The CVRF1.1InstanceType provides an extension to the VulnerabilityType which imports and leverages the CVRF schema for structured characterization of Vulnerabilities. This could include characterization of 0-days or other vulnerabilities that do not have a CVE or OSVDB ID.
The @is_known field captures whether or not the vulnerability is known (i.e. not a 0-day) at the time of characterization.
The @is_publicly_acknowledged field captures whether or not the vulnerability is publicly acknowledged by the vendor.
The Title field provides a simple title for this vulnerability.
The Description field provides an unstructured, text description of this vulnerability.
The Short_Description field provides a short, unstructured, text description of this vulnerability.
The CVE_ID field specifies a CVE identifier for a particular vulnerability.
The OSVDB_ID field specifies an OSVDB identifier for a particular vulnerability.
The Source field describes the source of the CVE or OSVDB as a textual description or URL.
The CVSS_Score field captures the full CVSS v2.0 base, temporal, and environmental vectors in their string format.
The date and time that this vulnerability was first discovered.
The date and time that this vulnerability was first published.
The Affected_Software field captures the list of platforms and software that are affected by this vulnerability. It is implemented through the CybOX Observables, the suggested CybOX objects to use are the Product Object, the Device Object, the System Object, and the Code Object.
The References field captures a list of external references describing this vulnerability.
The CVRF field contains the structured characterization of Vulnerabilities utilizing the CVRF schema.