[kortilla]

If I can cause a server to not serve requests to anyone else in the world by sending a well crafted set of bytes, that’s absolutely a vulnerability because it can completely disable critical systems.

If availability isn’t part of CIA then a literal brick fulfills the requirements of security and the entire practice of secure systems is pointless.

[staticassertion]

> If I can cause a server to not serve requests to anyone else in the world by sending a well crafted set of bytes, that’s absolutely a vulnerability because it can completely disable critical systems.

Well obviously I reject that, right? That's sort of my point.

> If availability isn’t part of CIA then a literal brick fulfills the requirements of security and the entire practice of secure systems is pointless.

That doesn't follow at all. If I say "availability is an operational concern and not a security concern" it does not follow then that "remote code execution is not a security concern" whatsoever.

[kortilla]

No, the answer to every security concern can be “don’t attach it to a network” in your view. That’s why it’s so incredibly stupid to not have availability in the framework.