What is CVRF?

The Common Vulnerability Reporting Format (CVRF) is a industry standard format for publishing security advisories in machine readable form.

It is slightly different to the OVAL format, which goal is to be able to machine verify state of a system in regards to security.

The CVRF format is targeted for machine based import into ticket systems and bug trackers for vulnerability response.

The governance of CVRF has been transitioned from the ICASI to OASIS and it will be renamed to CSAF (Common Security Advisory Format).:


SUSE has started generating CVRF data begin of 2017 for SUSE security update notices that we have released since 2015 and going forward.


The data is currently available on the SUSE ftp site.

How to use

The CVRF format is a verbose and simple XML format, so it can be hooked into other tools pretty easily even without additional libraries.

There is a reference python parser available at github.