PRESS RELEASE

WAKEFIELD, Mass. – May 17, 2012 – The Industry Consortium for Advancement of Security on the Internet (ICASI), a nonprofit association dedicated to enhancing global IT security by proactively driving excellence and innovation in security response, today announced the publication of the latest version of its Common Vulnerability Reporting Framework (CVRF), Version 1.1. Enhancements in CVRF 1.1 offer users a more comprehensive and flexible format, while reducing duplication and the possibility of errors.

CVRF is an XML-based framework that enables stakeholders across different organizations to share critical vulnerability-related information in an open and common machine-readable format. CVRF replaces the many nonstandard reporting formats previously in use, thus speeding up information exchange and processing. CVRF is available to the public free of charge, along with additional information, at ICASI.org/cvrf.

A brief webcast about CVRF, which will describe the enhancements in Version 1.1 and offer a Q & A session to attendees, is scheduled for Wednesday, May 30 at noon EDT. There is no cost to attend, but advance registration is required.

"CVRF 1.1 is a significant step forward in our efforts to broaden awareness of security vulnerabilities and simplify their reporting," said Russell Smoak, president of ICASI and director and general manager of Security Research and Operations at Cisco Systems. "The new features and enhancements make CVRF both more user-friendly and more applicable to a broader set of requirements. We are grateful to the project team members who have worked so conscientiously to develop these additions and improvements."

Key changes in CVRF 1.1 include:

A completely revamped method for specifying products in a hierarchical manner, dubbed the "Product Tree," has been created. It has been separated from the vulnerability section, which reduces the duplication of XML, and it is much more flexible, powerful, and machine readable The Product Tree supports the construction of logical groups to further cut down on redundant XML by allowing logical groups to be referenced using a single identifier When possible, a consistent type/value construct has been implemented across CVRF. Given that type is an enumerated list, this enables future updates or modifications without much change to CVRF parsers. Using a more generic construct also reduces the overall number of elements, by combining existing (similar) containers into one CVRF has been made less vendor-centric: it is now friendlier to the research and coordination community To ensure a consistent look and feel, many of the optional meta-containers that use a plural term as the top-level identifier (e.g., Threats) are now followed by a container that uses the singular version of the same identifier (e.g., Threat) More constraints ensure that it is harder to build invalid documents A better use of optional elements makes CVRF more flexible for different document producers Whenever possible, elements that were similar and existed in several areas of the document have been aligned (e.g., Note, Acknowledgement, Reference, etc.)

CVRF Background Although the computer security community has made significant progress in several other areas in recent years, including categorizing and ranking the severity of vulnerabilities in information systems, there was no standard framework for creating vulnerability report documentation. Methods such as embedding security metric and vulnerability data inside response reports are all vendor-specific, non-standard and time consuming to decipher manually.

Through its CVRF Project, ICASI undertook to remedy this lack of standardization. The project team expanded existing security documentation formats and integrated a best-of-breed solution into a common, open XML-based framework ‒ CVRF ‒ that brings consolidation and consistency to the security vulnerability documentation space, and its use has grown organically among stakeholders since its launch in May 2011.

The XML-based framework of CVRF predefines a large number of fields, with extensibility and robustness in mind. These fields are consistent in naming and data type, so that any organization that adopts and understands CVRF can easily produce documents or read the ones that another CVRF-equipped organization has produced. Independent discoverers of bugs, large vendors, security coordinators and end users of security response efforts worldwide can all write CVRF documents to share critical vulnerability-related information. Widespread use of CVRF will accelerate information dissemination and exchange and incident resolution as a result.

ICASI maintains CVRF as a living framework that will be enhanced and revised as necessary. ICASI will continue supporting CVRF to ensure that it will remain both stable and free for use by all. Implementers are encouraged to submit their suggestions for improvements to [email protected].

About ICASI The Industry Consortium for Advancement of Security on the Internet (ICASI) provides a unique forum of trust through which global companies can collaborate to actively address complex, multi-product security threats to better protect the critical IT infrastructures that support the world’s enterprises, governments and citizens. ICASI Founding Members include Cisco Systems, IBM, Intel Corporation, Juniper Networks, Microsoft Corporation, and Nokia Corporation. For more information, visit www.ICASI.org, or send an inquiry regarding membership structure, benefits, and dues to [email protected].