Hello,


I think the below red part should be removed because:



1. It removes the dependency of the definition of Vulnerability on the next
definition, "Weakness". Do we really want one definition to be dependent on
another definition? This creates confusion because now, in order to understand
what a vulnerability is, I have to read the definition of Weakness.



2. Makes it clear that it can be any type of flaw.




Vulnerability


A flaw in a software, firmware, hardware, or service component resulting from a
weakness that can be exploited, causing a negative impact to the
confidentiality, integrity, or availability of an impacted component or
components (from CVE®)













Sincerely

Nazar Abdul

SysIntellects LLC | Lead Success Manager/Principal Architect
CMx Contract Experience Success Team 

M: 727-249-4238 | O: 1-844-433-3269 Extn:803
101 East Park Blvd, #600, Plano TX 75074
mailto:nazar.ab...@sysintellects.com | http://www.sysintellects.com















---- On Wed, 13 Jul 2022 12:08:33 -0500 Alec J Summers <asumm...@mitre.org> 
wrote ---




Dear CWE Research Community,

 

I hope this email finds you well.

 

Over the past few months, the CWE/CAPEC User Experience Working Group has been
working to modernize our programs through a variety of activities. One such
activity is harmonizing the definitions on our sites for some of our key
terminology including weakness, vulnerability, and attack pattern. As CWE and
CAPEC were developed separately and on a different timeline, some of the terms
are not defined similarly, and we want to address that.

 

We are seeking feedback on our working definitions:

 

Vulnerability


A flaw in a software, firmware, hardware, or service component resulting from a
weakness that can be exploited, causing a negative impact to the
confidentiality, integrity, or availability of an impacted component or
components (from CVE®)



Weakness


A type of flaw or defect inserted during a product lifecycle that, under the
right conditions, could contribute to the introduction of vulnerabilities in a
range of products made by different vendors



Attack Pattern


The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities





 

Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.

 

We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.

 

Cheers,

Alec

 

-- 


Alec J. Summers

Center for Securing the Homeland (CSH)

Cyber Security Engineer, Principal

Group Lead, Cybersecurity Operations and Integration

––––––––––––––––––––––––––––––––––––

MITRE - Solving Problems for a Safer World™

 



 
