References¶
This page contains the complete bibliography for the Vendor-Specific CWE Analysis research. References are organized by category and formatted for academic citation.
Foundational Works¶
Common Weakness Enumeration (CWE) Framework¶
CWE Foundation Studies
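@article{martin2007common,
  author    = {Martin, Robert A. and Barnum, Sean},
  title     = {{Common Weakness Enumeration} ({CWE}) Status Update},
  journal   = {Ada Letters},
  volume    = {27},
  number    = {3},
  pages     = {88--91},
  year      = {2007},
  publisher = {ACM},
}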
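@inproceedings{martin2007advancing,
  author       = {Martin, Robert A. and Barnum, Sean and Christey, Steve},
  title        = {Advancing Software Security Through {Common Weakness Enumeration} ({CWE}) and {Common Attack Pattern Enumeration and Classification} ({CAPEC})},
  booktitle    = {Proceedings of the 2007 Workshop on Software Security for Anti-Tamper Applications},
  pages        = {38--51},
  year         = {2007},
  organization = {Software Engineering Institute},
  doi          = {10.1184/R1/6571826.v1},
}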
Vulnerability Analysis and Lifecycle Studies¶
Vulnerability Analysis Research
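@phdthesis{FreiLifecycle,
  author = {Frei, Stefan},
  title  = {Security Econometrics: The Dynamics of {(In)Security}},
  school = {ETH Zurich},
  year   = {2009},
  url    = {http://www.techzoom.net/publications},
}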
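@inproceedings{frei2006vulnerabilities,
  author    = {Frei, Stefan and May, Martin and Fiedler, Ulrich and Plattner, Bernhard},
  title     = {Large-Scale Vulnerability Analysis},
  booktitle = {Proceedings of the 2006 {SIGCOMM} Workshop on Large-Scale Attack Defense},
  year      = {2006},
  month     = sep,
  doi       = {10.1145/1162666.1162671},
}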
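@article{Shahzad2020,
  author        = {Shahzad, Muhammad and Shafiq, M. Zubair and Liu, Alex X.},
  title         = {Large Scale Characterization of Software Vulnerability Life Cycles},
  journal       = {IEEE Transactions on Dependable and Secure Computing},
  year          = {2020},
  month         = jul,
  internal-note = {volume, number, pages and doi not recorded; fill in from the publisher record},
}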
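@article{iannone2023secret,
  author  = {Iannone, E. and Guadagni, R. and Ferrucci, F. and De Lucia, A. and Palomba, F.},
  title   = {The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study},
  journal = {IEEE Transactions on Software Engineering},
  year    = {2023},
  doi     = {10.1109/TSE.2022.3140868},
}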
Contemporary Vulnerability Research¶
Machine Learning and Automated Analysis¶
ML/AI in Vulnerability Analysis
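@inproceedings{HannuTapani_Turtiainen_2024,
  author        = {Turtiainen, Hannu-Tapani and Costin, André A.},
  title         = {{VulnBERTa}: On Automating {CWE} Weakness Assignment and Improving the Quality of Cybersecurity {CVE} Vulnerabilities Through {ML}/{NLP}},
  booktitle     = {2024 {IEEE} European Symposium on Security and Privacy Workshops ({EuroS\&PW})},
  pages         = {618--625},
  year          = {2024},
  doi           = {10.1109/eurospw61312.2024.00075},
  internal-note = {venue inferred from the DOI prefix (eurospw...2024); confirm against the publisher record},
}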
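@misc{MarkOliver_Stehr_2023,
  author        = {Stehr, Mark-Oliver and Kim, Minyoung},
  title         = {Vulnerability Clustering and Other Machine Learning Applications of Semantic Vulnerability Embeddings},
  year          = {2023},
  howpublished  = {arXiv preprint arXiv:2310.05935},
  eprint        = {2310.05935},
  archiveprefix = {arXiv},
  url           = {https://export.arxiv.org/pdf/2310.05935v1.pdf},
}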
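@inproceedings{Mohammad_W_Elbes_2023,
  author        = {Elbes, Mohammad W. and Hendawi, Samar and AlZu'bi, Shadi and Kanan, Tarek and Mughaid, Ala},
  title         = {Unleashing the Full Potential of Artificial Intelligence and Machine Learning in Cybersecurity Vulnerability Management},
  booktitle     = {2023 International Conference on Information Technology ({ICIT})},
  pages         = {276--283},
  year          = {2023},
  doi           = {10.1109/icit58056.2023.10225910},
  internal-note = {venue inferred from the DOI prefix (icit...2023); confirm against the publisher record},
}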
@article{access2023systematic,
  author    = {Bassi, Deepali and Singh, Hardeep},
  title     = {A Systematic Literature Review on Software Vulnerability Prediction Models},
  journal   = {IEEE Access},
  volume    = {11},
  pages     = {98765--98789},
  year      = {2023},
  publisher = {IEEE},
  doi       = {10.1109/access.2023.3312613},
}
@article{Sonawane2024,
  author  = {Sonawane, A. P. V. D. and Bhandari, P. G. M.},
  title   = {Predicting Software Vulnerabilities with Advanced Computational Models},
  journal = {Advances in Nonlinear Variational Inequalities},
  year    = {2024},
  doi     = {10.52783/anvi.v27.1501},
}
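@inproceedings{Ganz2023,
  author        = {Ganz, T. and Imgrund, E. and Härterich, M. and Rieck, K.},
  title         = {{PAVUDI}: Patch-Based Vulnerability Discovery Using Machine Learning},
  booktitle     = {Proceedings of the Annual Computer Security Applications Conference ({ACSAC})},
  pages         = {1--14},
  year          = {2023},
  doi           = {10.1145/3627106.3627188},
  internal-note = {original entry named CCS as the venue, which does not match the DOI prefix (3627106 = ACSAC 2023); confirm against the publisher record},
}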
Patch Management and Vulnerability Response¶
Patch Management Studies
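@article{Dissanayake_2022,
  author    = {Dissanayake, Nesara and Zahedi, Mansooreh and Jayatilaka, Asangi and Babar, Muhammad Ali},
  title     = {Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector},
  journal   = {Proceedings of the ACM on Human-Computer Interaction},
  volume    = {6},
  number    = {CSCW2},
  pages     = {1--29},
  year      = {2022},
  month     = nov,
  publisher = {Association for Computing Machinery (ACM)},
  doi       = {10.1145/3555087},
}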
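@misc{miller2022,
  author        = {Miller, J. and Smith, A.},
  title         = {Why, How and Where of Delays in Software Security Patch Management},
  year          = {2022},
  howpublished  = {arXiv preprint arXiv:2202.09016},
  eprint        = {2202.09016},
  archiveprefix = {arXiv},
  url           = {https://arxiv.org/pdf/2202.09016.pdf},
  internal-note = {title duplicates Dissanayake_2022 and the eprint appears to be that paper's preprint; verify the author list before citing},
}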
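@inproceedings{Mehri2023,
  author        = {Mehri, V. A. and Arlos, P. and Casalicchio, E.},
  title         = {Automated Patch Management: An Empirical Evaluation Study},
  booktitle     = {{IEEE} International Conference on Cyber Security and Resilience ({CSR})},
  year          = {2023},
  doi           = {10.1109/csr57506.2023.10224970},
  internal-note = {original entry gave the venue as the IEEE Computer Security Foundations Symposium, which does not match the DOI prefix (csr...2023); confirm against the publisher record},
}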
Vulnerability Management Frameworks¶
Academic and Industry Frameworks¶
Management Frameworks
@book{Foreman2009,
  author    = {Foreman, Park},
  title     = {Vulnerability Management},
  publisher = {CRC Press},
  address   = {Boca Raton, FL},
  year      = {2009},
}
@inproceedings{Syed2018,
  author    = {Syed, R. and Zhong, H.},
  title     = {Cybersecurity Vulnerability Management: An Ontology-Based Conceptual Model},
  booktitle = {Americas Conference on Information Systems},
  year      = {2018},
}
Data Sources and Standards¶
Official Vulnerability Databases¶
Primary Data Sources
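@misc{nvd,
  author        = {{NIST}},
  title         = {{National Vulnerability Database}},
  url           = {https://nvd.nist.gov/},
  note          = {Primary source for CVE metadata and classifications},
  internal-note = {no year or access date recorded; add year/urldate when known},
}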
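@misc{MSRC_API,
  author = {{Microsoft}},
  title  = {{Microsoft} Security Update Guide Dataset},
  year   = {2024},
  url    = {https://msrc.microsoft.com/update-guide/},
}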
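@misc{RedHat2023,
  author = {{Red Hat}},
  title  = {Severity Ratings},
  year   = {2023},
  url    = {https://access.redhat.com/security/updates/classification/},
}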
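@misc{GitHub2023,
  author = {{GitHub}},
  title  = {About the {GitHub} Advisory Database},
  year   = {2023},
  url    = {https://docs.github.com/en/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database},
}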
Exploit Prediction and Analysis¶
Exploitability Research¶
Exploit Analysis Studies
@inproceedings{suciu2022expected,
  author    = {Suciu, Octavian and Nelson, Connor and Lyu, Zhuoer and Bao, Tiffany and Dumitras, Tudor},
  title     = {Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits},
  booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
  pages     = {377--394},
  year      = {2022},
  url       = {https://www.usenix.org/conference/usenixsecurity22/presentation/suciu},
}
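@inproceedings{jacobs2019epss,
  author        = {Jacobs, Jay and Romanosky, Sasha and Edwards, Ben and Roytman, Michael and Adjerid, Idris},
  title         = {Exploit Prediction Scoring System ({EPSS})},
  booktitle     = {Black Hat {USA} 2019},
  year          = {2019},
  eprint        = {1908.04856},
  archiveprefix = {arXiv},
  url           = {https://arxiv.org/pdf/1908.04856},
}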
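@misc{cyntia_jacobs2021github,
  author       = {Jacobs, Jay},
  title        = {{GitHub}: A Source for Exploits},
  howpublished = {Cyentia Institute},
  year         = {2021},
  url          = {https://www.cyentia.com/github-a-source-for-exploits/},
}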
Large-Scale Empirical Studies¶
Contemporary Empirical Research¶
Recent Empirical Studies
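@inproceedings{akhoundali2024morefixes,
  author        = {Akhoundali, J. and Nouri, S. R. and Rietveld, K.},
  title         = {{MoreFixes}: A Large-Scale Dataset of {CVE} Fix Commits Mined Through Enhanced Repository Discovery},
  booktitle     = {Proceedings of the International Conference on Predictive Models and Data Analytics in Software Engineering ({PROMISE})},
  year          = {2024},
  publisher     = {ACM},
  doi           = {10.1145/3663533.3664036},
  url           = {https://dl.acm.org/doi/abs/10.1145/3663533.3664036},
  internal-note = {original booktitle read "Proceedings of Models and Data, 2024"; venue expanded from the DOI prefix (3663533 = PROMISE 2024), confirm against the publisher record},
}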
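@article{Shi2023UncoveringCR,
  author        = {Shi, Zhenpeng and Matyunin, Nikolay and Graffi, Kalman and Starobinski, David},
  title         = {Uncovering {CWE-CVE-CPE} Relations with Threat Knowledge Graphs},
  journal       = {ACM Transactions on Privacy and Security},
  volume        = {27},
  pages         = {1--26},
  year          = {2023},
  url           = {https://api.semanticscholar.org/CorpusID:258427113},
  internal-note = {number and doi not recorded; the url points to an aggregator page rather than the publisher},
}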
@article{sun2023aspect,
  author  = {Sun, J. and Xing, Z. and Xia, X. and Lu, Q. and Xu, X. and Zhu, L.},
  title   = {Aspect-Level Information Discrepancies across Heterogeneous Vulnerability Reports: Severity, Types and Detection Methods},
  journal = {ACM Transactions on Software Engineering and Methodology},
  year    = {2023},
  doi     = {10.1145/3624734},
}
Supply Chain and Industry Reports¶
Industry and Government Reports¶
Industry Intelligence
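@techreport{enisa2022supply,
  author      = {{European Union Agency for Cybersecurity}},
  title       = {Threat Landscape for Supply Chain Attacks},
  institution = {European Union Agency for Cybersecurity ({ENISA})},
  type        = {ENISA Threat Landscape},
  year        = {2022},
  url         = {https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks},
}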
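@techreport{microsoft2024intelligence,
  author        = {{Microsoft}},
  title         = {{Microsoft} Digital Defense Report 2024},
  institution   = {Microsoft Corporation},
  year          = {2024},
  internal-note = {no url or access date recorded; add url/urldate when known},
}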
Government Standards and Guidelines¶
Official Security Guidelines¶
Government Standards
@techreport{Souppaya2022,
  author      = {Souppaya, Murugiah and Scarfone, Karen},
  title       = {Guide to Enterprise Patch Management Planning},
  institution = {National Institute of Standards and Technology},
  type        = {Special Publication},
  number      = {800-40r4},
  year        = {2022},
  url         = {https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf},
}
@techreport{mell2007guide,
  author      = {Mell, Peter and Kent, Karen and Nusbaum, Joseph},
  title       = {Creating a patch and vulnerability management program},
  institution = {National Institute of Standards and Technology},
  type        = {Special Publication},
  number      = {800-40 Version 2.0},
  address     = {Gaithersburg, MD},
  year        = {2007},
}
How to Cite This Research¶
Citation Format
APA Style:
AlBedah, E. (2024). Comparative Analysis of Vendor-Specific Common Weakness
Enumeration Patterns: A Large-Scale Empirical Study. City, University of London.
IEEE Style:
E. AlBedah, "Comparative Analysis of Vendor-Specific Common Weakness
Enumeration Patterns: A Large-Scale Empirical Study," City, University
of London, 2024.
BibTeX:
Last Updated: August 2025