Terminology

We need strict definitions of the software terms bug, weakness, and vulnerability, as well as of the term security failure.

We define a software bug as a coding error that needs to be fixed.

Although it is difficult to define a software weakness itself, we know that it is caused by a bug or by ill-formed data. A weakness type is also a meaningful notion, as different vulnerabilities may have the same type of underlying weakness.

We define a software vulnerability as an instance of a weakness type that leads to a security failure. It may have more than one underlying weakness, linked by causality.

We define a security failure as a violation of a system security requirement.
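As an added illustration of the four terms and of a causal chain of weaknesses (this is a constructed toy, not code or an example from the paper), the C program below models a buffer whose byte size is computed from a caller-supplied element count. The bug is a missing wrap-around check on the multiplication; the first weakness is the resulting integer wrap; the second weakness, caused by the first, is a buffer that is undersized for the data it is meant to hold; the security failure is the memory-safety requirement that buffer would violate. `ELEM_SIZE`, `HUGE_COUNT` and all function names are assumptions of this example. The unsafe copy itself is never performed: the program only reports whether the sized buffer would have covered the request, and shows the checked version rejecting the same input before any buffer exists.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed element size for this example. */
#define ELEM_SIZE 16u

/* Constructed sample input: a count large enough that count * ELEM_SIZE
 * wraps around size_t. With this value the wrapped product is 16 bytes,
 * whatever the width of size_t. */
#define HUGE_COUNT (SIZE_MAX / ELEM_SIZE + 2)

/* BUG (coding error to fix): the product is not checked for wrap-around.
 * WEAKNESS 1: integer wrap, so for large counts the returned size is far
 * smaller than the count actually requires. */
size_t total_size_buggy(size_t count) {
    return count * ELEM_SIZE;
}

/* The fix for the bug: reject counts whose byte size does not fit in
 * size_t. Returns 1 and stores the size, or 0 if the request must be
 * rejected. The comparison uses division so it cannot wrap itself. */
int total_size_checked(size_t count, size_t *out) {
    if (count > SIZE_MAX / ELEM_SIZE) {
        return 0;
    }
    *out = count * ELEM_SIZE;
    return 1;
}

/* WEAKNESS 2 (caused by weakness 1): a buffer sized from a wrapped value
 * is undersized for `count` elements. This predicate says whether a
 * buffer of `bytes` bytes would hold them all. */
int buffer_covers(size_t bytes, size_t count) {
    return bytes / ELEM_SIZE >= count;
}

/* Buggy path: returns 1 if the allocation would hold every element and 0
 * on the SECURITY FAILURE, i.e. the memory-safety requirement would be
 * violated by the copy that follows. The copy is deliberately not done. */
int buggy_path_is_safe(size_t count) {
    size_t bytes = total_size_buggy(count);
    return buffer_covers(bytes, count);
}

/* Fixed path: oversize requests are rejected before any buffer exists,
 * so the chain never reaches the second weakness. */
int fixed_path_is_safe(size_t count) {
    size_t bytes;
    if (!total_size_checked(count, &bytes)) {
        return 1; /* request rejected up front: no buffer, no failure */
    }
    return buffer_covers(bytes, count);
}

int main(void) {
    printf("wrapped size for HUGE_COUNT: %zu bytes\n",
           total_size_buggy(HUGE_COUNT));
    printf("buggy path, count=4:          safe=%d\n", buggy_path_is_safe(4));
    printf("buggy path, count=HUGE_COUNT: safe=%d\n",
           buggy_path_is_safe(HUGE_COUNT));
    printf("fixed path, count=HUGE_COUNT: safe=%d\n",
           fixed_path_is_safe(HUGE_COUNT));
    return 0;
}
```

The point of the example is the causal link: fixing the single bug in `total_size_buggy` removes both weaknesses at once, because the second only exists when the first has produced a wrapped size. Classifying such a vulnerability therefore means recording the chain (integer wrap leading to an undersized buffer), not just the final memory-safety failure that is observed.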