What if a license has a clause that requires an insecure or problematic
setting/configuration/behavior? Someone did a parody licence called the
"Insecure License" but I wouldn't put it past someone to have done this
for real. What about audit clauses (e.g. can I audit the NSA usage of my
product)

I think the main distinction that I want to be observed is that the CWEs are
about vulnerabilities that are intrinsic to a piece of software (firmware,
hardware) due to defects in its design or implementation, leading to unwanted
behavior of the software (firmware, hardware) itself. Licensing is

Hi Jon,
Thank you for accepting different opinions and I'm really happy that we
have this discussion here.
To be honest I never consider licensing issues as a potential problem that
could be considered as a software weakness.
But it seems that such a clarification is required.
Let me repeat what I

I understand the position better with this analogy; thank you.
I do believe that it is not a comparable analogy. Rising energy prices are not
a property of the software. A software license is a property of the software,
so the argument you make here is based off of an initial assertion that

Look at it this way:
Licensing issues are not a property of software, but of the society and economy
around the software.
A buffer overflow in a driver will crash your computer and make it unavailable
any time data passes through it in a particular way, no matter who is causing
that data to go

I respectfully disagree with this. Using a license incorrectly causes an
availability issue directly, and availability is one of the cybersecurity
principles that represent weaknesses and vulnerabilities by the definitions I
am aware of.
Can you please help me understand what definition CWE