
Vulnerability

A vulnerability is a set of conditions or behaviors that allows the violation of an explicit or implicit security policy.

Vulnerabilities can be caused by software defects, configuration or design decisions, unexpected interactions between systems, or environmental changes. Successful exploitation of a vulnerability has technical and risk impacts. Vulnerabilities can arise in information processing systems as early as the design phase and as late as system deployment.

Vulnerability in the NIST Glossary

NIST offers the following definitions of vulnerability:

  1. "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source"
  2. "A weakness in a system, application, or network that is subject to exploitation or misuse"
  3. "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source"

Those familiar with the CERT Resiliency Management Model (RMM) may be accustomed to the more general definition of vulnerability in the Vulnerability Analysis and Resolution (VAR) process area:

Vulnerability in the CERT RMM

A vulnerability is the susceptibility of an asset and associated service to disruption.

A summary of the VAR process area of the CERT RMM is provided in our discussion of Vulnerability Management.

While vulnerabilities can be found in many assets belonging to an organization—people, information, technology, and facilities—in this documentation we primarily focus on vulnerabilities in software or software-centric products and to a lesser degree services built on software-dependent products. While precisely defining vulnerability can be difficult, for our purpose a vulnerability may be thought of as an undesirable, exploitable, and likely unintended feature of software or hardware components that allows an attacker to perform actions that wouldn't otherwise be available to them. The impact of such vulnerabilities can vary greatly, from being able to access someone's private data, to taking control of a computer, to causing physical damage and bodily injury.

Why does CERT shorten vulnerability to vul instead of vuln?

Lots of folks ask us this question. The answer is simple: Tradition. We've been calling them vuls (no n) since at least 1993, and we have the email archives to prove it. Considering how many times we've had to type it, we figure we've saved ourselves approximately a gazillion keystrokes over the years. At this point, it's become a shibboleth for CERT/CC staff and alumni. You can start using it too, and instantly make your CVD practice _up to 25% more efficient!_