Dear CWE/CAPEC Board Members,
Good afternoon! I hope the week is going well for you all.
During a recent CWE/CAPEC User Experience Working Group session, the topic of
definitions came up – more specifically, the difficulty in agreeing on good
ones and making sure they are understood by downstre
Red Hat adopted the following definition of a weakness a year or so ago. "A
weakness is specifically the absence of a safeguard in an asset or process
that provides a higher potential or frequency of a threat occurring, but
does not meet the exploitability criteria for a vulnerability." We've also

Hi Alec and all,
Happy to hear there is an initiative to help align these definitions. I
know it's a very common confusion point for many.
A couple of thoughts/comments from me:
- In the weakness definition the word "mistake" throws me off a bit
because that implies there was awareness of

Jeremy, welcome!
I like the idea of defining a weakness with regard to a protection for an asset.
The protection could have weaknesses because of mistakes, forgetfulness, or
any other reason (e.g. environment). An asset-based definition fits really
well for hardware and I think for a lot of software, but