This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
We previously discussed including support for CVE level tags (which can be applied to the CNA or ADP containers) that assist in identification of root cause.
| Tag | Definition |
| --- | --- |
| Hardware Root Cause | Tag this to a CVE if the primary root cause of the security vulnerability originates from the hardware component of the affected product(s). The intent is to help Hardware Designers learn how to prevent similar weaknesses. Even when a hardware vulnerability can be addressed by a SW workaround, the “Hardware Root Cause” tag should still be applied, since the focus is on how the issue is introduced, not how it is remediated. |
| Software Root Cause | Tag this to a CVE if the primary root cause of the security vulnerability originates from the software component of the affected product(s). The intent is to help Software Developers learn how to prevent similar weaknesses. |
This could be expanded to include other concepts such as protocol or specification root causes. Ex:
| Tag | Definition |
| --- | --- |
| Specification Root Cause | Tag this to a CVE if the primary root cause of the security vulnerability originates from the industry specification that the affected product(s) comply with. The intent is to help Industry Specification Groups learn how to prevent similar weaknesses. If the root cause of the CVE is related to inappropriate adoption of an industry standard (e.g., use of an obsolete cryptographic algorithm) or incorrect implementation of an industry standard (e.g., the product does not implement the error recovery flow as captured in the protocol specification) in the affected product(s), the appropriate “Hardware Root Cause” or “Software Root Cause” tag should be applied instead. |
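As an added illustration of the proposal above (example code, not part of the cve-schema repository or this issue): a small check that reads the proposed tags from the `tags` array of the CNA container and each ADP container of a CVE JSON 5.x-shaped record. The slugs `hardware-root-cause`, `software-root-cause` and `specification-root-cause` are placeholder identifiers for the three tags, and the rule that a container carries at most one of them is an assumption drawn from the definitions' wording of a single *primary* root cause; the sample record is constructed.

```python
"""Check proposed root-cause tags on CVE JSON 5.x containers.

Added example; not code from the cve-schema project. Assumptions (not on the
page): the three slugs below are placeholder identifiers for the proposed tags,
they live in the existing `tags` array of the cnaContainer and each adpContainer,
and a container carries at most one of them (one *primary* root cause).
"""

ROOT_CAUSE_TAGS = {
    "hardware-root-cause",       # placeholder slug for "Hardware Root Cause"
    "software-root-cause",       # placeholder slug for "Software Root Cause"
    "specification-root-cause",  # placeholder slug for "Specification Root Cause"
}


def containers(record):
    """Yield (name, container) for the CNA container and every ADP container."""
    cont = record.get("containers", {})
    if "cna" in cont:
        yield "cna", cont["cna"]
    for i, adp in enumerate(cont.get("adp", [])):
        yield f"adp[{i}]", adp


def primary_root_cause(container):
    """Return the container's root-cause tag, None if untagged; raise if several."""
    found = sorted(t for t in container.get("tags", []) if t in ROOT_CAUSE_TAGS)
    if len(found) > 1:
        raise ValueError(f"more than one primary root-cause tag: {found}")
    return found[0] if found else None


def root_cause_findings(record):
    """Return a list of problems found across all containers; empty means OK."""
    problems = []
    for name, c in containers(record):
        try:
            primary_root_cause(c)
        except ValueError as err:
            problems.append(f"{name}: {err}")
    return problems


# Constructed sample in CVE JSON 5.x shape; the CVE id is a placeholder.
# The CNA keeps "hardware-root-cause" even though the fix is a firmware
# workaround, matching the definition's focus on how the issue was introduced.
SAMPLE = {
    "dataType": "CVE_RECORD",
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
    "containers": {
        "cna": {"tags": ["hardware-root-cause"],
                "descriptions": [{"lang": "en",
                                  "value": "Constructed: hardware flaw, firmware workaround."}]},
        "adp": [{"tags": ["specification-root-cause", "software-root-cause"]}],
    },
}
```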