CWE Videos

The CWE videos below are hosted on the CWE Program Channel on YouTube.

CWE Basics

CWE Program Technical Lead Steve Christey Coley discusses CWE’s most important problems and where they fit within the challenges faced by the broader vulnerability management/software security ecosystem. Topics include: supporting multiple users/personas, which have changed over the years; CWE organization and representation, including quality expectations and hierarchical organization; mapping problems, including usage recommendations, reasons for discouraged mappings, conflicting terminology, and real-world limitations; and modernizing CWE coverage to address difficult classification gaps, relevance and recognizability of content to users, and managing quality versus speed in CWE content changes. This talk was presented at CVE/FIRST VulnCon 2025 on April 10, 2025.

CWE Program Lead Alec Summers discusses the CWE Program’s ongoing efforts to implement its federation strategy to increase program coverage and adoption. Topics include modernizing the CWE Program infrastructure, federating CWE content development, and the purpose and objectives of the CWE community working groups and special interest groups. This talk was presented at CVE/FIRST VulnCon 2024 on March 26, 2024.

CWE Root Cause Mapping (RCM)

CWE Program Lead Alec Summers and Yahoo’s Chris Madden discuss the value of CWE Root Cause Mapping (RCM) and the recent adoption of RCM in the CVE Numbering Authority community, before exploring what is being done to address existing challenges and develop practical solutions. The talk also covers the performance of a grounded large language model (LLM) tool against the “CWE Top 25 Most Dangerous Software Weaknesses” dataset, in particular how the comparative analysis sheds light on the viability of advances in LLM capabilities for helping to scale decentralized RCM throughout the vulnerability management ecosystem, offering actionable insights for practitioners and researchers alike.
This talk was presented at CVE/FIRST VulnCon 2025 on April 7, 2025.

Red Hat’s Alexander Bushkin and Jeremy West discuss how to better leverage CVE root cause mapping along with CWE data in order to prevent new vulnerabilities from occurring. This talk was presented at CVE/FIRST VulnCon 2024 on April 8, 2025.

Hardware CWEs

Scott Constable of Intel Labs discusses microarchitectural weaknesses in the CWE List that relate to transient execution, especially the four new microarchitectural weakness entries added with the release of CWE Version 4.14:
This talk was presented to the Hardware CWE Special Interest Group (HW CWE SIG) on March 8, 2024.