When is an actual vulnerability no longer considered a vulnerability?

In a stunning statement at the 2011 ACS Cyber Security Conference, Marty Edwards from DHS stated that in order for a design deficiency to be considered a vulnerability, it must be fixable by a patch. This means exploitable design deficiencies such as those found by Ralph Langner and Dillon Beresford are not considered vulnerabilities by DHS because they cannot be fixed by patches. It also implies theses exploitable design deficiencies do not have to be disclosed by ICS-CERT.  This is bizarre.  

Joe Weiss
Sept. 23, 2011
In a stunning statement at the 2011 ACS Cyber Security Conference, Marty Edwards from DHS stated that in order for a design deficiency to be considered a vulnerability, it must be fixable by a patch. This means exploitable design deficiencies such as those found by Ralph Langner and Dillon Beresford are not considered vulnerabilities by DHS because they cannot be fixed by patches. It also implies theses exploitable design deficiencies do not have to be disclosed by ICS-CERT.  This is bizarre.  
Joe Weiss

About the Author

jweiss

jweiss

Sign up for our eNewsletters
Get the latest news and updates

Related

Phillips 66 digitalizes SIS management
Prep to paint the analytics room
Boost Sludge Thickening with Real-Time Metrics
Sponsored
Reliable Instrumentation for Carbon Capture
Sponsored