Welcome!

The Bugs Framework (BF)* organizes software weaknesses (bugs) into distinct classes, such as Buffer Overflow (BOF), Injection (INJ), and Control of Interaction Frequency (CIF). Each BF class has an accurate and precise definition and comprises:

BF provides a superior, unified approach that allows us to:

With BF practitioners and researchers can more accurately, precisely and clearly:

Those concerned with software quality, the reliability of programs and digital systems, or cybersecurity will be able to make more rapid progress by more clearly labeling the results of errors in software. Those responsible for designing, operating and maintaining computer complexes can communicate with more exactness about threats, attacks, patches and exposures.

As BF covers more classes:

Approach

To achieve higher levels of security, reliability and availability of digital systems, we need to answer questions such as:

To be able to answer these questions, we need a vastly improved way to describe classes of vulnerabilities and chains of failures.

For that we are developing the Bugs Framework (BF) by factoring and restructuring the information contained in Common Weakness Enumeration (CWE), Software Fault Patterns (SFP), Semantic Templates (ST) and numerous other sources on software vulnerabilities and attacks (see the Enlightenment link). The goal is to categorize the types of weaknesses unambiguously, so that similarities and differences can be easily explored and examined.

The BF organizes software weaknesses (bugs) into distinct classes, such as Buffer Overflow (BOF), Injection (INJ), and Control of Interaction Frequency (CIF). It is a hierarchy of abstract and concrete classes of bugs with:

________________________________________________

*The BF is being created by factoring and restructuring the information contained in CWE, SFP, NSA CAS, SOAR, SEI-CERT, and others, and thus benefits from the community's experience with their use. Instead of trying to match the weakness classes that tools find to CWEs, which usually far over- or under-generalizes, the BF can describe tool classes much more accurately, precisely and succinctly. We believe that as CWEs migrate to using this kind of taxonomy, they will be easier to comprehend and avoid.