Welcome to BF!

The Bugs Framework (BF)* organizes software weaknesses (bugs) into distinct classes, such as Buffer Overflow (BOF), Injection (INJ), and Control of Interaction Frequency (CIF). Each BF class has an accurate, precise definition and comprises:

BF provides a superior, unified approach that allows us to:

With BF, practitioners and researchers can more accurately, precisely, and clearly:

Those concerned with software quality, the reliability of programs and digital systems, or cybersecurity will be able to make more rapid progress by labeling the results of errors in software more clearly. Those responsible for designing, operating, and maintaining computer systems can communicate more exactly about threats, attacks, patches, and exposures.

As BF covers more classes:

Types of Attributes


*The BF is being created by factoring and restructuring the information contained in CWE, SFP, NSA CAS, SOAR, SEI-CERT, and others, and thus benefits from the community's experience with their use. Instead of trying to match the weakness classes that tools find to CWEs, which usually far over- or under-generalizes, the BF can describe those tool classes much more accurately, precisely, and succinctly. We believe that as CWEs migrate to using this kind of taxonomy, they will be easier to comprehend and avoid.