Programming Language Vulnerabilities

Maintained by
Jim Moore,

If you don't see two frames, click here.
Formerly called the "OWGV" 


ISO/IEC Project 22.24772:
Programming Language Vulnerabilities

All programming languages have constructs that are undefined, imperfectly defined, implementation-dependent, or difficult to use correctly. As a result, software programs can execute differently than intended by the writer. In some cases, these vulnerabilities can be exploited by an attacker to compromise the security of a system, or lead to unanticipated situations where safety or privacy are compromised.

ISO/IEC JTC 1/SC 22/WG 23 prepares comparative guidance spanning multiple programming languages, so that application developers will be better able to avoid the programming errors that lead to vulnerabilities in these languages and their attendant consequences. This guidance can also be used by developers to select source code processing tools that can discover and eliminate coding errors that lead to vulnerabilities. Finally the guidance can be used by the developers of the language specifications themselves to improve language design.

The project has prepared an ISO/IEC Technical Report containing guidance to users of programming languages on how to avoid the vulnerabilities that exist in the programming language selected for a particular project. The first edition of the Technical Report was published in 2010 and is available for free. Unlike many ISO/IEC documents, single-user copies are licensed at no charge.

The project is now preparing a second edition describing additional vulnerabilities and providing annexes that describe how the vulnerabilities manifest themselves in different languages.

Currently, the group enjoys the participation of representatives from many of the important programming languages and hopes to attract more. The group plans to obtain information about vulnerabilities and their treatment from initiatives such as MISRA (C and C++), the Common Weakness Enumeration dictionary, and the CERT Secure Coding Initiative.

[ Project Organization ] [ Project Status ]

The work of WG23 is supplemented by an archived mailer.

You can use Google to search this web site:

Entire WebWG 23 Web Site

Project Organization

ISO/IEC JTC1/SC22 has the scope of "programming languages and their environments". WG 23 (Vulnerabilities) is a working group reporting to SC 22. It has been assigned responsibility for project 22.24772 to write an ISO/IEC Technical Report, "Programming Language Vulnerabilities." More information regarding the project can be found in our FAQ.


(All email addresses have been altered to discourage automatic harvesting of them):

SC 22 Officers
 Chair  Rex Jaeschke rex at RexJaeschke dot com
 Secretariat ANSI  Marisa Peacock mpeacock at ansi dot org
 WG 23 Officers
 Convener  John Benito benito at bluepilot dot com
 Secretary  Jim Moore James dot W dot Moore at IEEE dot org

Identified Participants:

Many individuals have attended meetings or participated via email. The following persons are officers of WG 23 or identified points of contact for participating organizations:

 Individual Participant  Point of contact for a National Body (see below)  Liaison with a Working Group of ISO / IEC JTC1 / SC22  Liaison with another Organization
 John Benito (convener)   .  
 Ben Brosgol      Java Community: JSR 282: RTSJ and JSR 302: Safety Critical Java Technology
 Paul Caseley      UK MOD
 Rod Chapman      SPARK
 Douglas Crockford     ECMA TC39 (ECMAScript)
 Franco Gasperoni  France    
 Cesar Gonzalez-Perez      ISO/IEC JTC1 / SC7 / WG19
 Roman Grahle  Germany    
 Chris Hills     MISRA Languages L (Category C Liaison)
 Kiyoshi Ishihata  Japan    
 Rex Jaeschke      
 Derek Jones  UK    
 Stephen Michell [1]  Canada, SCC    
 Ed de Moel      MDC (MUMPS)
 Jim Moore (secretary)      
 Dan Nagle    WG5 (Fortran)  PL22.3 (Fortran)
 Erhard Ploedereder    WG9 (Ada)  Ada-Europe
 Tom Plum  US, INCITS PL22  WG14 (C)
WG21 (C++) [2]
 ECMA TC49 / TG2 (C#)
 Clive Pygott      MISRA C++
 Robert Seacord      CERT
 Bill Spees      US FDA
 Nick Stoughton . SC22 (POSIX) Austin Group
 Barry Tauber    WG4 (Cobol)  PL22.4 (Cobol)
 Tullio Vardanega  Italy    
[1] Additional designated experts from Canada include: Robert Klarer and Michell Wong.
[2] Additional liaison representatives from WG21 include: Matt Austern, Steve Clamage, Richard Corden, Gabriel Dos Reis, Nick Maclaren, Thorsten Ottosen, P. J. Plauger, PremAnand Rao, Mike Spertus, Bjarne Stroustrup, and Detlef Vollman.

Those interested in representing their national body or participating in a national "shadow group" should contact the standards body of the nation in which they reside or work. In the case of the following nations, a point of contact has been identified. (All email addresses have been altered to discourage automatic harvesting of them):

 Canada SCC  Steve Michell stephen dot michell at maurya dot on dot ca
 France AFNOR  Franco Gasperoni gasperon at act-europe dot fr
 Germany DIN  Roman Grahle roman dot grahle at din dot de
 Italy UNI  Tullio Vardanega tullio dot vardanega at math dot unipd dot it
 Japan JSA  Kiyoshi Ishihata ishihata at cs dot meiji dot ac dot jp
 Netherlands NEN  Willem Wakker willemw at ace dot nl 
 UK BSI IST-5  Derek Jones derek at knosof dot co dot uk
 USA INCITS PL22  Tom Plum tplum at plumhall dot com

Status of Formal Standards Process


Jun-Sep 2005  New Work Item Proposal, "Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use," was balloted by SC22 and JTC1 to authorize project. [N0001
2 Oct 2005 SC22 created OWG:Vulnerabilities to perform project [N0003]. Jim Moore was named as convener.
5 Oct 2005

SC22 Secretariat announced balloting results, assigned project number and directed OWG:Vulnerability to begin work [N0002]:

Please note that this project has been assigned the ISO/IEC designation "24772". The OWG: Vulnerabilities is instructed to begin work on this project and prepare a disposition of comments for those National Body comments received on the SC 22 ballot.

6 Oct 2005 Plan for "Moving Forward" [N0004]
13 Mar 2006 Prepared disposition of the comments received on New Work Item Proposal [N0007]
21 Sep 2006 SC22 renewed the OWGV for another year of work [N0045]. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat.
28 Sep 2007  SC22 plenary: Resolution 07-09 renewed the OWGV for another year of work. It named John Benito as convener and The MITRE Corporation (Jim Moore) as Secretariat. Resolution 07-10 registered PDTR 24772. [N0110
24 Sep 2008 SC22 plenary: Resolution 08-03 established WG 23 to carry on the work of OWGV. It named John Benito as convener. Resolution 08-06 renamed the document as "Programming Language Vulnerabilities".
First Edition
9 Dec 2008 Draft of 24772 [N0170] prepared for PDTR ballot.
11 Feb 2009 Balloting of PDTR 24772 was completed with 11 nations voting in favor, 1 nation voting against, and 5 nations abstaining. [N0176]
2 Jun 2009 Draft of 24772 [N0191] prepared for 2nd PDTR ballot.
23 Jun 2009 2nd PDTR ballot of 24772 [N0191] initiated. Ballot closes 23 Sep 2009.
27 Sept 2009 Balloting of PDTR 24772 was completed with 8 nations voting in favor, 1 nation voting against, and 8 nations abstaining [N0224]
23 Nov 2009 Draft of 24772 [N0238] prepared for DTR ballot.
15 Dec 2009 DTR ballot of 24772 [N0238] initiated. Ballot closes 16 March 2010.
16 Mar 2010 Balloting of DTR 24772 was completed with 18 nations voting in favor, 0 nations voting against and 13 nations abstaining [N0243]
3 June 2010 Draft submitted for publication [N0257]
23 July 2010 Draft revised and resubmitted [N0267]
23 Sep 2010 Publication proof reviewed and approved [N0285]
29 Sep 2010 ISO/IEC TR 24772:2010 published
July 2011 Technical Report made publicly available here
Second Edition
24 Jan 2012 Draft prepared for PDTR ballot
24 Apr 2012 Balloting of PDTR completed with 15 nations voting in favor, 0 voting against, and 5 abstentions
11 Jul 2012 Draft prepared for PDTR.2 ballot
10 Sep 2012 Scheduled completion of PDTR.2 ballot


The work of the study group leading to creation of the OWGV and, ultimately, WG 23, is summarized on the History page.

Disclaimer  Most of the items contained in this web site and its associated files and directories are preliminary working material of ISO/IEC JTC 1/SC 22, subject to review and correction.  

The web site is maintained for the convenience of the participants in SC 22/WG 23 by:

James W. Moore,