Red Hat and CVRF compatibility

Updated -

CVRF will be considered deprecated at the end of the CSAF beta on January 1st, 2023. We will remove the CVRF files from on September 1st, 2023.

Archived CVRF content will be made available the same day under in a compressed form, but we will not update the archived files.

Going forward, you should use the CSAF files, as these are designed to replace CVRF. See the CSAF blog post for more information about the availability of Common Security Advisory Framework beta files.

Q: What is CVRF?

The goal of the Common Vulnerability Reporting Framework (CVRF) is to provide a way to share information about security updates in an XML machine-readable format. Refer to for further information.

Q: What is Red Hat doing with CVRF?

Red Hat Product Security is providing CVRF representations of Red Hat Security Advisories (RHSA).

Red Hat joined the Industry Consortium for Advancement of Security on the Internet (ICASI) CVRF working group in 2011. CVRF 1.0 was released in May 2011 and we published sample advisories in CVRF 1.0 format, but it was not widely adopted by the industry. CVRF 1.1 was released in May 2012 and we believe is now ready for wider adoption.

Red Hat Product Security helps customers evaluate and manage risk by tracking and investigating all security issues affecting Red Hat customers, and providing timely and concise patches and security advisories via Red Hat® Network®.

Q: How does this differ from OVAL?

Red Hat has been providing machine-readable XML versions of our Red Hat Enterprise Linux security advisories since 2006, as OVAL (Open Vulnerability and Assessment Language) definitions. Our OVAL definitions are designed for use by automated test tools to determine the patch state of a machine.

CVRF is not designed as being a way to determine the patch state of a machine, instead, it provides
an alternative machine-readable version of all our security advisories.

Red Hat was a founding board member of OVAL in 2002. We will continue to produce OVAL definitions for
selected products.

Q: Which Red Hat products will get CVRF documents?

Starting May 1st 2012, Red Hat is providing CVRF documents for all Red Hat Security Advisories across all products.

Q: How do I obtain the CVRF documents?

The CVRF documents are provided as XML files, and a separate file is created for each security advisory. Advisories are grouped by year in a simple directory listing, without registration requirements, to aid automatic downloading. Our CVRF documents are created automatically and should usually be accessible within an hour of a new security advisory being made available via the Red Hat Network.

Our CVRF documents are created and published automatically and therefore may contain errors or ommissions. Our web based advisories remain the authoritative source.

Q: Will Red Hat provide tools to parse these files?

At this time, Red Hat does not ship a CVRF parser. As CVRF is an open XML standard, we expect third-parties and customers will create their own parsers.

Q: Will you still continue to publish Red Hat Security Advisories?

Our advisories will continue to be available on the web, by email, and displayed via various in-product tools. The CVRF documents provide an alternative way to consume our security advisories which some customers and researchers may find useful.

Q: How is CVRF different from Red Hat Network?

The Red Hat Network is an enterprise system management tool that keeps Red Hat Enterprise Linux systems up-to-date with the latest errata, and reports which systems need which updates. Red Hat support for CVRF provides an alternative machine-readable view of Red Hat security advisories.

Q: Will the format of your CVRF documents change?

It is expected that the CVRF format will evolve over time and we may choose to update our past or future documents to reflect this. We continue to be a part of the CVRF working group.

We have produced a guide showing the design decisions we made in the markup of our advisories in CVRF 1.1.

Q: Where can I go for more information?

The ICASI CVRF website contains more detailed information, including the full schema. If you wish to submit corrections, ask questions, or get more information about the Red Hat implementation of CVRF, contact Red Hat Product Security at

Connect: Facebook Twitter RSS


CVRF surely sounds like a great step forward.

However it only covers "forward" entries (starting from 2012 May I assume). Is there a plan to get "backward" entries in (i.e. entries from before 2012) ?

Another thing: it would be nice if CVRF index was published as well - mixing HTML-scraping with proper processing is not necessarily the most convenient form for third-party tools.

Hi Dmitry, we didn't plan on adding in older entries (although our internal tool certainly works for the older entries).

We've added an index.txt file which gets automatically updated containing the path for each published cvrf, one per line.

What is the cvrf.db file format and content?