Industry News Coverage

Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

December 2013

MITRE Corporation Web Site, December 9, 2013

MITRE Corporation issued the news release below on December 9, 2013, which is available on the MITRE Web site at: http://www.mitre.org/news/press-releases/cve-vulnerability-dictionary-to-adopt-the-common-vulnerability-reporting.

CVE Vulnerability Dictionary to Adopt the Common Vulnerability Reporting Framework (CVRF) Standard

MCLEAN, Va., December 9, 2013 – The MITRE Corporation announced today that the Common Vulnerabilities and Exposures (CVE®) List will now publish data using the Common Vulnerability Reporting Framework (CVRF). The CVE List is a dictionary of common names for publicly known information security vulnerabilities in software.

"Presenting the CVE List in CVRF format will make it easier for people to access CVE content instead of having to use our custom format," said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List. "We hope this will encourage others in the security community to share vulnerability information using a standardized machine-readable format."

Developed by the Industry Consortium for Advancement of Security on the Internet (ICASI), CVRF is an XML-based standard that enables software vulnerability information to be shared in a machine-parsable format between vulnerability information providers and consumers. Having vulnerability information in a single, standardized format speeds up information exchange and digestion, while also enabling automation. CVRF is currently used by major vendors, including Red Hat, Microsoft, Cisco Systems and Oracle Corporation, which issue their security advisories in CVRF format:

  • Mark Cox, senior director of Product Security at Red Hat: "Red Hat provides CVRF representations of our security advisories and we make heavy use of data provided by the MITRE CVE project. Having their data in a common standard format will help us and others consume it."

  • Dustin Childs, group manager of Microsoft Trustworthy Computing: "Customer protection is a priority for Microsoft, and adoption of the new standardized CVRF format extends customer access to crucial information about CVEs. We are pleased to support an advance that makes it easier to understand and address vulnerabilities."

  • Mike Schiffman, applied researcher, Cisco Systems and ICASI CVRF Working Group chair: "Cisco, a founding member of ICASI and CVRF working group chair, is happy to help MITRE deploy the de-facto standard for the automated creation and consumption of machine-readable vulnerability documentation."

  • Mary Ann Davidson, chief security officer for Oracle Corporation: "Oracle has been publishing CVRF since early 2012 for all vulnerability communications. We are delighted that MITRE will be providing CVE information in CVRF format, as it will further enable the sharing of security information in a machine-readable format, thus allowing organizations to more quickly and efficiently react when security vulnerability information is published."

The CVE dictionary, sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security (DHS), contains more than 58,000 unique entries and is considered an international standard. Products, services and organizations around the world use CVE-IDs to help enhance information security, and CVE is formally recommended by the International Telecommunication Union (ITU-T) standards body for worldwide use.

"Because vulnerability information comes from many diverse sources, a common format makes it easier to analyze and import data without having to create custom tools or to do so manually," added Christey. "Encouraging the use of CVRF means CVE and other vulnerability information consumers can reduce the effort needed to support the wide variety of formats currently in use. And because of its adoption by major vendors, CVRF has a better chance of success compared to earlier efforts, particularly as the need grows for automated exchange of vulnerability data."

About The MITRE Corporation

The MITRE Corporation is a not-for-profit organization that provides systems engineering, research and development, and information technology support to the government. It operates federally funded research and development centers for the Department of Defense, the Federal Aviation Administration, the Internal Revenue Service and Department of Veterans Affairs, the Department of Homeland Security, the Administrative Office of the U.S. Courts, and the Centers for Medicare & Medicaid Services, with principal locations in Bedford, Mass., and McLean, Va. To learn more, visit www.mitre.org.

 
Page Last Updated: March 17, 2014