I also vote to drop “in a range of …”

Best regards,
Jim Pangburn
Director, IPG Operations

From: Joe Baum <joe.b...@motorolasolutions.com>
Sent: Wednesday, July 13, 2022 1:21 PM
To: Kurt Seifried <k...@seifried.org>
Cc: SJ Jazz <sjoeja...@gmail.com>; Alec J Summers <asumm...@mitre.org>; CWE 
Research Discussion <cwe-research-list@mitre.org>
Subject: Re: CWE/CAPEC Definitions

Or for that matter non-vendors. Software composition, as an example, Open 
Source, etc.

Best Regards,
Joe Baum
Director, Threat Management Group

On Wed, Jul 13, 2022 at 3:18 PM Kurt Seifried 
<k...@seifried.org<mailto:k...@seifried.org>> wrote:
Also, it excludes services. So yeah, I vote drop the " in a range of products 
made by different vendors"

On Wed, Jul 13, 2022 at 2:12 PM SJ Jazz 
<sjoeja...@gmail.com<mailto:sjoeja...@gmail.com>> wrote:
I still recommend deleting at the end of the definition of weakness "... in a 
range of products made by different vendors.

It adds no value, and actually unintentionally limits applicability by implying 
weaknesses only apply to products made by vendors.



On Wed, Jul 13, 2022, 12:08 Alec J Summers 
<asumm...@mitre.org<mailto:asumm...@mitre.org>> wrote:
Dear CWE Research Community,

I hope this email finds you well.

Over the past few months, the CWE/CAPEC User Experience Working Group has been 
working to modernize our programs through a variety of activities. One such 
activity is harmonizing the definitions on our sites for some of our key 
terminology including weakness, vulnerability, and attack pattern. As CWE and 
CAPEC were developed separately and on a different timeline, some of the terms 
are not defined similarly, and we want to address that.

We are seeking feedback on our working definitions:

A flaw in a software, firmware, hardware, or service component resulting from a 
weakness that can be exploited, causing a negative impact to the 
confidentiality, integrity, or availability of an impacted component or 
components (from CVE®)
A type of flaw or defect inserted during a product lifecycle that, under the 
right conditions, could contribute to the introduction of vulnerabilities in a 
range of products made by different vendors
Attack Pattern
The common approach and attributes related to the exploitation of a weakness, 
usually in cyber-enabled capabilities

Note: CVE’s definition for ‘vulnerability’ was agreed upon after significant 
community deliberation, and we are not looking to change it at this time.

We are hoping to publish new, improved definitions on our websites at the end 
of the month. Please provide thoughts and comments by Tuesday, July 26.


Alec J. Summers
Center for Securing the Homeland (CSH)
Cyber Security Engineer, Principal
Group Lead, Cybersecurity Operations and Integration
MITRE - Solving Problems for a Safer World™

Kurt Seifried (He/Him)

For more information on how and why we collect your personal information, 
please visit our Privacy 

Reply via email to