The current definition reads
The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.
I've been thinking about this lately, and I'm not sure what value the second phrase (, or ...) is adding to the definition.
There is absolutely a place in implementation notes for the fact that even just a small amount of information exposure (if that information is log-in credentials) can in fact lead to total control of the system. And exposure of such information should be evaluated as total control.
However, as it is, I think the second phrase just invites room for confusion, actually.
Have people been importantly operationalizing that second part of the phrase? Or is it just ignorable? If it's ignorable (I think we've been ignoring it), I suggest we remove it.