CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


About CWE

Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weaknesses. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy identify and describe weaknesses in terms of CWEs.

Knowing the weaknesses that result in vulnerabilities means software developers, hardware designers, and security architects can eliminate them before deployment, when it is much easier and cheaper to do so.


Example Product Lifecycle Flow Chart

CWE List

The CWE List is updated three to four times per year to add new and update existing weakness information. Before being published on the CWE website, weaknesses are developed in the CWE Content Development Repository (CDR) on GitHub.com. The CDR provides visibility into the CWE working queue and a platform for CWE community partners to collaborate on content development.

Using the CWE List

The CWE List is fully searchable and may be viewed or downloaded in its entirety. There is also the CWE REST API, which makes CWE content available to community applications and websites in a more convenient way.

Weaknesses can be browsed within “Views” related to specific contexts or domains. The Software Development view organizes items by concepts that are frequently used or encountered during software development. The Hardware Design view organizes weaknesses around concepts that are frequently used or encountered in hardware design, and the Research Concepts view facilitates weakness type research by organizing items by behaviors.

Other views provide insight for a certain domain or use cases, such as weaknesses introduced during design or implementation; weaknesses with indirect security impacts; those in software written in C, C++, Java, and PHP; in mobile applications; and many more. Another useful feature is the external mappings of CWE content to related resources including the annual CWE Top 25; OWASP Top Ten; Seven Pernicious Kingdoms; Software Fault Pattern Clusters; and SEI CERT Coding Standards for C, Java, and Perl.

All of these unique viewpoints into CWE content enable you to quickly leverage CWE for your own specific needs. CWE List content is also free to incorporate into research, educational materials, processes, and tools, per the terms of use.

CWE Community

CWE Program partners are organizations from across government, industry, and academia. The CWE Program operates several working groups (WGs) and special interest groups (SIGs), all of which are public forums for discussing and working collaboratively to drive CWE Program adoption and increase CWE Program coverage.

Community members can actively participate in the CWE Program by:

Page Last Updated: March 22, 2024