Welcome to Bugs Framework (BF) – Software Developers’ ‘Best Friend’!
Irena Bojanova, Primary Investigator and Lead, Bugs Framework (BF)

The Bugs Framework (BF) is a classification system for software security bugs and weaknesses that allows unambiguous descriptions of vulnerabilities exploiting such weaknesses; it comprises:

➢ A structured, complete, orthogonal, language- and domain-independent bug/fault/weakness taxonomy.

➢ A software security vulnerability formal model.

➢ A formal language for specification of software security weaknesses and vulnerabilities.

➢ A database and tools for generating and visualizing BF classes, CWE-to-BF mappings, and BF CWE and BF CVE formal specifications.

Structured means a weakness is described via one cause, one operation, one consequence, and attributes from the lists defining a BF class (see BF concepts). This assures precise causal descriptions as (bug, operation, error) and (fault, operation, error) triples. Complete means BF has the expressive power to describe precisely any software security bug and weakness. This assures the BF weakness types have no gaps in coverage. Orthogonal means the sets of operations of any two BF classes do not overlap. This assures the BF weakness types do not overlap, as there is no operation with different meanings. Language and domain independent means BF is applicable to source code in any programming language for any platform, operating environment, or application technology. This assures BF is context-free, as an operation cannot have different meanings depending on the context.

The BF vulnerability model defines how software security weaknesses chain via cause–consequence–cause transitions to form a vulnerability that ends with a software security failure. This assures back-tracking from the failure through the errors to the bug.
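The structured (cause, operation, consequence) triples from the paragraph above and the cause-consequence chaining and back-tracking of the vulnerability model, as a toy Python model; this is an added example, not BF's own tooling, and every class, operation, error and failure name in it is a constructed placeholder rather than a real BF taxonomy entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Weakness:
    """One BF weakness: exactly one cause, one operation, one consequence."""
    bf_class: str     # class name (constructed placeholder, not a real BF class)
    cause: str        # the bug (first weakness) or the error from the prior one
    operation: str    # must be one of the operations of bf_class
    consequence: str  # an error, or for the last weakness the final failure

# Constructed placeholder classes; BF requires their operation sets to be disjoint.
CLASSES = {
    "CLASS_A": {"Initialize", "Reposition"},
    "CLASS_B": {"Read", "Write"},
}
FAILURES = {"Information Exposure", "Denial of Service"}  # constructed sample failures

def orthogonal(classes):
    """True iff no operation appears in two classes (BF's orthogonality property)."""
    ops = [op for op_set in classes.values() for op in op_set]
    return len(ops) == len(set(ops))

def validate_chain(chain):
    """Return (ok, reason): every operation belongs to its class, each
    consequence is the next weakness's cause, and the chain ends in a failure."""
    if not chain:
        return False, "empty chain"
    for i, w in enumerate(chain):
        if w.operation not in CLASSES.get(w.bf_class, ()):
            return False, f"{w.operation} is not an operation of {w.bf_class}"
        if i > 0 and chain[i - 1].consequence != w.cause:
            return False, f"cause of weakness {i} does not match prior consequence"
    if chain[-1].consequence not in FAILURES:
        return False, "chain does not end in a failure"
    return True, "ok"

def backtrack(chain):
    """Walk from the failure back through the errors to the root bug."""
    ok, reason = validate_chain(chain)
    if not ok:
        raise ValueError(reason)
    return [chain[-1].consequence] + [w.cause for w in reversed(chain)]

# Constructed sample chain: a bug in CLASS_A yields an error that CLASS_B turns into a failure.
SAMPLE_CHAIN = [
    Weakness("CLASS_A", "Missing Bounds Check", "Reposition", "Out-of-Bounds Pointer"),
    Weakness("CLASS_B", "Out-of-Bounds Pointer", "Read", "Information Exposure"),
]
```

Running `backtrack(SAMPLE_CHAIN)` walks the chain in the direction the model guarantees: failure, then each error, then the root bug.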

The BF formal language is generated by the BF LL(1) context-free grammar, with its lexicon defined by the BF Taxonomy and its syntax defined by the BF Vulnerability Model. This assures the BF specifications are unambiguous!

BF Citation: I. Bojanova, NIST, The Bugs Framework (BF), Accessed: . [Online]. Available: https://samate.nist.gov/BF/.

Note: Any BF-application publication that lists classes not featured on this website is a misrepresentation of BF. If in doubt, please seek guidance from the BF PI.

BF Intro Presentations

BF Terminology and Existing Repositories:

BF Goals, Features, and Taxonomy
(continuation of the previous presentation):

BF Hands On and Potential Impacts
(continuation of the previous presentation):