The Common Vulnerability Reporting Framework (CVRF) v1.0
Mike Schiffman, Cisco Systems, Inc., mschiffm@cisco.com
To date, a major gap exists in vulnerability standardization: there is no standard framework for the creation of vulnerability report documentation. Although the computer security community has made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems through the widespread adoption of the Common Vulnerabilities and Exposures (CVE) [1] dictionary and the Common Vulnerability Scoring System (CVSS) [2], this lack of standardization is evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator. In this white paper, a common and consistent framework is proposed for exchanging not just vulnerability information, but any security-related documentation. Originally derived from the Internet Engineering Task Force (IETF) draft Incident Object Description Exchange Format (IODEF) [3], the Common Vulnerability Reporting Framework (CVRF) is an XML-based language that will enable different stakeholders across different organizations to share critical security-related information in a single format, speeding up information exchange and digestion.