Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry
CVE/FIRST VulnCon 2025 · Main Stage
In this talk, Steve Christey Coley, **CWE technical lead** and **co-founder** at the MITRE Corporation, examined the persistent challenges facing the **Common Weakness Enumeration (CWE)** project. Begun in 2005, CWE provides a standardized list of software and hardware weakness types and has become a cornerstone of the cybersecurity landscape. The presentation covered CWE's historical context, its evolving organization, the complexities of weakness mapping (assigning the right CWE entry to a given vulnerability), and the ongoing effort to modernize its coverage so that it addresses contemporary security issues.
AI review
Steve Christey Coley is one of the few people on the planet who can speak with genuine authority on why weakness classification is hard, and he delivers. This isn't a research talk dropping novel exploits — it's a meta-level infrastructure talk about the epistemological foundations of how the industry categorizes what's wrong with software. At VulnCon specifically, that's exactly the right lane. The content is substantive, self-critical in ways that most standards-body talks never are, and packed with practical signal for CNAs, vulnerability analysts, and anyone who has ever rage-quit trying…