The Common Vulnerability Reporting Framework (CVRF) Version 1.1 was released in May 2012. CVRF is an XML-based language that enables different stakeholders across different organizations to share critical security-related information in a single format, speeding up information exchange and digestion. Enhancements in CVRF 1.1 offer users a more comprehensive and flexible format, while reducing duplication and the possibility of errors.

Key changes in CVRF 1.1 include:

  • A completely revamped method for specifying products in a hierarchical manner, the Product Tree, has been created. It has been separated from the vulnerability section, which reduces the duplication of XML, and it is much more flexible, powerful, and machine readable
  • The Product Tree supports the construction of logical groups to further cut down on redundant XML by allowing logical groups to be referenced using a single identifier
  • When possible, a consistent type/value construct has been implemented across CVRF. Given that type is an enumerated list, this enables future updates or modifications without much change toCVRF parsers.  Using a more generic construct also reduces the overall number of elements, by combining existing (similar) containers into one
  • To ensure a consistent look and feel, many of the optional meta-containers that use a plural term as the top-level identifier (e.g., Threats) are now followed by a container that uses the singular version of the same identifier (e.g., Threat)
  • More constraints ensure that it is harder to build invalid documents
  • A better use of optional elements makes CVRF more flexible for different document producers
  • Whenever possible, elements that were similar and existed in several areas of the document have been aligned (e.g., Note, Acknowledgement, Reference, etc.)

In November 2016, ICASI transferred all CVRF work to OASIS.  For further information, please see

CVRF White Paper 1.1 CVRF Schemas 1.1
CVRF Dictionary 1.1 CVRF Mindmap 1.1