From 1003493ea5f81e95b8ffc2433b2d8f4c288d867e Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 13 Oct 2020 10:13:23 -0400 Subject: [PATCH] add sentence explaining that exposure is about deployment context not intended use --- doc/version_1/040_treesForVulMgmt.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/version_1/040_treesForVulMgmt.md b/doc/version_1/040_treesForVulMgmt.md index f244662c..bb495951 100644 --- a/doc/version_1/040_treesForVulMgmt.md +++ b/doc/version_1/040_treesForVulMgmt.md @@ -379,6 +379,9 @@ resiliency > The Accessible Attack Surface of the Affected System or Service Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. +Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. +For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus. + If a vulnerability cannot be patched, other mitigations may be used. Usually, the effect of these mitigations is to reduce exposure of the vulnerable component. Therefore, an applier’s response to Exposure may change if such mitigations are put in place.
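Review bot: the CAN bus example in the second added line says exposure "will vary" but not in which direction, and it does not tie the result to the Exposure values this section uses (the context line just above the addition mentions "small" and "controlled"), so a reader cannot tell which decision the example is meant to produce. Consider stating the outcome explicitly, for instance that the same device is judged as more exposed when a cellular telemetry device shares the bus than when it does not, if that is the intended reading. A smaller point on wording: the subject line contrasts deployment context with "intended use", while the first added sentence contrasts it with how the system "is commonly expected to be deployed"; using one term in both places would keep the commit message and the text aligned.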