CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > Community > Research > Short-Term Strategy for CWE Community Feedback  
ID

Short-Term Strategy for CWE Community Feedback
Short-Term Strategy for CWE Community Feedback

For Fall 2007, MITRE's short-term strategy for obtaining CWE community feedback is as follows.

Types of CWE Modifications

CWE modifications can occur at three different levels, based on their overall impact on CWE and its consumers.

  • Systemic Modifications: require active feedback from the community, because they affect many stakeholders and could force extensive modifications to a large number of CWE nodes. They could cause many nodes to be merged or split compared to the current CWE versions; other kinds of nodes might be excluded entirely.
  • Major Modifications: affect multiple nodes, but are localized to only one portion of CWE (such as path traversal and its variants) or involve significant additions or modifications (such as recording new relationships for a view, or changing the meaning of a particular field). Some discussion with the community would be fruitful to both the community and CWE.
  • Minor Modifications: small and localized, only affecting single nodes, such as: fixing typos and grammar errors, changing the name, clarifying the description and related commentary, filling out blank fields, providing examples, etc. Little or no discussion with he community is needed, although feedback is always welcome.

These modifications will have mixed priorities. For example, some minor modifications might be treated as high priority by MITRE, such as nodes that do not have descriptions, or changes that have active interest by our sponsors or the community at large.

General Community Review Process

  1. Identify stakeholders and invite to participate in CWE Researchers List
  2. Document the Systemic Issues that could impact a significant portion of CWE.
  3. Propose these Systemic Issues as "discussion points" to the Researcher list.
  4. Manage community feedback.
  5. Make final decisions regarding the discussion points.
  6. Determine required schema changes.
  7. Modify CWE nodes according to final decisions from step 5.
  8. Make other high-priority edits to CWE nodes based on prioritization and community interest.
  9. Release incremental drafts for each significant gain.
  10. Repeat steps 3 to 9 as needed, until CWE becomes stable.
  11. Add new nodes.
  12. Release CWE Version 1.0.
  13. Further extend the CWE Community as needed.

Milestones

Dates are estimated.

  • Complete: Identify stakeholders
  • September 13: Finish documentation and publication of Systemic issues.
  • September 17: Identify and define at least 2 views.
  • September 13-24: engage community on at least 2 Systemic Issues (discussion points) and manage feedback.
  • September 13-24: make high-priority Minor edits to CWE nodes that are not likely to be affected by Systemic changes.
  • September 17-21: Perform CWE schema modification.
  • September 24: Modify CWE Schema to support views and associated relationships.
  • September 24-28: Conduct Systemic edits.
  • September 24-28: Finish high-priority Major and Minor edits to nodes that have had Systemic Changes.
  • September 28: publish CWE Draft 7.
  • October 2: Announce CWE changes at DHS-DoD Software Assurance Forum.
  • October 4 and later: Continue Systemic and other modifications.

High-Priority Edits for Draft 7

High-priority edits for Draft 7 include:

  • Systemic: address at least two Systemic Issues.
  • Major: support at least 2 views.
  • Major/Minor: handle incoming Major and Minor edits from SAMATE, NSA, and DHS.
  • Minor: Ensure that each node has a definition.
  • Minor: modify CWE names/descriptions that are not sufficiently focused on the underlying weakness.
  • Minor: provide consistent naming (capitalization) and ensure that the name is consistent with the description.
  • Minor: Clarify node descriptions where needed.
  • Minor: fix spelling and typos.

Document version: 0.1    Date: September 13, 2007

This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.

Page Last Updated: January 17, 2017