Microsoft Adopts CVRF Format for Security Bulletins

Since the beginning of recorded time, security researchers, software vendors and hackers have been issuing security advisories in all kinds of nutty formats. Some feature excellent ASCII art, some have clever inside jokes and some come from Microsoft. Now, there’s a effort underway, called the Common Vulnerability Reporting Framework, to standardize the way that vulnerabilities are reported so that they’re in a common, machine-readable format.

The CVRF is the product of a group called the Industry Consortium for Advancement of Security on the Internet, and Microsoft in May for the first time produced its monthly Patch Tuesday advisories in the CVRF format. The company said that while the CVRF itself is still in its initial stages and will continue to evolve, the current version should give enterprise customers a good option for automating bulletin deployment.

“For many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. However, many business customers spend time “copying and pasting” our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list,” Microsoft’s Mike Reavey said in a blog post on CVRF.

“For these customers, this machine-readable format may enable more efficiency and automation. Faster and more efficient guidance for these customers means they can more quickly ensure protection, which is always our goal. For those that do not require automation, we will continue to offer our bulletins in the current format.”

ICASI members include IBM, Cisco, Juniper, Nokia and Amazon, among other companies. The current version of CVRF is 1.1, the second iteration, and the framework will continue to change as users provide feedback and requirements evolve.

“CVRF was created to fill a major gap in vulnerability standardization: the lack of a standard framework for the creation of vulnerability report documentation. Although the computer security community had made significant progress in several other areas, including categorizing and ranking the severity of vulnerabilities in information systems with the widespread adoption of the Common Vulnerabilities and Exposures (CVE) dictionary and the Common Vulnerability Scoring System (CVSS), this lack of standardization was evident in every vulnerability report, best practice document, or security bulletin released by any vendor or coordinator,” the CVRF documentation says.