Mastodawn

Please nitpick the following (or suggest an authority, such as NIST or CISA )

A vulnerability is a weakness that can be exploited to gain some goal or milestone for an attacker, such as the ability to run code. Vulnerabilities are usually bugs which get patched, and weaknesses are a broader set that includes susceptibility to threats. Code which demonstrates that a vulnerability is exploitable is called “proof-of-concept” or PoC. A PoC may be developed into an exploit, which is code that actually achieves that goal. Weaponized exploit code has been made production-ready with reliability or integration into some attack framework. The attackers may be not be malicious, for example external researchers or penetration testers.

Alerta! Alerta!1d ago

@adamshostack Is a vulnerability something that benefits the attacker? Or something that hurts the attacked? (and being the IP-source of an attack on someone else *is* hurting the attacked)

@heiglandreas I think that in this context, the vulnerability is a more specific concept than the wider English term.

Alerta! Alerta!1d ago

@adamshostack I know. I was asking myself that question every time I answer Bug-Bounty reports.

NIST defines it quite well in https://nvd.nist.gov/vuln - but that definition focuses on the attacked party and the impact on them.

Which is why I asked....

NVD - Vulnerabilities

@heiglandreas Yeah, I looked at that, and frankly, respond really negatively to "a negative impact to confidentiality, integrity, or availability" ; I've never found C/I/A to be that useful around RCE

Alerta! Alerta!1d ago

@adamshostack well does RCE not negatively influence integrity and confidentiality?

I mean... when someone can execurlte anything on a server, then integrity is compromised and confidentiality can't be guaranteed... 🤷

@heiglandreas It absolutely does, but in a nuanced way that's far less salient than say, "pwned."

Matt Blaze 1d ago

@adamshostack Nitpick: This seems to imply a progression from a PoC demo (something generally produced with the aim demonstrating a bug so it can be fixed) to actual exploit code. While that can certainly happen, we don't know that that distinction is always present for malicious exploits (it's only one path).

Also, people react to the term "weaponize". It carries some baggage. It doesn't particularly bother me, but some people dislike it.

@mattblaze thanks! I thought about productize, bit not all 'fully developed' exploits are in products. do you have a better term handy?

Matt Blaze 1d ago

@adamshostack "Fieldable"

Doug Everson 1d ago

@adamshostack Another nitpick: consider changing “gain” to “reach” or “achieve”.

I agree with Prof. @mattblaze about “weaponize”. It’s my preferred alternative, but his suggestion “fieldable” works fine. Also consider “operational” or “operationalized” as alternatives closer to “weaponized”.

@adamshostack Would it make sense to say that a vulnerability can be exploited to attain some goal or achieve further compromise? Or is that what you mean by "milestone"?

@cford that is what i meant by milestone. I think it's misleading to claim that there are people who care about controlling EiP. They care about something else and that's a stepping stone along the way

@adamshostack sounds about right. I like the definition from the @CVE_Program glossary as well, https://www.cve.org/ResourcesSupport/Glossary#glossaryVulnerability - especially how they explicitly mention the security policy.

Ben Aveling 1d ago

Some vulnerabilities can't be exploited in ways that lead to attacker success, e.g. the next/previous line of defense is sound, but they're still vulnerabilities in that they allow one or more lines of defense to be bypassed.
I'd also ask:
- do bugs usually get patched?
- is this definition supposed to cover social-engineering or insider threats?
- is this definition supposed to cover volumetric DOS?

I would include under the umbrella of weakness "lack of observability."

It's a definite weakness if there's no monitoring in place to alert on obvious suspicious behaviour, and I don't see that accounted for in what's written.