CVE Usage of CVRF

CVE content can be downloaded in CVRF format on the Download CVE page. A single download of all CVE entries in CVRF format is available, as are downloads for individual calendar years in CVRF format such as 2013, etc.

CVE in CVRF Format

CVE uses Common Vulnerability Reporting Framework (CVRF) Version 1.1, which is maintained by the Industry Consortium for Advancement of Security on the Internet (ICASI).

Please note that because CVE itself does not provide a rich set of data fields, many of the elements that are defined in CVRF are not actually used. Since CVRF was designed to be flexible, it does not require many elements, which allows even CVE's limited data model to be represented.

Benefits over Other CVE-Provided Formats

CVE's CVRF implementation has the following features with advantages compared to other CVE-provided formats:

Header Information

The following CVRF elements appear near the top of the document and have special meaning within CVE data.

Individual Vulnerability Information

Each CVE entry has its own Vulnerability element.

Information Not Captured in CVRF

The following information is made available for historical purposes in other CVE data, but is not captured in CVRF:

Potential CVRF Enhancements for Vulnerability Repositories

CVRF 1.1 and earlier was primarily developed to support publication of individual advisories that only contain a small number of vulnerabilities, such as vendor security announcements. After CVRF 1.0 was released, CVE personnel provided feedback to ICASI (the CVRF maintainer) to ensure that CVRF 1.1 would be better able to handle large vulnerability data repositories (often referred to as vulnerability databases). While CVRF 1.1 contains significant improvements based partly on this feedback, CVE's implementation has highlighted additional limitations, some of which are covered earlier in this document.

Suggestions for improvement will be sent to ICASI and to other maintainers of vulnerability data repositories (often referred to as vulnerability databases) upon request, so that future versions of CVRF could improve support for large vulnerability data repositories such as CVE.

Please send all comments and concerns to

Page Last Updated or Reviewed: September 13, 2016