Contribute to CWE: A Guide to Enhancing Cybersecurity Standards Through GitHub Collaboration
Want to help improve cybersecurity? Contribute your expertise to the Common Weakness Enumeration (CWE) project, a community-driven effort to identify and classify software and hardware weaknesses. This guide explains how to submit, participate, and collaborate using the CWE Content Development Repository (CDR) on GitHub.
What is the CWE Content Development Repository?
The CWE Content Development Repository (CDR) is a public GitHub repository where the cybersecurity community collaborates on improving and expanding the CWE list. This open platform encourages contributions from developers, security researchers, and anyone passionate about creating more secure software. The CDR promotes transparency and shared knowledge in vulnerability management.
Why Contribute to CWE?
- Shape Industry Standards: Influence the de facto standard for describing software and hardware weaknesses.
- Gain Recognition: Have your contributions recognized by the cybersecurity community.
- Improve Software Security: Help developers write more secure code by providing clear and comprehensive weakness descriptions.
- Enhance Your Skills: Deepen your understanding of software and hardware vulnerabilities.
How to Get Involved in CWE Content Development
There are three primary roles for contributors to the CWE Content Development Repository:
- Content Submitter: Propose new weaknesses or modifications to existing ones. Actively track your submissions, respond to feedback, and make necessary adjustments.
- Content Participant: Engage with the CDR by commenting on submissions, sharing insights, and participating in discussions. Track submissions of interest and contribute to the overall review process.
- Content Observer: Stay informed about the CDR's activities, understand its processes, and learn from the community's contributions.
Understanding the Roles
Each role offers a different level of involvement. Choose the role that best aligns with your interests, expertise, and available time.
Submitting Content to CWE: A Step-by-Step Guide
Want to propose a change to the CWE? Follow these steps to ensure your submission is complete and effective.
- Consult the Guidelines: Thoroughly review the [Guidelines for Content Submissions](link to guidelines) for detailed instructions on content formatting, requirements, and the overall submission process.
- Submit via the Submission Form: All new content proposals must be submitted through the official [CWE Submission Form](link to form).
- Address Feedback: Be prepared to promptly and thoroughly address feedback from the CWE Team and the community. Your responsiveness is crucial for advancing your submission through the review process.
Key Considerations for Submissions
- Ensure your submission adheres to the [CWE Terms of Use](link to terms).
- Clearly articulate the weakness, its potential impact, and practical examples.
- Use precise language and follow the CWE style guide.
Navigating the External Content Submission Phases
Submissions go through a structured review process with several stages. Understanding these phases helps you track your submission’s progress.
The Four Main Stages
- Initial Review: The CWE Team evaluates the submission for suitability and scope.
- Technical Review: Experts assess the technical accuracy and completeness of the content.
- Editorial Review: The submission is checked for clarity, consistency, and adherence to CWE style guidelines.
- Publication: Approved submissions are integrated into the CWE list.
See Submission-phases.md for complete details.
Understanding "SCOPE" Labels and Scope Exclusions
Certain labels identify problems with the scope of a submission, called scope exclusions. They are assigned during the initial review and are removed once the exclusion has been addressed. These labels begin with "SCOPE".
Solving Submission Problems: The "SUB" Labels
Labels starting with "SUB" indicate problems with a submission. These issues are identified during the initial review and must be resolved before the submission can proceed.
Using GitHub Issues for Content Development
Each submission is assigned a unique GitHub issue. The issue title includes the submission ID and name.
- Locating Submissions: Search for submission issues using filters for "External-Submission," "Feedback," "Phase," "SCOPE," and "SUB."
- Providing Feedback: Share your feedback and insights by posting comments directly on the relevant GitHub issue.
Collaborating on CWE: Best Practices for Cybersecurity Professionals
Effective collaboration is essential for the CWE project's success. Follow these guidelines to ensure your contributions are constructive and respectful.
- Use Issue Comments: The primary method for collaboration is through commenting on GitHub issues. Share your insights, ask questions, and provide constructive feedback.
- Respect the Code of Conduct: Maintain a respectful and professional tone in all communications. Help foster a positive and inclusive environment.
- Leave Issue Management to MITRE: Do not modify issue labels or attempt to manage the review process.
What Not To Do
- Do not create new content submissions as issues on the CDR. Use the [CWE Submission Form](link to form) instead.
- Do not conduct your own independent reviews or instruct submitters on revisions.
Enhance Cybersecurity Standards Together
By actively contributing to the CWE Content Development Repository, you play a vital role in improving software security and strengthening cybersecurity standards. Submit your expertise, engage in discussions, and help create a more secure digital world. Take the first step by visiting the [CWE Submission Form](link to form) today!