Software Anomalies Classification


The fact is, there is no software that is free of anomalies: we either know about them and fix them, know about them and accept them, or have yet to find them.

The increased complexity of today's software makes it almost guaranteed that it is released with bugs. Trillion-dollar corporations like Apple and Microsoft continuously release updates to fix software bugs and close security vulnerabilities, and the famous Boeing 737 Max deadly crash is another reminder of how undiscovered software anomalies can disrupt businesses and revenues. Defining how to classify defects in a software organization is therefore critical: it helps prioritize effort and informs the software release decision.

It is always a challenge to classify software defects and prioritize them. Many software organizations have adopted their own methodology to deal with the subject; however, it remains a subjective matter and an open-ended debate among testers and developers. You can look at the ISTQB definition of software defect classification at the link below, where the caution at the end makes clear how subjective the matter is. https://softwaretestingfundamentals.com/defect-severity/

For security defects, on the other hand, better known as security vulnerabilities, there is a well-known classification standard: the Common Vulnerability Scoring System (CVSS). https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System

CVSS is based on the familiar risk assessment equation “Risk = Impact X Probability”. It takes that concept and formalizes the process of calculating a score; each organization then sets its acceptable bug bar based on the calculated score and its desired risk tolerance. There are multiple articles, guidelines, and courses that cover this topic in much more detail.

Nowadays, the software industry is in need of a widely adopted standard for the classification of non-security software anomalies, which is likely to also be built on the risk assessment equation but would require a formalized process to calculate a score. Many might be aware of the “1044-2009 - IEEE Standard Classification for Software Anomalies”, but I am not sure how widely adopted this standard is, or whether it really meets each organization's needs. Are you aware of any other standards for software anomalies classification? Please share them with me or let me know your thoughts in the comments. Do you agree that the software industry could be behind in this subject, or is it hard to standardize, so that it will be up to each industry/organization to define its own way of handling the subject? I would love to learn more from anyone in the software industry.
