CWE - About - CWE History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <?xml version="1.0"?> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta name="description" content="Common Weakness Enumeration (CWE) is a list of software and hardware weaknesses." /> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <link rel="shortcut icon" href="/favicon.ico" /> <link href="/css/main.css?version=4.16.111924" rel="stylesheet" type="text/css" /> <link href="/css/custom.css" rel="stylesheet" type="text/css" />  <script src="/includes/custom_filter.js" language="JavaScript" type="text/javascript"></script> <script src="/includes/browserheight.js" language="JavaScript" type="text/javascript"></script> <script src="/includes/jquery.js" language="JavaScript" type="text/javascript"></script> <script src="/includes/cwe_minimizer.js?version=4.12.062923" language="JavaScript" type="text/javascript"></script> <script src="/includes/cookie.js?version=4.12.062923" language="Javascript" type="text/javascript"></script> <script src="/includes/includeglossarydef.js" language="JavaScript" type="text/javascript"></script> <script src="/includes/custom.js" language="JavaScript" type="text/javascript"></script> <script src=https://cmp.osano.com/AzyhULTdPkqmy4aDN/318aa814-0420-45bb-857d-8fb5fac33ff8/osano.js></script> <link href="/css/print.css?version=1.11" rel="stylesheet" media="print" type="text/css" /> <link href="/css/mappingonly.css" rel="stylesheet" type="text/css" /> <noscript> <style type="text/css"> #script { visibility:collapse; visibility:hidden; font-size:0px; height:0px; width:0px } #noscript { visibility:visible; font-size:inherit; height:inherit; width:inherit} </style> </noscript> <title>CWE - About - CWE History</title> </head> <body onload="onloadCookie()"> <a name="top" id="top"></a> <div id="MastHead" style="width:100%"> <div style="width:60%;float:left;padding-top:15px;padding-left:10px;padding-bottom:2px;"> <a href="/index.html" style="color:#32498D; text-decoration:none"> <img src="/images/cwe_logo.jpg" width="153" height="55" style="float:left;border:0;margin-right:6px" alt="CWE" /> <h1 style="color:#314a8d;font-size:1.5em;font-family:'Verdana',sans-serif;#eee;margin: .1em auto">Common Weakness Enumeration</h1> <p style="color:#314a8d;font-family:'Times New Roman';font-style:italic;font-size:1em;#eee;margin:.1em auto 0 auto">A community-developed list of SW & HW weaknesses that can become vulnerabilities</p> </a> </div> <div style="float:right;padding-top:0px;text-align:right;padding-left:8px;padding-right:4px;padding-bottom:0px;"><a href="/about/new_to_cwe.html" title="New to CWE click here logo"><img src="/images/new_to_cwe/new_to_cwe_click_here.png" height="90" border="0" alt="New to CWE? click here!" style="text-align:center"/></a></div> <div style="float:right;padding-top:0px;text-align:right;padding-left:0px;padding-right:4px;padding-bottom:0px;"><a href="/scoring/lists/2021_CWE_MIHW.html" title="CWE Most Important Hardware Weaknesses"> <img src="/images/mihw_logo.svg" width="90" border="0" alt="CWE Most Important Hardware Weaknesses" style="vertical-align:bottom"/></a></div> <div style="float:right;padding-top:0px;text-align:right;padding-left:0px;padding-right:4px;padding-bottom:0px;"><a href="/top25/" title="CWE Top 25"><img src="/images/cwe_top_25_logo_simple.svg" width="90" border="0" alt="CWE Top 25 Most Dangerous Weaknesses" style="vertical-align:bottom"/></a></div> </div> <div id="HeaderBar" class="noprint"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td width="100%" align="left" style="padding-left:10px; font-size:75%;"> <a href="/" >Home</a> > <a href="/about/index.html" >About CWE</a> >   </td> <td align="right" nowrap="nowrap" style="padding-right:12px">  <div class="noprint"> <form action="/cgi-bin/jumpmenu.cgi" align="right" style="padding:0px; margin:0px"> ID <label for="id" style="padding-right:5px">Lookup:</label> <input id="id" name="id" type="text" style="width:50px; font-size:80%" maxlength="10" /> <input value="Go" style="padding: 0px; font-size:80%" type="submit"> </form> </div>  </td> </tr> </table> </div>  <div class="yesprint"> <hr width="100%" size="1" style="clear:both" color="#000000" /> </div> <div class="topnav"> <ul> <li><a href="/index.html">Home</a></li> <li> <div class="dropdown"> <a href="/about/index.html"><button class="dropbtn">About</button> ▼</a> <div class="dropdown-content"> <a href="/about/index.html">About</a> <a href="/about/new_to_cwe.html">New to CWE</a> <a href="/about/user_stories.html">User Stories</a> <a href="/about/cwe_videos.html">Videos</a> <a href="/about/history.html">History</a> <a href="/about/documents.html">Documents</a> <a href="/about/faq.html">FAQs</a> <a href="/documents/glossary/index.html">Glossary</a> </div> </div> </li> <li> <div class="dropdown"> <a href="/data/index.html"><button class="dropbtn">CWE List</button> ▼</a> <div class="dropdown-content"> <a href="/data/index.html">Latest Version</a> <a href="/data/downloads.html">Downloads</a> <a href="/data/reports.html">Reports</a> <a href="/data/pdfs.html">Visualizations</a> <a href="/data/archive.html">Archive</a> </div> </div> </li> <li> <div class="dropdown"> <a href="/documents/cwe_usage/guidance.html"><button class="dropbtn">Mapping</button> ▼</a> <div class="dropdown-content"> <a href="/documents/cwe_usage/guidance.html">Root Cause Mapping Guidance</a> <a href="/documents/cwe_usage/quick_tips.html">Root Cause Mapping Quick Tips</a> <a href="/documents/cwe_usage/mapping_examples.html">Root Cause Mapping Examples</a> </div> </div> </li> <li> <div class="dropdown"> <a href="/scoring/index.html#top_n_lists"><button class="dropbtn">Top-N Lists</button> ▼</a> <div class="dropdown-content"> <a href="/top25/">Top 25 Software</a> <a href="/scoring/lists/2021_CWE_MIHW.html">Top Hardware</a> <a href="/top25/archive/2023/2023_kev_list.html">Top 10 KEV Weaknesses</a> </div> </div> </li> <li> <div class="dropdown"> <a href="/community/index.html"><button class="dropbtn">Community</button> ▼</a> <div class="dropdown-content"> <a href="/community/index.html">Community</a> <a href="/community/working_groups.html">Working Groups & Special Interest Groups</a> <a href="/community/board.html">Board</a> <a href="/community/board.html#boardarchives">Board Meeting Minutes</a> <a href="/community/registration.html">CWE Discussion List</a> <a target="_blank" href="https://www.mail-archive.com/cwe-research-list@mitre.org/">CWE Discussion Archives</a> <a href="/community/submissions/overview.html">Contribute Weakness Content to CWE</a> </div> </div> </li> <li> <div class="dropdown"> <a href="/news/"><button class="dropbtn">News</button> ▼</a> <div class="dropdown-content"> <a href="/news/">Current News</a> <a href="https://twitter.com/CweCapec" target="_blank" rel="noopener noreferrer">X-Twitter <img src="/images/x-logo-black.png" width="12" height="12" style="position:relative; vertical-align:bottom; padding-left:3px; top:-1px" title="X-Twitter"></a> <a href="https://mastodon.social/@CWE_Program" target="_blank" rel="noopener noreferrer">Mastodon <img src="/images/mastodon-logo.png" width="14" height="14" style="position:relative; vertical-align:bottom; padding-left:3px; top:-1px" title="X (formerly Twitter)"></a> <a href="https://www.linkedin.com/showcase/cve-cwe-capec" target="_blank" rel="noopener noreferrer">LinkedIn <img src="/images/linkedin_sm.jpg" width="14" height="14" style="position:relative; vertical-align:bottom; padding-left:3px; top:-1px" title="LinkedIn"></a> <a href="https://www.youtube.com/channel/UCpY9VIpRmFK4ebD6orssifA" target="_blank" rel="noopener noreferrer">YouTube <img src="/images/youtube.png" width="14" height="14" style="position:relative; vertical-align:bottom; padding-left:3px; top:-1px" alt="YouTube"></a> <a href="/news/podcast.html">Podcast <img src="/images/out_of_bounds_read_logo.png" width="16" height="16" style="position:relative; vertical-align:bottom; padding-left:3px; top:-1px" alt="Out of Bounds Read Podcast"></a> <a href="https://medium.com/@CWE_CAPEC" target="_blank" rel="noopener noreferrer">Medium <img src="/images/medium_sm.png" width="14" height="14" style="position:relative; vertical-align:bottom; padding-left:3px; top:-1px" alt="Medium"></a> <a href="/news/archives/index.html">News Archive</a> </div> </li> <li style="border-color:#aaaaaa"><a href="/find/index.html">Search</a></li> </ul> </div> <table width="100%" border="0" cellspacing="0" cellpadding="0" id="MainPane"> <tr>  <td valign="top" rowspan="2" id="LeftPane">  <script type="text/javascript">browserheight();</script> </td>  <td style="height:1px"></td>  <td valign="top" align="center" rowspan="2" nowrap="nowrap" id="RightPane"> </td>  </tr> <tr>  <td valign="top" width="100%" id="Contentpane">  <div id="styled_popup" name="styled_popup" style="display:none; position:fixed; top:300; height:auto; width:300px; z-index:1000"> <table width="300" cellpadding="0" cellspacing="0" border="0" style="border:1px solid #32498D;"> <tr style="background-color:#32498D; color:#ffffff;"> <td width="100%" style="padding:1px 5px 1px 5px; border-bottom:1px solid #000000"><div width="100%" style="font-weight:bold;">CWE Glossary Definition</div></td> <td nowrap="nowrap" style="padding:1px; border-bottom:1px solid #000000" valign="top"><a href="javascript:styledPopupClose();"><img src="/images/layout/close.gif" border="0" alt="x"></a></td> </tr> <tr><td colspan="2" style="background: url(/images/layout/ylgradient.jpg); background-repeat: repeat-x repeat-y; padding:5px; background-color:#FFFFCC; " valign="top"> <div id="output" style="max-height:400px; overflow-y:auto"></div> </td></tr> </table> </div> <div class="historypage"> <h2 class="header">History</h2>  <p>MITRE began working on the issue of categorizing software weaknesses as early 1999 when it launched the <a href="http://cve.mitre.org/cve/">Common Vulnerabilities and Exposures (CVE®) List</a>. As part of the development of CVE, MITRE’s CVE Team developed a preliminary classification and categorization of vulnerabilities, attacks, faults, and other concepts to help define common software weaknesses. However, while sufficient for CVE, those groupings are too rough to be used to identify and categorize the functionality offered within the offerings of the code security assessment industry. To support that type of usage, additional fidelity and succinctness are needed as are additional details and description for each of the different nodes and groupings such as the effects, behaviors, and implementation details, etc.</p> <p>To do this, MITRE took a first cut at revising the internal CVE category work for usage in the code assessment industry in 2005 as part of MITRE’s participation in the <a href="https://www.dhs.gov/" target="_blank" rel="noopener noreferrer">U.S. Department of Homeland Security</a> (DHS) sponsored <a href="https://www.nist.gov/" target="_blank" rel="noopener noreferrer">National Institute of Standards and Technology</a> (NIST) <a href="https://samate.nist.gov" target="_blank" rel="noopener noreferrer">Software Assurance Metrics and Tool Evaluation</a> (SAMATE) project. Our resulting document, entitled <a href="/about/sources.html#plover">Preliminary List Of Vulnerability Examples for Researchers</a> (PLOVER), was a working document that lists over 1,500 diverse, real-world examples of vulnerabilities, identified by their CVE name. The vulnerabilities in PLOVER are organized within a detailed conceptual framework that currently enumerates 290 individual types of software weaknesses, idiosyncrasies, faults, and flaws, with a large number of real-world vulnerability examples for each. PLOVER represented the first attempt at a truly bottom-up effort to take real-world observed faults and flaws that do exist in code, abstract them and group them into common classes representing more general potential vulnerabilities that could exist in code, and then finally to organize them in an appropriate relative structure so as to make them accessible and useful to a diverse set of audiences for a diverse set of purposes.</p> <p>After PLOVER, the next step was to establish acceptable definitions and descriptions of these common weaknesses by the community under the NIST SAMATE project, which led to the creation and the first release of the <a href="/data/index.html">“Common Weakness Enumeration” List</a> and associated classification taxonomy in 2006. Not only did CWE encompass a large portion of the CVE List’s (now 130,000+) CVE Entries, but it also included detail, breadth, and classification structure from a diverse set of other industry and academic sources and examples including the McGraw/Fortify “Kingdoms” taxonomy; Howard, LeBlanc & Viega’s 19 Deadly Sins; and Secure Software’s CLASP project; among others.</p> <p>Follow-on releases over the years refined these software weakness types and their classification trees, while also adding new content such as in 2014 for mobile applications. In recent years, hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) have become increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. For this reason, support for hardware weaknesses was added to the CWE List in 2020.</p> <p>Today, each new release of the <a href="/data/index.html">CWE List</a> continues to be a community effort. Creation of the list is an ongoing process as the <a href="/community/members.html">CWE Community</a> regularly refines existing software and hardware weakness types and their classification trees, develops and adds new weakness types definitions and related content as needed for new technologies, and discovers new ways for the community to leverage CWE content such as the new data-driven approach for generating the <a href="/top25/index.html">CWE Top 25</a>. <div align="right" style="padding-top:5px; padding-bottom:5px; clear:right" class="noprint"><a class="backtop" href="#top">Back to top</a></div> </div>  <div id="More_Message_Custom" style="display:none;"> <div style="padding:15px 0px 0px 0px;color:#ff0000;font-size:95%;font-weight:bold;text-align:center;" >More information is available — Please edit the custom filter or select a different filter.</div></div> </td>  </tr> </table> <div id="FootPane" class="noprint"> <div id="footbar"> <b>Page Last Updated: </b> September 27, 2022 </div> <div class="Footer noprint"> <a name="footer" id="footer"></a> <table width="100%" cellpadding="0" cellspacing="0" border="0" class="ltgreybackground" style="clear:both"> <tr> <td colspan="3" id="line"><div class="line"> </div></td> </tr> <tr> <td valign="middle" nowrap="nowrap"> <div id="footerlinks" class="footlogo"> <a href="http://www.mitre.org" target="_blank" rel="noopener noreferrer"><img src="/images/mitre_logo.gif" height="36" border="0" alt="MITRE" title="MITRE"/></a> </div> </td> <td width="100%" valign="top" style="padding:6px 0px;"> <div id="footerlinks"> <a href="/sitemap.html">Site Map</a> | <a href="/about/termsofuse.html">Terms of Use</a> | <a href="#" onclick="Osano.cm.showDrawer('osano-cm-dom-info-dialog-open')">Manage Cookies</a> | <a href="/about/cookie_notice.html">Cookie Notice</a> | <a href="/about/privacy_policy.html">Privacy Policy</a> | <a href="mailto:cwe@mitre.org">Contact Us</a> | <a target="_blank" href="https://twitter.com/CweCapec"><img src="/images/x-logo-black.png" width="18" height="18" style="border:0;vertical-align:right;" alt="CWE X-Twitter" title="CWE X-Twitter"></a> <a target="_blank" href="https://mastodon.social/@CWE_Program"><img src="/images/mastodon-logo.png" width="20" height="20" style="border:0;vertical-align:right;" alt="CWE Mastodon" title="CWE Mastodon"></a> <a target="_blank" href="https://www.linkedin.com/showcase/cve-cwe-capec"><img src="/images/linkedin_sm.jpg" width="20" height="20" style="border:0;vertical-align:right;" alt="CWE on LinkedIn" title="CWE on LinkedIn"></a> <a target="_blank" href="https://www.youtube.com/channel/UCpY9VIpRmFK4ebD6orssifA"><img src="/images/youtube.png" width="20" height="20" style="border:0;vertical-align:right;" alt="CWE YouTube channel" title="CWE YouTube Channel"></a> <a href="/news/podcast.html"><img src="/images/out_of_bounds_read_logo.png" width="22" height="22" style="border:0;vertical-align:right;" alt="CWE Out-of-Bounds-Read Podcast" title="CWE Out-of-Bounds-Read Podcast"></a> <a target="_blank" href="https://medium.com/@CWE_CAPEC"><img src="/images/medium.png" width="20" height="20" style="border:0;vertical-align:right;" alt="CWE Blog on Medium blog" title="CWE Blog on Medium"></a> </div> <p>Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the <a href="/about/termsofuse.html">Terms of Use</a>. CWE is sponsored by the <a target="_blank" rel="noopener noreferrer" href="https://www.dhs.gov/">U.S. Department of Homeland Security</a> (DHS) <a target="_blank" rel="noopener noreferrer" href="https://www.dhs.gov/cisa/cybersecurity-division">Cybersecurity and Infrastructure Security Agency</a> (CISA) and managed by the <a href="https://www.dhs.gov/science-and-technology/hssedi" target="_blank" rel="noopener noreferrer">Homeland Security Systems Engineering and Development Institute</a> (HSSEDI) which is operated by <a target="_blank" rel="noopener noreferrer" href="http://www.mitre.org/">The MITRE Corporation</a> (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.</p> </td> <td valign="middle" nowrap="nowrap"> <div id="footerlinks" class="footlogo"> <a href="https://www.dhs.gov/science-and-technology/hssedi" target="_blank" rel="noopener noreferrer"><img src="/images/hssedi.png" height="36" border="0" alt="HSSEDI" title="HSSEDI"/></a> </div> </td> </tr> </table> </div> </div>  <script async src="https://www.googletagmanager.com/gtag/js?id=G-TCLW30GNGV"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-TCLW30GNGV'); </script> </body> </html>

CINXE.COM

CWE - About - CWE History