If anybody asks you to classify vulnerabilities, the first thing that comes to mind is to mark them as High, Medium, or Low. At least that is what the majority of security engineers would answer.
Recently, while responding to an RFP, we came across an interesting section that asked for our process for identifying new classes of vulnerability. As our vulnerability assessment and penetration testing service combines automated techniques with manual verification, we had to think of ways to address this simple but tactical ask in our response.
If a new vulnerability is announced, what happens to the known ones, especially those discovered in the early days of computer engineering? In the process, an interesting comparison with volcanoes came up. Yes, volcanoes, the ones with the lava fragments. Volcanoes are classified as Active, Dormant and Extinct. This classification of volcanoes triggered a spark in our thought process; however, we had never heard of vulnerabilities that are extinct, have you? Finally, after a few rounds of discussion among the team, we ended up classifying web-based vulnerabilities into 4 types, namely:
Dormant Vulnerability: All documented exploitation methods can no longer be used, although at least one exploitation method has been recorded.
Evolved Vulnerability: Has documented detection for the vulnerability, and at least one recorded exploitation method is still usable.
New Vulnerability: Has no documented detection, but the vulnerability has at least one recorded exploitation method.
Zero-Day Vulnerability: There is no recorded detection or exploitation method for the vulnerability.
This classification of vulnerabilities (DENZ) was introduced in the response to the RFP and is now part of our VA/PT* methodology for web-based applications.
*VA/PT = Vulnerability Assessment / Penetration Testing