Comment I don't care about SCADA. Vulnerabilities, I do. (Score 3, Insightful) 92
SCADA? I don't care about. Not directly. But the problem is that once the government says, "These aren't vulnerabilities or security holes. These are design issues," you've set the example, and other software vendors are going to follow.
Example: "The denial of service attack against your application is not a security vulnerability, it is just a design issue that everything locks up for a while if it gets an incoming packet, and tries to resolve the IP address against its authoritative DNS server while that DNS server is offline. We only do security fixes on old products / old releases. Sorry."
"Design issue, not a security vulnerability" is not a distinction you want easily drawn. Others will follow a government example if it is an easy out.