[tptacek]

No. RCE is a term of art. It implies arbitrary native code execution.

[a1369209993]

> It implies arbitrary []native[] code execution.

This is simply not true in a plurality of cases (eg, it implies that applications running under qemu are incapable of having RCE vulnerabilities) and frankly sounds like a distinction that was made up to avoid admitting that script tags are RCE bugs in web browsers.

[tptacek]

It's interesting how much this little subthread recapitulates the experience of responding to the median bug bounty submission.

[a1369209993]

Well, modulo "responding to a submission" versus "reporting a vulnerabity", we can certainly agree on that at least.