Dear CAPEC Community,

Earlier this summer I emailed you regarding the CWE/CAPEC User Experience 
Working Group’s efforts to harmonize the definitions of some key terminology 
across our sites. As CWE and CAPEC were developed separately and on a different 
timeline, some of the terms are not similarly defined, and we want to address 

Thank you for your thoughtful and considered feedback to my first request for 
comment on this topic. We received the most feedback on the definition of 
“weakness”. The UEWG and the CWE/CAPEC team has used that in our development of 
a new definition:

Weakness: A condition in a software, firmware, hardware, or service component 
that, under the right circumstances, could contribute to the introduction of 

If adopted, this would be accompanied by the following two definitions for 
‘attack pattern’ and ‘vulnerability’, respectively.

Attack Pattern: The common approach and attributes related to the exploitation 
of a weakness, usually in cyber-enabled capabilities

Vulnerability: A flaw in a software, firmware, hardware, or service component 
resulting from a weakness that can be exploited, causing a negative impact to 
the confidentiality, integrity, or availability of an impacted component or 
components. (from CVE® and not in consideration for modification)

We are eager to hear your thoughts, and we look forward to formalizing this 
change on our sites soon.


Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World™

Reply via email to