I do believe that applications, passwords, and protocols count as “resources,”
and that the default configuration that ships with an application, or is
engineered into a system, would count as the “initialization” of that
“resource.” That said, could CWE-1188 get some better demonstrative
oguski
Date: Thursday, November 9, 2023 at 1:45 PM
To: Hood, Jonathan W CTR USARMY DEVCOM AVMC (USA)
Cc: Hatfield, Arthur , CWE Research Discussion
Subject: [EXTERNAL] Re: [EXT] RE: [Non-DoD Source] Re: Request for CWE:
Improper Licensing (UNCLASSIFIED)
Hi Jon, Thank you for accepting different opin
Look at it this way:
Licensing issues are not a property of software, but of the society and economy
around the software.
A buffer overflow in a driver will crash your computer and make it unavailable
any time data passes through it in a particular way, no matter who is causing
that data to
I think it may be best to split the difference by describing weaknesses as
flaws that are potentially exploitable to cause undesired operation of the
system and describing vulnerabilities as the subset of weaknesses that are
provably exploitable; that allows the possibility that some exploits
It’s still a vulnerability, in my opinion, even if it’s not actually known yet.
I think it makes most sense to assume identified weaknesses in a particular
system are vulnerabilities until proved otherwise – either by referring to a
specific control designed (and proven) to prevent that
