+1.

Regards,
Bruce

Bruce Monroe
Security Researcher PE PSIRT Engineer | AMD
AMD PSO/Security R&D

From: Fung, Jason M <jason.m.f...@intel.com>
Sent: Tuesday, May 13, 2025 3:05 AM
To: Jason Oberg <ja...@cycuity.com>; Bob Heinemann <rheinem...@mitre.org>
Cc: HW CWE Special Interest Group SIG <hw-cwe-special-interest-group-sig-list@mitre.org>
Subject: RE: Memory Related Weaknesses

The CVE schema proposal was submitted more than 4 years ago at https://github.com/CVEProject/cve-schema/issues/22. Does anyone know how to give this the right boost of much needed attention?

- Jason

From: Jason Oberg <ja...@cycuity.com>
Sent: Monday, May 12, 2025 2:31 PM
To: Bob Heinemann <rheinem...@mitre.org>
Cc: HW CWE Special Interest Group SIG <hw-cwe-special-interest-group-sig-list@mitre.org>
Subject: Re: Memory Related Weaknesses

Hi All,

Thanks for the productive discussion on Friday. I would advocate for:

1. Proposing some hardware-specific updates to the existing memory- and integer overflow-related CWEs that are currently not in the HW view.
2. Make these existing CWEs visible in the HW view (CWE-1194).

The only nuance here is that a lot of publicly disclosed vulnerabilities (CVEs) will reference a lot of these memory related CWEs. There is a working group collecting data to create an update to the Most Important HW Weakness list. If many of these CWEs now appear in the HW CWE view, many CVEs will appear to have a root-cause in hardware when that is in fact not the case. This would incorrectly report many CWEs as important when in fact they may not be.

In the past, Jason Fung, myself, and others proposed adding a root-cause field to CVE entries to distinguish whether the vulnerability's root cause was hardware or software. This would solve this issue but I don't think that change was implemented by CVE.

Is there anything that can be done on the CWE side specifically to address this in lieu of a change by CVE?

Thanks,
Jason

On Fri, May 9, 2025 at 10:51 AM Bob Heinemann <rheinem...@mitre.org> wrote:

Hi All:

This is a reminder to think about what the best approach is to include memory weaknesses into the HW View. We’ll dedicate some time to this topic for the next meeting. However, please feel free to use this thread for discussion.

Here is a link to the slides for today.
https://github.com/CWE-CAPEC/hw-cwe-sig/blob/main/Slide_Decks/2025/20250509_hw_cwe_sig_meeting_slides.pdf

Bob