Figure SE.16 - Security Vulnerability : Class diagram
Created: 3/28/2022 3:51:09 PM
Modified: 6/23/2022 5:13:24 PM
Project:
Advanced:
<b>Security Vulnerability</b><br/>The vulnerability portion of the model carries information about potential weaknesses in hardware, applications, and operating systems that an adversary or threat may exploit.  The original contribution was designed around the NIST National Vulnerability Database (NVD) and its associated tools.<br/>At the highest level, a vulnerability is either a software flaw, identified by a Common Vulnerabilities and Exposures (CVE) identifier, or a weak configuration, identified by a Common Configuration Enumeration (CCE) identifier.  Information carried directly in the Vulnerability core class includes a summary; the date and time the vulnerability was discovered, disclosed, and published; the date an exploit was published against it; and the level of access (security protection: root, user, or other) that can be obtained by exploiting it.  <br/><b>Fix Action </b><br/>One or more “fix” actions can be applied to a vulnerability to remedy the exposure.  The technique or tool each fix action uses must be identified.<br/>Some number of fix actions exists for each vulnerability.  Fix actions may consist of updating software, applying patches, implementing administrative policies, other external mitigation, or changing the configuration of the vulnerable asset.  Fix actions are typically described as remediations or mitigations.  The model allows these labels to be used; where they are ambiguous, a fix action can instead be labeled as a complete or partial fix.  Fix actions may contain multiple steps, so a fix action can recursively contain fix action steps.  Fix actions also reference the configurations they target, the configuration of the tool required to apply them, the patches they apply, and the specific check that verifies successful completion of each fix action.<br/>
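As an added worked example (not part of the original model or its tooling), the following Python sketches the Vulnerability and Fix Action classes described above as data classes: the CVE/CCE split at the top level, the recursive fix action steps, the complete/partial label, and the per-action verification check, from which a remediation status for the vulnerability is derived. Field names, the status rule, and the sample data are assumptions made for illustration; the CVE-format identifier in the sample is a placeholder, not a real entry.

```python
# Added example, not part of the original model export: a minimal in-memory
# realisation of the Vulnerability and Fix Action classes described above.
# Field names, the remediation-status rule and the sample data are assumptions;
# the identifier syntax follows the public CVE and CCE formats
# (CVE-YYYY-NNNN with four or more sequence digits, CCE-NNNNN-N).
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CCE_RE = re.compile(r"^CCE-\d{5}-\d$")


def identifier_kind(ident: str) -> Optional[str]:
    """Map an identifier to the model's two top-level kinds:
    'flaw' for a CVE id, 'configuration' for a CCE id, None if neither."""
    if CVE_RE.match(ident):
        return "flaw"
    if CCE_RE.match(ident):
        return "configuration"
    return None


@dataclass
class Check:
    """The verification check attached to a fix action (passed=None: not run yet)."""
    description: str
    passed: Optional[bool] = None


@dataclass
class FixAction:
    title: str
    technique: str                   # assumed vocabulary: 'patch', 'update', 'config', 'policy', 'external'
    completeness: str = "complete"   # 'complete' or 'partial', as the model allows
    check: Optional[Check] = None
    steps: List["FixAction"] = field(default_factory=list)  # recursive fix action steps

    def verified(self) -> bool:
        """A fix action is verified when its own check passed (if it has one)
        and every nested step is itself verified."""
        own_ok = self.check is None or self.check.passed is True
        return own_ok and all(step.verified() for step in self.steps)


@dataclass
class Vulnerability:
    identifier: str
    summary: str
    discovered: datetime
    disclosed: datetime
    published: datetime
    exploit_published: Optional[datetime] = None
    access_obtained: str = "user"    # 'root', 'user' or 'other'
    fix_actions: List[FixAction] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.kind = identifier_kind(self.identifier)
        if self.kind is None:
            raise ValueError(f"not a CVE or CCE identifier: {self.identifier!r}")
        if self.access_obtained not in ("root", "user", "other"):
            raise ValueError(f"unknown access level: {self.access_obtained!r}")

    def remediation_status(self) -> str:
        """'remediated' once a complete fix action is fully verified,
        'mitigated' if only partial fix actions are verified, else 'exposed'."""
        verified = [f for f in self.fix_actions if f.verified()]
        if any(f.completeness == "complete" for f in verified):
            return "remediated"
        return "mitigated" if verified else "exposed"

    def exploit_preceded_disclosure(self) -> bool:
        """True when a public exploit existed before the disclosure date."""
        return self.exploit_published is not None and self.exploit_published < self.disclosed


def build_sample() -> Vulnerability:
    """Constructed sample data; the CVE-format id is a placeholder, not a real entry."""
    patch = FixAction("Apply vendor patch", "patch", "complete", steps=[
        FixAction("Stage patch on host", "patch", check=Check("patch file present", True)),
        FixAction("Install patch", "patch", check=Check("package version updated", True)),
        FixAction("Reboot host", "patch", check=Check("running kernel matches patch", None)),
    ])
    workaround = FixAction("Disable affected service", "config", "partial",
                           check=Check("service no longer listening", True))
    return Vulnerability(
        identifier="CVE-2022-99999",
        summary="Placeholder: privilege escalation in a constructed sample service",
        discovered=datetime(2022, 3, 1), disclosed=datetime(2022, 3, 15),
        published=datetime(2022, 3, 28), exploit_published=datetime(2022, 4, 2),
        access_obtained="root", fix_actions=[patch, workaround])


if __name__ == "__main__":
    v = build_sample()
    print(v.kind, v.remediation_status())        # flaw mitigated (reboot check not yet run)
    v.fix_actions[0].steps[2].check.passed = True
    print(v.remediation_status())                # remediated
```

The status rule is the part worth arguing about when adopting a model like this: a complete fix action counts only once every nested step's check has passed, so an installed-but-not-rebooted patch leaves the asset at "mitigated" (by the partial workaround) rather than "remediated", which is the distinction the complete/partial label exists to make.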