by a1369209993 2115 days ago
"Remote Code Execution" means the attacker can Execute Code Remotely, right? I guess you could classify the virtual machine as a (virtually) separate machine from the physical one, so that it's not an RCE on the machine you actually want to attack, but it's clearly executing code on some machine that the remote attacker isn't supposed to be able to execute code on.

No. RCE is a term of art. It implies arbitrary native code execution.
> It implies arbitrary *native* code execution.

This is simply not true in a plurality of cases (e.g., it implies that applications running under qemu are incapable of having RCE vulnerabilities) and frankly sounds like a distinction that was made up to avoid admitting that script tags are RCE bugs in web browsers.

It's interesting how much this little subthread recapitulates the experience of responding to the median bug bounty submission.
Well, modulo "responding to a submission" versus "reporting a vulnerability", we can certainly agree on that at least.