Or, for that matter, non-vendors. Software composition, as an example, Open Source, etc.
Best Regards,
Joe Baum
Director, Threat Management Group

On Wed, Jul 13, 2022 at 3:18 PM Kurt Seifried <k...@seifried.org> wrote:

> Also, it excludes services. So yeah, I vote drop the "in a range of
> products made by different vendors".
>
> On Wed, Jul 13, 2022 at 2:12 PM SJ Jazz <sjoeja...@gmail.com> wrote:
>
>> I still recommend deleting, at the end of the definition of weakness,
>> "... in a range of products made by different vendors."
>>
>> It adds no value, and actually unintentionally limits applicability by
>> implying weaknesses only apply to products made by vendors.
>>
>> Regards,
>>
>> Joe
>>
>> On Wed, Jul 13, 2022, 12:08 Alec J Summers <asumm...@mitre.org> wrote:
>>
>>> Dear CWE Research Community,
>>>
>>> I hope this email finds you well.
>>>
>>> Over the past few months, the CWE/CAPEC User Experience Working Group
>>> has been working to modernize our programs through a variety of activities.
>>> One such activity is harmonizing the definitions on our sites for some of
>>> our key terminology, including weakness, vulnerability, and attack pattern.
>>> As CWE and CAPEC were developed separately and on a different timeline,
>>> some of the terms are not defined similarly, and we want to address that.
>>>
>>> We are seeking feedback on our working definitions:
>>>
>>> *Vulnerability*
>>>
>>> *A flaw in a software, firmware, hardware, or service component
>>> resulting from a weakness that can be exploited, causing a negative impact
>>> to the confidentiality, integrity, or availability of an impacted component
>>> or components (from CVE®)*
>>>
>>> *Weakness*
>>>
>>> *A type of flaw or defect inserted during a product lifecycle that,
>>> under the right conditions, could contribute to the introduction of
>>> vulnerabilities in a range of products made by different vendors*
>>>
>>> *Attack Pattern*
>>>
>>> *The common approach and attributes related to the exploitation of a
>>> weakness, usually in cyber-enabled capabilities*
>>>
>>> *Note*: CVE's definition for 'vulnerability' was agreed upon after
>>> significant community deliberation, and we are not looking to change it at
>>> this time.
>>>
>>> We are hoping to publish new, improved definitions on our websites at
>>> the end of the month. Please provide thoughts and comments by Tuesday, July
>>> 26.
>>>
>>> Cheers,
>>>
>>> Alec
>>>
>>> --
>>> *Alec J. Summers*
>>> Center for Securing the Homeland (CSH)
>>> Cyber Security Engineer, Principal
>>> Group Lead, Cybersecurity Operations and Integration
>>> *MITRE - Solving Problems for a Safer World™*
>>
>
> --
> Kurt Seifried (He/Him)
> k...@seifried.org