add sentence explaining that exposure is about deployment context not intended use
ahouseholder committed Oct 13, 2020
1 parent 7ce7514 commit 1003493
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions doc/version_1/040_treesForVulMgmt.md
Expand Up @@ -379,6 +379,9 @@ resiliency</td>
> The Accessible Attack Surface of the Affected System or Service
Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access.
Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed.
For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus.

If a vulnerability cannot be patched, other mitigations may be used.
Usually, the effect of these mitigations is to reduce exposure of the vulnerable component.
Therefore, an applier’s response to Exposure may change if such mitigations are put in place.
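
Review bot: The CAN bus example says exposure "will vary" with the presence of a cellular telemetry device but never says in which direction, so it does not show the reader how to apply the preceding sentence about deployed context. Suggest stating the outcome, for instance that the device is more exposed when a cellular telemetry unit shares the bus, because the cellular link can give a path to the bus from outside the vehicle. The first sentence of the hunk names only "small and controlled" access; if the example is meant to move a system between those categories, say which one applies in each case. The commit title also contrasts deployment context with "intended use" while the text says "commonly expected to be deployed"; one phrasing in both places would keep them from being read as different things.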