What is the Common Vulnerability Reporting Framework (CVRF)? How is it used?


This Ask the Experts session stems from a question originally posted on Quora titled “What is the Common Vulnerability Reporting Framework (CVRF)? How is it used?”

The Common Vulnerability Reporting Framework, or CVRF, is a reporting framework used to share information about security-related events in a standardized fashion. CVRF is XML-based, which makes advisories machine-readable. By standardizing the reporting format, security advisories can be produced faster and shared with a broader audience, as the framework does not depend on any proprietary or closed-source software.

The following are several elements that appear in a security advisory adhering to the CVRF:

  1. Title: cvrf:DocumentTitle
  2. Type: cvrf:DocumentType
  3. Publisher: cvrf:DocumentPublisher
  4. Tracking: cvrf:DocumentTracking
  5. Notes: cvrf:DocumentNotes
  6. Distribution: cvrf:DocumentDistribution
  7. Aggregate Severity: cvrf:AggregateSeverity
  8. References: cvrf:DocumentReferences
  9. Acknowledgements: cvrf:Acknowledgements
  10. Product Tree: prod:ProductTree
  11. Vulnerability: vuln:Vulnerability

*Elements 1–4 make up the minimum required set of an advisory adhering to the CVRF; however, on their own these four elements provide no useful information about the security-related event itself.
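The following is an added example, not part of the original post: a small Python consumer that rejects an advisory missing any of elements 1–4, then resolves each vulnerability's product statuses through the product tree. The CVRF 1.2 namespace URIs are assumed (check them against the schema you consume), and the sample advisory, its tracking ID, product IDs and CVE number are all constructed placeholders.

```python
import xml.etree.ElementTree as ET

# CVRF 1.2 namespaces (OASIS CSAF) - assumed here; verify against the schema you consume.
NS = {"cvrf": "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf",
      "prod": "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod",
      "vuln": "http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln"}
# Elements 1-4 from the list above: the minimum an advisory must carry.
REQUIRED = ("cvrf:DocumentTitle", "cvrf:DocumentType",
            "cvrf:DocumentPublisher", "cvrf:DocumentTracking")

# Constructed sample advisory; the tracking ID, product IDs and CVE are placeholders.
SAMPLE = """<cvrfdoc xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf"
  xmlns:prod="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/prod"
  xmlns:vuln="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln">
  <DocumentTitle>Example Advisory</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking><Identification><ID>EXAMPLE-SA-0001</ID></Identification>
    <Status>Final</Status><Version>1.0</Version></DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="PID-1">Widget Server 2.0</prod:FullProductName>
    <prod:FullProductName ProductID="PID-2">Widget Server 2.1</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Placeholder issue</vuln:Title><vuln:CVE>CVE-0000-00000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>PID-1</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>PID-2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>"""

def parse_advisory(xml_text):
    root = ET.fromstring(xml_text)
    missing = [tag for tag in REQUIRED if root.find(tag, NS) is None]
    if missing:  # reject an advisory that does not meet the minimum element set
        raise ValueError("missing required elements: " + ", ".join(missing))
    # Map ProductID -> name so vulnerability entries resolve to readable product names.
    products = {p.get("ProductID"): p.text for p in root.iterfind(".//prod:FullProductName", NS)}
    vulns = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        statuses = {s.get("Type"): [products.get(pid.text, pid.text)
                                    for pid in s.iterfind("vuln:ProductID", NS)]
                    for s in v.iterfind("vuln:ProductStatuses/vuln:Status", NS)}
        vulns.append({"cve": v.findtext("vuln:CVE", namespaces=NS),
                      "title": v.findtext("vuln:Title", namespaces=NS), "status": statuses})
    return {"title": root.findtext("cvrf:DocumentTitle", namespaces=NS),
            "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS),
            "vulnerabilities": vulns}
```

Calling `parse_advisory(SAMPLE)` returns the document title, tracking ID and one vulnerability whose "Known Affected" and "Fixed" lists carry product names rather than opaque IDs.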

Additional information regarding the latest version of CVRF (version 1.2), as well as previous versions, can be found here.

Have any questions regarding standards and frameworks in the information security domain? Contact us and we will be glad to continue the dialog! Do not forget to click here to subscribe to our weekly newsletter for more information security related tips and tricks.
