Industry News Coverage
Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
MITRE Corporation Web Site, December 9, 2013
MITRE Corporation issued the news release below on December 9, 2013, which is available on the MITRE Web site at: http://www.mitre.org/news/press-releases/cve-vulnerability-dictionary-to-adopt-the-common-vulnerability-reporting.
CVE Vulnerability Dictionary to Adopt the Common Vulnerability Reporting Framework (CVRF) Standard
MCLEAN, Va., December 9, 2013 – The MITRE Corporation announced today that the Common Vulnerabilities and Exposures (CVE®) List will now publish data using the Common Vulnerability Reporting Framework (CVRF). The CVE List is a dictionary of common names for publicly known information security vulnerabilities in software.
"Presenting the CVE List in CVRF format will make it easier for people to access CVE content instead of having to use our custom format," said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List. "We hope this will encourage others in the security community to share vulnerability information using a standardized machine-readable format."
Developed by the Industry Consortium for Advancement of Security on the Internet (ICASI), CVRF is an XML-based standard that enables software vulnerability information to be shared in a machine-parsable format between vulnerability information providers and consumers. Having vulnerability information in a single, standardized format speeds up information exchange and digestion, while also enabling automation. CVRF is currently used by major vendors, including Red Hat, Microsoft, Cisco Systems and Oracle Corporation, which issue their security advisories in CVRF format.
The CVE dictionary, sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security (DHS), contains more than 58,000 unique entries and is considered an international standard. Products, services and organizations around the world use CVE-IDs to help enhance information security, and CVE is formally recommended by the International Telecommunication Union (ITU-T) standards body for worldwide use.
"Because vulnerability information comes from many diverse sources, a common format makes it easier to analyze and import data without having to create custom tools or to do so manually," added Christey. "Encouraging the use of CVRF means CVE and other vulnerability information consumers can reduce the effort needed to support the wide variety of formats currently in use. And because of its adoption by major vendors, CVRF has a better chance of success compared to earlier efforts, particularly as the need grows for automated exchange of vulnerability data."
About The MITRE Corporation
The MITRE Corporation is a not-for-profit organization that provides systems engineering, research and development, and information technology support to the government. It operates federally funded research and development centers for the Department of Defense, the Federal Aviation Administration, the Internal Revenue Service and Department of Veterans Affairs, the Department of Homeland Security, the Administrative Office of the U.S. Courts, and the Centers for Medicare & Medicaid Services, with principal locations in Bedford, Mass., and McLean, Va. To learn more, visit www.mitre.org.