MITRE is hosting a lot of these sorts of frameworks. The Web Application Security Consortium “Threat” Classification should be renamed to be an attack classification, consistent with the MITRE CAPEC enumeration. SANS NewsBites said:We are planning for the 2007 Top20 Internet Security Threats report. If you have any experience with Top20 reports over the past six years, could you tell us whether you think an annual or semi-annual or quarterly summary report is necessary or valuable?”]
Source: https://taosecurity.blogspot.com/2007/05/security-language.html