Originally Posted by Thine Wonk:
“IETF RFC 2828 defines vulnerability as:
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
Seeing as the PIN on the phone is optional, and seeing as there is an option to enable Siri on the lock screen or not, I would consider this NOT to be a security vulnerability.
It is an optional security feature which can be enabled if the user is concerned about simple physical unauthorised access.
The feature can be enabled or disabled to reflect the level of security the user requires. There is no weakness in the design or implementation; the features can clearly be turned on or off, and by default they are off.
I don't bother with a PIN on my phone because I keep it in my pocket and never leave it on a desk and walk away. Other people I know at work leave their phones on their desks and then go off to meetings, leaving their colleagues to silence it when it rings etc. Annoying!!!”
That is a somewhat contrived explanation. If Windows shipped with DEP, ASLR, the firewall, UAC and driver signing all switched off by default, you could equally well apply your arguments and definitions to that not being a vulnerability: it's a security feature that is not enabled by default.
And that would be wrong. The obvious thing to do in all these cases is to enable the security feature by default and allow the informed user to turn it off if they wish. You could even prompt the user....