Vulnerability (computer security)

<h2 id="causes">Causes</h2>
Despite developers' goal of delivering a product that works entirely as intended, virtually all <a href="/facts/Software_bugs/I1uSXySv">software</a> and <a href="/facts/Hardware_bug/dsCVKPmN">hardware</a> contains bugs.<a class="footnote-ref" id="fnref:2" href="#fn:2">2</a> If a bug creates a security risk, it is called a vulnerability.<a class="footnote-ref" id="fnref:3" href="#fn:3">3</a><a class="footnote-ref" id="fnref:4" href="#fn:4">4</a><a class="footnote-ref" id="fnref:5" href="#fn:5">5</a> <a href="/facts/Software_patch/sIHVBPls">Software patches</a> are often released to fix identified vulnerabilities, but those that remain unknown (<a href="/facts/Zero-day_(computing)/B1jJkD0C">zero days</a>) as well as those that have not been patched are still liable for exploitation.<a class="footnote-ref" id="fnref:6" href="#fn:6">6</a> Vulnerabilities vary in their ability to be <a href="/facts/Exploit_(computer_security)/EdlqsRJM">exploited</a> by malicious actors,<a class="footnote-ref" id="fnref:7" href="#fn:7">7</a> and the actual risk is dependent on the nature of the vulnerability as well as the value of the surrounding system.<a class="footnote-ref" id="fnref:8" href="#fn:8">8</a> Although some vulnerabilities can only be used for <a href="/facts/Denial_of_service/6nkoK02J">denial of service</a> attacks, more dangerous ones allow the attacker to <a href="/facts/Code_injection/6gPRDpd1">inject</a> and run their own code (called <a href="/facts/Malware/5ee7TLFR">malware</a>), without the user being aware of it.<a class="footnote-ref" id="fnref:9" href="#fn:9">9</a> Only a minority of vulnerabilities allow for <a href="/facts/Privilege_escalation/STzSAaf5">privilege escalation</a>, which is necessary for more severe attacks.<a class="footnote-ref" id="fnref:10" href="#fn:10">10</a> Without a vulnerability, the exploit cannot gain access.<a class="footnote-ref" id="fnref:11" href="#fn:11">11</a> It is also possible for <a href="/facts/Malware/5ee7TLFR">malware</a> to be installed directly, without an exploit, if the attacker uses <a href="/facts/Social_engineering_(security)/7obTw773">social engineering</a> or implants the malware in legitimate software that is downloaded deliberately.<a class="footnote-ref" id="fnref:12" href="#fn:12">12</a>

<h3>Design factors</h3>
Fundamental design factors that can increase the burden of vulnerabilities include:

<ul><li>Complexity: Large, complex systems increase the probability of flaws and unintended <a href="/facts/File_system_permissions/DHq5SwI4">access points</a>.<a class="footnote-ref" id="fnref:13" href="#fn:13">13</a></li>
<li>Familiarity: Using common, well-known code, software, operating systems, and/or hardware increases the probability an attacker has or can find the knowledge and tools to exploit the flaw.<a class="footnote-ref" id="fnref:14" href="#fn:14">14</a></li>
<li>Connectivity: any system connected to the internet can be accessed and compromised. <a href="/facts/Air_gap_(networking)/1b2J4BJo">Disconnecting systems from the internet</a> is one truly effective measure against attacks, but it is rarely feasible.<a class="footnote-ref" id="fnref:15" href="#fn:15">15</a></li>
<li><a href="/facts/Legacy_software/YvYjMcCz">Legacy software</a> and <a href="/facts/Legacy_hardware/YvYjMcCz">hardware</a> is at increased risk, but upgrading often is prohibitive in terms of cost and <a href="/facts/Downtime/8DcAUp3j">downtime</a>.<a class="footnote-ref" id="fnref:16" href="#fn:16">16</a></li></ul>
<h3>Development factors</h3>
Some <a href="/facts/Software_development/UUfsAaYY">software development</a> practices can affect the risk of vulnerabilities being introduced to a code base. Lack of knowledge about secure software development or excessive pressure to deliver features quickly can lead to avoidable vulnerabilities to enter production code, especially if security is not prioritized by the <a href="/facts/Company_culture/FdAzHDyV">company culture</a>. This can lead to unintended vulnerabilities. The more complex the system is, the easier it is for vulnerabilities to go undetected. Some vulnerabilities are deliberately planted, which could be for any reason from a disgruntled employee selling access to cyber criminals, to sophisticated state-sponsored schemes to introduce vulnerabilities to software.<a class="footnote-ref" id="fnref:17" href="#fn:17">17</a> Inadequate <a href="/facts/Code_review/1I93ffGF">code reviews</a> can lead to missed bugs, but there are also <a href="/facts/Static_application_security_testing/eN4lDLk2">static code analysis</a> tools that can be used as part of code reviews and may find some vulnerabilities.<a class="footnote-ref" id="fnref:18" href="#fn:18">18</a> 
<a href="/facts/DevOps/yRg6dIBc">DevOps</a>, a development workflow that emphasizes automated testing and deployment to speed up the deployment of new features, often requires that many developers be granted access to change configurations, which can lead to deliberate or inadvertent inclusion of vulnerabilities.<a class="footnote-ref" id="fnref:19" href="#fn:19">19</a> Compartmentalizing dependencies, which is often part of DevOps workflows, can reduce the <a href="/facts/Attack_surface/KxF9Y8XK">attack surface</a> by paring down dependencies to only what is necessary.<a class="footnote-ref" id="fnref:20" href="#fn:20">20</a> If <a href="/facts/Software_as_a_service/LPyPQ5b7">software as a service</a> is used, rather than the organization's own hardware and software, the organization is dependent on the cloud services provider to prevent vulnerabilities.<a class="footnote-ref" id="fnref:21" href="#fn:21">21</a>

<h3>National Vulnerability Database classification</h3>
The <a href="/facts/National_Vulnerability_Database/kVoJTyAp">National Vulnerability Database</a> classifies vulnerabilities into eight root causes that may be overlapping, including:<a class="footnote-ref" id="fnref:22" href="#fn:22">22</a>

<ol><li><a href="/facts/Improper_input_validation/4967Sm1s">Input validation</a> (including <a href="/facts/Buffer_overflow/uMFduL4B">buffer overflow</a> and <a href="/facts/Boundary_condition/QEfmUqmP">boundary condition</a>) vulnerabilities occur when <a href="/facts/Input_checking/tFCchJTM">input checking</a> is not sufficient to prevent the attacker from injecting malicious code.<a class="footnote-ref" id="fnref:23" href="#fn:23">23</a></li>
<li><a href="/facts/Access_control/08zE5Pz8">Access control</a> vulnerabilities enable an attacker to access a system that is supposed to be restricted to them, or engage in <a href="/facts/Privilege_escalation/STzSAaf5">privilege escalation</a>.<a class="footnote-ref" id="fnref:24" href="#fn:24">24</a></li>
<li>When the system fails to handle and exceptional or unanticipated condition correctly, an attacker can exploit the situation to gain access.<a class="footnote-ref" id="fnref:25" href="#fn:25">25</a></li>
<li>A configuration vulnerability comes into existence when configuration settings cause risks to the system security, leading to such faults as unpatched software or file system permissions that do not sufficiently restrict access.<a class="footnote-ref" id="fnref:26" href="#fn:26">26</a></li>
<li>A <a href="/facts/Race_condition/bvNpgy4F">race condition</a>—when timing or other external factors change the outcome and lead to inconsistent or unpredictable results—can cause a vulnerability.<a class="footnote-ref" id="fnref:27" href="#fn:27">27</a></li></ol>
<h2 id="vulnerabilities-by-component">Vulnerabilities by component</h2>
<h3>Hardware</h3>
Main article: <a href="/facts/Hardware_security_bug/gtDTGbzq">Hardware security bug</a> 
Deliberate security bugs can be introduced during or after manufacturing and cause the <a href="/facts/Integrated_circuit/fjn6vg7C">integrated circuit</a> not to behave as expected under certain specific circumstances. Testing for security bugs in hardware is quite difficult due to limited time and the complexity of twenty-first century chips,<a class="footnote-ref" id="fnref:28" href="#fn:28">28</a> while the globalization of design and manufacturing has increased the opportunity for these bugs to be introduced by malicious actors.<a class="footnote-ref" id="fnref:29" href="#fn:29">29</a>

<h3>Operating system</h3>
See also: <a href="/facts/Operating_system/8XTuvMh2">Operating system § Security</a>
Although operating system vulnerabilities vary depending on the <a href="/facts/Operating_system/8XTuvMh2">operating system</a> in use, a common problem is <a href="/facts/Privilege_escalation/STzSAaf5">privilege escalation</a> bugs that enable the attacker to gain more access than they should be allowed. <a href="/facts/Open-source/7X9rCdz4">Open-source</a> operating systems such as <a href="/facts/Linux/9FvCKSTq">Linux</a> and <a href="/facts/Android_(operating_system)/nNyHb0xz">Android</a> have a freely accessible <a href="/facts/Source_code/o9J6Jv23">source code</a> and allow anyone to contribute, which could enable the introduction of vulnerabilities. However, the same vulnerabilities also occur in proprietary operating systems such as <a href="/facts/Microsoft_Windows/bwhAhuSL">Microsoft Windows</a> and <a href="/facts/List_of_Apple_operating_systems/mrqrldMc">Apple operating systems</a>.<a class="footnote-ref" id="fnref:30" href="#fn:30">30</a> All reputable vendors of operating systems provide patches regularly.<a class="footnote-ref" id="fnref:31" href="#fn:31">31</a>

<h3>Client–server applications</h3>
<a href="/facts/Client%E2%80%93server_model/FSnf27C5">Client–server applications</a> are downloaded onto the end user's computers and are typically updated less frequently than web applications. Unlike web applications, they interact directly with a user's <a href="/facts/Operating_system/8XTuvMh2">operating system</a>. Common vulnerabilities in these applications include:<a class="footnote-ref" id="fnref:32" href="#fn:32">32</a>

<ul><li>Unencrypted data that is in permanent storage or sent over a network is relatively easy for attackers to steal.<a class="footnote-ref" id="fnref:33" href="#fn:33">33</a></li>
<li>Process hijacking occurs when an attacker takes over an existing <a href="/facts/Computer_process/Vcq7EnUV">computer process</a>.<a class="footnote-ref" id="fnref:34" href="#fn:34">34</a></li></ul>
<h3>Web applications</h3>
<a href="/facts/Web_applications/BLkF3BIN">Web applications</a> run on many websites. Because they are inherently less secure than other applications, they are a leading source of <a href="/facts/Data_breach/xGxRFY1A">data breaches</a> and other security incidents.<a class="footnote-ref" id="fnref:35" href="#fn:35">35</a><a class="footnote-ref" id="fnref:36" href="#fn:36">36</a> They can include: 

<ul><li><a href="/facts/Authentication/64y4S69b">Authentication</a> and <a href="/facts/Authorization/FYFAkCH2">authorization</a> failures enable attackers to access data that should be restricted to trusted users.<a class="footnote-ref" id="fnref:37" href="#fn:37">37</a></li>
<li>Business logic vulnerability occurs when programmers do not consider unexpected cases arising in <a href="/facts/Business_logic/D0eEdM3t">business logic</a>.</li></ul>
Attacks used against vulnerabilities in web applications include: 

<ul><li><a href="/facts/Cross-site_scripting/dhtusKKm">Cross-site scripting</a> (XSS) enables attackers to <a href="/facts/Code_injection/6gPRDpd1">inject</a> and run <a href="/facts/JavaScript/XhhIIEsl">JavaScript</a>-based <a href="/facts/Malware/5ee7TLFR">malware</a> when <a href="/facts/Input_checking/tFCchJTM">input checking</a> is insufficient to reject the injected code.<a class="footnote-ref" id="fnref:38" href="#fn:38">38</a> XSS can be persistent, when attackers save the malware in a data field and run it when the data is loaded; it can also be loaded using a malicious <a href="/facts/URL/pPD5g7Wq">URL</a> link (reflected XSS).<a class="footnote-ref" id="fnref:39" href="#fn:39">39</a> Attackers can also insert malicious code into the <a href="/facts/Domain_object_model/rSxm7s5a">domain object model</a>.<a class="footnote-ref" id="fnref:40" href="#fn:40">40</a></li>
<li><a href="/facts/SQL_injection/QD0cwbk5">SQL injection</a> and similar attacks manipulate <a href="/facts/Database_queries/VYcpkevb">database queries</a> to gain unauthorized access to data.<a class="footnote-ref" id="fnref:41" href="#fn:41">41</a></li>
<li><a href="/facts/Command_injection/6gPRDpd1">Command injection</a> is a form of code injection where the attacker places the malware in data fields or <a href="/facts/Process/YNbQjvNP">processes</a>. The attacker might be able to take over the entire server.<a class="footnote-ref" id="fnref:42" href="#fn:42">42</a></li>
<li><a href="/facts/Cross-site_request_forgery/RN7XuvsW">Cross-site request forgery</a> (CSRF) is creating client requests that do malicious actions, such as an attacker changing a user's credentials.<a class="footnote-ref" id="fnref:43" href="#fn:43">43</a></li>
<li><a href="/facts/Server-side_request_forgery/YBvtQIl9">Server-side request forgery</a> is similar to CSRF, but the request is forged from the server side and often exploits the enhanced privilege of the server.<a class="footnote-ref" id="fnref:44" href="#fn:44">44</a></li>
<li>Business logic vulnerability occurs when programmers do not consider unexpected cases arising in <a href="/facts/Business_logic/D0eEdM3t">business logic</a>.<a class="footnote-ref" id="fnref:45" href="#fn:45">45</a></li></ul>
<h2 id="management">Management</h2>
Main article: <a href="/facts/Vulnerability_management/z1KXhvnp">Vulnerability management</a>
There is little evidence about the effectiveness and cost-effectiveness of different cyberattack prevention measures.<a class="footnote-ref" id="fnref:46" href="#fn:46">46</a> Although estimating the risk of an attack is not straightforward, the mean time to breach and expected cost can be considered to determine the priority for remediating or mitigating an identified vulnerability and whether it is cost effective to do so.<a class="footnote-ref" id="fnref:47" href="#fn:47">47</a> Although attention to security can reduce the risk of attack, achieving perfect security for a complex system is impossible, and many security measures have unacceptable cost or usability downsides.<a class="footnote-ref" id="fnref:48" href="#fn:48">48</a> For example, reducing the complexity and functionality of the system is effective at reducing the <a href="/facts/Attack_surface/KxF9Y8XK">attack surface</a>.<a class="footnote-ref" id="fnref:49" href="#fn:49">49</a> 
Successful vulnerability management usually involves a combination of remediation (closing a vulnerability), mitigation (increasing the difficulty, and reducing the consequences, of exploits), and accepting some residual risk. Often a <a href="/facts/Defense_in_depth/2P70n6oB">defense in depth</a> strategy is used for multiple barriers to attack.<a class="footnote-ref" id="fnref:50" href="#fn:50">50</a> Some organizations scan for only the highest-risk vulnerabilities as this enables prioritization in the context of lacking the resources to fix every vulnerability.<a class="footnote-ref" id="fnref:51" href="#fn:51">51</a> Increasing expenses is likely to have <a href="/facts/Diminishing_returns/YNwQIqtK">diminishing returns</a>.<a class="footnote-ref" id="fnref:52" href="#fn:52">52</a>

<h3>Remediation</h3>
Remediation fixes vulnerabilities, for example by downloading a <a href="/facts/Software_patch/sIHVBPls">software patch</a>.<a class="footnote-ref" id="fnref:53" href="#fn:53">53</a> Software vulnerability scanners are typically unable to detect zero-day vulnerabilities, but are more effective at finding known vulnerabilities based on a database. These systems can find some known vulnerabilities and advise fixes, such as a patch.<a class="footnote-ref" id="fnref:54" href="#fn:54">54</a><a class="footnote-ref" id="fnref:55" href="#fn:55">55</a> However, they have limitations including <a href="/facts/False_positive/jkC44hML">false positives</a>.<a class="footnote-ref" id="fnref:56" href="#fn:56">56</a>
Vulnerabilities can only be exploited when they are active-the software in which they are embedded is actively running on the system.<a class="footnote-ref" id="fnref:57" href="#fn:57">57</a> Before the code containing the vulnerability is configured to run on the system, it is considered a carrier.<a class="footnote-ref" id="fnref:58" href="#fn:58">58</a> Dormant vulnerabilities can run, but are not currently running. Software containing dormant and carrier vulnerabilities can sometimes be uninstalled or disabled, removing the risk.<a class="footnote-ref" id="fnref:59" href="#fn:59">59</a> Active vulnerabilities, if distinguished from the other types, can be prioritized for patching.<a class="footnote-ref" id="fnref:60" href="#fn:60">60</a>
Vulnerability mitigation is measures that do not close the vulnerability, but make it more difficult to exploit or reduce the consequences of an attack.<a class="footnote-ref" id="fnref:61" href="#fn:61">61</a> Reducing the <a href="/facts/Attack_surface/KxF9Y8XK">attack surface</a>, particularly for parts of the system with <a href="/facts/Superuser/0Brr6ol7">root</a> (administrator) access, and closing off opportunities for exploits to engage in privilege exploitation is a common strategy for reducing the harm that a cyberattack can cause.<a class="footnote-ref" id="fnref:62" href="#fn:62">62</a> If a patch for third-party software is unavailable, it may be possible to temporarily disable the software.<a class="footnote-ref" id="fnref:63" href="#fn:63">63</a>

<h3>Testing</h3>
A <a href="/facts/Penetration_test/Jd7lFd4z">penetration test</a> attempts to enter the system via an exploit to see if the system is insecure.<a class="footnote-ref" id="fnref:64" href="#fn:64">64</a> If a penetration test fails, it does not necessarily mean that the system is secure.<a class="footnote-ref" id="fnref:65" href="#fn:65">65</a> Some penetration tests can be conducted with automated software that tests against existing exploits for known vulnerabilities.<a class="footnote-ref" id="fnref:66" href="#fn:66">66</a> Other penetration tests are conducted by trained hackers. Many companies prefer to contract out this work as it simulates an outsider attack.<a class="footnote-ref" id="fnref:67" href="#fn:67">67</a>

<h2 id="vulnerability-lifecycle">Vulnerability lifecycle</h2>

The vulnerability lifecycle begins when vulnerabilities are introduced into hardware or software.<a class="footnote-ref" id="fnref:68" href="#fn:68">68</a> Detection of vulnerabilities can be by the software vendor, or by a third party. In the latter case, it is considered most ethical to immediately disclose the vulnerability to the vendor so it can be fixed.<a class="footnote-ref" id="fnref:69" href="#fn:69">69</a> Government or intelligence agencies buy vulnerabilities that have not been publicly disclosed and may use them in an attack, stockpile them, or notify the vendor.<a class="footnote-ref" id="fnref:70" href="#fn:70">70</a> As of 2013, the <a href="/facts/Five_Eyes/7lnSYxYh">Five Eyes</a> (United States, United Kingdom, Canada, Australia, and New Zealand) captured the plurality of the market and other significant purchasers included Russia, India, Brazil, Malaysia, Singapore, North Korea, and Iran.<a class="footnote-ref" id="fnref:71" href="#fn:71">71</a> Organized criminal groups also buy vulnerabilities, although they typically prefer <a href="/facts/Exploit_kit/4q8h3rke">exploit kits</a>.<a class="footnote-ref" id="fnref:72" href="#fn:72">72</a> 
Even vulnerabilities that are publicly known or patched are often exploitable for an extended period.<a class="footnote-ref" id="fnref:73" href="#fn:73">73</a><a class="footnote-ref" id="fnref:74" href="#fn:74">74</a> Security patches can take months to develop,<a class="footnote-ref" id="fnref:75" href="#fn:75">75</a> or may never be developed.<a class="footnote-ref" id="fnref:76" href="#fn:76">76</a> A patch can have negative effects on the functionality of software<a class="footnote-ref" id="fnref:77" href="#fn:77">77</a> and users may need to <a href="/facts/Software_testing/VoXzG9Tb">test</a> the patch to confirm functionality and compatibility.<a class="footnote-ref" id="fnref:78" href="#fn:78">78</a> Larger organizations may fail to identify and patch all dependencies, while smaller enterprises and personal users may not install patches.<a class="footnote-ref" id="fnref:79" href="#fn:79">79</a> Research suggests that risk of cyberattack increases if the vulnerability is made publicly known or a patch is released.<a class="footnote-ref" id="fnref:80" href="#fn:80">80</a> Cybercriminals can <a href="/facts/Reverse_engineer/pmJCV7J7">reverse engineer</a> the patch to find the underlying vulnerability and develop exploits,<a class="footnote-ref" id="fnref:81" href="#fn:81">81</a> often faster than users install the patch.<a class="footnote-ref" id="fnref:82" href="#fn:82">82</a>
Vulnerabilities become deprecated when the software or vulnerable versions fall out of use.<a class="footnote-ref" id="fnref:83" href="#fn:83">83</a> This can take an extended period of time; in particular, industrial software may not be feasible to replace even if the manufacturer stops supporting it.<a class="footnote-ref" id="fnref:84" href="#fn:84">84</a>

<h2 id="assessment-disclosure-and-inventory">Assessment, disclosure, and inventory</h2>
<h3>Assessment</h3>
A commonly used scale for assessing the severity of vulnerabilities is the open-source specification <a href="/facts/Common_Vulnerability_Scoring_System/LPP5p4SV">Common Vulnerability Scoring System</a> (CVSS). CVSS evaluates the possibility to exploit the vulnerability and compromise data confidentiality, availability, and integrity. It also considers how the vulnerability could be used and how complex an exploit would need to be. The amount of access needed for exploitation and whether it could take place without user interaction are also factored in to the overall score.<a class="footnote-ref" id="fnref:85" href="#fn:85">85</a><a class="footnote-ref" id="fnref:86" href="#fn:86">86</a>

<h3>Disclosure</h3>
Someone who discovers a vulnerability may disclose it immediately (<a href="/facts/Full_disclosure_(computer_security)/X4WTLAw0">full disclosure</a>) or wait until a patch has been developed (<a href="/facts/Coordinated_vulnerability_disclosure/xojA0o75">responsible disclosure</a>, or coordinated disclosure). The former approach is praised for its transparency, but the drawback is that the risk of attack is likely to be increased after disclosure with no patch available.<a class="footnote-ref" id="fnref:87" href="#fn:87">87</a> Some vendors pay <a href="/facts/Bug_bounty/KfyUbdlL">bug bounties</a> to those who report vulnerabilities to them.<a class="footnote-ref" id="fnref:88" href="#fn:88">88</a><a class="footnote-ref" id="fnref:89" href="#fn:89">89</a> Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead.<a class="footnote-ref" id="fnref:90" href="#fn:90">90</a> There is no law requiring disclosure of vulnerabilities.<a class="footnote-ref" id="fnref:91" href="#fn:91">91</a> If a vulnerability is discovered by a third party that does not disclose to the vendor or the public, it is called a <a href="/facts/Zero-day_vulnerability/B1jJkD0C">zero-day vulnerability</a>, often considered the most dangerous type because fewer defenses exist.<a class="footnote-ref" id="fnref:92" href="#fn:92">92</a> 

<h3>Vulnerability inventory</h3>
The most commonly used vulnerability dataset is <a href="/facts/Common_Vulnerabilities_and_Exposures/r6uEABNB">Common Vulnerabilities and Exposures</a> (CVE), maintained by <a href="/facts/Mitre_Corporation/lmFLYepE">Mitre Corporation</a>.<a class="footnote-ref" id="fnref:93" href="#fn:93">93</a> As of November 2024<a href="https://en.wikipedia.org/w/index.php?title=Vulnerability_(computer_security)&action=edit">[update]</a>, it has over 240,000 entries <a class="footnote-ref" id="fnref:94" href="#fn:94">94</a> This information is shared into other databases, including the United States' <a href="/facts/National_Vulnerability_Database/kVoJTyAp">National Vulnerability Database</a>,<a class="footnote-ref" id="fnref:95" href="#fn:95">95</a> where each vulnerability is given a risk score using <a href="/facts/Common_Vulnerability_Scoring_System/LPP5p4SV">Common Vulnerability Scoring System</a> (CVSS), <a href="/facts/Common_Platform_Enumeration/8cfAjALv">Common Platform Enumeration</a> (CPE) scheme, and <a href="/facts/Common_Weakness_Enumeration/LsL19Ff9">Common Weakness Enumeration</a>. CVE and other databases typically do not track vulnerabilities in <a href="/facts/Software_as_a_service/LPyPQ5b7">software as a service</a> products.<a class="footnote-ref" id="fnref:96" href="#fn:96">96</a> Submitting a CVE is voluntary for companies that discovered a vulnerability.<a class="footnote-ref" id="fnref:97" href="#fn:97">97</a>

<h2 id="liability">Liability</h2>
The software vendor is usually not legally liable for the cost if a vulnerability is used in an attack, which creates an incentive to make cheaper but less secure software.<a class="footnote-ref" id="fnref:98" href="#fn:98">98</a> Some companies are covered by laws, such as <a href="/facts/Payment_Card_Industry_Security_Standards_Council/a51xVeFk">PCI</a>, <a href="/facts/HIPAA/b40VtyEC">HIPAA</a>, and <a href="/facts/Sarbanes-Oxley/pfYfkDD2">Sarbanes-Oxley</a>, that place legal requirements on vulnerability management.<a class="footnote-ref" id="fnref:99" href="#fn:99">99</a>

<h2 id="sources">Sources</h2>

<ul><li>Ablon, Lillian; Bogart, Andy (2017). <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf">Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits</a> (PDF). Rand Corporation. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-8330-9761-3.</li>
<li>Agrafiotis, Ioannis; Nurse, Jason R C; Goldsmith, Michael; Creese, Sadie; Upton, David (2018). "A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate". Journal of Cybersecurity. 4 (1). <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1093%2Fcybsec%2Ftyy006">10.1093/cybsec/tyy006</a>. <a href="/facts/ISSN_(identifier)/DPAflDvU">ISSN</a> <a href="https://search.worldcat.org/issn/2057-2085">2057-2085</a>.</li>
<li><a href="/facts/Neil_Daswani/uVmLPflX">Daswani, Neil</a>; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-4842-6654-0.</li>
<li>Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-000-92451-0.</li>
<li>Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-4842-3627-7.</li>
<li>Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf">The Defender's Dilemma: Charting a Course Toward Cybersecurity</a> (PDF). Rand Corporation. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-8330-8911-3.</li>
<li>Linkov, Igor; Kott, Alexander (2019). "Fundamental Concepts of Cyber Resilience: Introduction and Overview". Cyber Resilience of Systems and Networks. Springer International Publishing. pp. 1–25. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-3-319-77492-3.</li>
<li>Magnusson, Andrew (2020). Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk. No Starch Press. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-59327-989-9.</li>
<li>O'Harrow, Robert (2013). Zero Day: The Threat In Cyberspace. Diversion Books. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-938120-76-3.</li>
<li>Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: Winner of the FT & McKinsey Business Book of the Year Award 2021. Bloomsbury Publishing. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-5266-2983-8.</li>
<li>Salmani, Hassan (2018). Trusted Digital Circuits: Hardware Trojan Vulnerabilities, Prevention and Detection. Springer. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-3-319-79081-7.</li>
<li>Seaman, Jim (2020). PCI DSS: An Integrated Data Security Standard Guide. Apress. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-4842-5808-8.</li>
<li>Sharp, Robin (2024). Introduction to Cybersecurity: A Multidisciplinary Challenge. Springer Nature. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-3-031-41463-3.</li>
<li>Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-351-12729-5.</li>
<li>Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-12-800619-1.</li>
<li>Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-80324-356-6.</li>
<li>Tjoa, Simon; Gafić, Melisa; Kieseberg, Peter (2024). Cyber Resilience Fundamentals. Springer Nature. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-3-031-52064-8.</li></ul>

<h2 id="external-links">External links</h2>
<ul><li> Media related to Vulnerability (computing) at Wikimedia Commons</li></ul>

<h2 id="references">References</h2>

<ol>
<li id="fn:1">"CVE - Program Metrics". 15 November 2024. <a href="https://www.cve.org/About/Metrics" target="_blank">https://www.cve.org/About/Metrics</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></li>
<li id="fn:2">Ablon & Bogart 2017, p. 1. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></li>
<li id="fn:3">Ablon & Bogart 2017, p. 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></li>
<li id="fn:4">Daswani & Elbayadi 2021, p. 25. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="#fnref:4" class="footnote-back-ref">↩</a></li>
<li id="fn:5">Seaman 2020, pp. 47–48. - Seaman, Jim (2020). PCI DSS: An Integrated Data Security Standard Guide. Apress. ISBN 978-1-4842-5808-8. <a href="#fnref:5" class="footnote-back-ref">↩</a></li>
<li id="fn:6">Daswani & Elbayadi 2021, pp. 26–27. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="#fnref:6" class="footnote-back-ref">↩</a></li>
<li id="fn:7">Ablon & Bogart 2017, p. 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></li>
<li id="fn:8">Haber & Hibbert 2018, pp. 5–6. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:8" class="footnote-back-ref">↩</a></li>
<li id="fn:9">Ablon & Bogart 2017, p. 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></li>
<li id="fn:10">Haber & Hibbert 2018, p. 6. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:10" class="footnote-back-ref">↩</a></li>
<li id="fn:11">Haber & Hibbert 2018, p. 10. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:11" class="footnote-back-ref">↩</a></li>
<li id="fn:12">Haber & Hibbert 2018, pp. 13–14. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:12" class="footnote-back-ref">↩</a></li>
<li id="fn:13">Kakareka, Almantas (2009). "23". In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 393. ISBN 978-0-12-374354-1. <a href="978-0-12-374354-1" target="_blank">978-0-12-374354-1</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></li>
<li id="fn:14">Krsul, Ivan (April 15, 1997). Technical Report CSD-TR-97-026. The COAST Laboratory Department of Computer Sciences, Purdue University. CiteSeerX 10.1.1.26.5435. <a href="/wiki/CiteSeerX_(identifier)" target="_blank">/wiki/CiteSeerX_(identifier)</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></li>
<li id="fn:15">Linkov & Kott 2019, p. 2. - Linkov, Igor; Kott, Alexander (2019). "Fundamental Concepts of Cyber Resilience: Introduction and Overview". Cyber Resilience of Systems and Networks. Springer International Publishing. pp. 1–25. ISBN 978-3-319-77492-3. <a href="#fnref:15" class="footnote-back-ref">↩</a></li>
<li id="fn:16">Haber & Hibbert 2018, p. 155. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:16" class="footnote-back-ref">↩</a></li>
<li id="fn:17">Strout 2023, p. 17. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:17" class="footnote-back-ref">↩</a></li>
<li id="fn:18">Haber & Hibbert 2018, p. 143. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:18" class="footnote-back-ref">↩</a></li>
<li id="fn:19">Haber & Hibbert 2018, p. 141. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:19" class="footnote-back-ref">↩</a></li>
<li id="fn:20">Haber & Hibbert 2018, p. 142. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:20" class="footnote-back-ref">↩</a></li>
<li id="fn:21">Haber & Hibbert 2018, pp. 135–137. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:21" class="footnote-back-ref">↩</a></li>
<li id="fn:22">Garg & Baliyan 2023, pp. 17–18. - Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. ISBN 978-1-000-92451-0. <a href="#fnref:22" class="footnote-back-ref">↩</a></li>
<li id="fn:23">Garg & Baliyan 2023, p. 17. - Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. ISBN 978-1-000-92451-0. <a href="#fnref:23" class="footnote-back-ref">↩</a></li>
<li id="fn:24">Garg & Baliyan 2023, p. 17. - Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. ISBN 978-1-000-92451-0. <a href="#fnref:24" class="footnote-back-ref">↩</a></li>
<li id="fn:25">Garg & Baliyan 2023, p. 18. - Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. ISBN 978-1-000-92451-0. <a href="#fnref:25" class="footnote-back-ref">↩</a></li>
<li id="fn:26">Garg & Baliyan 2023, p. 18. - Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. ISBN 978-1-000-92451-0. <a href="#fnref:26" class="footnote-back-ref">↩</a></li>
<li id="fn:27">Garg & Baliyan 2023, p. 18. - Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. ISBN 978-1-000-92451-0. <a href="#fnref:27" class="footnote-back-ref">↩</a></li>
<li id="fn:28">Salmani 2018, p. 1. - Salmani, Hassan (2018). Trusted Digital Circuits: Hardware Trojan Vulnerabilities, Prevention and Detection. Springer. ISBN 978-3-319-79081-7. <a href="#fnref:28" class="footnote-back-ref">↩</a></li>
<li id="fn:29">Salmani 2018, p. 11. - Salmani, Hassan (2018). Trusted Digital Circuits: Hardware Trojan Vulnerabilities, Prevention and Detection. Springer. ISBN 978-3-319-79081-7. <a href="#fnref:29" class="footnote-back-ref">↩</a></li>
<li id="fn:30">Garg & Baliyan 2023, pp. 20–25. - Garg, Shivi; Baliyan, Niyati (2023). Mobile OS Vulnerabilities: Quantitative and Qualitative Analysis. CRC Press. ISBN 978-1-000-92451-0. <a href="#fnref:30" class="footnote-back-ref">↩</a></li>
<li id="fn:31">Sharp 2024, p. 271. - Sharp, Robin (2024). Introduction to Cybersecurity: A Multidisciplinary Challenge. Springer Nature. ISBN 978-3-031-41463-3. <a href="#fnref:31" class="footnote-back-ref">↩</a></li>
<li id="fn:32">Strout 2023, p. 15. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:32" class="footnote-back-ref">↩</a></li>
<li id="fn:33">Strout 2023, p. 15. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:33" class="footnote-back-ref">↩</a></li>
<li id="fn:34">Strout 2023, p. 15. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:34" class="footnote-back-ref">↩</a></li>
<li id="fn:35">Strout 2023, p. 13. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:35" class="footnote-back-ref">↩</a></li>
<li id="fn:36">Haber & Hibbert 2018, p. 129. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:36" class="footnote-back-ref">↩</a></li>
<li id="fn:37">Strout 2023, p. 13. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:37" class="footnote-back-ref">↩</a></li>
<li id="fn:38">Strout 2023, p. 13. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:38" class="footnote-back-ref">↩</a></li>
<li id="fn:39">Strout 2023, p. 13. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:39" class="footnote-back-ref">↩</a></li>
<li id="fn:40">Strout 2023, p. 14. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:40" class="footnote-back-ref">↩</a></li>
<li id="fn:41">Strout 2023, p. 14. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:41" class="footnote-back-ref">↩</a></li>
<li id="fn:42">Strout 2023, p. 14. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:42" class="footnote-back-ref">↩</a></li>
<li id="fn:43">Strout 2023, p. 14. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:43" class="footnote-back-ref">↩</a></li>
<li id="fn:44">Strout 2023, p. 14. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:44" class="footnote-back-ref">↩</a></li>
<li id="fn:45">Strout 2023, pp. 14–15. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:45" class="footnote-back-ref">↩</a></li>
<li id="fn:46">Agrafiotis et al. 2018, p. 2. - Agrafiotis, Ioannis; Nurse, Jason R C; Goldsmith, Michael; Creese, Sadie; Upton, David (2018). "A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate". Journal of Cybersecurity. 4 (1). doi:10.1093/cybsec/tyy006. ISSN 2057-2085. <a href="https://doi.org/10.1093%2Fcybsec%2Ftyy006" target="_blank">https://doi.org/10.1093%2Fcybsec%2Ftyy006</a> <a href="#fnref:46" class="footnote-back-ref">↩</a></li>
<li id="fn:47">Haber & Hibbert 2018, pp. 97–98. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:47" class="footnote-back-ref">↩</a></li>
<li id="fn:48">Tjoa et al. 2024, p. 63. - Tjoa, Simon; Gafić, Melisa; Kieseberg, Peter (2024). Cyber Resilience Fundamentals. Springer Nature. ISBN 978-3-031-52064-8. <a href="#fnref:48" class="footnote-back-ref">↩</a></li>
<li id="fn:49">Tjoa et al. 2024, pp. 68, 70. - Tjoa, Simon; Gafić, Melisa; Kieseberg, Peter (2024). Cyber Resilience Fundamentals. Springer Nature. ISBN 978-3-031-52064-8. <a href="#fnref:49" class="footnote-back-ref">↩</a></li>
<li id="fn:50">Magnusson 2020, p. 34. - Magnusson, Andrew (2020). Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk. No Starch Press. ISBN 978-1-59327-989-9. <a href="#fnref:50" class="footnote-back-ref">↩</a></li>
<li id="fn:51">Haber & Hibbert 2018, pp. 166–167. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:51" class="footnote-back-ref">↩</a></li>
<li id="fn:52">Haber & Hibbert 2018, pp. 97–98. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:52" class="footnote-back-ref">↩</a></li>
<li id="fn:53">Haber & Hibbert 2018, p. 11. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:53" class="footnote-back-ref">↩</a></li>
<li id="fn:54">Strout 2023, p. 8. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:54" class="footnote-back-ref">↩</a></li>
<li id="fn:55">Haber & Hibbert 2018, pp. 12–13. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:55" class="footnote-back-ref">↩</a></li>
<li id="fn:56">Haber & Hibbert 2018, p. 11. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:56" class="footnote-back-ref">↩</a></li>
<li id="fn:57">Haber & Hibbert 2018, p. 84. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:57" class="footnote-back-ref">↩</a></li>
<li id="fn:58">Haber & Hibbert 2018, p. 85. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:58" class="footnote-back-ref">↩</a></li>
<li id="fn:59">Haber & Hibbert 2018, pp. 84–85. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:59" class="footnote-back-ref">↩</a></li>
<li id="fn:60">Haber & Hibbert 2018, p. 84. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:60" class="footnote-back-ref">↩</a></li>
<li id="fn:61">Magnusson 2020, p. 32. - Magnusson, Andrew (2020). Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk. No Starch Press. ISBN 978-1-59327-989-9. <a href="#fnref:61" class="footnote-back-ref">↩</a></li>
<li id="fn:62">Haber & Hibbert 2018, p. 11. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:62" class="footnote-back-ref">↩</a></li>
<li id="fn:63">Magnusson 2020, p. 33. - Magnusson, Andrew (2020). Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk. No Starch Press. ISBN 978-1-59327-989-9. <a href="#fnref:63" class="footnote-back-ref">↩</a></li>
<li id="fn:64">Haber & Hibbert 2018, p. 93. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:64" class="footnote-back-ref">↩</a></li>
<li id="fn:65">Haber & Hibbert 2018, p. 96. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:65" class="footnote-back-ref">↩</a></li>
<li id="fn:66">Haber & Hibbert 2018, p. 94. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:66" class="footnote-back-ref">↩</a></li>
<li id="fn:67">Haber & Hibbert 2018, p. 96. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:67" class="footnote-back-ref">↩</a></li>
<li id="fn:68">Strout 2023, p. 16. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:68" class="footnote-back-ref">↩</a></li>
<li id="fn:69">Strout 2023, p. 18. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:69" class="footnote-back-ref">↩</a></li>
<li id="fn:70">Libicki, Ablon & Webb 2015, p. 44. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:70" class="footnote-back-ref">↩</a></li>
<li id="fn:71">Perlroth 2021, p. 145. - Perlroth, Nicole (2021). This Is How They Tell Me the World Ends: Winner of the FT & McKinsey Business Book of the Year Award 2021. Bloomsbury Publishing. ISBN 978-1-5266-2983-8. <a href="#fnref:71" class="footnote-back-ref">↩</a></li>
<li id="fn:72">Libicki, Ablon & Webb 2015, pp. 44, 46. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:72" class="footnote-back-ref">↩</a></li>
<li id="fn:73">Ablon & Bogart 2017, p. 8. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:73" class="footnote-back-ref">↩</a></li>
<li id="fn:74">Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:74" class="footnote-back-ref">↩</a></li>
<li id="fn:75">Strout 2023, p. 26. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:75" class="footnote-back-ref">↩</a></li>
<li id="fn:76">Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:76" class="footnote-back-ref">↩</a></li>
<li id="fn:77">Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:77" class="footnote-back-ref">↩</a></li>
<li id="fn:78">Libicki, Ablon & Webb 2015, p. 50. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:78" class="footnote-back-ref">↩</a></li>
<li id="fn:79">Sood & Enbody 2014, p. 42. - Sood, Aditya; Enbody, Richard (2014). Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware. Syngress. ISBN 978-0-12-800619-1. <a href="#fnref:79" class="footnote-back-ref">↩</a></li>
<li id="fn:80">Libicki, Ablon & Webb 2015, pp. 49–50. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:80" class="footnote-back-ref">↩</a></li>
<li id="fn:81">Strout 2023, p. 28. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:81" class="footnote-back-ref">↩</a></li>
<li id="fn:82">Libicki, Ablon & Webb 2015, pp. 49–50. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:82" class="footnote-back-ref">↩</a></li>
<li id="fn:83">Strout 2023, p. 18. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:83" class="footnote-back-ref">↩</a></li>
<li id="fn:84">Strout 2023, p. 19. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:84" class="footnote-back-ref">↩</a></li>
<li id="fn:85">Strout 2023, pp. 5–6. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:85" class="footnote-back-ref">↩</a></li>
<li id="fn:86">Haber & Hibbert 2018, pp. 73–74. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:86" class="footnote-back-ref">↩</a></li>
<li id="fn:87">"Ask an Ethicist: Vulnerability Disclosure". Association for Computing Machinery's Committee on Professional Ethics. 17 July 2018. Retrieved 3 May 2024. <a href="https://ethics.acm.org/integrity-project/ask-an-ethicist/ask-an-ethicist-vulnerability-disclosure/" target="_blank">https://ethics.acm.org/integrity-project/ask-an-ethicist/ask-an-ethicist-vulnerability-disclosure/</a> <a href="#fnref:87" class="footnote-back-ref">↩</a></li>
<li id="fn:88">O'Harrow 2013, p. 18. - O'Harrow, Robert (2013). Zero Day: The Threat In Cyberspace. Diversion Books. ISBN 978-1-938120-76-3. <a href="#fnref:88" class="footnote-back-ref">↩</a></li>
<li id="fn:89">Libicki, Ablon & Webb 2015, p. 45. - Libicki, Martin C.; Ablon, Lillian; Webb, Tim (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity (PDF). Rand Corporation. ISBN 978-0-8330-8911-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf</a> <a href="#fnref:89" class="footnote-back-ref">↩</a></li>
<li id="fn:90">Strout 2023, p. 36. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:90" class="footnote-back-ref">↩</a></li>
<li id="fn:91">Haber & Hibbert 2018, p. 110. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:91" class="footnote-back-ref">↩</a></li>
<li id="fn:92">Strout 2023, p. 22. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:92" class="footnote-back-ref">↩</a></li>
<li id="fn:93">Strout 2023, p. 6. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:93" class="footnote-back-ref">↩</a></li>
<li id="fn:94">"CVE - Program Metrics". 15 November 2024. <a href="https://www.cve.org/About/Metrics" target="_blank">https://www.cve.org/About/Metrics</a> <a href="#fnref:94" class="footnote-back-ref">↩</a></li>
<li id="fn:95">Strout 2023, p. 6. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:95" class="footnote-back-ref">↩</a></li>
<li id="fn:96">Strout 2023, p. 8. - Strout, Benjamin (2023). The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities. Packt Publishing. ISBN 978-1-80324-356-6. <a href="#fnref:96" class="footnote-back-ref">↩</a></li>
<li id="fn:97">Haber & Hibbert 2018, p. 110. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:97" class="footnote-back-ref">↩</a></li>
<li id="fn:98">Sloan & Warner 2019, pp. 104–105. - Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. ISBN 978-1-351-12729-5. <a href="#fnref:98" class="footnote-back-ref">↩</a></li>
<li id="fn:99">Haber & Hibbert 2018, p. 111. - Haber, Morey J.; Hibbert, Brad (2018). Asset Attack Vectors: Building Effective Vulnerability Management Strategies to Protect Organizations. Apress. ISBN 978-1-4842-3627-7. <a href="#fnref:99" class="footnote-back-ref">↩</a></li>
</ol>

Vulnerability (computer security) open-in-new

Vulnerability (computer security)