We currently use "remediation" in the guide to mean both fix and mitigate.
For example, see section 4.4 Remediation
But other sources use remediation to mean something disjoint from mitigation.
[ ] The first question to address is whether we are the outlier or not.
[ ] The second question is to suggest how the guide can identify, define, and consistently use terms representing:
[ ] (1) "fix", "patch" (noun) - a complete elimination of the vulnerability
[ ] (2) "mitigation", "partial fix", "workaround" (noun) - a reduction in risk (either impact OR probability) posed by the vulnerability that does not meet the criteria for (1)
[ ] (3) "remediation" (noun) An umbrella term for the set of both (1) and (2) (noun) - any action taken in response to the existence of a vulnerability that decreases associated risk (possibly to zero)
[ ] (4) "vulnerability response" (noun) - An umbrella term for things that one does in response to the existence of a vulnerability, regardless whether it affects the associated risk or not
The list above reflects current usage in the guide, but depending on whether or not we use "remediation" to mean 1 or 3, then any of these may need to change.
References to the "remediation = fix (only)" usage include:
ahouseholder
commented
5 months ago
We currently use "remediation" in the guide to mean both fix and mitigate. For example, see section 4.4 Remediation But other sources use remediation to mean something disjoint from mitigation.
The list above reflects current usage in the guide, but depending on whether or not we use "remediation" to mean 1 or 3, then any of these may need to change.
References to the "remediation = fix (only)" usage include:
This issue is closely related to SSVC#46