Root cause mapping is the identification of the underlying cause of a vulnerability. This is best done by correlating CVE Records with CWE entries. Root cause mapping is not done accurately at scale by the vulnerability management ecosystem.

Root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers. Additionally, it enables:

• Driving the removal of classes of vulnerabilities: Root cause mapping saves vendors money through encouraging a valuable feedback loop into an SDLC or architecture design planning (i.e., the more weaknesses avoided in product development, the less vulnerabilities to manage after deployment)
• Trend analysis (e.g., how big of a problem is memory safety compared to other problems like injection)
• Further insight to potential “exploitability” based on root cause (e.g., command injection vulnerabilities will tend to see increased adversary attention, be targeted by certain actors)
• Facilitate industry competition on security; organizations can demonstrate transparency to customers how they are targeting and tackling problems in their products

The Root Cause Mapping Working Group (RCM WG) was established by CVE® and CWE™ community stakeholders (e.g., Intel, Microsoft, Red Hat, Rapid 7, CISA, HSSEDI) with the purpose of determining how to improve and scale accurate root cause mapping. Specifically, the working group is exploring the feasibility of an effective decentralized root cause mapping ecosystem.

This would mean instead of an intermediary being responsible (e.g., NIST's National Vulnerability Database [NVD] team, the CWE team), root cause mapping is taken on by those that know the vulnerabilities and products best. The initial targets are CVE Numbering Authorities (CNAs) because they:

• Participate in both the CVE and CWE programs
• Demonstrate responsible disclosure of vulnerability information
• Provide a basis of measurement for CVE-to-CWE correlation accuracy
• Are a proxy for the broader vulnerability management ecosystem

If CNAs can’t do root cause mapping accurately, there should be no expectation that it can be done at scale.

The working group is initially focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping by:

• Identifying and describing the current challenges in performing and reporting accurate root cause mapping
• Defining how the CWE hierarchy and content must improve to facilitate better root cause mapping which will have the effect of better achieving CWE program adoption and coverage goals
• Developing new capabilities to simplify the root cause mapping process

The RCM WG established the following goals for the working group:

1. Define the business case for doing accurate root cause mapping

• (Objective 1) Socialize and confirm with the broader community

3. Determine the feasibility of accurate, decentralized root cause mapping

• (Objective 1) Identify the capabilities, processes, and information needed to make root cause mapping easier

The RCM has also established communication channels, began recruiting additional members, and is close to finalizing a charter. Initial members have begun sharing what they are currently doing to fill gaps in the existing CWE structure to make it more adoptable.

The RCM WG is accepting new members. If you are interested in participating, please email us at cwe@mitre.org