An organization developing industry standards around security incident response has published the first iteration of a framework to help organizations share vulnerability data in a standard format.
The Industry Consortium for Advancement of Security on the Internet (ICASI) issued the Common Vulnerability Reporting Framework (CVRF) on Tuesday. Version 1 of the framework defines a common format for reporting and sharing vulnerability information among multiple organizations.
The organization launched a new webpage outlining the CVRF and its goals. The new framework is XML-based and helps organizations located in different regions of the world share data in a standard format. ICASI said a common format could help speed up information exchange and processing.
“With the use of CVRF, the producers of vulnerability reports will benefit from faster and more standardized reporting,” Linda Betz, president of ICASI and director of IT Policy and Information Security at IBM, said in a statement. “End users will be able to find, process and act upon relevant information more quickly and easily, with a higher level of confidence that the information is accurate and comprehensive.”
ICASI said the CVRF builds upon the Common Vulnerabilities and Exposures (CVE) dictionary and Common Vulnerability Scoring System (CVSS), both widely adopted standardized frameworks for vulnerability archiving and rating. With the CVRF, vendors and researchers can embed security metric and vulnerability data inside response reports in a standard format.
Core elements of the CVRF outline the publisher, issuing authority, status and revision history of a vulnerability; other fields include the title and type of flaw being addressed by the vendor or researcher. ICASI said it used XML to help organizations automate processing of vulnerability information and improve search and navigation of reports.
According to ICASI, “The CVRF specification also provides classification tags for data so document producers may deliver many levels of information that are destined for different target audiences. The processors of this information can then selectively create custom notifications, email messages, or reports that consist of only the information an executive, management or technical end user may need in a format that is familiar to those parties.”
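As an added illustration (not code from ICASI or from the original article), the following Python example reads the core fields described above from a CVRF document and selects notes by target audience. The sample document is constructed and abridged, and its element and attribute names are assumed from the CVRF 1.1 schema, since the article names the fields only in prose.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample (not a real advisory). Element and attribute
# names are assumed from the CVRF 1.1 schema; the article gives them in prose only.
SAMPLE = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle>Example Widget Input Validation Flaw</DocumentTitle>
  <DocumentPublisher Type="Vendor">
    <IssuingAuthority>Example Corp PSIRT</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Status>Final</Status>
    <RevisionHistory>
      <Revision><Number>1.0</Number><Description>Initial release</Description></Revision>
      <Revision><Number>1.1</Number><Description>Added fixed versions</Description></Revision>
    </RevisionHistory>
  </DocumentTracking>
  <DocumentNotes>
    <Note Audience="Executive" Type="Summary" Ordinal="1">Patch within 30 days.</Note>
    <Note Audience="Technical" Type="Details" Ordinal="2">Length check missing in parser.</Note>
  </DocumentNotes>
</cvrfdoc>"""

def _named(node, name):
    # Match on local name so parsing does not depend on one schema version's namespace.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(node, name):
    hits = _named(node, name)
    return (hits[0].text or "").strip() if hits else None

def parse_cvrf(xml_text):
    # Reports arrive from third parties: refuse DTDs so no entity expansion can run.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag.rsplit("}", 1)[-1] != "cvrfdoc":
        raise ValueError("not a CVRF document")
    publisher = _named(root, "DocumentPublisher")
    return {
        "title": _text(root, "DocumentTitle"),
        "publisher_type": publisher[0].get("Type") if publisher else None,
        "issuing_authority": _text(root, "IssuingAuthority"),
        "status": _text(root, "Status"),
        "revisions": [(_text(r, "Number"), _text(r, "Description")) for r in _named(root, "Revision")],
        "notes": [(n.get("Audience"), (n.text or "").strip()) for n in _named(root, "Note")],
    }

def notes_for(report, audience):
    # Build an audience-specific view, e.g. only what an executive needs to see.
    return [text for aud, text in report["notes"] if aud == audience]
```

Calling `notes_for(parse_cvrf(SAMPLE), "Executive")` yields only the executive summary note, which is the selective reporting the specification's audience tags are meant to enable.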
The non-profit consortium was formed in 2008 to get vendors to work together to address security threats targeting multiple products or shared protocols. To develop the CVRF, ICASI said it used the Internet Engineering Task Force (IETF) draft Incident Object Description Exchange Format (IODEF) as a starting point. Organizations that contributed to the project included Cisco Systems, Intel, IBM, Juniper Networks, Microsoft and Nokia, as well as representatives from Oracle and Red Hat.