A major gap has existed for years in vulnerability standardization: there is no standard framework for the creation of vulnerability reporting documentation.
While the information security community has made significant progress in categorizing and ranking the severity of vulnerabilities in information systems, helped by the widespread adoption of the Common Vulnerabilities and Exposures (CVE) database and the Common Vulnerability Scoring System (CVSS), a lack of standardization is evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator.
This white paper proposes CVRF version 1.0, a common and consistent framework for exchanging any security-related documentation. The Common Vulnerability Reporting Framework is an XML-based language that will enable different stakeholders across different organizations to share critical security-related information in a common format, speeding up information exchange and digestion.
The XML-based framework of CVRF predefines a large number of fields, with extensibility and robustness in mind. These fields are consistent in naming and data type, so any organization that adopts and understands CVRF can produce documents easily, or read documents that another CVRF-equipped organization has produced.
Vulnerability researchers, vendors, security analysts and incident responders worldwide can all write CVRF documents to share critical information. Widespread adoption of CVRF will accelerate information exchange and incident resolution as a result.