Please nitpick the following (or suggest an authority, such as NIST or CISA)

A vulnerability is a weakness that can be exploited to gain some goal or milestone for an attacker, such as the ability to run code. Vulnerabilities are usually bugs which get patched, and weaknesses are a broader set that includes susceptibility to threats. Code which demonstrates that a vulnerability is exploitable is called “proof-of-concept” or PoC. A PoC may be developed into an exploit, which is code that actually achieves that goal. Weaponized exploit code has been made production-ready with reliability or integration into some attack framework. The attackers may not be malicious, for example external researchers or penetration testers.

@adamshostack Nitpick: This seems to imply a progression from a PoC demo (something generally produced with the aim of demonstrating a bug so it can be fixed) to actual exploit code. While that can certainly happen, we don't know that that distinction is always present for malicious exploits (it's only one path).

Also, people react to the term "weaponize". It carries some baggage. It doesn't particularly bother me, but some people dislike it.

@mattblaze thanks! I thought about productize, but not all 'fully developed' exploits are in products. do you have a better term handy?

@adamshostack Another nitpick: consider changing “gain” to “reach” or “achieve”.

I agree with Prof. @mattblaze about “weaponize”. It’s my preferred alternative, but his suggestion “fieldable” works fine. Also consider “operational” or “operationalized” as alternatives closer to “weaponized”.