Classifying vulnerabilities into specific types

If anybody asks you to classify vulnerabilities, the first thing that comes to mind is to rate them as High, Medium, or Low. At least that is the answer most security engineers would give.
Recently, while responding to an RFP, we came across an interesting section that asked for our process to identify new classes of vulnerability. As our vulnerability assessment and penetration testing service combines automated scanning with manual verification techniques, we had to think about how to address this simple but tactical ask in our response.
If a new vulnerability is announced, what happens to the known ones, especially those discovered in the early days of computer engineering? In the process an interesting comparison with volcanoes came up. Yes, volcanoes, the ones with lava. Volcanoes are classified as Active, Dormant and Extinct. This classification triggered a spark in our thought process; however, we had never heard of vulnerabilities that are extinct. Have you? Finally, after a few rounds of discussion among the team, we ended up classifying web-based vulnerabilities into 4 types, namely:
Dormant Vulnerability: has at least one recorded exploitation method, but none of the documented exploitation methods can still be used.
Evolved Vulnerability: has documented detection for the vulnerability, and at least one recorded exploitation method that is still usable.
New Vulnerability: has no documented detection, but at least one recorded exploitation method.
Zero-Day Vulnerability: has no recorded detection method and no recorded exploitation method.
This classification of vulnerabilities (DENZ) was introduced in the response to the RFP and is now part of our VA/PT* methodology for web-based applications.
*VA/PT = Vulnerability Assessment / Penetration Testing
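The four DENZ states reduce to two questions about a vulnerability record: is there a documented detection method, and is there at least one recorded exploitation method, and if so, is any of them still usable? The following is an added example (not code from the original post) that encodes those rules; the record fields, the sample vulnerabilities and the exploit names are constructed for illustration, and the one combination the post does not define (detection documented, but no exploitation method ever recorded) is returned as None rather than forced into a state.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ExploitMethod:
    name: str            # label for a recorded exploitation method (constructed)
    still_usable: bool   # True if the recorded method can still be used

@dataclass
class VulnRecord:
    name: str
    detection_documented: bool                  # documented way to detect it?
    exploits: list = field(default_factory=list)  # recorded exploitation methods

def classify_denz(v: VulnRecord) -> Optional[str]:
    """Map a record to one of the DENZ states: Dormant, Evolved, New, Zero-Day.

    Returns None for the combination the post leaves undefined
    (detection documented, no exploitation method ever recorded).
    """
    recorded = bool(v.exploits)
    usable = any(e.still_usable for e in v.exploits)
    if not recorded:
        # Zero-Day: no recorded detection and no recorded exploitation method
        return "Zero-Day" if not v.detection_documented else None
    if not usable:
        # Dormant: methods were recorded, but none of them can still be used
        return "Dormant"
    # At least one usable method exists; documented detection decides the rest
    return "Evolved" if v.detection_documented else "New"

# Constructed sample records covering each state plus the undefined case.
SAMPLES = [
    VulnRecord("legacy-cgi-bug", False, [ExploitMethod("old-poc", False)]),
    VulnRecord("reflected-xss", True, [ExploitMethod("payload-a", False),
                                       ExploitMethod("payload-b", True)]),
    VulnRecord("fresh-deserialization", False, [ExploitMethod("poc", True)]),
    VulnRecord("undisclosed-issue", False, []),
    VulnRecord("detected-only", True, []),
]

def classify_all(records=SAMPLES) -> dict:
    """Return {vulnerability name: DENZ state or None} for a list of records."""
    return {r.name: classify_denz(r) for r in records}

if __name__ == "__main__":
    for name, state in classify_all().items():
        print(f"{name}: {state}")
```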


There are 2 Comments

I thought vulnerability categories would be the OWASP classification sort of stuff. So, is a vulnerability a buffer overflow or XSS, etc.? How would you classify a new type, or are you just looking for the OWASP Top 10?

I think it's a semantic issue. The title of the post is better represented as "state of vulnerabilities" than "classification". I was intrigued to present the three states as it helps us in strategizing the test scenarios against an application; I didn't realise I'm opening up a confusion :-)
While a new vuln will fall into one of the two states (New Vulnerability or Zero-Day) based on whether an exploit is available or not, I'd look into the attack scenario, affected technology and the error that is leading to the exploit to classify a vulnerability. However, there are popular vulnerability classification criteria.