Internet Security Systems - AlertCon(TM)

Common Vulnerability Reporting Format (CVRF) is announced!

Posted by Tom Cross on May 19, 2011 at 3:51 AM EDT.

We are very excited to see the public announcement of the Common Vulnerability Reporting Format (CVRF) by the Industry Consortium for the Advancement of Security on the Internet (ICASI). CVRF is an XML standard for publishing security vulnerability advisories.

Since 1997, X-Force has been manually keeping track of every public computer security vulnerability disclosure in the X-Force Database. In our view, a machine readable format for advisories will significantly improve the efficiency of this process as well as the consistency and reliability of this data. This automation will be one of the important technical underpinnings of a future in which the enterprise has total endpoint configuration control: network control systems that are aware of every software revision running on every endpoint and can instantly respond to security vulnerability disclosures that impact those software revisions.

X-Force has contributed directly to the development of the CVRF standard and we plan to be an early adopter. As a first step, we will be building tools to parse and validate CVRF documents as a part of our vulnerability tracking efforts and we will begin importing data that software vendors are publishing in this format. If you'd like to publish advisories in CVRF, please see the detailed documentation that has been published by ICASI. 
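To make the "parse and validate" step concrete, here is an added example of the kind of importer the post describes. It is not X-Force's or ICASI's code. The element names and namespaces (cvrf/1.1 and vuln/1.1) are taken from the published CVRF schema rather than from this post, so treat them as an assumption and check them against the ICASI documentation; the vendor, product IDs and CVE number in the sample document are constructed placeholders. The checks are deliberately minimal (required document-level elements, unique vulnerability ordinals, well-formed CVE ids); a real importer would validate against the CVRF XSD and, because advisories arrive from outside parties, parse with a hardened XML library such as defusedxml rather than the standard library parser used here for brevity.

```python
"""Parse and sanity-check a CVRF advisory (added example, not X-Force code).

Namespaces and element names follow the published CVRF 1.1 schema; the
post does not list them, so they are an assumption to verify against ICASI.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample advisory: vendor, product IDs and CVE number are placeholders.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Example Vendor Security Advisory EXAMPLE-2011-001</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-2011-001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
    <InitialReleaseDate>2011-05-19T00:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2011-05-19T00:00:00Z</CurrentReleaseDate>
  </DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Buffer overflow in example service</vuln:Title>
    <vuln:CVE>CVE-0000-00001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>EXAMPLE-SVC-1.0</vuln:ProductID>
      </vuln:Status>
      <vuln:Status Type="Fixed">
        <vuln:ProductID>EXAMPLE-SVC-1.1</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>
"""

# Document-level elements an importer should refuse to proceed without.
REQUIRED = [
    "cvrf:DocumentTitle",
    "cvrf:DocumentType",
    "cvrf:DocumentPublisher",
    "cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
    "cvrf:DocumentTracking/cvrf:Status",
    "cvrf:DocumentTracking/cvrf:Version",
]
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate(root):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    if root.tag != "{%s}cvrfdoc" % NS["cvrf"]:
        problems.append("root element is not cvrfdoc in the CVRF 1.1 namespace")
    for path in REQUIRED:
        if root.find(path, NS) is None:
            problems.append("missing required element %s" % path)
    seen = set()
    for v in root.findall("vuln:Vulnerability", NS):
        ordinal = v.get("Ordinal")
        if not ordinal or not ordinal.isdigit() or ordinal in seen:
            problems.append("Vulnerability with missing or duplicate Ordinal")
        seen.add(ordinal)
        cve = v.findtext("vuln:CVE", default=None, namespaces=NS)
        if cve is not None and not CVE_RE.match(cve.strip()):
            problems.append("Vulnerability %s: malformed CVE id %r" % (ordinal, cve))
    return problems


def parse_advisory(xml_text):
    """Parse one CVRF document into plain dicts ready for a tracking database."""
    root = ET.fromstring(xml_text)
    vulns = []
    for v in root.findall("vuln:Vulnerability", NS):
        products = {}  # status type -> list of product IDs
        for status in v.findall("vuln:ProductStatuses/vuln:Status", NS):
            ids = [p.text.strip() for p in status.findall("vuln:ProductID", NS) if p.text]
            products.setdefault(status.get("Type"), []).extend(ids)
        vulns.append({
            "ordinal": v.get("Ordinal"),
            "title": v.findtext("vuln:Title", default=None, namespaces=NS),
            "cve": v.findtext("vuln:CVE", default=None, namespaces=NS),
            "products": products,
        })
    return {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID",
                            default=None, namespaces=NS),
        "title": root.findtext("cvrf:DocumentTitle", default=None, namespaces=NS),
        "status": root.findtext("cvrf:DocumentTracking/cvrf:Status",
                                default=None, namespaces=NS),
        "vulnerabilities": vulns,
        "problems": validate(root),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_advisory(SAMPLE_CVRF), indent=2))
```

Running the module prints the parsed advisory as JSON with an empty `problems` list; dropping a required element such as `Version`, or mangling the CVE id, makes the corresponding problem appear, which is the signal an automated importer would use to reject a document and ask the publisher to fix it.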

If you do publish in CVRF, please notify us. We would be happy to provide independent validation that your documents are parsing properly.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.