The Common Vulnerability Reporting Framework (CVRF)

The ICASI Common Vulnerability Reporting Framework (CVRF) is an XML-based language that enables different stakeholders across different organizations to share critical security-related information in a single format, speeding up information exchange and digestion. CVRF is a common and consistent framework for exchanging not just vulnerability information, but any security-related documentation. CVRF Version 1.0 was released in May 2011; the current version is CVRF 1.1, released in May 2012.

CVRF was created to fill a major gap in vulnerability standardization: the lack of a standard framework for the creation of vulnerability report documentation. The computer security community had made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems, with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS). The lack of a standard for report documentation, however, was evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator.

Originally derived from the Internet Engineering Task Force (IETF) draft Incident Object Description Exchange Format (IODEF), CVRF replaces the many nonstandard reporting formats previously in use, thus speeding up information exchange and processing.

ICASI maintains CVRF as a living framework that will be enhanced and revised as necessary. ICASI will continue supporting CVRF to ensure that it will remain both stable and free for use by all. Implementers are encouraged to submit their suggestions for improvements to contactcvrf@memberws.org.
