Microsoft Adopts CVRF Format for Security Bulletins
Since the beginning of recorded time, security researchers, software vendors and hackers have been issuing security advisories in all kinds of nutty formats. Some feature excellent ASCII art, some have clever inside jokes and some come from Microsoft. Now, there's an effort underway, called the Common Vulnerability Reporting Framework, to standardize the way that vulnerabilities are reported so that they're in a common, machine-readable format.
The CVRF is the product of a group called the Industry Consortium for Advancement of Security on the Internet, and Microsoft in May for the first time produced its monthly Patch Tuesday advisories in the CVRF format. The company said that while the CVRF itself is still in its initial stages and will continue to evolve, the current version should give enterprise customers a good option for automating bulletin deployment.
"For many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. However, many business customers spend time “copying and pasting” our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list," Microsoft's Mike Reavey said in a blog post on CVRF.