Please nitpick the following (or suggest an authority, such as NIST or CISA )

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Mon, 06 Apr 2026 07:17:20 GMT

d3tm4r@infosec.exchange — Mon, 06 Apr 2026 07:17:20 GMT

@adamshostack nails it pretty well imo

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 21:41:56 GMT

fennix@infosec.space — Sat, 04 Apr 2026 21:41:56 GMT

I would include under the umbrella of weakness "lack of observability."

It's a definite weakness if there's no monitoring in place to alert on obvious suspicious behaviour, and I don't see that accounted for in what's written.

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 21:26:34 GMT

adamshostack@infosec.exchange — Sat, 04 Apr 2026 21:26:34 GMT

@heiglandreas It absolutely does, but in a nuanced way that's far less salient than say, "pwned."

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:47:17 GMT

0xd0ug@infosec.exchange — Sat, 04 Apr 2026 20:47:17 GMT

@adamshostack Another nitpick: consider changing “gain” to “reach” or “achieve”.

I agree with Prof. @mattblaze about “weaponize”. It’s my preferred alternative, but his suggestion “fieldable” works fine. Also consider “operational” or “operationalized” as alternatives closer to “weaponized”.

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:42:47 GMT

heiglandreas@phpc.social — Sat, 04 Apr 2026 20:42:47 GMT

@adamshostack well does RCE not negatively influence integrity and confidentiality?

I mean... when someone can execurlte anything on a server, then integrity is compromised and confidentiality can't be guaranteed...

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:39:38 GMT

benaveling@infosec.exchange — Sat, 04 Apr 2026 20:39:38 GMT

Some vulnerabilities can't be exploited in ways that lead to attacker success, e.g. the next/previous line of defense is sound, but they're still vulnerabilities in that they allow one or more lines of defense to be bypassed.
I'd also ask:
- do bugs usually get patched?
- is this definition supposed to cover social-engineering or insider threats?
- is this definition supposed to cover volumetric DOS?

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:35:54 GMT

mattblaze@federate.social — Sat, 04 Apr 2026 20:35:54 GMT

@adamshostack "Fieldable"

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:26:26 GMT

adamshostack@infosec.exchange — Sat, 04 Apr 2026 20:26:26 GMT

@heiglandreas Yeah, I looked at that, and frankly, respond really negatively to "a negative impact to confidentiality, integrity, or availability" ; I've never found C/I/A to be that useful around RCE

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:24:47 GMT

adamshostack@infosec.exchange — Sat, 04 Apr 2026 20:24:47 GMT

@mattblaze thanks! I thought about productize, bit not all 'fully developed' exploits are in products. do you have a better term handy?

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:23:44 GMT

adamshostack@infosec.exchange — Sat, 04 Apr 2026 20:23:44 GMT

@cford that is what i meant by milestone. I think it's misleading to claim that there are people who care about controlling EiP. They care about something else and that's a stepping stone along the way

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:20:10 GMT

raboof@merveilles.town — Sat, 04 Apr 2026 20:20:10 GMT

@adamshostack sounds about right. I like the definition from the @CVE_Program glossary as well, https://www.cve.org/ResourcesSupport/Glossary#glossaryVulnerability - especially how they explicitly mention the security policy.

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:09:49 GMT

cford@toot.thoughtworks.com — Sat, 04 Apr 2026 20:09:49 GMT

@adamshostack Would it make sense to say that a vulnerability can be exploited to attain some goal or achieve further compromise? Or is that what you mean by "milestone"?

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:09:45 GMT

mattblaze@federate.social — Sat, 04 Apr 2026 20:09:45 GMT

@adamshostack Nitpick: This seems to imply a progression from a PoC demo (something generally produced with the aim demonstrating a bug so it can be fixed) to actual exploit code. While that can certainly happen, we don't know that that distinction is always present for malicious exploits (it's only one path).

Also, people react to the term "weaponize". It carries some baggage. It doesn't particularly bother me, but some people dislike it.

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:09:08 GMT

heiglandreas@phpc.social — Sat, 04 Apr 2026 20:09:08 GMT

@adamshostack I know. I was asking myself that question every time I answer Bug-Bounty reports.

NIST defines it quite well in https://nvd.nist.gov/vuln - but that definition focuses on the attacked party and the impact on them.

Which is why I asked....

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:06:04 GMT

adamshostack@infosec.exchange — Sat, 04 Apr 2026 20:06:04 GMT

@heiglandreas I think that in this context, the vulnerability is a more specific concept than the wider English term.

Reply to Please nitpick the following (or suggest an authority, such as NIST or CISA ) on Sat, 04 Apr 2026 20:03:56 GMT

heiglandreas@phpc.social — Sat, 04 Apr 2026 20:03:56 GMT

@adamshostack Is a vulnerability something that benefits the attacker? Or something that hurts the attacked? (and being the IP-source of an attack on someone else *is* hurting the attacked)