How about something like this:

Weakness: A state or condition in a product that when subjected to certain 
condition(s) will fail.


Counter-Fraud Capability Leader
Nationwide Insurance 3-23-201
Three Nationwide Plaza
Columbus, OH  43215
Phone: 614.677.2528
Fax: 877.202.5001
Cell: 614.270.0887

The information contained in this e-mail message, including any attachments, is 
CONFIDENTIAL, and is intended only for the individual or entity named in this 
communication.  If the reader of this message is not the intended recipient, or 
employee, or agent responsible for delivering it to the intended recipient, you 
are hereby notified that dissemination, distribution, or copying of this 
communication is strictly prohibited.  If you have received this communication 
in error, please immediately notify the sender by e-mail and destroy all copies 
of the original message. Thank you.

From: Keith J Hill <>
Sent: Wednesday, July 20, 2022 2:53 PM
To: Alec J Summers <>; CAPEC Researcher Discussion 
Subject: [EXTERNAL] RE: CWE/CAPEC Definitions

Nationwide Information Security Warning: This is an EXTERNAL email. Use CAUTION 
before clicking on links, opening attachments, or responding. (Sender:<>)


Thanks for the reminder Alec,

I'm bothered by the Weakness definition, specifically "type of flaw or defect 
inserted..."  because I think this presumes too much.  I'm tossing this into 
the ring for consideration. It incorporates some of the ideas that others 

Weakness: A condition that under the right circumstances begins a process or 
combines with other weaknesses to cause a harm in a product or system.

The key is that a weakness is a condition; it may include human and process 
flaws.  A weakness begins or contribute to that chain of circumstances that 
results in a vulnerability/harm.


From: Alec J Summers <<>>
Sent: Wednesday, July 20, 2022 2:39 PM
To: CAPEC Researcher Discussion 
Subject: FW: CWE/CAPEC Definitions

Just a soft follow-up and reminder that we are seeking comment from our CAPEC 
researcher community on the proposed definitions by next Tuesday, July 26. If 
you have already responded - thank you!


Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World(tm)

From: Alec J Summers <<>>
Date: Wednesday, July 13, 2022 at 1:08 PM
To: CAPEC Researcher Discussion 
Subject: CWE/CAPEC Definitions
Dear CAPEC Research Community,

I hope this email finds you well.

Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address that.

We are seeking feedback on our working definitions:

A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE(r))
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors
Attack Pattern
The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities

Note: CVE's definition for 'vulnerability' was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.

We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.


Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World(tm)

Reply via email to