
Security vulnerability reporting framework upgraded for researchers

ICASI's CVRF reaches v1.1

The security industry’s Common Vulnerability Reporting Framework (CVRF), a machine-readable format for reporting and sharing security vulnerabilities, has been given a promised revamp to make it easier to use for third-party researchers.

Managed by the industry body the Industry Consortium for Advancement of Security on the Internet (ICASI), version 1.1 features a new hierarchy for defining products as well as tweaks to ensure that the data entered into it in XML format is less vendor-centric.

It also debuts a range of smaller changes that iron out the pitfalls of version 1.0, released a year ago to allow vendors and enterprises to receive vulnerability data in an automated, standardised way. It replaced a multitude of formats used by individual companies.

That work continues, with 1.1 presented as another step towards vendor-independent standardisation, the lack of which had risked shutting out anyone not acquainted with each vendor's approach, mostly independent researchers.

"CVRF 1.1 is a significant step forward in our efforts to broaden awareness of security vulnerabilities and simplify their reporting," said ICASI president and Cisco general manager of security research, Russell Smoak.

"The new features and enhancements make CVRF both more user-friendly and more applicable to a broader set of requirements. We are grateful to the project team members who have worked so conscientiously to develop these additions and improvements."

Another influence on the development of CVRF, Microsoft, was supportive.

“Many business customers spend time copying and pasting our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list,” said Mike Reavey, of the Microsoft Security Response Center (MSRC).

“For these customers, this machine-readable format may enable more efficiency and automation,” he said.



