id='requirement-13-changes-csv-eg-1'></a><a id='sec-7-1-13-eg-1'></a><a id='example-142'></a>
     </p>
     <pre><code>"2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
 "2021/esa-2021-03676.json","2023-07-01T10:09:01Z"
@@ -8258,7 +9020,7 @@ <h3 id="7115-requirement-15-rolie-feed-">
       MUST exist. Each ROLIE feed document MUST be a JSON file that conforms with [<a href="#RFC8322">RFC8322</a>].
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-15-rolie-feed-eg-1'></a><a id='sec-7-1-15-eg-1'></a><a id='example-138'></a>
+      <em>Example 1:</em><a id='requirement-15-rolie-feed-eg-1'></a><a id='sec-7-1-15-eg-1'></a><a id='example-143'></a>
     </p>
     <pre><code>  {
     "feed": {
@@ -8324,7 +9086,7 @@ <h3 id="7116-requirement-16-rolie-service-document-">
       the filename <code>service.json</code> and reside next to the <code>provider-metadata.json</code>.
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-16-rolie-service-document-eg-1'></a><a id='sec-7-1-16-eg-1'></a><a id='example-139'></a>
+      <em>Example 1:</em><a id='requirement-16-rolie-service-document-eg-1'></a><a id='sec-7-1-16-eg-1'></a><a id='example-144'></a>
     </p>
     <pre><code>  {
     "service": {
@@ -8391,7 +9153,7 @@ <h3 id="7117-requirement-17-rolie-category-document-">
           type of product
         </p>
         <p>
-          <em>Examples 1:</em><a id='requirement-17-rolie-category-document-eg-1'></a><a id='sec-7-1-17-eg-1'></a><a id='example-140'></a>
+          <em>Examples 1:</em><a id='requirement-17-rolie-category-document-eg-1'></a><a id='sec-7-1-17-eg-1'></a><a id='example-145'></a>
         </p>
         <pre><code>  CPU
   Firewall
@@ -8407,7 +9169,7 @@ <h3 id="7117-requirement-17-rolie-category-document-">
           areas or sectors, the products are used in
         </p>
         <p>
-          <em>Examples 2:</em><a id='requirement-17-rolie-category-document-eg-2'></a><a id='sec-7-1-17-eg-2'></a><a id='example-141'></a>
+          <em>Examples 2:</em><a id='requirement-17-rolie-category-document-eg-2'></a><a id='sec-7-1-17-eg-2'></a><a id='example-146'></a>
         </p>
         <pre><code>  Chemical
   Commercial
@@ -8425,7 +9187,7 @@ <h3 id="7117-requirement-17-rolie-category-document-">
       </li>
     </ul>
     <p>
-      <em>Example 3:</em><a id='requirement-17-rolie-category-document-eg-3'></a><a id='sec-7-1-17-eg-3'></a><a id='example-142'></a>
+      <em>Example 3:</em><a id='requirement-17-rolie-category-document-eg-3'></a><a id='sec-7-1-17-eg-3'></a><a id='example-147'></a>
     </p>
     <pre><code>  {
     "categories": {
@@ -8449,7 +9211,7 @@ <h3 id="7118-requirement-18-integrity-">
       MD5 and SHA1 SHOULD NOT be used.
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-18-integrity-eg-1'></a><a id='sec-7-1-18-eg-1'></a><a id='example-143'></a>
+      <em>Example 1:</em><a id='requirement-18-integrity-eg-1'></a><a id='sec-7-1-18-eg-1'></a><a id='example-148'></a>
     </p>
     <pre><code>File name of CSAF document: esa-2022-02723.json
 File name of SHA-256 hash file: esa-2022-02723.json.sha256
@@ -8458,7 +9220,7 @@ <h3 id="7118-requirement-18-integrity-">
       The file content SHALL start with the first byte of the hexadecimal hash value. Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.
     </p>
     <p>
-      <em>Example 2:</em><a id='requirement-18-integrity-eg-2'></a><a id='sec-7-1-18-eg-2'></a><a id='example-144'></a>
+      <em>Example 2:</em><a id='requirement-18-integrity-eg-2'></a><a id='sec-7-1-18-eg-2'></a><a id='example-149'></a>
     </p>
     <pre><code>ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json</code></pre>
     <p>
@@ -8471,7 +9233,7 @@ <h3 id="7119-requirement-19-signatures-">
       All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is extended by the appropriate extension. See [<a href="#RFC4880">RFC4880</a>] for more details.
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-19-signatures-eg-1'></a><a id='sec-7-1-19-eg-1'></a><a id='example-145'></a>
+      <em>Example 1:</em><a id='requirement-19-signatures-eg-1'></a><a id='sec-7-1-19-eg-1'></a><a id='example-150'></a>
     </p>
     <pre><code>File name of CSAF document: esa-2022-02723.json
 File name of signature file: esa-2022-02723.json.asc</code></pre>
@@ -8537,7 +9299,7 @@ <h3 id="7121-requirement-21-list-of-csaf-providers-">
       The file <code>aggregator.json</code> SHOULD only list the latest version of the metadata of a CSAF provider.
     </p>
     <p>
-      <em>Example 1:</em><a id='requirement-21-list-of-csaf-providers-eg-1'></a><a id='sec-7-1-21-eg-1'></a><a id='example-146'></a>
+      <em>Example 1:</em><a id='requirement-21-list-of-csaf-providers-eg-1'></a><a id='sec-7-1-21-eg-1'></a><a id='example-151'></a>
     </p>
     <pre><code>  {
     "aggregator": {
@@ -8594,7 +9356,7 @@ <h3 id="7123-requirement-23-mirror-">
       </li>
     </ul>
     <p>
-      <em>Example 1:</em><a id='requirement-23-mirror-eg-1'></a><a id='sec-7-1-23-eg-1'></a><a id='example-147'></a>
+      <em>Example 1:</em><a id='requirement-23-mirror-eg-1'></a><a id='sec-7-1-23-eg-1'></a><a id='example-152'></a>
     </p>
     <pre><code>  {
     "aggregator": {
@@ -8921,6 +9683,9 @@ <h2 id="91-conformance-targets-">
       <li>
         <strong>CSAF document</strong>: A security advisory text document in the format defined by this document.
       </li>
+      <li>
+        <strong>CSAF downloader</strong>: A program that retrieves CSAF documents in an automated fashion.
+      </li>
       <li>
         <strong>CSAF producer</strong>: A program which emits output in the CSAF format.
       </li>
@@ -8992,6 +9757,8 @@ <h3 id="911-conformance-clause-1-csaf-document-">
       A text file or data stream satisfies the "CSAF document" conformance profile if it:
     </p>
     <ul>
+      <li>conforms to the syntax and semantics defined in section <a href="#date-and-time">2.2</a>
+      </li>
       <li>conforms to the syntax and semantics defined in section <a href="#schema-elements">3</a>.
       </li>
       <li>satisfies at least one profile defined in section <a href="#profiles">4</a>.
@@ -9112,8 +9879,26 @@ <h3 id="915-conformance-clause-5-cvrf-csaf-converter-">
         <code>/vulnerabilities[]/ids</code>: If a <code>vuln:ID</code> element is given, the CVRF CSAF converter converts it into the first item of the <code>ids</code> array.
       </li>
       <li>
-        <code>/vulnerabilities[]/remediation[]</code>: If no <code>product_ids</code> or <code>group_ids</code> is given, the CVRF CSAF converter appends all Product IDs which are listed under <code>../product_status</code> in the arrays <code>known_affected</code>, <code>first_affected</code> and <code>last_affected</code> into
-        <code>product_ids</code>. If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
+        <code>/vulnerabilities[]/remediations[]</code>:
+        <ul>
+          <li>If neither <code>product_ids</code> nor <code>group_ids</code> are given, the CVRF CSAF converter appends all Product IDs which are listed under <code>../product_status</code> in the arrays <code>known_affected</code>, <code>first_affected</code> and <code>last_affected</code> into <code>product_ids</code>. If none of these
+          arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
+          </li>
+          <li>The CVRF CSAF converter MUST convert any remediation with the type <code>Vendor Fix</code> into the category <code>optional_patch</code> if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. Otherwise, the category <code>vendor_fix</code> MUST be set. If multiple
+          products are associated with the remediation - either directly or through a product group - and the products belong to different product status groups, the CVRF CSAF converter MUST duplicate the remediation, change the category in one instance to <code>optional_patch</code> and distribute the products accordingly as stated by the
+          conversion rule.
+          </li>
+          <li>The CVRF CSAF converter MUST convert any remediation with the type <code>None Available</code> into the category <code>fix_planned</code> if the product in question is also listed in a remediation of the type <code>Vendor Fix</code> with a <code>Date</code> in the future or no <code>Date</code> at all. Consequently, the product
+          MUST be removed from the remediation of the category <code>vendor_fix</code>. If it was the last product in that remediation, the remediation MUST be removed.
+          </li>
+          <li>The CVRF CSAF converter MUST remove any product from a remediation with the type <code>None Available</code> if the product in question is also listed in a remediation of the type <code>Vendor Fix</code> with a <code>Date</code> in the past or to the exact same time. If it was the last product in that remediation, the
+          remediation MUST be removed.
+          </li>
+          <li>In any other case, the CVRF CSAF converter MUST preserve the product in the remediation of the category <code>none_available</code>.
+          </li>
+          <li>The CVRF CSAF converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, including the products it was changed for.
+          </li>
+        </ul>
       </li>
       <li>
         <code>/vulnerabilities[]/metrics[]</code>:
@@ -9136,7 +9921,7 @@ <h3 id="915-conformance-clause-5-cvrf-csaf-converter-">
                   Retrieve the CVSS version from the CVSS vector, if present.
                 </p>
                 <p>
-                  <em>Example 1:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-1'></a><a id='sec-9-1-5-eg-1'></a><a id='example-148'></a>
+                  <em>Example 1:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-1'></a><a id='sec-9-1-5-eg-1'></a><a id='example-153'></a>
                 </p>
                 <pre><code>  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H =&gt; 3.1</code></pre>
               </li>
@@ -9145,7 +9930,7 @@ <h3 id="915-conformance-clause-5-cvrf-csaf-converter-">
                   Retrieve the CVSS version from the CVSS element's namespace, if present. The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.
                 </p>
                 <p>
-                  <em>Example 2:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-2'></a><a id='sec-9-1-5-eg-2'></a><a id='example-149'></a>
+                  <em>Example 2:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-2'></a><a id='sec-9-1-5-eg-2'></a><a id='example-154'></a>
                 </p>
                 <pre><code>  xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
   &lt;!-- --&gt;
@@ -9154,7 +9939,7 @@ <h3 id="915-conformance-clause-5-cvrf-csaf-converter-">
                   is handled the same as
                 </p>
                 <p>
-                  <em>Example 3:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-3'></a><a id='sec-9-1-5-eg-3'></a><a id='example-150'></a>
+                  <em>Example 3:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-3'></a><a id='sec-9-1-5-eg-3'></a><a id='example-155'></a>
                 </p>
                 <pre><code>  &lt;ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd"&gt;</code></pre>
               </li>
@@ -9164,7 +9949,7 @@ <h3 id="915-conformance-clause-5-cvrf-csaf-converter-">
                   decision.
                 </p>
                 <p>
-                  <em>Example 4:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-4'></a><a id='sec-9-1-5-eg-4'></a><a id='example-151'></a>
+                  <em>Example 4:</em><a id='conformance-clause-5-cvrf-csaf-converter-eg-4'></a><a id='sec-9-1-5-eg-4'></a><a id='example-156'></a>
                 </p>
                 <pre><code>  xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" =&gt; 3.0</code></pre>
               </li>
@@ -9948,7 +10733,7 @@ <h3 id="9118-conformance-clause-18-csaf-20-to-csaf-21-converter-">
         </p>
         <blockquote>
           <p>
-            This is a common case for CSAF 2.0 documents labeled as TLP:RED but actually intended to be TLP:AMBER+STRICT.
+            This is a common case for CSAF 2.0 documents labeled as <code>TLP:RED</code> but actually intended to be <code>TLP:AMBER+STRICT</code>.
           </p>
         </blockquote>
         <p>
@@ -9980,6 +10765,27 @@ <h3 id="9118-conformance-clause-18-csaf-20-to-csaf-21-converter-">
           The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
         </p>
       </li>
+      <li>
+        <p>
+          <code>/vulnerabilities[]/remediations[]</code>:
+        </p>
+        <ul>
+          <li>The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category <code>vendor_fix</code> into the category <code>optional_patch</code> if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability. Otherwise, the category <code>vendor_fix</code> MUST stay the
+          same. If multiple products are associated with the remediation - either directly or through a product group - and the products belong to different product status groups, the CSAF 2.0 to CSAF 2.1 converter MUST duplicate the remediation, change the category in one instance to <code>optional_patch</code> and distribute the products
+          accordingly as stated by the conversion rule.
+          </li>
+          <li>The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category <code>none_available</code> into the category <code>fix_planned</code> if the product in question is also listed in a remediation of the category <code>vendor_fix</code> with a <code>date</code> in the future or no <code>date</code> at all.
+          Consequently, the product MUST be removed from the remediation of the category <code>vendor_fix</code>. If it was the last product in that remediation, the remediation MUST be removed.
+          </li>
+          <li>The CSAF 2.0 to CSAF 2.1 converter MUST remove any product from a remediation with the category <code>none_available</code> if the product in question is also listed in a remediation of the category <code>vendor_fix</code> with a <code>date</code> in the past or to the exact same time. If it was the last product in that
+          remediation, the remediation MUST be removed.
+          </li>
+          <li>In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category <code>none_available</code>.
+          </li>
+          <li>The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed, including the products it was changed for.
+          </li>
+        </ul>
+      </li>
     </ul>
     <blockquote>
       <p>
@@ -10111,6 +10917,27 @@ <h3 id="9122-conformance-clause-22-csaf-library-with-full-validation-">
     <p>
       A CSAF library does not satisfies the "CSAF library with full validation" conformance profile if the CSAF library uses an external library or program for the "CSAF full validator" part and does not enforce its presence.
     </p>
+    <h3 id="9123-conformance-clause-23-csaf-downloader-">
+      9.1.23 Conformance Clause 23: CSAF downloader <a id='conformance-clause-23-csaf-downloader'></a>
+    </h3>
+    <p>
+      A program satisfies the "CSAF downloader" conformance profile if the program:
+    </p>
+    <ul>
+      <li>conforms to the process defined in section <a href="#retrieving-rules">7.3</a> by executing all parts that are applicable to the given role.
+      </li>
+      <li>supports directory-based and ROLIE-based retrieval.
+      </li>
+      <li>is able to execute both steps from section <a href="#retrieving-rules">7.3</a> separately.
+      </li>
+      <li>uses a program-specific HTTP User Agent, e.g. consisting of the name and version of the program.
+      </li>
+    </ul>
+    <blockquote>
+      <p>
+        A tool MAY implement an option to store CSAF documents that fail any of the steps in section <a href="#retrieving-csaf-documents">7.3.2</a>.
+      </p>
+    </blockquote>
     <hr />
     <h1 id="appendix-a-acknowledgments-">
       Appendix A. Acknowledgments <a id='acknowledgments'></a>
@@ -11483,6 +12310,20 @@ <h1 id="appendix-b-revision-history-">
             Next Editor Revision
           </td>
         </tr>
+        <tr>
+          <td style="text-align: left;">
+            csaf-v2.0-wd20241030-dev
+          </td>
+          <td style="text-align: left;">
+            2024-10-30
+          </td>
+          <td style="text-align: left;">
+            Stefan Hagen and Thomas Schmidt
+          </td>
+          <td style="text-align: left;">
+            Next Editor Revision
+          </td>
+        </tr>
       </tbody>
     </table>
     <hr />
diff --git a/csaf_2.1/prose/share/csaf-v2.1-draft.md b/csaf_2.1/prose/share/csaf-v2.1-draft.md
index c1a4af6f..efb04675 100644
--- a/csaf_2.1/prose/share/csaf-v2.1-draft.md
+++ b/csaf_2.1/prose/share/csaf-v2.1-draft.md
@@ -7,7 +7,7 @@
 
 ## Committee Specification Draft 01
 
-## 28 August 2024
+## 30 October 2024
 
 #### This stage:
 https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.md (Authoritative) \
@@ -71,7 +71,7 @@ When referencing this specification the following citation format should be used
 
 **[csaf-v2.1]**
 
-_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 28 August 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
+_Common Security Advisory Framework Version 2.1_. Edited by Stefan Hagen, and Thomas Schmidt. 30 October 2024. OASIS Committee Specification Draft 01. https://docs.oasis-open.org/csaf/csaf/v2.1/csd01/csaf-v2.1-csd01.html. Latest stage: https://docs.oasis-open.org/csaf/csaf/v2.1/csaf-v2.1.html.
 
 
 -------
@@ -110,6 +110,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
 	1.5 [Typographical Conventions](#typographical-conventions)  
 2. [Design Considerations](#design-considerations)  
 	2.1 [Construction Principles](#construction-principles)  
+	2.2 [Date and Time](#date-and-time)  
 3. [Schema Elements](#schema-elements)  
 	3.1 [Definitions](#definitions)  
 		3.1.1 [Acknowledgments Type](#acknowledgments-type)  
@@ -267,6 +268,9 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
 		6.1.31 [Version Range in Product Version](#version-range-in-product-version)  
 		6.1.32 [Flag without Product Reference](#flag-without-product-reference)  
 		6.1.33 [Multiple Flags with VEX Justification Codes per Product](#multiple-flags-with-vex-justification-codes-per-product)  
+		6.1.34 [Branches Recursion Depth](#mandatory-tests--branches-recursion-depth)  
+		6.1.35 [Contradicting Remediations](#contradicting-remediations)  
+		6.1.36 [Contradicting Product Status Remediation Combination](#contradicting-product-status-remediation-combination)  
 	6.2 [Optional Tests](#optional-tests)  
 		6.2.1 [Unused Definition of Product ID](#unused-definition-of-product-id)  
 		6.2.2 [Missing Remediation](#missing-remediation)  
@@ -277,7 +281,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
 		6.2.7 [Missing Date in Involvements](#missing-date-in-involvements)  
 		6.2.8 [Use of MD5 as the only Hash Algorithm](#use-of-md5-as-the-only-hash-algorithm)  
 		6.2.9 [Use of SHA-1 as the only Hash Algorithm](#use-of-sha-1-as-the-only-hash-algorithm)  
-		6.2.10 [Missing TLP label (deprecated)](#missing-tlp-label)  
+		6.2.10 [Missing TLP label (obsolete)](#missing-tlp-label)  
 		6.2.11 [Missing Canonical URL](#missing-canonical-url)  
 		6.2.12 [Missing Document Language](#missing-document-language)  
 		6.2.13 [Sorting](#optional-tests--sorting)  
@@ -294,6 +298,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
 		6.2.24 [Usage of Non-Latest CWE Version](#usage-of-non-latest-cwe-version)  
 		6.2.25 [Usage of CWE Not Allowed for Vulnerability Mapping](#usage-of-cwe-not-allowed-for-vulnerability-mapping)  
 		6.2.26 [Usage of CWE Allowed with Review for Vulnerability Mapping](#usage-of-cwe-allowed-with-review-for-vulnerability-mapping)  
+		6.2.27 [Discouraged Product Status Remediation Combination](#discouraged-product-status-remediation-combination)  
 	6.3 [Informative Test](#informative-test)  
 		6.3.1 [Use of CVSS v2 as the only Scoring System](#use-of-cvss-v2-as-the-only-scoring-system)  
 		6.3.2 [Use of CVSS v3.0](#use-of-cvss-v3-0)  
@@ -367,6 +372,7 @@ The name "OASIS" is a trademark of [OASIS](https://www.oasis-open.org/), the own
 		9.1.20 [Conformance Clause 20: CSAF library with basic validation](#conformance-clause-20-csaf-library-with-basic-validation)  
 		9.1.21 [Conformance Clause 21: CSAF library with extended validation](#conformance-clause-21-csaf-library-with-extended-validation)  
 		9.1.22 [Conformance Clause 22: CSAF library with full validation](#conformance-clause-22-csaf-library-with-full-validation)  
+		9.1.23 [Conformance Clause 23: CSAF downloader](#conformance-clause-23-csaf-downloader)  
 
 Appendix A. [Acknowledgments](#acknowledgments)  
 Appendix B. [Revision History](#revision-history)  
@@ -434,6 +440,8 @@ For purposes of this document, the following terms and definitions apply:
   <dd>analysis tool which acts as a CSAF producer</dd>
   <dt id="def;csaf-document">CSAF document</dt>
   <dd>security advisory text document in the format defined by this document.</dd>
+  <dt id="def;csaf-downloader">CSAF downloader</dt>
+  <dd>A program that retrieves CSAF documents in an automated fashion.</dd>
   <dt id="def;csaf-extended-validator">CSAF extended validator</dt>
   <dd>A CSAF basic validator that additionally performs optional tests.</dd>
   <dt id="def;csaf-full-validator">CSAF full validator</dt>
@@ -497,6 +505,8 @@ For purposes of this document, the following terms and definitions apply:
   <dd>property stored outside of the CSAF document to which it logically belongs</dd>
   <dt id="def;false-positive">false positive</dt>
   <dd>result which an end user decides does not actually represent a problem</dd>
+  <dt id="def;filter">filter</dt>
+  <dd>refine a list by selecting entries that match given criteria</dd>
   <dt id="def;fingerprint">fingerprint</dt>
   <dd>stable value that can be used by a result management system to uniquely identify a result over time,
       even if a relevant artifact is modified</dd>
@@ -555,6 +565,8 @@ For purposes of this document, the following terms and definitions apply:
       <em>Examples</em>: severity level, rank</dd>
   <dt id="def;repository">repository</dt>
   <dd>container for a related set of files in a version control system</dd>
+  <dt id="def;search">search</dt>
+  <dd>compile a list of entries that match given criteria</dd>
   <dt id="def;taxonomy">taxonomy</dt>
   <dd>classification of analysis results into a set of categories</dd>
   <dt id="def;tag">tag</dt>
@@ -592,6 +604,8 @@ For purposes of this document, the following terms and definitions apply:
 
 ## 1.3 Normative References <a id='normative-references'></a>
 
+**\[**<span id="ISO8601" class="anchor"></span>**ISO8601\]** _Data elements and interchange formats — Information interchange — Representation of dates and times_, International Standard, ISO 8601:2004(E), December 1, 2004, https://www.iso.org/standard/40874.html.
+
 **\[**<span id="JSON-Schema-Core" class="anchor"></span>**JSON-Schema-Core\]** _JSON Schema: A Media Type for Describing JSON Documents_, draft-bhutton-json-schema-00, December 2020, <https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00>.
 
 **\[**<span id="JSON-Schema-Validation" class="anchor"></span>**JSON-Schema-Validation\]** _JSON Schema Validation: A Vocabulary for Structural Validation of JSON_, draft-bhutton-json-schema-validation-00, December 2020, <https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-validation-00>.
@@ -602,6 +616,8 @@ For purposes of this document, the following terms and definitions apply:
 
 **\[**<span id="RFC2119" class="anchor"></span>**RFC2119\]** Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
 
+**\[**<span id="RFC3339" class="anchor"></span>**RFC3339\]** Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <https://www.rfc-editor.org/info/rfc3339>.
+
 **\[**<span id="RFC7464" class="anchor"></span>**RFC7464\]** Williams, N., "JavaScript Object Notation (JSON) Text Sequences", RFC 7464, DOI 10.17487/RFC7464, February 2015, <https://www.rfc-editor.org/info/rfc7464>.
 
 **\[**<span id="RFC8174" class="anchor"></span>**RFC8174\]** Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
@@ -644,8 +660,6 @@ For purposes of this document, the following terms and definitions apply:
 
 **\[**<span id="GFMENG" class="anchor"></span>**GFMENG\]** _GitHub Engineering: A formal spec for GitHub Flavored Markdown_, https://githubengineering.com/a-formal-spec-for-github-markdown/.
 
-**\[**<span id="ISO8601" class="anchor"></span>**ISO8601\]** _Data elements and interchange formats — Information interchange — Representation of dates and times_, International Standard, ISO 8601:2004(E), December 1, 2004, https://www.iso.org/standard/40874.html.
-
 **\[**<span id="ISO19770-2" class="anchor"></span>**ISO19770-2\]** _Information technology — IT asset management — Part 2: Software identification tag_, International Standard, ISO 19770-2:2015, September 30, 2015, <https://www.iso.org/standard/65666.html>.
 
 **\[**<span id="ISO29147" class="anchor"></span>**ISO29147\]** _Information technology — Security techniques — Vulnerability disclosure_, International Standard, ISO/IEC 29147:2018, October, 2018, <https://www.iso.org/standard/72311.html>.
@@ -654,8 +668,6 @@ For purposes of this document, the following terms and definitions apply:
 
 **\[**<span id="PURL" class="anchor"></span>**PURL\]** _Package URL (purl)_, GitHub Project, https://github.com/package-url/purl-spec.
 
-**\[**<span id="RFC3339" class="anchor"></span>**RFC3339\]** Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <https://www.rfc-editor.org/info/rfc3339>.
-
 **\[**<span id="RFC3552" class="anchor"></span>**RFC3552\]** Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, <https://www.rfc-editor.org/info/rfc3552>.
 
 **\[**<span id="RFC3986" class="anchor"></span>**RFC3986\]** Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <https://www.rfc-editor.org/info/rfc3986>.
@@ -811,6 +823,19 @@ Section [7](#distributing-csaf-documents) states how to distribute and where to
 Safety, Security and Data Protection are considered in section [8](#safety-security-and-data-protection-considerations).
 Finally, a set of conformance targets describes tools in the ecosystem.
 
+
+## 2.2 Date and Time <a id='date-and-time'></a>
+
+This standard uses the `date-time` format as defined in JSON Schema Draft 2020-12 Section 7.3.1.
+In accordance with RFC 3339 and ISO 8601, the following rules apply:
+
+* The letter `T` separating the date and time SHALL be upper case.
+* The letter `Z` indicating the timezone UTC SHALL be upper case.
+* Fractions of seconds are allowed as specified in the standards mention above with the full stop (`.`) as separator.
+* Leap seconds are supported. However, they SHOULD be avoided if possible.
+* Empty timezones are prohibited.
+* The ABNF of RFC 3339, section 5.6 applies.
+
 -------
 
 # 3. Schema Elements <a id='schema-elements'></a>
@@ -1250,29 +1275,28 @@ and `x_generic_uris`, one is mandatory.
         "cpe": {
           // ...
         },
-        "hashes": [
+        "hashes": {
           // ...
-        ],
-        "model_numbers": [
+        },
+        "model_numbers": {
           // ...
-        ],
+        },
         "purl": {
           // ...
         },
-        "sbom_urls": [
+        "sbom_urls": {
           // ...
-        ],
-        "serial_numbers": [
+        },
+        "serial_numbers": {
           // ...
-        ],
-        "skus": [
+        },
+        "skus": {
           // ...
-        ],
-        "x_generic_uris": [
+        },
+        "x_generic_uris": {
           // ...
-        ]
+        }
       }
-    }
 ```
 
 ##### 3.1.3.3.1 Full Product Name Type - Product Identification Helper - CPE <a id='full-product-name-type-product-identification-helper-cpe'></a>
@@ -1286,6 +1310,8 @@ Common Platform Enumeration representation (`cpe`) of value type `string` of 5 o
 The Common Platform Enumeration (CPE) attribute refers to a method for naming platforms external to this specification.
 See [CPE23-N] for details.
 
+> Both, CPE 2.2 and CPE 2.3, are supported in CSAF.
+
 ##### 3.1.3.3.2 Full Product Name Type - Product Identification Helper - Hashes <a id='full-product-name-type-product-identification-helper-hashes'></a>
 
 List of hashes (`hashes`) of value type `array` holding at least one item contains a list of cryptographic hashes usable to identify files.
@@ -1948,7 +1974,7 @@ This results in the following rules:
    1.0.0-0.3.7
    1.0.0-alpha
    1.0.0-alpha.1
-   1.0.0-x-y-z.–
+   1.0.0-x-y-z.--
    1.0.0-x.7.z.92
    ```
 
@@ -1962,7 +1988,7 @@ This results in the following rules:
 
     ```
     1.0.0+20130313144700
-    1.0.0+21AF26D3—-117B344092BD
+    1.0.0+21AF26D3----117B344092BD
     1.0.0-alpha+001
     1.0.0-beta+exp.sha.5114f85
     ```
@@ -2002,6 +2028,18 @@ This results in the following rules:
        1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0
        ```
 
+Note, that the following values do no conform the semantic versioning described above.
+
+*Examples 6 (which are invalid):*<a id='version-type-semantic-versioning-eg-6'></a><a id='sec-3-1-11-2-eg-6'></a><a id='example-29'></a>
+
+```
+  1.16.13.14-Cor
+  1.0.0-x-y-z.–
+  1.0.0+21AF26D3—-117B344092BD
+  2.5.20+3f93da6b+7cc
+  3.20.0-00
+```
+
 ## 3.2 Properties <a id='properties'></a>
 
 These final four subsections document the four properties of a CSAF document.
@@ -2110,7 +2148,7 @@ The Namespace of aggregate severity (`namespace`) of value type `string` with fo
 The Text of aggregate severity (`text`) of value type `string` with 1 or more characters provides a severity which is
 independent of - and in addition to - any other standard metric for determining the impact or severity of a given vulnerability (such as CVSS).
 
-*Examples 1:*<a id='document-property-aggregate-severity-eg-1'></a><a id='sec-3-2-2-2-eg-1'></a><a id='example-29'></a>
+*Examples 1:*<a id='document-property-aggregate-severity-eg-1'></a><a id='sec-3-2-2-2-eg-1'></a><a id='example-30'></a>
 
 ```
     Critical
@@ -2136,7 +2174,7 @@ Document category defines a short canonical name, chosen by the document produce
     }
 ```
 
-*Examples 1:*<a id='document-property-category-eg-1'></a><a id='sec-3-2-2-3-eg-1'></a><a id='example-30'></a>
+*Examples 1:*<a id='document-property-category-eg-1'></a><a id='sec-3-2-2-3-eg-1'></a><a id='example-31'></a>
 
 ```
     csaf_base
@@ -2179,7 +2217,7 @@ If both values are present, the TLP information SHOULD be preferred as this aids
 
 The Textual description (`text`) of value type `string` with 1 or more characters provides a textual description of additional constraints.
 
-*Examples 1:*<a id='document-property-distribution-text-eg-1'></a><a id='sec-3-2-2-5-1-eg-1'></a><a id='example-31'></a>
+*Examples 1:*<a id='document-property-distribution-text-eg-1'></a><a id='sec-3-2-2-5-1-eg-1'></a><a id='example-32'></a>
 
 ```
     Copyright 2024, Example Company, All Rights Reserved.
@@ -2234,7 +2272,7 @@ The default value is the URL to the definition by FIRST:
     https://www.first.org/tlp/
 ```
 
-*Examples 1:*<a id='document-property-distribution-tlp-eg-1'></a><a id='sec-3-2-2-5-2-eg-1'></a><a id='example-32'></a>
+*Examples 1:*<a id='document-property-distribution-tlp-eg-1'></a><a id='sec-3-2-2-5-2-eg-1'></a><a id='example-33'></a>
 
 ```
     https://www.us-cert.gov/tlp
@@ -2343,7 +2381,7 @@ product resellers and distributors, including authoritative vendor partners.
 Contact details (`contact_details`) of value type `string` with 1 or more characters provides information on how to contact the publisher,
 possibly including details such as web sites, email addresses, phone numbers, and postal mail addresses.
 
-*Example 1:*<a id='document-property-publisher-contact-details-eg-1'></a><a id='sec-3-2-2-8-2-eg-1'></a><a id='example-33'></a>
+*Example 1:*<a id='document-property-publisher-contact-details-eg-1'></a><a id='sec-3-2-2-8-2-eg-1'></a><a id='example-34'></a>
 
 ```
     Example Company can be reached at contact_us@example.com, or via our website at https://www.example.com/contact.
@@ -2358,7 +2396,7 @@ the authority of the issuing party to release the document, in particular, the p
 
 The Name of publisher (`name`) of value type `string` with 1 or more characters contains the name of the issuing party.
 
-*Example 1:*<a id='document-property-publisher-name-eg-1'></a><a id='sec-3-2-2-8-4-eg-1'></a><a id='example-34'></a>
+*Example 1:*<a id='document-property-publisher-name-eg-1'></a><a id='sec-3-2-2-8-4-eg-1'></a><a id='example-35'></a>
 
 ```
      BSI
@@ -2385,7 +2423,7 @@ an incremented (patch) version which has no other changes than:
 * the updated item in `/document/references[]` which points to the new version of the CSAF document
 * an added item in `/document/references[]` which points to the previous version of the CSAF document (if the URL changed)
 
-*Examples 1:*<a id='document-property-publisher-namespace-eg-1'></a><a id='sec-3-2-2-8-5-eg-1'></a><a id='example-35'></a>
+*Examples 1:*<a id='document-property-publisher-namespace-eg-1'></a><a id='sec-3-2-2-8-5-eg-1'></a><a id='example-36'></a>
 
 ```
     https://csaf.io
@@ -2420,7 +2458,7 @@ The property SHALL NOT be present if the document was not translated.
 Title of this document (`title`) of value type `string` with 1 or more characters SHOULD be a canonical name for the document,
 and sufficiently unique to distinguish it from similar documents.
 
-*Examples 1:*<a id='document-property-title-eg-1'></a><a id='sec-3-2-2-11-eg-1'></a><a id='example-36'></a>
+*Examples 1:*<a id='document-property-title-eg-1'></a><a id='sec-3-2-2-11-eg-1'></a><a id='example-37'></a>
 
 ```
     Cisco IPv6 Crafted Packet Denial of Service Vulnerability
@@ -2483,7 +2521,7 @@ list of alternate names for the same document.
 Every such Alternate Name of value type `string` with 1 or more characters specifies a non-empty string that represents a
 distinct optional alternative ID used to refer to the document.
 
-*Example 1:*<a id='document-property-tracking-aliases-eg-1'></a><a id='sec-3-2-2-12-1-eg-1'></a><a id='example-37'></a>
+*Example 1:*<a id='document-property-tracking-aliases-eg-1'></a><a id='sec-3-2-2-12-1-eg-1'></a><a id='example-38'></a>
 
 ```
     CVE-2019-12345
@@ -2537,7 +2575,7 @@ optional property Engine version (`version`) contains information about the engi
 
 Engine name (`name`) of value type `string` with 1 or more characters represents the name of the engine that generated the CSAF document.
 
-*Examples 1:*<a id='document-property-tracking-generator-eg-1'></a><a id='sec-3-2-2-12-3-eg-1'></a><a id='example-38'></a>
+*Examples 1:*<a id='document-property-tracking-generator-eg-1'></a><a id='sec-3-2-2-12-3-eg-1'></a><a id='example-39'></a>
 
 ```
     Red Hat rhsa-to-cvrf
@@ -2550,7 +2588,7 @@ Engine version (`version`) of value type `string` with 1 or more characters cont
 > Although it is not formally required, the TC suggests to use a versioning which is compatible with Semantic Versioning as described in
 > the external specification [SemVer]. This could help the end user to identify when CSAF consumers have to be updated.
 
-*Examples 2:*<a id='document-property-tracking-generator-eg-2'></a><a id='sec-3-2-2-12-3-eg-2'></a><a id='example-39'></a>
+*Examples 2:*<a id='document-property-tracking-generator-eg-2'></a><a id='sec-3-2-2-12-3-eg-2'></a><a id='example-40'></a>
 
 ```
     0.6.0
@@ -2573,7 +2611,7 @@ Unique identifier for the document holds the Identifier.
 The ID is a simple label that provides for a wide range of numbering values, types, and schemes.
 Its value SHOULD be assigned and maintained by the original document issuing authority. It MUST be unique for that organization.
 
-*Examples 1:*<a id='document-property-tracking-id-eg-1'></a><a id='sec-3-2-2-12-4-eg-1'></a><a id='example-40'></a>
+*Examples 1:*<a id='document-property-tracking-id-eg-1'></a><a id='sec-3-2-2-12-4-eg-1'></a><a id='example-41'></a>
 
 ```
     Example Company - 2019-YH3234
@@ -2741,7 +2779,7 @@ the optional Summary (`summary`) property.
 
 The summary of the product group (`summary`) of value type `string` with 1 or more characters gives a short, optional description of the group.
 
-*Examples 1:*<a id='product-tree-property-product-groups-eg-1'></a><a id='sec-3-2-3-3-eg-1'></a><a id='example-41'></a>
+*Examples 1:*<a id='product-tree-property-product-groups-eg-1'></a><a id='sec-3-2-3-3-eg-1'></a><a id='example-42'></a>
 
 ```
     Products supporting Modbus.
@@ -2830,7 +2868,7 @@ which is referenced as the first element of the relationship.
 Relates to Product Reference (`relates_to_product_reference`) of value type Product ID (`product_id_t`) holds a Product ID that refers to
 the Full Product Name element, which is referenced as the second element of the relationship.
 
-*Examples 1:*<a id='product-tree-property-relationships-eg-1'></a><a id='sec-3-2-3-4-eg-1'></a><a id='example-42'></a>
+*Examples 1:*<a id='product-tree-property-relationships-eg-1'></a><a id='sec-3-2-3-4-eg-1'></a><a id='example-43'></a>
 
 ```
   "product_tree": {
@@ -2996,7 +3034,7 @@ The Weakness ID (`id`) has value type `string` with `pattern` (regular expressio
 
 It holds the ID for the weakness associated.
 
-*Examples 1:*<a id='vulnerabilities-property-cwes-eg-1'></a><a id='sec-3-2-4-3-eg-1'></a><a id='example-43'></a>
+*Examples 1:*<a id='vulnerabilities-property-cwes-eg-1'></a><a id='sec-3-2-4-3-eg-1'></a><a id='example-44'></a>
 
 ```
     CWE-22
@@ -3007,7 +3045,7 @@ It holds the ID for the weakness associated.
 The Weakness name (`name`) has value type `string` with 1 or more characters and holds the full name of the weakness as given
 in the CWE specification.
 
-*Examples 2:*<a id='vulnerabilities-property-cwes-eg-2'></a><a id='sec-3-2-4-3-eg-2'></a><a id='example-44'></a>
+*Examples 2:*<a id='vulnerabilities-property-cwes-eg-2'></a><a id='sec-3-2-4-3-eg-2'></a><a id='example-45'></a>
 
 ```
     Cross-Site Request Forgery (CSRF)
@@ -3024,7 +3062,7 @@ The CWE version (`version`) has value type `string` with `pattern` (regular expr
 It holds the version string of the CWE specification this weakness was extracted from.
 When creating or modifying a CSAF document, the latest published version of the CWE specification SHOULD be used.
 
-*Examples 3:*<a id='vulnerabilities-property-cwes-eg-3'></a><a id='sec-3-2-4-3-eg-3'></a><a id='example-45'></a>
+*Examples 3:*<a id='vulnerabilities-property-cwes-eg-3'></a><a id='sec-3-2-4-3-eg-3'></a><a id='example-46'></a>
 
 ```
     "1.0",
@@ -3137,7 +3175,7 @@ tracking ID for the vulnerability.
 
 System name (`system_name`) of value type `string` with 1 or more characters indicates the name of the vulnerability tracking or numbering system.
 
-*Examples 1:*<a id='vulnerabilities-property-ids-eg-1'></a><a id='sec-3-2-4-6-eg-1'></a><a id='example-46'></a>
+*Examples 1:*<a id='vulnerabilities-property-ids-eg-1'></a><a id='sec-3-2-4-6-eg-1'></a><a id='example-47'></a>
 
 ```
     Cisco Bug ID
@@ -3146,7 +3184,7 @@ System name (`system_name`) of value type `string` with 1 or more characters ind
 
 Text (`text`) of value type `string` with 1 or more characters is unique label or tracking ID for the vulnerability (if such information exists).
 
-*Examples 2:*<a id='vulnerabilities-property-ids-eg-2'></a><a id='sec-3-2-4-6-eg-2'></a><a id='example-47'></a>
+*Examples 2:*<a id='vulnerabilities-property-ids-eg-2'></a><a id='sec-3-2-4-6-eg-2'></a><a id='example-48'></a>
 
 ```
     CSCso66472
@@ -3496,9 +3534,11 @@ Category of the remediation (`category`) of value type `string` and `enum` speci
 Valid values are:
 
 ```
+    fix_planned
     mitigation
     no_fix_planned
     none_available
+    optional_patch
     vendor_fix
     workaround
 ```
@@ -3516,20 +3556,56 @@ and they MAY or MAY NOT be officially sanctioned by the document producer.
 The value `vendor_fix` indicates that the remediation contains information about an official fix that
 is issued by the original author of the affected product.
 Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.
-This value contradicts with the categories `none_available` and `no_fix_planned` for the same product.
-Therefore, such a combination can't be used in the list of remediations.
+
+The value `optional_patch` indicates that the remediation contains information about an patch that
+is issued by the original author of the affected product.
+Its application is not necessary, but might be desired by the user, e.g. to calm a security scanner by
+updating a dependency to a fixed version even though the dependency in the affected version was used
+in the product in a way that the product itself was not affected.
+Unless otherwise noted, it is assumed that this does not change the state regarding the vulnerability.
+
+> This is sometimes also referred to as a "regulatory compliance patch".
 
 The value `none_available` indicates that there is currently no fix or other remediation available.
 The text in field `details` SHOULD contain details about why there is no fix or other remediation.
-The values `none_available` and `vendor_fix` are mutually exclusive per product.
 
-> An issuing party might choose to use this category to announce that a fix is currently developed.
-It is recommended that this also includes a date when a customer can expect the fix to be ready and distributed.  
+The value `fix_planned` indicates that there is a fix for the vulnerability planned but not yet ready.
+An issuing party might choose to use this category to announce that a fix is currently developed.
+The text in field `details` SHOULD contain details including a date when a customer can expect the fix to be ready and distributed.
 
 The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time.
 This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated.
 The text in field `details` SHOULD contain details about why there will be no fix issued.
-The values `no_fix_planned` and `vendor_fix` are mutually exclusive per product.
+
+Some category values contradict each other and thus are mutually exclusive per product.
+Therefore, such a combination MUST NOT be used in the list of remediations for the same product.
+This is independent from whether the product is referenced directly or indirectly through a product group.
+The following tables shows the allowed and prohibited combinations:
+
+| category value   | `workaround` | `mitigation` | `vendor_fix` | `optional_patch` | `none_available` | `fix_planned` | `no_fix_planned` |
+|:----------------:|:------------:|:------------:|:------------:|:----------------:|:----------------:|:-------------:|:----------------:|
+| `workaround`     | allowed      | allowed      | allowed      | prohibited       | prohibited       | allowed       | allowed          |
+| `mitigation`     | allowed      | allowed      | allowed      | prohibited       | prohibited       | allowed       | allowed          |
+| `vendor_fix`     | allowed      | allowed      | allowed      | prohibited       | prohibited       | prohibited    | prohibited       |
+| `optional_patch` | prohibited   | prohibited   | prohibited   | allowed          | prohibited       | prohibited    | prohibited       |
+| `none_available` | prohibited   | prohibited   | prohibited   | prohibited       | allowed          | prohibited    | prohibited       |
+| `fix_planned`    | allowed      | allowed      | prohibited   | prohibited       | prohibited       | allowed       | prohibited       |
+| `no_fix_planned` | allowed      | allowed      | prohibited   | prohibited       | prohibited       | prohibited    | allowed          |
+
+Some category values contradict certain product status groups.
+Therefore, such a combination MUST NOT exist in a vulnerability item for the same product.
+This is independent from whether the product is referenced directly or indirectly through a product group.
+The following tables shows the allowed, discouraged and prohibited combinations:
+
+| category value   | Affected   | Not Affected | Fixed       | Under Investigation | Recommended |
+|:----------------:|:----------:|:------------:|:-----------:|:-------------------:|:-----------:|
+| `workaround`     | allowed    | prohibited   | prohibited  | discouraged         | allowed     |
+| `mitigation`     | allowed    | prohibited   | prohibited  | discouraged         | allowed     |
+| `vendor_fix`     | allowed    | prohibited   | prohibited  | discouraged         | allowed     |
+| `optional_patch` | prohibited | allowed      | discouraged | allowed             | allowed     |
+| `none_available` | allowed    | prohibited   | prohibited  | allowed             | allowed     |
+| `fix_planned`    | allowed    | discouraged  | prohibited  | discouraged         | allowed     |
+| `no_fix_planned` | allowed    | discouraged  | prohibited  | allowed             | allowed     |
 
 ##### 3.2.4.13.2 Vulnerabilities Property - Remediations - Date <a id='vulnerabilities-property-remediations-date'></a>
 
@@ -3887,7 +3963,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum
    > As a result, a `/document/tracking/id` with the value `2022_#01-A` is converted into `2022_01-a` instead of `2022__01-a`.
 3. The file extension `.json` MUST be appended.
 
-*Examples 1:*<a id='filename-eg-1'></a><a id='sec-5-1-eg-1'></a><a id='example-48'></a>
+*Examples 1:*<a id='filename-eg-1'></a><a id='sec-5-1-eg-1'></a><a id='example-49'></a>
 
 ```
   cisco-sa-20190513-secureboot.json
@@ -3898,7 +3974,7 @@ The following rules MUST be applied to determine the filename for the CSAF docum
 > It is currently considered best practice to indicate that a CSAF document is invalid by
 > inserting `_invalid` into the filename in front of the file extension.
 
-*Examples 2:*<a id='filename-eg-2'></a><a id='sec-5-1-eg-2'></a><a id='example-49'></a>
+*Examples 2:*<a id='filename-eg-2'></a><a id='sec-5-1-eg-2'></a><a id='example-50'></a>
 
 ```
   cisco-sa-20190513-secureboot_invalid.json
@@ -3983,7 +4059,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/threats[]/product_ids[]
 ```
 
-*Example 1 (which fails the test):*<a id='missing-definition-of-product-id-eg-1'></a><a id='sec-6-1-1-eg-1'></a><a id='example-50'></a>
+*Example 1 (which fails the test):*<a id='missing-definition-of-product-id-eg-1'></a><a id='sec-6-1-1-eg-1'></a><a id='example-51'></a>
 
 ```
   "product_tree": {
@@ -4014,7 +4090,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name/product_id
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-definition-of-product-id-eg-1'></a><a id='sec-6-1-2-eg-1'></a><a id='example-51'></a>
+*Example 1 (which fails the test):*<a id='multiple-definition-of-product-id-eg-1'></a><a id='sec-6-1-2-eg-1'></a><a id='example-52'></a>
 
 ```
   "product_tree": {
@@ -4048,7 +4124,7 @@ The relevant path for this test is:
 > a Product ID defined in a relationship item is used as `product_reference` or `relates_to_product_reference`.
 > Only for those which fulfill this condition it is necessary to run the full check following the references.
 
-*Example 1 (which fails the test):*<a id='circular-definition-of-product-id-eg-1'></a><a id='sec-6-1-3-eg-1'></a><a id='example-52'></a>
+*Example 1 (which fails the test):*<a id='circular-definition-of-product-id-eg-1'></a><a id='sec-6-1-3-eg-1'></a><a id='example-53'></a>
 
 ```
   "product_tree": {
@@ -4087,7 +4163,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/threats[]/group_ids
 ```
 
-*Example 1 (which fails the test):*<a id='missing-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-4-eg-1'></a><a id='example-53'></a>
+*Example 1 (which fails the test):*<a id='missing-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-4-eg-1'></a><a id='example-54'></a>
 
 ```
   "product_tree": {
@@ -4126,7 +4202,7 @@ The relevant path for this test is:
     /product_tree/product_groups[]/group_id
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-5-eg-1'></a><a id='example-54'></a>
+*Example 1 (which fails the test):*<a id='multiple-definition-of-product-group-id-eg-1'></a><a id='sec-6-1-5-eg-1'></a><a id='example-55'></a>
 
 ```
   "product_tree": {
@@ -4202,7 +4278,7 @@ Contradiction groups are:
 > Note: An issuer might recommend (`/vulnerabilities[]/product_status/recommended`) a product version from any group - also from the affected group,
 > i.e. if it was discovered that fixed versions introduce a more severe vulnerability.
 
-*Example 1 (which fails the test):*<a id='contradicting-product-status-eg-1'></a><a id='sec-6-1-6-eg-1'></a><a id='example-55'></a>
+*Example 1 (which fails the test):*<a id='contradicting-product-status-eg-1'></a><a id='sec-6-1-6-eg-1'></a><a id='example-56'></a>
 
 ```
   "product_tree": {
@@ -4241,7 +4317,7 @@ The relevant path for this test is:
     /vulnerabilities[]/metrics[]
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-scores-with-same-version-per-product-eg-1'></a><a id='sec-6-1-7-eg-1'></a><a id='example-56'></a>
+*Example 1 (which fails the test):*<a id='multiple-scores-with-same-version-per-product-eg-1'></a><a id='sec-6-1-7-eg-1'></a><a id='example-57'></a>
 
 ```
   "product_tree": {
@@ -4300,7 +4376,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/metrics[]/content/cvss_v4
 ```
 
-*Example 1 (which fails the test):*<a id='invalid-cvss-eg-1'></a><a id='sec-6-1-8-eg-1'></a><a id='example-57'></a>
+*Example 1 (which fails the test):*<a id='invalid-cvss-eg-1'></a><a id='sec-6-1-8-eg-1'></a><a id='example-58'></a>
 
 ```
   "cvss_v3": {
@@ -4341,7 +4417,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/metrics[]/content/cvss_v4/environmentalSeverity
 ```
 
-*Example 1 (which fails the test):*<a id='invalid-cvss-computation-eg-1'></a><a id='sec-6-1-9-eg-1'></a><a id='example-58'></a>
+*Example 1 (which fails the test):*<a id='invalid-cvss-computation-eg-1'></a><a id='sec-6-1-9-eg-1'></a><a id='example-59'></a>
 
 ```
   "cvss_v3": {
@@ -4368,7 +4444,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/metrics[]/content/cvss_v4
 ```
 
-*Example 1 (which fails the test):*<a id='inconsistent-cvss-eg-1'></a><a id='sec-6-1-10-eg-1'></a><a id='example-59'></a>
+*Example 1 (which fails the test):*<a id='inconsistent-cvss-eg-1'></a><a id='sec-6-1-10-eg-1'></a><a id='example-60'></a>
 
 ```
   "cvss_v3": {
@@ -4402,7 +4478,7 @@ The relevant path for this test is:
     /vulnerabilities[]/cwes[]
 ```
 
-*Example 1 (which fails the test):*<a id='cwe-eg-1'></a><a id='sec-6-1-11-eg-1'></a><a id='example-60'></a>
+*Example 1 (which fails the test):*<a id='cwe-eg-1'></a><a id='sec-6-1-11-eg-1'></a><a id='example-61'></a>
 
 ```
   "cwes": [
@@ -4427,7 +4503,7 @@ The relevant paths for this test are:
   /document/source_lang
 ```
 
-*Example 1 (which fails the test):*<a id='language-eg-1'></a><a id='sec-6-1-12-eg-1'></a><a id='example-61'></a>
+*Example 1 (which fails the test):*<a id='language-eg-1'></a><a id='sec-6-1-12-eg-1'></a><a id='example-62'></a>
 
 ```
   "lang": "EZ"
@@ -4449,7 +4525,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name/product_identification_helper/purl
 ```
 
-*Example 1 (which fails the test):*<a id='purl-eg-1'></a><a id='sec-6-1-13-eg-1'></a><a id='example-62'></a>
+*Example 1 (which fails the test):*<a id='purl-eg-1'></a><a id='sec-6-1-13-eg-1'></a><a id='example-63'></a>
 
 ```
   "product_tree": {
@@ -4479,7 +4555,7 @@ The relevant path for this test is:
     /document/tracking/revision_history
 ```
 
-*Example 1 (which fails the test):*<a id='sorted-revision-history-eg-1'></a><a id='sec-6-1-14-eg-1'></a><a id='example-63'></a>
+*Example 1 (which fails the test):*<a id='sorted-revision-history-eg-1'></a><a id='sec-6-1-14-eg-1'></a><a id='example-64'></a>
 
 ```
   "revision_history": [
@@ -4508,7 +4584,7 @@ The relevant path for this test is:
     /document/source_lang
 ```
 
-*Example 1 (which fails the test):*<a id='translator-eg-1'></a><a id='sec-6-1-15-eg-1'></a><a id='example-64'></a>
+*Example 1 (which fails the test):*<a id='translator-eg-1'></a><a id='sec-6-1-15-eg-1'></a><a id='example-65'></a>
 
 ```
   "document": {
@@ -4539,7 +4615,7 @@ The relevant path for this test is:
     /document/tracking/version
 ```
 
-*Example 1 (which fails the test):*<a id='latest-document-version-eg-1'></a><a id='sec-6-1-16-eg-1'></a><a id='example-65'></a>
+*Example 1 (which fails the test):*<a id='latest-document-version-eg-1'></a><a id='sec-6-1-16-eg-1'></a><a id='example-66'></a>
 
 ```
   "tracking": {
@@ -4573,7 +4649,7 @@ The relevant path for this test is:
     /document/tracking/status
 ```
 
-*Example 1 (which fails the test):*<a id='document-status-draft-eg-1'></a><a id='sec-6-1-17-eg-1'></a><a id='example-66'></a>
+*Example 1 (which fails the test):*<a id='document-status-draft-eg-1'></a><a id='sec-6-1-17-eg-1'></a><a id='example-67'></a>
 
 ```
     "tracking": {
@@ -4595,7 +4671,7 @@ The relevant path for this test is:
     /document/tracking/revision_history[]/number
 ```
 
-*Example 1 (which fails the test):*<a id='released-revision-history-eg-1'></a><a id='sec-6-1-18-eg-1'></a><a id='example-67'></a>
+*Example 1 (which fails the test):*<a id='released-revision-history-eg-1'></a><a id='sec-6-1-18-eg-1'></a><a id='example-68'></a>
 
 ```
     "tracking": {
@@ -4629,7 +4705,7 @@ The relevant path for this test is:
     /document/tracking/revision_history[]/number
 ```
 
-*Example 1 (which fails the test):*<a id='revision-history-entries-for-pre-release-versions-eg-1'></a><a id='sec-6-1-19-eg-1'></a><a id='example-68'></a>
+*Example 1 (which fails the test):*<a id='revision-history-entries-for-pre-release-versions-eg-1'></a><a id='sec-6-1-19-eg-1'></a><a id='example-69'></a>
 
 ```
     "revision_history": [
@@ -4658,7 +4734,7 @@ The relevant path for this test is:
     /document/tracking/version
 ```
 
-*Example 1 (which fails the test):*<a id='non-draft-document-version-eg-1'></a><a id='sec-6-1-20-eg-1'></a><a id='example-69'></a>
+*Example 1 (which fails the test):*<a id='non-draft-document-version-eg-1'></a><a id='sec-6-1-20-eg-1'></a><a id='example-70'></a>
 
 ```
     "tracking": {
@@ -4684,7 +4760,7 @@ The relevant path for this test is:
     /document/tracking/revision_history
 ```
 
-*Example 1 (which fails the test):*<a id='missing-item-in-revision-history-eg-1'></a><a id='sec-6-1-21-eg-1'></a><a id='example-70'></a>
+*Example 1 (which fails the test):*<a id='missing-item-in-revision-history-eg-1'></a><a id='sec-6-1-21-eg-1'></a><a id='example-71'></a>
 
 ```
     "revision_history": [
@@ -4713,7 +4789,7 @@ The relevant path for this test is:
     /document/tracking/revision_history
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-definition-in-revision-history-eg-1'></a><a id='sec-6-1-22-eg-1'></a><a id='example-71'></a>
+*Example 1 (which fails the test):*<a id='multiple-definition-in-revision-history-eg-1'></a><a id='sec-6-1-22-eg-1'></a><a id='example-72'></a>
 
 ```
    "revision_history": [
@@ -4742,7 +4818,7 @@ The relevant path for this test is:
     /vulnerabilities[]/cve
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-use-of-same-cve-eg-1'></a><a id='sec-6-1-23-eg-1'></a><a id='example-72'></a>
+*Example 1 (which fails the test):*<a id='multiple-use-of-same-cve-eg-1'></a><a id='sec-6-1-23-eg-1'></a><a id='example-73'></a>
 
 ```
   "vulnerabilities": [
@@ -4767,7 +4843,7 @@ The relevant path for this test is:
     /vulnerabilities[]/involvements
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-definition-in-involvements-eg-1'></a><a id='sec-6-1-24-eg-1'></a><a id='example-73'></a>
+*Example 1 (which fails the test):*<a id='multiple-definition-in-involvements-eg-1'></a><a id='sec-6-1-24-eg-1'></a><a id='example-74'></a>
 
 ```
   "vulnerabilities": [
@@ -4803,7 +4879,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-use-of-same-hash-algorithm-eg-1'></a><a id='sec-6-1-25-eg-1'></a><a id='example-74'></a>
+*Example 1 (which fails the test):*<a id='multiple-use-of-same-hash-algorithm-eg-1'></a><a id='sec-6-1-25-eg-1'></a><a id='example-75'></a>
 
 ```
   "product_tree": {
@@ -4863,7 +4939,7 @@ The relevant path for this test is:
   /document/category
 ```
 
-*Examples 1 (for currently prohibited values):*<a id='prohibited-document-category-name-eg-1'></a><a id='sec-6-1-26-eg-1'></a><a id='example-75'></a>
+*Examples 1 (for currently prohibited values):*<a id='prohibited-document-category-name-eg-1'></a><a id='sec-6-1-26-eg-1'></a><a id='example-76'></a>
 
 ```
   Csaf_a
@@ -4874,7 +4950,7 @@ The relevant path for this test is:
   V_eX
 ```
 
-*Example 2 (which fails the test):*<a id='prohibited-document-category-name-eg-2'></a><a id='sec-6-1-26-eg-2'></a><a id='example-76'></a>
+*Example 2 (which fails the test):*<a id='prohibited-document-category-name-eg-2'></a><a id='sec-6-1-26-eg-2'></a><a id='example-77'></a>
 
 ```
   "category": "Security_Incident_Response"
@@ -4908,7 +4984,7 @@ The relevant path for this test is:
   /document/notes
 ```
 
-*Example 1 (which fails the test):*<a id='document-notes-eg-1'></a><a id='sec-6-1-27-1-eg-1'></a><a id='example-77'></a>
+*Example 1 (which fails the test):*<a id='document-notes-eg-1'></a><a id='sec-6-1-27-1-eg-1'></a><a id='example-78'></a>
 
 ```
   "notes": [
@@ -4939,7 +5015,7 @@ The relevant path for this test is:
   /document/references
 ```
 
-*Example 1 (which fails the test):*<a id='document-references-eg-1'></a><a id='sec-6-1-27-2-eg-1'></a><a id='example-78'></a>
+*Example 1 (which fails the test):*<a id='document-references-eg-1'></a><a id='sec-6-1-27-2-eg-1'></a><a id='example-79'></a>
 
 ```
   "references": [
@@ -4969,7 +5045,7 @@ The relevant path for this test is:
   /vulnerabilities
 ```
 
-*Example 1 (which fails the test):*<a id='vulnerabilities-for-informational-advisory-eg-1'></a><a id='sec-6-1-27-3-eg-1'></a><a id='example-79'></a>
+*Example 1 (which fails the test):*<a id='vulnerabilities-for-informational-advisory-eg-1'></a><a id='sec-6-1-27-3-eg-1'></a><a id='example-80'></a>
 
 ```
   "vulnerabilities": [
@@ -5000,7 +5076,7 @@ The relevant path for this test is:
   /product_tree
 ```
 
-*Example 1 (which fails the test):*<a id='product-tree-eg-1'></a><a id='sec-6-1-27-4-eg-1'></a><a id='example-80'></a>
+*Example 1 (which fails the test):*<a id='product-tree-eg-1'></a><a id='sec-6-1-27-4-eg-1'></a><a id='example-81'></a>
 
 ```
   {
@@ -5032,7 +5108,7 @@ The relevant path for this test is:
   /vulnerabilities[]/notes
 ```
 
-*Example 1 (which fails the test):*<a id='vulnerability-notes-eg-1'></a><a id='sec-6-1-27-5-eg-1'></a><a id='example-81'></a>
+*Example 1 (which fails the test):*<a id='vulnerability-notes-eg-1'></a><a id='sec-6-1-27-5-eg-1'></a><a id='example-82'></a>
 
 ```
   "vulnerabilities": [
@@ -5060,7 +5136,7 @@ The relevant path for this test is:
   /vulnerabilities[]/product_status
 ```
 
-*Example 1 (which fails the test):*<a id='product-status-eg-1'></a><a id='sec-6-1-27-6-eg-1'></a><a id='example-82'></a>
+*Example 1 (which fails the test):*<a id='product-status-eg-1'></a><a id='sec-6-1-27-6-eg-1'></a><a id='example-83'></a>
 
 ```
   "vulnerabilities": [
@@ -5092,7 +5168,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/product_status/under_investigation
 ```
 
-*Example 1 (which fails the test):*<a id='vex-product-status-eg-1'></a><a id='sec-6-1-27-7-eg-1'></a><a id='example-83'></a>
+*Example 1 (which fails the test):*<a id='vex-product-status-eg-1'></a><a id='sec-6-1-27-7-eg-1'></a><a id='example-84'></a>
 
 ```
   "product_status": {
@@ -5124,7 +5200,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/ids
 ```
 
-*Example 1 (which fails the test):*<a id='vulnerability-id-eg-1'></a><a id='sec-6-1-27-8-eg-1'></a><a id='example-84'></a>
+*Example 1 (which fails the test):*<a id='vulnerability-id-eg-1'></a><a id='sec-6-1-27-8-eg-1'></a><a id='example-85'></a>
 
 ```
   "vulnerabilities": [
@@ -5155,7 +5231,7 @@ The relevant path for this test is:
   /vulnerabilities[]/threats
 ```
 
-*Example 1 (which fails the test):*<a id='impact-statement-eg-1'></a><a id='sec-6-1-27-9-eg-1'></a><a id='example-85'></a>
+*Example 1 (which fails the test):*<a id='impact-statement-eg-1'></a><a id='sec-6-1-27-9-eg-1'></a><a id='example-86'></a>
 
 ```
   "product_tree": {
@@ -5227,7 +5303,7 @@ The relevant path for this test is:
   /vulnerabilities[]/remediations
 ```
 
-*Example 1 (which fails the test):*<a id='action-statement-eg-1'></a><a id='sec-6-1-27-10-eg-1'></a><a id='example-86'></a>
+*Example 1 (which fails the test):*<a id='action-statement-eg-1'></a><a id='sec-6-1-27-10-eg-1'></a><a id='example-87'></a>
 
 ```
   "product_tree": {
@@ -5300,7 +5376,7 @@ The relevant path for this test is:
   /vulnerabilities
 ```
 
-*Example 1 (which fails the test):*<a id='vulnerabilities-for-security-advisory-or-vex-eg-1'></a><a id='sec-6-1-27-11-eg-1'></a><a id='example-87'></a>
+*Example 1 (which fails the test):*<a id='vulnerabilities-for-security-advisory-or-vex-eg-1'></a><a id='sec-6-1-27-11-eg-1'></a><a id='example-88'></a>
 
 ```
   {
@@ -5326,7 +5402,7 @@ The relevant path for this test is:
   /document/source_lang
 ```
 
-*Example 1 (which fails the test):*<a id='translation-eg-1'></a><a id='sec-6-1-28-eg-1'></a><a id='example-88'></a>
+*Example 1 (which fails the test):*<a id='translation-eg-1'></a><a id='sec-6-1-28-eg-1'></a><a id='example-89'></a>
 
 ```
   "document": {
@@ -5354,7 +5430,7 @@ The relevant path for this test is:
   /vulnerabilities[]/remediations[]
 ```
 
-*Example 1 (which fails the test):*<a id='remediation-without-product-reference-eg-1'></a><a id='sec-6-1-29-eg-1'></a><a id='example-89'></a>
+*Example 1 (which fails the test):*<a id='remediation-without-product-reference-eg-1'></a><a id='sec-6-1-29-eg-1'></a><a id='example-90'></a>
 
 ```
       "remediations": [
@@ -5381,7 +5457,7 @@ The relevant paths for this test are:
   /document/tracking/version
 ```
 
-*Example 1 (which fails the test):*<a id='mixed-integer-and-semantic-versioning-eg-1'></a><a id='sec-6-1-30-eg-1'></a><a id='example-90'></a>
+*Example 1 (which fails the test):*<a id='mixed-integer-and-semantic-versioning-eg-1'></a><a id='sec-6-1-30-eg-1'></a><a id='example-91'></a>
 
 ```
     "tracking": {
@@ -5436,7 +5512,7 @@ The relevant paths for this test are:
   /product_tree/branches[](/branches[])*/name
 ```
 
-*Example 1 (which fails the test):*<a id='version-range-in-product-version-eg-1'></a><a id='sec-6-1-31-eg-1'></a><a id='example-91'></a>
+*Example 1 (which fails the test):*<a id='version-range-in-product-version-eg-1'></a><a id='sec-6-1-31-eg-1'></a><a id='example-92'></a>
 
 ```
             "branches": [
@@ -5460,7 +5536,7 @@ The relevant path for this test is:
   /vulnerabilities[]/flags[]
 ```
 
-*Example 1 (which fails the test):*<a id='flag-without-product-reference-eg-1'></a><a id='sec-6-1-32-eg-1'></a><a id='example-92'></a>
+*Example 1 (which fails the test):*<a id='flag-without-product-reference-eg-1'></a><a id='sec-6-1-32-eg-1'></a><a id='example-93'></a>
 
 ```
       "flags": [
@@ -5487,7 +5563,7 @@ The relevant path for this test is:
   /vulnerabilities[]/flags
 ```
 
-*Example 1 (which fails the test):*<a id='multiple-flags-with-vex-justification-codes-per-product-eg-1'></a><a id='sec-6-1-33-eg-1'></a><a id='example-93'></a>
+*Example 1 (which fails the test):*<a id='multiple-flags-with-vex-justification-codes-per-product-eg-1'></a><a id='sec-6-1-33-eg-1'></a><a id='example-94'></a>
 
 ```
   "product_tree": {
@@ -5541,6 +5617,287 @@ The relevant path for this test is:
 
 > There are two flags given for `CSAFPID-9080700` - one indirect through `CSAFGID-0001` and one direct.
 
+### 6.1.34 Branches Recursion Depth <a id='mandatory-tests--branches-recursion-depth'></a>
+
+For each product defined under `/product_tree/branches[]` it MUST be tested that the complete JSON path
+does not contain more than 30 instances of `branches`.
+
+The relevant path for this test is:
+
+```
+  /product_tree/branches[](/branches[])*/product
+```
+
+*Example 1 (which fails the test):*<a id='mandatory-tests--branches-recursion-depth-eg-1'></a><a id='sec-6-1-34-eg-1'></a><a id='example-95'></a>
+
+```
+  "product_tree": {
+    "branches": [
+      {
+        "branches": [
+          {
+            "branches": [
+              {
+                "branches": [
+                  {
+                    "branches": [
+                      {
+                        "branches": [
+                          {
+                            "branches": [
+                              {
+                                "branches": [
+                                  {
+                                    "branches": [
+                                      {
+                                        "branches": [
+                                          {
+                                            "branches": [
+                                              {
+                                                "branches": [
+                                                  {
+                                                    "branches": [
+                                                      {
+                                                        "branches": [
+                                                          {
+                                                            "branches": [
+                                                              {
+                                                                "branches": [
+                                                                  {
+                                                                    "branches": [
+                                                                      {
+                                                                        "branches": [
+                                                                          {
+                                                                            "branches": [
+                                                                              {
+                                                                                "branches": [
+                                                                                  {
+                                                                                    "branches": [
+                                                                                      {
+                                                                                        "branches": [
+                                                                                          {
+                                                                                            "branches": [
+                                                                                              {
+                                                                                                "branches": [
+                                                                                                  {
+                                                                                                    "branches": [
+                                                                                                      {
+                                                                                                        "branches": [
+                                                                                                          {
+                                                                                                            "branches": [
+                                                                                                              {
+                                                                                                                "branches": [
+                                                                                                                  {
+                                                                                                                    "branches": [
+                                                                                                                      {
+                                                                                                                        "branches": [
+                                                                                                                          {
+                                                                                                                            "branches": [
+                                                                                                                              {
+                                                                                                                                "category": "product_name",
+                                                                                                                                "name": "branches",
+                                                                                                                                "product": {
+                                                                                                                                  "name": "<<generate Product name>>",
+                                                                                                                                  "product_id": "CSAFPID-9080700"
+                                                                                                                                }
+                                                                                                                              }
+                                                                                                                            ],
+                                                                                                                            "category": "product_family",
+                                                                                                                            "name": "31"
+                                                                                                                          }
+                                                                                                                        ],
+                                                                                                                        "category": "product_family",
+                                                                                                                        "name": "with"
+                                                                                                                      }
+                                                                                                                    ],
+                                                                                                                    "category": "product_family",
+                                                                                                                    "name": "test"
+                                                                                                                  }
+                                                                                                                ],
+                                                                                                                "category": "product_family",
+                                                                                                                "name": "the"
+                                                                                                              }
+                                                                                                            ],
+                                                                                                            "category": "product_family",
+                                                                                                            "name": "fail"
+                                                                                                          }
+                                                                                                        ],
+                                                                                                        "category": "product_family",
+                                                                                                        "name": "and"
+                                                                                                      }
+                                                                                                    ],
+                                                                                                    "category": "product_family",
+                                                                                                    "name": "limits"
+                                                                                                  }
+                                                                                                ],
+                                                                                                "category": "product_family",
+                                                                                                "name": "the"
+                                                                                              }
+                                                                                            ],
+                                                                                            "category": "product_family",
+                                                                                            "name": "testing"
+                                                                                          }
+                                                                                        ],
+                                                                                        "category": "product_family",
+                                                                                        "name": "are"
+                                                                                      }
+                                                                                    ],
+                                                                                    "category": "product_family",
+                                                                                    "name": "they"
+                                                                                  }
+                                                                                ],
+                                                                                "category": "product_family",
+                                                                                "name": "but"
+                                                                              }
+                                                                            ],
+                                                                            "category": "product_family",
+                                                                            "name": "unrealistic"
+                                                                          }
+                                                                        ],
+                                                                        "category": "product_family",
+                                                                        "name": "less"
+                                                                      }
+                                                                    ],
+                                                                    "category": "product_family",
+                                                                    "name": "or"
+                                                                  }
+                                                                ],
+                                                                "category": "product_family",
+                                                                "name": "more"
+                                                              }
+                                                            ],
+                                                            "category": "product_family",
+                                                            "name": "and"
+                                                          }
+                                                        ],
+                                                        "category": "product_family",
+                                                        "name": "unnecessary"
+                                                      }
+                                                    ],
+                                                    "category": "product_family",
+                                                    "name": "seem"
+                                                  }
+                                                ],
+                                                "category": "product_family",
+                                                "name": "which"
+                                              }
+                                            ],
+                                            "category": "product_family",
+                                            "name": "product"
+                                          }
+                                        ],
+                                        "category": "product_family",
+                                        "name": "hypothetical"
+                                      }
+                                    ],
+                                    "category": "product_family",
+                                    "name": "this"
+                                  }
+                                ],
+                                "category": "product_family",
+                                "name": "for"
+                              }
+                            ],
+                            "category": "product_family",
+                            "name": "structure"
+                          }
+                        ],
+                        "category": "product_family",
+                        "name": "nested"
+                      }
+                    ],
+                    "category": "product_family",
+                    "name": "deeply"
+                  }
+                ],
+                "category": "product_family",
+                "name": "a"
+              }
+            ],
+            "category": "product_family",
+            "name": "uses"
+          }
+        ],
+        "category": "vendor",
+        "name": "Example Company"
+      }
+    ]
+  }
+```
+
+> The complete JSON path contains 31 times `branches`.
+
+### 6.1.35 Contradicting Remediations <a id='contradicting-remediations'></a>
+
+For each item in `/vulnerabilities[]/remediations` it MUST be tested that a product is not member of contradicting remediation categories.
+This takes indirect relations through product groups into account.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/remediations[]
+```
+
+*Example 1 (which fails the test):*<a id='contradicting-remediations-eg-1'></a><a id='sec-6-1-35-eg-1'></a><a id='example-96'></a>
+
+```
+      "remediations": [
+        {
+          "category": "no_fix_planned",
+          "details": "The product is end-of-life. Therefore, no fix will be provided.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        },
+        {
+          "category": "vendor_fix",
+          "details": "Update to version >=14.3 to fix the vulnerability.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        }
+      ]
+```
+
+> The two remediations given for the product with product ID `CSAFPID-908070` contradict each other.
+
+> A tool MAY apply the conversion rules from the conformance target CSAF 2.0 to CSAF 2.1 converter if applicable or
+> remove the product from the remediation with the lower priority.
+> The priority MAY be defined as follows:
+> `vendor_fix` > `mitigation` > `workaround` > `fix_planned` > `no_fix_planned` > `optional_patch` > `none_available`
+
+### 6.1.36 Contradicting Product Status Remediation Combination <a id='contradicting-product-status-remediation-combination'></a>
+
+For each item in `/vulnerabilities[]/remediations` it MUST be tested that a product is not member of a contradicting product status group.
+This takes indirect relations through product groups into account.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/remediations[]
+```
+
+*Example 1 (which fails the test):*<a id='contradicting-product-status-remediation-combination-eg-1'></a><a id='sec-6-1-36-eg-1'></a><a id='example-97'></a>
+
+```
+      "product_status": {
+        "known_not_affected": [
+          "CSAFPID-9080700"
+        ]
+      },
+      "remediations": [
+        {
+          "category": "vendor_fix",
+          "details": "Update to version >=14.3 to fix the vulnerability.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        }
+      ]
+```
+
+> For the product with product ID `CSAFPID-908070` a `vendor_fix` is given but the product was not affected at all.
+
 ## 6.2 Optional Tests <a id='optional-tests'></a>
 
 Optional tests SHOULD NOT fail at a valid CSAF document without a good reason. Failing such a test does not make the CSAF document invalid.
@@ -5562,7 +5919,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name/product_id
 ```
 
-*Example 1 (which fails the test):*<a id='unused-definition-of-product-id-eg-1'></a><a id='sec-6-2-1-eg-1'></a><a id='example-94'></a>
+*Example 1 (which fails the test):*<a id='unused-definition-of-product-id-eg-1'></a><a id='sec-6-2-1-eg-1'></a><a id='example-98'></a>
 
 ```
   "product_tree": {
@@ -5595,7 +5952,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/product_status/under_investigation[]
 ```
 
-*Example 1 (which fails the test):*<a id='missing-remediation-eg-1'></a><a id='sec-6-2-2-eg-1'></a><a id='example-95'></a>
+*Example 1 (which fails the test):*<a id='missing-remediation-eg-1'></a><a id='sec-6-2-2-eg-1'></a><a id='example-99'></a>
 
 ```
   "product_tree": {
@@ -5632,7 +5989,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/product_status/last_affected[]
 ```
 
-*Example 1 (which fails the test):*<a id='missing-metric-eg-1'></a><a id='sec-6-2-3-eg-1'></a><a id='example-96'></a>
+*Example 1 (which fails the test):*<a id='missing-metric-eg-1'></a><a id='sec-6-2-3-eg-1'></a><a id='example-100'></a>
 
 ```
   "product_tree": {
@@ -5666,7 +6023,7 @@ The relevant path for this test is:
     /document/tracking/revision_history[]/number
 ```
 
-*Example 1 (which fails the test):*<a id='build-metadata-in-revision-history-eg-1'></a><a id='sec-6-2-4-eg-1'></a><a id='example-97'></a>
+*Example 1 (which fails the test):*<a id='build-metadata-in-revision-history-eg-1'></a><a id='sec-6-2-4-eg-1'></a><a id='example-101'></a>
 
 ```
     "revision_history": [
@@ -5691,7 +6048,7 @@ The relevant path for this test is:
     /document/tracking/initial_release_date
 ```
 
-*Example 1 (which fails the test):*<a id='older-initial-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-5-eg-1'></a><a id='example-98'></a>
+*Example 1 (which fails the test):*<a id='older-initial-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-5-eg-1'></a><a id='example-102'></a>
 
 ```
     "tracking": {
@@ -5727,7 +6084,7 @@ The relevant path for this test is:
     /document/tracking/current_release_date
 ```
 
-*Example 1 (which fails the test):*<a id='older-current-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-6-eg-1'></a><a id='example-99'></a>
+*Example 1 (which fails the test):*<a id='older-current-release-date-than-revision-history-eg-1'></a><a id='sec-6-2-6-eg-1'></a><a id='example-103'></a>
 
 ```
     "tracking": {
@@ -5762,7 +6119,7 @@ The relevant path for this test is:
     /vulnerabilities[]/involvements
 ```
 
-*Example 1 (which fails the test):*<a id='missing-date-in-involvements-eg-1'></a><a id='sec-6-2-7-eg-1'></a><a id='example-100'></a>
+*Example 1 (which fails the test):*<a id='missing-date-in-involvements-eg-1'></a><a id='sec-6-2-7-eg-1'></a><a id='example-104'></a>
 
 ```
   "vulnerabilities": [
@@ -5794,7 +6151,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-md5-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-8-eg-1'></a><a id='example-101'></a>
+*Example 1 (which fails the test):*<a id='use-of-md5-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-8-eg-1'></a><a id='example-105'></a>
 
 ```
   "product_tree": {
@@ -5837,7 +6194,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-sha-1-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-9-eg-1'></a><a id='example-102'></a>
+*Example 1 (which fails the test):*<a id='use-of-sha-1-as-the-only-hash-algorithm-eg-1'></a><a id='sec-6-2-9-eg-1'></a><a id='example-106'></a>
 
 ```
   "product_tree": {
@@ -5865,27 +6222,10 @@ The relevant paths for this test are:
 
 > The hash algorithm `sha1` is used in one item of hashes without being accompanied by a second hash algorithm.
 
-### 6.2.10 Missing TLP label (deprecated) <a id='missing-tlp-label'></a>
-
-It MUST be tested that `/document/distribution/tlp/label` is present and valid.
+### 6.2.10 Missing TLP label (obsolete) <a id='missing-tlp-label'></a>
 
-> TLP labels support the machine-readability and automated distribution.
-
-The relevant path for this test is:
-
-```
-  /document/distribution/tlp/label
-```
-
-*Example 1 (which fails the test):*<a id='missing-tlp-label-eg-1'></a><a id='sec-6-2-10-eg-1'></a><a id='example-103'></a>
-
-```
-    "distribution": {
-      "text": "Distribute freely."
-    }
-```
-
-> The CSAF document has no TLP label.
+> The TLP label is now required by the schema. Therefore, the optional test is obsolete.
+> This section is kept to document that change and keep the numbering of the remaining sections stable.
 
 ### 6.2.11 Missing Canonical URL <a id='missing-canonical-url'></a>
 
@@ -5903,7 +6243,7 @@ The relevant path for this test is:
   /document/references
 ```
 
-*Example 1 (which fails the test):*<a id='missing-canonical-url-eg-1'></a><a id='sec-6-2-11-eg-1'></a><a id='example-104'></a>
+*Example 1 (which fails the test):*<a id='missing-canonical-url-eg-1'></a><a id='sec-6-2-11-eg-1'></a><a id='example-108'></a>
 
 ```
   "document": {
@@ -5938,7 +6278,7 @@ The relevant path for this test is:
   /document/lang
 ```
 
-*Example 1 (which fails the test):*<a id='missing-document-language-eg-1'></a><a id='sec-6-2-12-eg-1'></a><a id='example-105'></a>
+*Example 1 (which fails the test):*<a id='missing-document-language-eg-1'></a><a id='sec-6-2-12-eg-1'></a><a id='example-109'></a>
 
 ```
   "document": {
@@ -5968,7 +6308,7 @@ The relevant path for this test is:
   /
 ```
 
-*Example 1 (which fails the test):*<a id='optional-tests--sorting-eg-1'></a><a id='sec-6-2-13-eg-1'></a><a id='example-106'></a>
+*Example 1 (which fails the test):*<a id='optional-tests--sorting-eg-1'></a><a id='sec-6-2-13-eg-1'></a><a id='example-110'></a>
 
 ```
   "document": {
@@ -5993,7 +6333,7 @@ The relevant paths for this test are:
   /document/source_lang
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-private-language-eg-1'></a><a id='sec-6-2-14-eg-1'></a><a id='example-107'></a>
+*Example 1 (which fails the test):*<a id='use-of-private-language-eg-1'></a><a id='sec-6-2-14-eg-1'></a><a id='example-111'></a>
 
 ```
   "lang": "qtx"
@@ -6014,7 +6354,7 @@ The relevant paths for this test are:
   /document/source_lang
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-default-language-eg-1'></a><a id='sec-6-2-15-eg-1'></a><a id='example-108'></a>
+*Example 1 (which fails the test):*<a id='use-of-default-language-eg-1'></a><a id='sec-6-2-15-eg-1'></a><a id='example-112'></a>
 
 ```
   "lang": "i-default"
@@ -6036,7 +6376,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name
 ```
 
-*Example 1 (which fails the test):*<a id='missing-product-identification-helper-eg-1'></a><a id='sec-6-2-16-eg-1'></a><a id='example-109'></a>
+*Example 1 (which fails the test):*<a id='missing-product-identification-helper-eg-1'></a><a id='sec-6-2-16-eg-1'></a><a id='example-113'></a>
 
 ```
     "full_product_names": [
@@ -6061,7 +6401,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/ids[]
 ```
 
-*Example 1 (which fails the test):*<a id='cve-in-field-ids-eg-1'></a><a id='sec-6-2-17-eg-1'></a><a id='example-110'></a>
+*Example 1 (which fails the test):*<a id='cve-in-field-ids-eg-1'></a><a id='sec-6-2-17-eg-1'></a><a id='example-114'></a>
 
 ```
       "ids": [
@@ -6094,7 +6434,7 @@ The relevant paths for this test are:
   /product_tree/branches[](/branches[])*/name
 ```
 
-*Example 1 (which fails the test):*<a id='product-version-range-without-vers-eg-1'></a><a id='sec-6-2-18-eg-1'></a><a id='example-111'></a>
+*Example 1 (which fails the test):*<a id='product-version-range-without-vers-eg-1'></a><a id='sec-6-2-18-eg-1'></a><a id='example-115'></a>
 
 ```
             "branches": [
@@ -6122,7 +6462,7 @@ The relevant path for this test is:
   /vulnerabilities[]/product_status/fixed[]
 ```
 
-*Example 1 (which fails the test):*<a id='cvss-for-fixed-products-eg-1'></a><a id='sec-6-2-19-eg-1'></a><a id='example-112'></a>
+*Example 1 (which fails the test):*<a id='cvss-for-fixed-products-eg-1'></a><a id='sec-6-2-19-eg-1'></a><a id='example-116'></a>
 
 ```
   "product_tree": {
@@ -6178,7 +6518,7 @@ The relevant path for this test is:
 > To implement this test it is deemed sufficient to validate the CSAF document against a "strict" version schema that
 > sets `additionalProperties` to `false` for every key of type `object`.
 
-*Example 1 (which fails the test):*<a id='additional-properties-eg-1'></a><a id='sec-6-2-20-eg-1'></a><a id='example-113'></a>
+*Example 1 (which fails the test):*<a id='additional-properties-eg-1'></a><a id='sec-6-2-20-eg-1'></a><a id='example-117'></a>
 
 ```
   "document": {
@@ -6204,7 +6544,7 @@ The relevant path for this test is:
   /document/tracking/revision_history[]/date
 ```
 
-*Example 1 (which fails the test):*<a id='same-timestamps-in-revision-history-eg-1'></a><a id='sec-6-2-21-eg-1'></a><a id='example-114'></a>
+*Example 1 (which fails the test):*<a id='same-timestamps-in-revision-history-eg-1'></a><a id='sec-6-2-21-eg-1'></a><a id='example-118'></a>
 
 ```
   "revision_history": [
@@ -6233,7 +6573,7 @@ The relevant path for this test is:
   /document/title
 ```
 
-*Example 1 (which fails the test):*<a id='document-tracking-id-in-title-eg-1'></a><a id='sec-6-2-22-eg-1'></a><a id='example-115'></a>
+*Example 1 (which fails the test):*<a id='document-tracking-id-in-title-eg-1'></a><a id='sec-6-2-22-eg-1'></a><a id='example-119'></a>
 
 ```
     "title": "OASIS_CSAF_TC-CSAF_2.1-2024-6-2-22-01: Optional test: Document Tracking ID in Title (failing example 1)",
@@ -6259,7 +6599,7 @@ The relevant path for this test is:
   /vulnerabilities[]/cwes[]
 ```
 
-*Example 1 (which fails the test):*<a id='usage-of-deprecated-cwe-eg-1'></a><a id='sec-6-2-23-eg-1'></a><a id='example-116'></a>
+*Example 1 (which fails the test):*<a id='usage-of-deprecated-cwe-eg-1'></a><a id='sec-6-2-23-eg-1'></a><a id='example-120'></a>
 
 ```
      "cwes": [
@@ -6286,7 +6626,7 @@ The relevant path for this test is:
   /vulnerabilities[]/cwes[]
 ```
 
-*Example 1 (which fails the test):*<a id='usage-of-non-latest-cwe-version-eg-1'></a><a id='sec-6-2-24-eg-1'></a><a id='example-117'></a>
+*Example 1 (which fails the test):*<a id='usage-of-non-latest-cwe-version-eg-1'></a><a id='sec-6-2-24-eg-1'></a><a id='example-121'></a>
 
 ```
   "document": {
@@ -6326,7 +6666,7 @@ The relevant path for this test is:
   /vulnerabilities[]/cwes[]
 ```
 
-*Example 1 (which fails the test):*<a id='usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-25-eg-1'></a><a id='example-118'></a>
+*Example 1 (which fails the test):*<a id='usage-of-cwe-not-allowed-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-25-eg-1'></a><a id='example-122'></a>
 
 ```
       "cwes": [
@@ -6353,7 +6693,7 @@ The relevant path for this test is:
   /vulnerabilities[]/cwes[]
 ```
 
-*Example 1 (which fails the test):*<a id='usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-26-eg-1'></a><a id='example-119'></a>
+*Example 1 (which fails the test):*<a id='usage-of-cwe-allowed-with-review-for-vulnerability-mapping-eg-1'></a><a id='sec-6-2-26-eg-1'></a><a id='example-123'></a>
 
 ```
       "cwes": [
@@ -6367,6 +6707,39 @@ The relevant path for this test is:
 
 > The usage of CWE-1023 is allowed with review as the "CWE entry is a Class and might have Base-level children that would be more appropriate". [cite](https://cwe.mitre.org/data/definitions/1023.html#Vulnerability_Mapping_Notes_1023)
 
+### 6.2.27 Discouraged Product Status Remediation Combination <a id='discouraged-product-status-remediation-combination'></a>
+
+For each item in `/vulnerabilities[]/remediations` it MUST be tested that a Product is not member of a discouraged product status group
+remediation category combination.
+This takes indirect relations through Product Groups into account.
+
+The relevant path for this test is:
+
+```
+  /vulnerabilities[]/remediations[]
+```
+
+*Example 1 (which fails the test):*<a id='discouraged-product-status-remediation-combination-eg-1'></a><a id='sec-6-2-27-eg-1'></a><a id='example-124'></a>
+
+```
+      "product_status": {
+        "known_not_affected": [
+          "CSAFPID-9080700"
+        ]
+      },
+      "remediations": [
+        {
+          "category": "fix_planned",
+          "details": "The fix should be available in Q4 2024.",
+          "product_ids": [
+            "CSAFPID-9080700"
+          ]
+        }
+      ]
+```
+
+> For the product with product ID `CSAFPID-908070` a fix is planned but the product was not affected at all.
+
 ## 6.3 Informative Test <a id='informative-test'></a>
 
 Informative tests provide insights in common mistakes and bad practices.
@@ -6389,7 +6762,7 @@ The relevant path for this test is:
     /vulnerabilities[]/metrics
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-cvss-v2-as-the-only-scoring-system-eg-1'></a><a id='sec-6-3-1-eg-1'></a><a id='example-120'></a>
+*Example 1 (which fails the test):*<a id='use-of-cvss-v2-as-the-only-scoring-system-eg-1'></a><a id='sec-6-3-1-eg-1'></a><a id='example-125'></a>
 
 ```
   "product_tree": {
@@ -6437,7 +6810,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/metrics[]/content/cvss_v3/vectorString
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-cvss-v3-0-eg-1'></a><a id='sec-6-3-2-eg-1'></a><a id='example-121'></a>
+*Example 1 (which fails the test):*<a id='use-of-cvss-v3-0-eg-1'></a><a id='sec-6-3-2-eg-1'></a><a id='example-126'></a>
 
 ```
   "cvss_v3": {
@@ -6469,7 +6842,7 @@ The relevant path for this test is:
   /vulnerabilities[]/cve
 ```
 
-*Example 1 (which fails the test):*<a id='missing-cve-eg-1'></a><a id='sec-6-3-3-eg-1'></a><a id='example-122'></a>
+*Example 1 (which fails the test):*<a id='missing-cve-eg-1'></a><a id='sec-6-3-3-eg-1'></a><a id='example-127'></a>
 
 ```
   "vulnerabilities": [
@@ -6497,7 +6870,7 @@ The relevant path for this test is:
   /vulnerabilities[]/cwe
 ```
 
-*Example 1 (which fails the test):*<a id='missing-cwe-eg-1'></a><a id='sec-6-3-4-eg-1'></a><a id='example-123'></a>
+*Example 1 (which fails the test):*<a id='missing-cwe-eg-1'></a><a id='sec-6-3-4-eg-1'></a><a id='example-128'></a>
 
 ```
   "vulnerabilities": [
@@ -6522,7 +6895,7 @@ The relevant paths for this test are:
   /product_tree/relationships[]/full_product_name/product_identification_helper/hashes[]/file_hashes[]/value
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-short-hash-eg-1'></a><a id='sec-6-3-5-eg-1'></a><a id='example-124'></a>
+*Example 1 (which fails the test):*<a id='use-of-short-hash-eg-1'></a><a id='sec-6-3-5-eg-1'></a><a id='example-129'></a>
 
 ```
   "product_tree": {
@@ -6583,7 +6956,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/remediations[]/url
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-non-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-6-eg-1'></a><a id='example-125'></a>
+*Example 1 (which fails the test):*<a id='use-of-non-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-6-eg-1'></a><a id='example-130'></a>
 
 ```
     "references": [
@@ -6612,7 +6985,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/references[]/url
 ```
 
-*Example 1 (which fails the test):*<a id='use-of-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-7-eg-1'></a><a id='example-126'></a>
+*Example 1 (which fails the test):*<a id='use-of-self-referencing-urls-failing-to-resolve-eg-1'></a><a id='sec-6-3-7-eg-1'></a><a id='example-131'></a>
 
 ```
     "references": [
@@ -6673,7 +7046,7 @@ The relevant paths for this test are:
   /vulnerabilities[]/title
 ```
 
-*Example 1 (which fails the test):*<a id='spell-check-eg-1'></a><a id='sec-6-3-8-eg-1'></a><a id='example-127'></a>
+*Example 1 (which fails the test):*<a id='spell-check-eg-1'></a><a id='sec-6-3-8-eg-1'></a><a id='example-132'></a>
 
 ```
   "document": {
@@ -6705,7 +7078,7 @@ The relevant paths for this test are:
   /product_tree/branches
 ```
 
-*Example 1 (which fails the test):*<a id='branch-categories-eg-1'></a><a id='sec-6-3-9-eg-1'></a><a id='example-128'></a>
+*Example 1 (which fails the test):*<a id='branch-categories-eg-1'></a><a id='sec-6-3-9-eg-1'></a><a id='example-133'></a>
 
 ```
     "branches": [
@@ -6747,7 +7120,7 @@ The relevant paths for this test are:
   /product_tree/branches[](/branches[])*/category
 ```
 
-*Example 1 (which fails the test):*<a id='usage-of-product-version-range-eg-1'></a><a id='sec-6-3-10-eg-1'></a><a id='example-129'></a>
+*Example 1 (which fails the test):*<a id='usage-of-product-version-range-eg-1'></a><a id='sec-6-3-10-eg-1'></a><a id='example-134'></a>
 
 ```
                 "category": "product_version_range",
@@ -6772,7 +7145,7 @@ The relevant paths for this test are:
   /product_tree/branches[](/branches[])*/name
 ```
 
-*Example 1 (which fails the test):*<a id='usage-of-v-as-version-indicator-eg-1'></a><a id='sec-6-3-11-eg-1'></a><a id='example-130'></a>
+*Example 1 (which fails the test):*<a id='usage-of-v-as-version-indicator-eg-1'></a><a id='sec-6-3-11-eg-1'></a><a id='example-135'></a>
 
 ```
             "branches": [
@@ -6796,7 +7169,7 @@ The relevant path for this test is:
     /vulnerabilities[]/metrics[]/content
 ```
 
-*Example 1 (which fails the test):*<a id='missing-cvss-v4-0-eg-1'></a><a id='sec-6-3-12-eg-1'></a><a id='example-131'></a>
+*Example 1 (which fails the test):*<a id='missing-cvss-v4-0-eg-1'></a><a id='sec-6-3-12-eg-1'></a><a id='example-136'></a>
 
 ```
   "product_tree": {
@@ -6884,6 +7257,8 @@ Redirects SHOULD NOT be used. If they are inevitable only HTTP Header redirects
 
 > Reasoning: Clients should not parse the payload for navigation and some, as e.g. `curl`, do not follow any other kind of redirects.
 
+If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects.
+
 ### 7.1.7 Requirement 7: provider-metadata.json <a id='requirement-7-provider-metadata-json'></a>
 
 The party MUST provide a valid `provider-metadata.json` according to the schema
@@ -6904,7 +7279,7 @@ CSAF aggregator SHOULD display over any individual `publisher` values in the CSA
 > * https://psirt.domain.tld/advisories/csaf/provider-metadata.json
 > * https://domain.tld/security/csaf/provider-metadata.json
 
-*Example 1 (minimal with ROLIE document):*<a id='requirement-7-provider-metadata-json-eg-1'></a><a id='sec-7-1-7-eg-1'></a><a id='example-132'></a>
+*Example 1 (minimal with ROLIE document):*<a id='requirement-7-provider-metadata-json-eg-1'></a><a id='sec-7-1-7-eg-1'></a><a id='example-137'></a>
 
 ```
   {
@@ -6962,10 +7337,10 @@ In the security.txt there MUST be at least one field `CSAF` which points to the
 If this field indicates a web URI, then it MUST begin with "https://" (as per section 2.7.2 of \[[RFC7230](#RFC7230)\]).
 See \[[SECURITY-TXT](#SECURITY-TXT)\] for more details.
 
-> The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022. At the time of this writing,
-> the `CSAF` field is in the process of being officially added.
+> The security.txt was published as \[[RFC9116](#RFC9116)\] in April 2022.
+> The `CSAF` field was officially added through the IANA registry.
 
-*Examples 1:*<a id='requirement-8-security-txt-eg-1'></a><a id='sec-7-1-8-eg-1'></a><a id='example-133'></a>
+*Examples 1:*<a id='requirement-8-security-txt-eg-1'></a><a id='sec-7-1-8-eg-1'></a><a id='example-138'></a>
 
 ```
 CSAF: https://domain.tld/security/data/csaf/provider-metadata.json
@@ -6982,10 +7357,10 @@ If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF e
 ### 7.1.9 Requirement 9: Well-known URL for provider-metadata.json <a id='requirement-9-well-known-url-for-provider-metadata-json'></a>
 
 The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the issuing authority serves directly
-the `provider-metadata.json` according to requirement 7.
+the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used.
 The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more details.
 
-*Example 1:*<a id='requirement-9-well-known-url-for-provider-metadata-json-eg-1'></a><a id='sec-7-1-9-eg-1'></a><a id='example-134'></a>
+*Example 1:*<a id='requirement-9-well-known-url-for-provider-metadata-json-eg-1'></a><a id='sec-7-1-9-eg-1'></a><a id='example-139'></a>
 
 ```
   https://www.example.com/.well-known/csaf/provider-metadata.json
@@ -6994,7 +7369,7 @@ The use of the scheme "HTTPS" is required. See \[[RFC8615](#RFC8615)\] for more
 ### 7.1.10 Requirement 10: DNS path <a id='requirement-10-dns-path'></a>
 
 The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly
-the `provider-metadata.json` according to requirement 7.
+the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used.
 The use of the scheme "HTTPS" is required.
 
 ### 7.1.11 Requirement 11: One folder per year <a id='requirement-11-one-folder-per-year'></a>
@@ -7002,7 +7377,7 @@ The use of the scheme "HTTPS" is required.
 The CSAF documents MUST be located within folders named `<YYYY>` where `<YYYY>` is the year given in the
 value of `/document/tracking/initial_release_date`.
 
-*Examples 1:*<a id='requirement-11-one-folder-per-year-eg-1'></a><a id='sec-7-1-11-eg-1'></a><a id='example-135'></a>
+*Examples 1:*<a id='requirement-11-one-folder-per-year-eg-1'></a><a id='sec-7-1-11-eg-1'></a><a id='example-140'></a>
 
 ```
 2024
@@ -7013,7 +7388,7 @@ value of `/document/tracking/initial_release_date`.
 
 The index.txt file within MUST provide a list of all filenames of CSAF documents which are located in the sub-directories with their filenames.
 
-*Example 1:*<a id='requirement-12-index-txt-eg-1'></a><a id='sec-7-1-12-eg-1'></a><a id='example-136'></a>
+*Example 1:*<a id='requirement-12-index-txt-eg-1'></a><a id='sec-7-1-12-eg-1'></a><a id='example-141'></a>
 
 ```
 2023/esa-2023-09953.json
@@ -7029,7 +7404,7 @@ The index.txt file within MUST provide a list of all filenames of CSAF documents
 The file changes.csv MUST contain the filename as well as the value of `/document/tracking/current_release_date` for each
 CSAF document in the sub-directories without a heading; lines MUST be sorted by the `current_release_date` timestamp with the latest one first.
 
-*Example 1:*<a id='requirement-13-changes-csv-eg-1'></a><a id='sec-7-1-13-eg-1'></a><a id='example-137'></a>
+*Example 1:*<a id='requirement-13-changes-csv-eg-1'></a><a id='sec-7-1-13-eg-1'></a><a id='example-142'></a>
 
 ```
 "2023/esa-2023-09953.json","2023-07-01T10:09:07Z"
@@ -7056,7 +7431,7 @@ At least one of the feeds
 MUST exist.
 Each ROLIE feed document MUST be a JSON file that conforms with \[[RFC8322](#RFC8322)\].
 
-*Example 1:*<a id='requirement-15-rolie-feed-eg-1'></a><a id='sec-7-1-15-eg-1'></a><a id='example-138'></a>
+*Example 1:*<a id='requirement-15-rolie-feed-eg-1'></a><a id='sec-7-1-15-eg-1'></a><a id='example-143'></a>
 
 ```
   {
@@ -7125,7 +7500,7 @@ If it is used, each ROLIE service document MUST be a JSON file that conforms wit
 Additionally, it can also list the corresponding ROLIE category documents.
 The ROLIE service document SHOULD use the filename `service.json` and reside next to the `provider-metadata.json`.
 
-*Example 1:*<a id='requirement-16-rolie-service-document-eg-1'></a><a id='sec-7-1-16-eg-1'></a><a id='example-139'></a>
+*Example 1:*<a id='requirement-16-rolie-service-document-eg-1'></a><a id='sec-7-1-16-eg-1'></a><a id='example-144'></a>
 
 ```
   {
@@ -7169,7 +7544,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or
   * `product_version`
 * type of product
 
-  *Examples 1:*<a id='requirement-17-rolie-category-document-eg-1'></a><a id='sec-7-1-17-eg-1'></a><a id='example-140'></a>
+  *Examples 1:*<a id='requirement-17-rolie-category-document-eg-1'></a><a id='sec-7-1-17-eg-1'></a><a id='example-145'></a>
 
   ```
     CPU
@@ -7184,7 +7559,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or
 
 * areas or sectors, the products are used in
 
-  *Examples 2:*<a id='requirement-17-rolie-category-document-eg-2'></a><a id='sec-7-1-17-eg-2'></a><a id='example-141'></a>
+  *Examples 2:*<a id='requirement-17-rolie-category-document-eg-2'></a><a id='sec-7-1-17-eg-2'></a><a id='example-146'></a>
 
   ```
     Chemical
@@ -7199,7 +7574,7 @@ ROLIE categories SHOULD be used for to further dissect CSAF documents by one or
 
 * any other categorization useful to the consumers
 
-*Example 3:*<a id='requirement-17-rolie-category-document-eg-3'></a><a id='sec-7-1-17-eg-3'></a><a id='example-142'></a>
+*Example 3:*<a id='requirement-17-rolie-category-document-eg-3'></a><a id='sec-7-1-17-eg-3'></a><a id='example-147'></a>
 
 ```
   {
@@ -7223,7 +7598,7 @@ to ensure their integrity. The filename is constructed by appending the file ext
 
 MD5 and SHA1 SHOULD NOT be used.
 
-*Example 1:*<a id='requirement-18-integrity-eg-1'></a><a id='sec-7-1-18-eg-1'></a><a id='example-143'></a>
+*Example 1:*<a id='requirement-18-integrity-eg-1'></a><a id='sec-7-1-18-eg-1'></a><a id='example-148'></a>
 
 ```
 File name of CSAF document: esa-2022-02723.json
@@ -7234,7 +7609,7 @@ File name of SHA-512 hash file: esa-2022-02723.json.sha512
 The file content SHALL start with the first byte of the hexadecimal hash value.
 Any subsequent data (like a filename) which is optional SHALL be separated by at least one space.
 
-*Example 2:*<a id='requirement-18-integrity-eg-2'></a><a id='sec-7-1-18-eg-2'></a><a id='example-144'></a>
+*Example 2:*<a id='requirement-18-integrity-eg-2'></a><a id='sec-7-1-18-eg-2'></a><a id='example-149'></a>
 
 ```
 ea6a209dba30a958a78d82309d6cdcc6929fcb81673b3dc4d6b16fac18b6ff38  esa-2022-02723.json
@@ -7247,7 +7622,7 @@ If a ROLIE feed exists, each hash file MUST be listed in it as described in requ
 All CSAF documents SHALL have at least one OpenPGP signature file which is provided under the same filename which is
 extended by the appropriate extension. See \[[RFC4880](#RFC4880)\] for more details.
 
-*Example 1:*<a id='requirement-19-signatures-eg-1'></a><a id='sec-7-1-19-eg-1'></a><a id='example-145'></a>
+*Example 1:*<a id='requirement-19-signatures-eg-1'></a><a id='sec-7-1-19-eg-1'></a><a id='example-150'></a>
 
 ```
 File name of CSAF document: esa-2022-02723.json
@@ -7292,7 +7667,7 @@ It MUST NOT be stored adjacent to a `provider-metadata.json`.
 
 The file `aggregator.json` SHOULD only list the latest version of the metadata of a CSAF provider.
 
-*Example 1:*<a id='requirement-21-list-of-csaf-providers-eg-1'></a><a id='sec-7-1-21-eg-1'></a><a id='example-146'></a>
+*Example 1:*<a id='requirement-21-list-of-csaf-providers-eg-1'></a><a id='sec-7-1-21-eg-1'></a><a id='example-151'></a>
 
 ```
   {
@@ -7348,7 +7723,7 @@ Each such folder MUST at least:
 * provide a `provider-metadata.json` for the current issuing party.
 * provide the ROLIE feed document according to requirement 15 which links to the local copy of the CSAF document.
 
-*Example 1:*<a id='requirement-23-mirror-eg-1'></a><a id='sec-7-1-23-eg-1'></a><a id='example-147'></a>
+*Example 1:*<a id='requirement-23-mirror-eg-1'></a><a id='sec-7-1-23-eg-1'></a><a id='example-152'></a>
 
 ```
   {
@@ -7622,6 +7997,7 @@ This document defines requirements for the CSAF file format and for certain soft
 The entities ("conformance targets") for which this document defines requirements are:
 
 * **CSAF document**: A security advisory text document in the format defined by this document.
+* **CSAF downloader**: A program that retrieves CSAF documents in an automated fashion.
 * **CSAF producer**: A program which emits output in the CSAF format.
 * **CSAF direct producer**: An analysis tool which acts as a CSAF producer.
 * **CSAF converter**: A CSAF producer that transforms the output of an analysis tool from its native output format into the CSAF format.
@@ -7655,6 +8031,7 @@ The entities ("conformance targets") for which this document defines requirement
 
 A text file or data stream satisfies the "CSAF document" conformance profile if it:
 
+* conforms to the syntax and semantics defined in section [2.2](#date-and-time)
 * conforms to the syntax and semantics defined in section [3](#schema-elements).
 * satisfies at least one profile defined in section [4](#profiles).
 * does not fail any mandatory test defined in section [6.1](#mandatory-tests).
@@ -7739,10 +8116,26 @@ Secondly, the program fulfills the following for all items of:
   * If a `vuln:CWE` instance refers to a CWE category or view, the CVRF CSAF converter MUST omit this instance and output a
     warning that this CWE has been removed as its usage is not allowed in vulnerability mappings.
 * `/vulnerabilities[]/ids`: If a `vuln:ID` element is given, the CVRF CSAF converter converts it into the first item of the `ids` array.
-* `/vulnerabilities[]/remediation[]`: If no `product_ids` or `group_ids` is given,
-  the CVRF CSAF converter appends all Product IDs which are listed under `../product_status` in the arrays `known_affected`,
-  `first_affected` and `last_affected` into `product_ids`.
-  If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
+* `/vulnerabilities[]/remediations[]`:
+  * If neither `product_ids` nor `group_ids` are given, the CVRF CSAF converter appends all Product IDs which are listed under
+    `../product_status` in the arrays `known_affected`, `first_affected` and `last_affected` into `product_ids`.
+    If none of these arrays exist, the CVRF CSAF converter outputs an error that no matching Product ID was found for this remediation element.
+  * The CVRF CSAF converter MUST convert any remediation with the type `Vendor Fix` into the category `optional_patch` if the product in
+    question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.
+    Otherwise, the category `vendor_fix` MUST be set.
+    If multiple products are associated with the remediation - either directly or through a product group - and the products belong to
+    different product status groups, the CVRF CSAF converter MUST duplicate the remediation, change the category in one instance
+    to `optional_patch` and distribute the products accordingly as stated by the conversion rule.
+  * The CVRF CSAF converter MUST convert any remediation with the type `None Available` into the category `fix_planned`
+    if the product in question is also listed in a remediation of the type `Vendor Fix` with a `Date` in the future or no `Date` at all.
+    Consequently, the product MUST be removed from the remediation of the category `vendor_fix`.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * The CVRF CSAF converter MUST remove any product from a remediation with the type `None Available`
+    if the product in question is also listed in a remediation of the type `Vendor Fix` with a `Date` in the past or to the exact same time.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * In any other case, the CVRF CSAF converter MUST preserve the product in the remediation of the category `none_available`.
+  * The CVRF CSAF converter MUST output a warning if a remediation was added, deleted or the value of the category was changed,
+    including the products it was changed for.
 * `/vulnerabilities[]/metrics[]`:
   * For any CVSS v4 element, the CVRF CSAF converter MUST compute the `baseSeverity` from the `baseScore` according to
     the rules of the applicable CVSS standard. (CSAF CVRF v1.2 predates CVSS v4.0.)
@@ -7760,7 +8153,7 @@ Secondly, the program fulfills the following for all items of:
     the CVRF CSAF converter uses the following steps:
     1. Retrieve the CVSS version from the CVSS vector, if present.
 
-        *Example 1:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-1'></a><a id='sec-9-1-5-eg-1'></a><a id='example-148'></a>
+        *Example 1:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-1'></a><a id='sec-9-1-5-eg-1'></a><a id='example-153'></a>
 
         ```
           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H => 3.1
@@ -7769,7 +8162,7 @@ Secondly, the program fulfills the following for all items of:
     2. Retrieve the CVSS version from the CVSS element's namespace, if present.
        The CVRF CSAF converter outputs a warning that this value was guessed from the element's namespace.
 
-        *Example 2:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-2'></a><a id='sec-9-1-5-eg-2'></a><a id='example-149'></a>
+        *Example 2:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-2'></a><a id='sec-9-1-5-eg-2'></a><a id='example-154'></a>
 
         ```
           xmlns:cvssv31="https://www.first.org/cvss/cvss-v3.1.xsd"
@@ -7779,7 +8172,7 @@ Secondly, the program fulfills the following for all items of:
 
         is handled the same as
 
-        *Example 3:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-3'></a><a id='sec-9-1-5-eg-3'></a><a id='example-150'></a>
+        *Example 3:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-3'></a><a id='sec-9-1-5-eg-3'></a><a id='example-155'></a>
 
         ```
           <ScoreSetV3 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd">
@@ -7790,7 +8183,7 @@ Secondly, the program fulfills the following for all items of:
        If more than one CVSS namespace is present and the element is not clearly defined via the namespace,
        this step MUST be skipped without a decision.
 
-        *Example 4:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-4'></a><a id='sec-9-1-5-eg-4'></a><a id='example-151'></a>
+        *Example 4:*<a id='conformance-clause-5-cvrf-csaf-converter-eg-4'></a><a id='sec-9-1-5-eg-4'></a><a id='example-156'></a>
 
         ```
           xmlns:cvssv3="https://www.first.org/cvss/cvss-v3.0.xsd" => 3.0
@@ -8129,7 +8522,7 @@ Secondly, the program fulfills the following for all items of:
   option to use this label instead. If the TLP label changes through such conversion in a way that is not reflected in the table above, the
   the CSAF 2.0 to CSAF 2.1 converter MUST output a warning that the TLP label was taken from the distribution text. Such a warning MUST include
   both values: the converted one based on the table and the one from the distribution text.
-  > This is a common case for CSAF 2.0 documents labeled as TLP:RED but actually intended to be TLP:AMBER+STRICT.
+  > This is a common case for CSAF 2.0 documents labeled as `TLP:RED` but actually intended to be `TLP:AMBER+STRICT`.
 
   If no TLP label was given, the CSAF 2.0 to CSAF 2.1 converter SHOULD assign `TLP:CLEAR` and output a warning that the default TLP has been set.
 * `/document/publisher/category`: If the value is `other`, the CSAF 2.0 to CSAF 2.1 converter SHOULD output a warning that some parties have
@@ -8145,6 +8538,24 @@ Secondly, the program fulfills the following for all items of:
 
   The tool SHOULD implement an option to use the latest available CWE version at the time of the conversion that still matches.
 
+* `/vulnerabilities[]/remediations[]`:
+  * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `vendor_fix` into the category `optional_patch`
+    if the product in question is in one of the product status groups "Not Affected" or "Fixed" for this vulnerability.
+    Otherwise, the category `vendor_fix` MUST stay the same.
+    If multiple products are associated with the remediation - either directly or through a product group - and the products belong to different
+    product status groups, the CSAF 2.0 to CSAF 2.1 converter MUST duplicate the remediation, change the category in one instance to `optional_patch`
+    and distribute the products accordingly as stated by the conversion rule.
+  * The CSAF 2.0 to CSAF 2.1 converter MUST convert any remediation with the category `none_available` into the category `fix_planned`
+    if the product in question is also listed in a remediation of the category `vendor_fix` with a `date` in the future or no `date` at all.
+    Consequently, the product MUST be removed from the remediation of the category `vendor_fix`.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * The CSAF 2.0 to CSAF 2.1 converter MUST remove any product from a remediation with the category `none_available`
+    if the product in question is also listed in a remediation of the category `vendor_fix` with a `date` in the past or to the exact same time.
+    If it was the last product in that remediation, the remediation MUST be removed.
+  * In any other case, the CSAF 2.0 to CSAF 2.1 converter MUST preserve the product in the remediation of the category `none_available`.
+  * The CSAF 2.0 to CSAF 2.1 converter MUST output a warning if a remediation was added, deleted or the value of the category was changed,
+    including the products it was changed for.
+
 > A tool MAY implement options to convert other Markdown formats to GitHub-flavored Markdown.
 
 > A tool MAY implement an additional, non-default option to output an invalid document that can be fixed afterwards. Solely in this case, any
@@ -8222,6 +8633,17 @@ A CSAF library satisfies the "CSAF library with extended validation" conformance
 A CSAF library does not satisfies the "CSAF library with full validation" conformance profile if the CSAF library uses an external library or
 program for the "CSAF full validator" part and does not enforce its presence.
 
+### 9.1.23 Conformance Clause 23: CSAF downloader <a id='conformance-clause-23-csaf-downloader'></a>
+
+A program satisfies the "CSAF downloader" conformance profile if the program:
+
+* conforms to the process defined in section [7.3](#retrieving-rules) by executing all parts that are applicable to the given role.
+* supports directory-based and ROLIE-based retrieval.
+* is able to execute both steps from section [7.3](#retrieving-rules) separately.
+* uses a program-specific HTTP User Agent, e.g. consisting of the name and version of the program.
+
+> A tool MAY implement an option to store CSAF documents that fail any of the steps in section [7.3.2](#retrieving-csaf-documents).
+
 -------
 
 # Appendix A. Acknowledgments <a id='acknowledgments'></a>
@@ -8362,6 +8784,8 @@ The following individuals were members of the OASIS CSAF Technical Committee dur
 | csaf-v2.0-wd20240626-dev | 2024-06-26 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 | csaf-v2.0-wd20240731-dev | 2024-07-31 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
 | csaf-v2.0-wd20240828-dev | 2024-08-28 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
+| csaf-v2.0-wd20241030-dev | 2024-10-30 | Stefan Hagen and Thomas Schmidt | Next Editor Revision |
+
 -------
 
 # Appendix C. Guidance on the Size of CSAF Documents <a id='guidance-on-the-size-of-csaf-documents'></a>