CVE Vulnerability Dictionary to Adopt the Common Vulnerability Reporting Framework (CVRF) Standard
MCLEAN, Va., December 9, 2013—The MITRE Corporation announced today that the Common Vulnerabilities and Exposures (CVE®) List will now publish data using the Common Vulnerability Reporting Framework (CVRF). The CVE List is a dictionary of common names for publicly known information security vulnerabilities in software.
"Presenting the CVE List in CVRF format will make it easier for people to access CVE content instead of having to use our custom format," said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List. "We hope this will encourage others in the security community to share vulnerability information using a standardized machine-readable format."
Developed by the Industry Consortium for Advancement of Security on the Internet (ICASI), CVRF is an XML-based standard that enables software vulnerability information to be shared in a machine-parsable format between vulnerability information providers and consumers. Having vulnerability information in a single, standardized format speeds up information exchange and digestion, while also enabling automation. CVRF is currently used by major vendors, including Red Hat, Microsoft, Cisco Systems and Oracle Corporation, which issue their security advisories in CVRF format:
- Mark Cox, senior director of Product Security at Red Hat: "Red Hat provides CVRF representations of our security advisories and we make heavy use of data provided by the MITRE CVE project. Having their data in a common standard format will help us and others consume it."
- Dustin Childs, group manager of Microsoft Trustworthy Computing: "Customer protection is a priority for Microsoft, and adoption of the new standardized CVRF format extends customer access to crucial information about CVEs. We are pleased to support an advance that makes it easier to understand and address vulnerabilities."
- Mike Schiffman, applied researcher, Cisco Systems and ICASI CVRF Working Group chair: "Cisco, a founding member of ICASI and CVRF working group chair, is happy to help MITRE deploy the de-facto standard for the automated creation and consumption of machine-readable vulnerability documentation."
- Mary Ann Davidson, chief security officer for Oracle Corporation: "Oracle has been publishing CVRF since early 2012 for all vulnerability communications. We are delighted that MITRE will be providing CVE information in CVRF format, as it will further enable the sharing of security information in a machine-readable format, thus allowing organizations to more quickly and efficiently react when security vulnerability information is published."
The CVE dictionary, sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security (DHS), contains more than 58,000 unique entries and is considered an international standard. Products, services and organizations around the world use CVE-IDs to help enhance information security, and CVE is formally recommended by the International Telecommunication Union (ITU-T) standards body for worldwide use.
"Because vulnerability information comes from many diverse sources, a common format makes it easier to analyze and import data without having to create custom tools or to do so manually," added Christey. "Encouraging the use of CVRF means CVE and other vulnerability information consumers can reduce the effort needed to support the wide variety of formats currently in use. And because of its adoption by major vendors, CVRF has a better chance of success compared to earlier efforts, particularly as the need grows for automated exchange of vulnerability data."
About The MITRE Corporation
The MITRE Corporation is a not-for-profit organization that operates research and development centers sponsored by the federal government.