Common Weakness Enumeration

Scoring CWEs

The publicly available methodologies below help the community leverage the information in the CWE List in actionable ways to improve the quality of their products and/or the security of their enterprises.

Scoring Methodologies

• Prioritizing Weaknesses Based Upon Your Organization's Mission
  The CWE project offers several approaches for prioritizing weaknesses so that you can focus on an appropriate subset for your organization's needs. Learn how to utilize these methods to benefit from the most improvement in the resilience, reliability, and integrity of your software as soon as possible.

• Common Weakness Scoring System (CWSS™)
  CWSS provides a mechanism for scoring weaknesses in a consistent, flexible, open manner while accommodating context for various business domains. CWSS can also be used by individual developers to prioritize unfixed weaknesses within their own software.

• Common Weakness Risk Analysis Framework (CWRAF™)
  CWRAF, used in conjunction with CWSS, will provide your organization with a tailored "Top XX" list of common weaknesses.

• CWE Top 25 Most Dangerous Software Errors
  The CWE Top 25 Most Dangerous Software Errors is a periodically updated list of the most prevalent and easily exploited software common weaknesses as assessed by over 20 industry experts.

• CWE Most Important Hardware Weaknesses
  The CWE Most Important Hardware Weaknesses is a periodically updated list of common hardware weaknesses, compiled through collaboration with the Hardware CWE Special Interest Group (SIG).

Feedback

Please send any comments or questions about scoring, prioritizing, and/or mitigating CWEs to cwe@mitre.org so that we may assist you in deploying these tools.