Target Prioritization Section: Design Spec

Date: 2026-03-15
Status: Draft

Purpose

Add a new top-level section to the Vulnerability Research Tool Landscape site that identifies and ranks high-priority software targets for vulnerability discovery. This section serves as a bridge between the analysis sections (SWOT, Gaps & Opportunities) and the forward-looking sections (Future Frameworks, CVE & Bug Bounty Ecosystem).

While existing sections cover what tools exist, where gaps lie, and what could be built, this section answers: where should vulnerability research resources be focused to produce the largest security impact?

The section uses a reproducible, semi-quantitative scoring methodology to evaluate software targets across deployment scale, exposure, privilege level, dependency footprint, and other dimensions. It produces a prioritized target list that can inform fuzzing campaigns, static/dynamic analysis efforts, and AI/LLM-assisted vulnerability research.

Audience

Security researchers choosing targets for vulnerability discovery. Tool builders deciding which software ecosystems to support. Organizations prioritizing security investments. Designers of future LLM-assisted vulnerability research frameworks selecting candidate inputs.

Structure

New top-level nav section "Target Prioritization" with 11 pages (1 index + 1 methodology + 7 category pages + 1 target list + 1 under-researched).

After "Gaps & Opportunities", before "Future Frameworks". Full surrounding nav context:

  # ... (preceding sections unchanged)
  - Gaps & Opportunities:
      - gaps/index.md
      - Logic Bugs: gaps/logic-bugs.md
      - Stateful Fuzzing: gaps/stateful-fuzzing.md
      - LLM Integration: gaps/llm-integration.md
      - Patch Generation: gaps/patch-generation.md
  - Target Prioritization:
      - target-prioritization/index.md
      - Methodology: target-prioritization/methodology.md
      - OS Components: target-prioritization/os-components.md
      - Networking: target-prioritization/networking.md
      - Security Libraries: target-prioritization/security-libraries.md
      - Data Parsers: target-prioritization/data-parsers.md
      - Browsers: target-prioritization/browsers.md
      - Cloud Infrastructure: target-prioritization/cloud-infrastructure.md
      - Embedded & IoT: target-prioritization/embedded-iot.md
      - Target List: target-prioritization/target-list.md
      - Under-Researched: target-prioritization/under-researched.md
  - Future Frameworks:
      - future-frameworks/index.md
      # ... (remaining sections unchanged)

Directory: docs/target-prioritization/

Pages

| Page | Focus | Depth | Est. Words |
|---|---|---|---|
| index.md | Section overview, bridge narrative, key findings, reading guide | Overview | 600-800 |
| methodology.md | Scoring criteria, weights, rubric, worked example | Deep analysis | 1000-1200 |
| os-components.md | Kernels, filesystems, drivers, memory management, syscalls | Deep analysis | 1200-1500 |
| networking.md | HTTP, TLS, DNS, SSH, email, VPN, QUIC implementations | Deep analysis | 1200-1500 |
| security-libraries.md | Crypto, auth, certificates, key management libraries | Deep analysis | 1200-1500 |
| data-parsers.md | Image, video, archive, document, compression parsers | Deep analysis | 1200-1500 |
| browsers.md | JS engines, renderers, WebAssembly, media decoders | Deep analysis | 1200-1500 |
| cloud-infrastructure.md | Containers, hypervisors, orchestration, service meshes | Deep analysis | 1200-1500 |
| embedded-iot.md | Firmware, industrial protocols, automotive, RTOS | Deep analysis | 1200-1500 |
| target-list.md | Scored prioritized table, cross-industry analysis, recommendations | Synthesis | 1500-2000 |
| under-researched.md | High-opportunity/low-coverage targets, barriers, recommendations | Synthesis | 1000-1200 |

Tags

All pages: target-prioritization. Per-page additional tags:

| Page | Additional Tags |
|---|---|
| index.md | (none, section tag only) |
| methodology.md | methodology |
| os-components.md | os, kernel |
| networking.md | networking, protocols |
| security-libraries.md | cryptography, security |
| data-parsers.md | parsers, data-formats |
| browsers.md | browsers, web |
| cloud-infrastructure.md | cloud, containers |
| embedded-iot.md | embedded, iot |
| target-list.md | prioritization |
| under-researched.md | gaps, opportunities |

Scoring Methodology

Criteria

7 dimensions, each rated 1-5:

| Criterion | Weight | 1 (Low) | 5 (High) |
|---|---|---|---|
| Deployment Scale | 3x | Niche/specialized | Billions of installations |
| Cross-Platform Presence | 1x | Single OS/arch | All major platforms + embedded |
| Protocol/Input Exposure | 3x | No external input | Directly network-facing |
| Privilege Level | 2x | Unprivileged userspace | Kernel/root/hypervisor |
| Dependency Footprint | 2x | Standalone, few consumers | Foundational library, thousands of dependents |
| Codebase Complexity | 1x | Small, simple | Large, complex, legacy |
| Historical CVE Density | 2x | Few known CVEs | Frequent high-severity CVEs |

Composite Score

Weighted sum of the seven ratings. The weights add up to 14, so the minimum score is 14 (every criterion rated 1) and the maximum is 70 (every criterion rated 5). Priority tiers:

  • Critical: 55-70
  • High: 40-54
  • Medium: 25-39
  • Low: <25

Note: Since this section covers security-critical software by definition, the "Low" tier is expected to be sparsely populated. Most targets will score Medium or above. The recalibrated thresholds ensure meaningful distribution across tiers.
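The scoring rules above as runnable code. This is an added example, not code from the spec or the site: the weights, the 14-70 range and the tier thresholds are taken from the methodology, while the target names and ratings in it are constructed placeholders rather than scores for real software. It also applies the rule, stated later in the spec, that a target appearing under several categories is scored once in its primary category and deduplicated in the master table.

```python
"""Composite-score and tier calculator for the Target Prioritization rubric.

Added example, not the spec's or the site's own code. Weights, the 14-70 score
range and the tier thresholds come from the methodology; the target names and
ratings below are constructed placeholders, not scores for real software.
"""

# Criterion weights exactly as in the methodology table.
WEIGHTS = {
    "deploy": 3,       # Deployment Scale
    "platform": 1,     # Cross-Platform Presence
    "exposure": 3,     # Protocol/Input Exposure
    "privilege": 2,    # Privilege Level
    "deps": 2,         # Dependency Footprint
    "complexity": 1,   # Codebase Complexity
    "cve_history": 2,  # Historical CVE Density
}
MIN_SCORE = 1 * sum(WEIGHTS.values())  # 14: every criterion rated 1
MAX_SCORE = 5 * sum(WEIGHTS.values())  # 70: every criterion rated 5
# Inclusive lower bound of each tier, highest first; "Low" is everything below 25.
TIER_FLOORS = [("Critical", 55), ("High", 40), ("Medium", 25), ("Low", MIN_SCORE)]

def composite_score(ratings):
    """Weighted sum of the seven 1-5 ratings; rejects missing, extra or out-of-range values."""
    if set(ratings) != set(WEIGHTS):
        raise ValueError(f"expected criteria {sorted(WEIGHTS)}, got {sorted(ratings)}")
    for name, value in ratings.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name}: rating must be an integer 1-5, got {value!r}")
    return sum(WEIGHTS[name] * value for name, value in ratings.items())

def priority_tier(score):
    """Map a composite score to Critical/High/Medium/Low using the spec's thresholds."""
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside {MIN_SCORE}-{MAX_SCORE}")
    return next(tier for tier, floor in TIER_FLOORS if score >= floor)

def rank_targets(targets):
    """Master-table rows (rank, name, category, score, tier), highest score first.

    targets: iterable of (name, primary_category, ratings). A name repeated under a
    second category is scored once, under the first category listed (dedup rule).
    """
    primary = {}
    for name, category, ratings in targets:
        primary.setdefault(name, (category, ratings))
    rows = []
    for name, (category, ratings) in primary.items():
        score = composite_score(ratings)
        rows.append((name, category, score, priority_tier(score)))
    rows.sort(key=lambda row: (-row[2], row[0]))  # score descending, then name
    return [(rank, *row) for rank, row in enumerate(rows, start=1)]

# Constructed sample targets: hypothetical names, illustrative ratings.
SAMPLE_TARGETS = [
    ("example-kernel", "OS Components",
     dict(deploy=5, platform=3, exposure=5, privilege=5, deps=4, complexity=5, cve_history=5)),
    ("example-parser", "Data Parsers",
     dict(deploy=4, platform=5, exposure=4, privilege=1, deps=5, complexity=2, cve_history=3)),
    ("example-parser", "Browsers",  # cross-referenced repeat; must not be scored twice
     dict(deploy=4, platform=5, exposure=4, privilege=1, deps=5, complexity=2, cve_history=3)),
    ("example-rtos", "Embedded & IoT",
     dict(deploy=2, platform=1, exposure=3, privilege=5, deps=2, complexity=3, cve_history=1)),
]

if __name__ == "__main__":
    print("| Rank | Software | Category | Score | Priority |\n|---|---|---|---|---|")
    for row in rank_targets(SAMPLE_TARGETS):
        print("| " + " | ".join(str(cell) for cell in row) + " |")
```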

Methodology Page Content

  • Rationale for each criterion and its weight
  • Why deployment scale and exposure are weighted highest (they determine blast radius)
  • How to apply the rubric to new targets not covered in this section
  • Limitations and caveats (scores are best-effort estimates)
  • A worked example scoring one target step by step
  • Mermaid flowchart showing the scoring workflow

Page Designs

Section Index (index.md)

  1. Intro paragraph: Bridge narrative framed around the knowledge base's narrative arc: What tools exist (tool sections) and what's missing (gaps) determines capability. Where to focus (this section) determines allocation. What to build (future frameworks) determines investment. How discovery is incentivized (CVE ecosystem) determines sustainability. This section fills the allocation layer.

  2. Scoring Overview: Brief summary of the 7-criteria methodology with link to full methodology page.

  3. Key Findings Table:

     | Finding | Detail | Page |
     |---|---|---|
     | OS kernels and crypto libraries score highest | Combination of privilege, deployment, and exposure | Target List |
     | Parser libraries are systematically under-fuzzed | High dependency footprint, varied input formats | Data Parsers |
     | Embedded/IoT has lowest research coverage | Proprietary code and specialized hardware create barriers | Embedded & IoT |
     | Cross-industry impact concentrates in ~15 targets | A small set of foundational libraries spans all sectors | Target List |

  4. Reading Guide: Suggested paths for researchers, tool builders, organizational decision-makers.

  5. Section Diagram: Mermaid flowchart showing how this section connects to SWOT, Gaps, Future Frameworks, and CVE Ecosystem.

  6. Cross-references to other sections.

Category Pages (7 pages)

Each category page follows a consistent template. Target 5-8 software targets per category, ~50-60 total across all categories.

  1. !!! abstract "At a Glance" -- what this category covers, why it matters, number of targets analyzed.

  2. Category Overview -- what makes this class of software security-critical, common vulnerability patterns.

  3. Target Analysis -- each significant software target gets:
     • Description and deployment context
     • Scoring against the 7 criteria (inline table)
     • Known vulnerability history (with sources)
     • Current fuzzing/analysis coverage status
     • Cross-references to relevant tool pages

  4. Category Summary Table -- all targets in the category with composite scores and priority tier.

  5. Implications -- guidance for researchers, tool builders, and organizations.

Category Scope

os-components.md: Linux kernel subsystems (networking, filesystem, drivers, memory management, BPF), Windows kernel and system services, macOS XNU kernel and system frameworks. Emphasis on privilege level and deployment scale.

networking.md: HTTP servers/clients (nginx, Apache, curl/libcurl), TLS libraries (OpenSSL, GnuTLS, BoringSSL, wolfSSL), DNS (BIND, Unbound, systemd-resolved), SSH (OpenSSH), email (Postfix, Exim, Dovecot), VPN (OpenVPN, WireGuard, strongSwan), QUIC (quiche, msquic, ngtcp2). Emphasis on network exposure and protocol complexity.

security-libraries.md: Crypto libraries (libsodium, Bouncy Castle, OpenSSL libcrypto), authentication frameworks (PAM, SSPI, Kerberos implementations), certificate handling (NSS, GnuTLS certtool), key management. Emphasis on dependency footprint and impact of compromise. Note: TLS libraries (OpenSSL, GnuTLS, etc.) are scored in networking.md as their primary category; security-libraries.md cross-references those entries when discussing the dependency angle but does not re-score them. Targets appearing in multiple categories are scored once in their primary category and cross-referenced elsewhere. The master target table in target-list.md deduplicates.

data-parsers.md: Image (libpng, libjpeg-turbo, libwebp, ImageMagick), video (FFmpeg, libav, GStreamer), archive (libarchive, zlib, bzip2, xz/liblzma), document (Poppler, PDFium, libxml2, Expat), compression (zstd, lz4, snappy). Emphasis on processing untrusted input and wide embedding in downstream applications.

browsers.md: JavaScript engines (V8, SpiderMonkey, JavaScriptCore), rendering engines (Blink, Gecko, WebKit), WebAssembly runtimes, browser networking stacks, media decoders within browsers. Emphasis on codebase complexity and attack surface breadth.

cloud-infrastructure.md: Container runtimes (containerd, CRI-O, runc), hypervisors (KVM/QEMU, Xen, Hyper-V), orchestration (Kubernetes, Nomad), service meshes (Envoy, Istio, Linkerd), API gateways (Kong, NGINX Plus, Traefik). Emphasis on deployment in critical infrastructure and privilege boundaries.

embedded-iot.md: Firmware (U-Boot, EDK II/UEFI), industrial protocols (Modbus, OPC UA, DNP3), automotive (AUTOSAR, CAN bus implementations), router/firewall firmware (OpenWrt, pfSense, vendor firmware), RTOS (FreeRTOS, Zephyr, VxWorks). Emphasis on under-researched status, real-world impact, and barriers to research.

Target List Page (target-list.md)

  1. !!! abstract "At a Glance" -- total targets scored, distribution across priority tiers.

  2. Master Target Table -- all targets from all category pages, sorted by composite score:

     | Rank | Software | Category | Deploy | Platform | Exposure | Privilege | Deps | Complexity | CVE History | Score | Priority |
     |---|---|---|---|---|---|---|---|---|---|---|---|

  3. Cross-Industry Analysis -- table mapping targets to industries (finance, healthcare, telecom, manufacturing, cloud, consumer). Cells contain checkmarks indicating the target is deployed in that industry, or are empty if not applicable. Identifies software where a single discovery protects multiple sectors.

  4. Priority Tier Breakdown -- Vega-Lite bar chart showing distribution of targets across Critical/High/Medium/Low, grouped by category.

  5. Recommendations -- top 10-15 highest-priority targets with brief rationale, organized by:
     • For fuzzing campaigns
     • For static/dynamic analysis
     • For AI/LLM-assisted research

  6. Connection to Future Frameworks -- maps priority targets to framework architectures in the Future Frameworks section.

Under-Researched Page (under-researched.md)

  1. !!! abstract "At a Glance" -- focus on high-value targets with disproportionately low security research coverage.

  2. Identification Criteria -- signals of under-research: few published CVEs despite complexity, limited fuzzing harness availability, no OSS-Fuzz integration, complex codebases with minimal security audit history.

  3. Under-Researched Target Catalog -- each as a !!! opportunity admonition with:
     • The software and why it's under-researched
     • Its composite score from the methodology
     • Estimated difficulty of researching it
     • Potential impact of findings

  4. Barriers to Research -- why targets get less attention: proprietary code, specialized hardware, niche expertise, legal concerns.

  5. Recommendations -- where research investment would have outsized returns.

Diagrams

| Page | Type | Subject |
|---|---|---|
| index.md | Mermaid flowchart | Section relationship to SWOT, Gaps, Future Frameworks, CVE Ecosystem |
| methodology.md | Mermaid flowchart | Scoring workflow (identify, score criteria, compute composite, assign tier) |
| target-list.md | Vega-Lite bar chart | Target distribution across priority tiers by category |
| target-list.md | Vega-Lite heatmap | Cross-industry impact matrix (x-axis: industries, y-axis: targets sorted by score, binary color encoding for presence/absence) |

Glossary Additions

New terms to add to docs/glossary.md (both table entries and *[TERM]: definitions):

| Term | Definition |
|---|---|
| RTOS | Real-Time Operating System, OS designed for real-time applications with deterministic timing |
| OPC UA | Open Platform Communications Unified Architecture, industrial automation protocol |
| DNP3 | Distributed Network Protocol, used in SCADA and utility systems |
| AUTOSAR | Automotive Open System Architecture, standardized software framework for automotive ECUs |
| CAN | Controller Area Network, vehicle bus standard for microcontroller communication |
| EDK II | EFI Development Kit II, open-source UEFI firmware development environment |

Check existing glossary before adding; skip terms already defined.
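A script for the "check existing glossary before adding" step, added here as an example (not part of the spec or the site). It assumes docs/glossary.md holds a two-column markdown table plus one `*[TERM]: definition` abbreviation line per term, and checks each proposed term in both forms; the glossary excerpt embedded in it is constructed, not the real page.

```python
"""Check proposed glossary additions against an existing docs/glossary.md.

Added example, not part of the spec or the site. Assumes glossary.md keeps a
two-column markdown table (| Term | Definition |) plus one '*[TERM]: definition'
abbreviation line per term. EXISTING_GLOSSARY is a constructed excerpt.
"""
import re

TABLE_ROW = re.compile(r"^\|\s*(?P<term>[^|]+?)\s*\|\s*(?P<definition>[^|]+?)\s*\|\s*$")
ABBR_LINE = re.compile(r"^\*\[(?P<term>[^\]]+)\]:\s*(?P<definition>.+?)\s*$")

# Proposed additions, as listed in the Glossary Additions table of the spec.
PROPOSED = {
    "RTOS": "Real-Time Operating System, OS designed for real-time applications with deterministic timing",
    "OPC UA": "Open Platform Communications Unified Architecture, industrial automation protocol",
    "DNP3": "Distributed Network Protocol, used in SCADA and utility systems",
    "AUTOSAR": "Automotive Open System Architecture, standardized software framework for automotive ECUs",
    "CAN": "Controller Area Network, vehicle bus standard for microcontroller communication",
    "EDK II": "EFI Development Kit II, open-source UEFI firmware development environment",
}

def parse_glossary(text):
    """Return (table_terms, abbr_terms): term -> definition for each of the two forms."""
    table, abbr = {}, {}
    for line in text.splitlines():
        row = TABLE_ROW.match(line)
        if row:
            term = row["term"]
            # Skip the header row and the |---|---| separator row.
            if term != "Term" and not set(term) <= set("-: "):
                table[term] = row["definition"]
            continue
        ab = ABBR_LINE.match(line)
        if ab:
            abbr[ab["term"]] = ab["definition"]
    return table, abbr

def plan_additions(existing_text, proposed):
    """For each proposed term, list the glossary lines still missing (empty list = skip).

    A term present in only one form gets just the other form, so a partially
    defined term is completed rather than duplicated.
    """
    table, abbr = parse_glossary(existing_text)
    plan = {}
    for term, definition in proposed.items():
        missing = []
        if term not in table:
            missing.append(f"| {term} | {definition} |")
        if term not in abbr:
            missing.append(f"*[{term}]: {definition}")
        plan[term] = missing
    return plan

# Constructed excerpt: RTOS and CAN fully defined, DNP3 has a table row but no
# abbreviation line, the other three proposed terms are absent.
EXISTING_GLOSSARY = """\
| Term | Definition |
|------|------------|
| RTOS | Real-Time Operating System, OS designed for real-time applications with deterministic timing |
| CAN | Controller Area Network, vehicle bus standard for microcontroller communication |
| DNP3 | Distributed Network Protocol, used in SCADA and utility systems |

*[RTOS]: Real-Time Operating System, OS designed for real-time applications with deterministic timing
*[CAN]: Controller Area Network, vehicle bus standard for microcontroller communication
"""

if __name__ == "__main__":
    for term, lines in plan_additions(EXISTING_GLOSSARY, PROPOSED).items():
        print(term + (": already defined, skip" if not lines else ":"))
        for line in lines:
            print("  add:", line)
```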

Bidirectional Cross-References

After creating the section, update these existing pages with backlinks:

  • gaps/index.md -- reference Target Prioritization as the "where to focus" complement
  • swot/opportunities.md -- reference the prioritized target list
  • future-frameworks/index.md -- reference as input for framework target selection
  • cve-ecosystem/opportunities.md -- reference target prioritization for directing AI-assisted research (only if page exists; CVE ecosystem section may be built concurrently)
  • overview/landscape.md -- reference as the target selection layer of the landscape

Content Standards

Same as existing site:

  • YAML frontmatter with tags: on every page
  • No emojis, no em dashes (use colons, commas, parentheses instead)
  • Inline citations with markdown links for factual claims
  • !!! warning "Knowledge Gap" for uncertain data
  • Cross-references using relative links to existing pages
  • Custom admonitions (opportunity, gap, threat, pain-point) used where appropriate
  • Best-effort real data with Knowledge Gap flags where uncertain
  • All "At a Glance" blocks use !!! abstract "At a Glance" consistently
  • Index page uses default template (no template: frontmatter)

Content Boundary: Category Pages vs. Target List

Category pages own the detailed analysis of each target (description, scoring breakdown, vulnerability history, fuzzing coverage). The target list page is a synthesis that consolidates scores into a single ranked table and adds cross-industry analysis. The target list should not duplicate category-page analysis; it references back to category pages for details.

Content Boundary: Under-Researched vs. Category Pages

Category pages note current research coverage for each target as part of the analysis. The under-researched page pulls out and highlights the subset of targets where coverage is disproportionately low relative to their score, adds analysis of barriers, and makes investment recommendations. It is a curated view, not a repeat.

Differentiation from Existing Sections

| Section | Focus |
|---|---|
| SWOT Analysis | Evaluates strengths, weaknesses, opportunities, threats of the tool landscape |
| Gaps & Opportunities | Identifies technical gaps in tooling and underserved areas |
| Target Prioritization | Identifies and ranks specific software where vulnerability research should focus |
| Future Frameworks | Proposes complete system architectures for next-gen tools |
| CVE & Bug Bounty Ecosystem | Analyzes economic, institutional, operational context of vulnerability discovery |

The narrative connection: What tools exist (tool sections) and what's missing (gaps) determines capability. Where to focus (this section) determines allocation. What to build (future frameworks) determines investment. How discovery is incentivized (CVE ecosystem) determines sustainability.

Estimated Total Output

  • 11 new pages
  • ~12,000-15,000 words total
  • 4 diagrams (2 Mermaid, 2 Vega-Lite)
  • Cross-references to 15+ existing pages
  • 6+ new glossary entries

---
tags:
  - glossary
---

Glossary

| Term | Definition |
|---|---|
| AFL | American Fuzzy Lop, coverage-guided fuzzer |
| ASan | AddressSanitizer, memory error detector |
| CVE | Common Vulnerabilities and Exposures |
| AFL++ | Community-maintained successor to AFL, the de facto standard coverage-guided fuzzer |
| AEG | Automatic Exploit Generation, automated creation of working exploits from vulnerability information |
| ANTLR | ANother Tool for Language Recognition, parser generator used by grammar-aware fuzzers like Superion |
| AST | Abstract Syntax Tree, tree representation of source code structure used by static analyzers |
| BOD | Binding Operational Directive, mandatory cybersecurity directives issued by CISA |
| BOF | Buffer Overflow, writing data beyond allocated memory bounds, a common memory safety vulnerability |
| CFG | Control Flow Graph, directed graph representing all possible execution paths through a program |
| CGC | Cyber Grand Challenge, DARPA competition for autonomous vulnerability detection and patching |
| ClusterFuzz | Google's distributed fuzzing infrastructure that powers OSS-Fuzz |
| CodeQL | GitHub's query-based static analysis engine that treats code as a queryable database |
| CFAA | Computer Fraud and Abuse Act, US federal law governing computer security violations |
| CNA | CVE Numbering Authority, organization authorized to assign CVE IDs |
| CNNVD | China National Vulnerability Database of Information Security |
| CNVD | China National Vulnerability Database |
| Concolic | Concrete + Symbolic, execution that runs concrete values while tracking symbolic constraints |
| Corpus | Collection of seed inputs used by a coverage-guided fuzzer as the basis for mutation |
| Coverity | Synopsys commercial static analysis platform with deep interprocedural analysis |
| CPG | Code Property Graph, unified representation combining AST, CFG, and data-flow graph, used by Joern |
| CVSS | Common Vulnerability Scoring System, standard for rating vulnerability severity |
| CWE | Common Weakness Enumeration, categorization of software weakness types |
| DAST | Dynamic Application Security Testing, testing running applications for vulnerabilities |
| DBI | Dynamic Binary Instrumentation, modifying program behavior at runtime without recompilation |
| DFG | Data Flow Graph, graph representing how data values propagate through a program |
| DPA | Differential Power Analysis, extracting cryptographic keys by analyzing power consumption variations |
| Frida | Dynamic instrumentation toolkit for injecting scripts into running processes |
| Harness | Glue code connecting a fuzzer to its target, defining how fuzzed input is delivered |
| HWASAN | Hardware-assisted AddressSanitizer, ARM-based variant of ASan with lower overhead |
| IAST | Interactive Application Security Testing, combines elements of SAST and DAST during testing |
| Infer | Meta's open-source static analyzer based on separation logic and bi-abduction |
| JVN | Japan Vulnerability Notes, Japanese vulnerability information portal |
| KLEE | Symbolic execution engine built on LLVM for automatic test generation |
| LLM | Large Language Model, neural network trained on text/code, used for bug detection and code generation |
| LSAN | LeakSanitizer, detector for memory leaks, often used alongside AddressSanitizer |
| Meltdown | CPU vulnerability exploiting out-of-order execution to read kernel memory from user space |
| MITRE | Non-profit organization that maintains CVE, CWE, and ATT&CK frameworks |
| MTTR | Mean Time to Remediate, average duration from vulnerability disclosure to patch deployment |
| MSan | MemorySanitizer, detector for reads of uninitialized memory |
| NVD | National Vulnerability Database, NIST-maintained repository of vulnerability data |
| NIST | National Institute of Standards and Technology, US agency maintaining security standards and NVD |
| OpenSSF | Open Source Security Foundation, Linux Foundation project for open-source security |
| OSS-Fuzz | Google's free continuous fuzzing service for open-source software |
| OWASP | Open Worldwide Application Security Project, community producing security guides and tools |
| RCE | Remote Code Execution, vulnerability allowing an attacker to run arbitrary code on a target system |
| RL | Reinforcement Learning, ML paradigm where agents learn through reward-based feedback |
| S2E | Selective Symbolic Execution, whole-system analysis platform combining QEMU with KLEE |
| SARIF | Static Analysis Results Interchange Format, standard for exchanging static analysis findings |
| SAST | Static Application Security Testing, analyzing source code for vulnerabilities without execution |
| SCA | Software Composition Analysis, identifying known vulnerabilities in third-party dependencies |
| Seed | Initial input provided to a fuzzer as the starting point for mutation |
| Semgrep | Lightweight open-source static analysis tool using pattern-matching rules |
| Side-channel | Attack vector exploiting physical implementation artifacts rather than algorithmic flaws |
| SMT | Satisfiability Modulo Theories, solver used by symbolic execution to find inputs satisfying path constraints |
| Spectre | Family of CPU vulnerabilities exploiting speculative execution to leak data across security boundaries |
| SQLi | SQL Injection, injecting malicious SQL into queries via unsanitized user input |
| SSRF | Server-Side Request Forgery, tricking a server into making requests to unintended destinations |
| SymCC | Compilation-based symbolic execution tool that is 2--3 orders of magnitude faster than KLEE |
| Taint analysis | Tracking the flow of untrusted data from sources to security-sensitive sinks |
| VDP | Vulnerability Disclosure Program, formal process for receiving vulnerability reports |
| TOCTOU | Time-of-Check-Time-of-Use, race condition between validating a resource and using it |
| TSan | ThreadSanitizer, detector for data races in multithreaded programs |
| UAF | Use-After-Free, accessing memory after it has been deallocated |
| UBSan | UndefinedBehaviorSanitizer, detector for undefined behavior in C/C++ |
| Valgrind | Dynamic binary instrumentation framework for memory debugging and profiling |
| XSS | Cross-Site Scripting, injecting malicious scripts into web pages viewed by other users |
| Fine-tuning | Adapting a pre-trained ML model to a specific task using additional training data |
| AUTOSAR | Automotive Open System Architecture, standardized software framework for automotive ECUs |
| CAN | Controller Area Network, vehicle bus standard for microcontroller communication |
| DNP3 | Distributed Network Protocol, used in SCADA and utility systems |
| EDK II | EFI Development Kit II, open-source UEFI firmware development environment |
| OPC UA | Open Platform Communications Unified Architecture, industrial automation protocol |
| RTOS | Real-Time Operating System, OS designed for real-time applications with deterministic timing |
| Abstract interpretation | Mathematical framework for approximating program behavior using abstract domains |
| Dataflow analysis | Tracking how values propagate through a program to detect bugs like taint violations |