
Commit 5fe09ea

committed
fix
1 parent e6dc9be commit 5fe09ea

3 files changed

Lines changed: 18 additions & 0 deletions

File tree

fundamentals/threatmodel.md

Lines changed: 7 additions & 0 deletions
@@ -45,6 +45,13 @@ Below the core high level Python Treat model:
4545

4646
![python threat model](../images/threatmodel.png)
4747

48+
In strict security engineering, a weakness and a vulnerability are not the same thing.
49+
50+
- Weakness ([CWE)](https://cwe.mitre.org/index.html)): This is a type of flaw, mistake, or bug in software, hardware, or system architecture. It is an internal characteristic of the code or design (e.g., "failing to validate user input" or "using a weak encryption algorithm"). A weakness exists in a vacuum, regardless of whether it is deployed or targeted.
51+
52+
- Vulnerability [(CVE)](https://www.cve.org/About/Overview): This occurs when a weakness is actually present in a specific, deployable system, and an attacker can realistically exploit it to cause harm.
53+
54+
A weakness is Python code can become a vulnerability only when it exists in a real-world environment where it is reachable and exploitable by a threat.
4855

4956

5057
## STRIDE Threat Model
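Review bot: the CWE link markup in the first added bullet is malformed: `Weakness ([CWE)](https://cwe.mitre.org/index.html))` closes the link text too early and leaves a stray `)`, so it will not render as a link. It should read `Weakness ([CWE](https://cwe.mitre.org/index.html))`, matching the `Vulnerability [(CVE)](...)` bullet below it (ideally both in the form `([CWE](...))`). The closing sentence also has a typo: "A weakness is Python code" should be "A weakness in Python code". Minor: the unchanged hunk-header context still says "Python Treat model"; worth fixing to "Threat model" while touching this section.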

fundamentals/whatissast.md

Lines changed: 11 additions & 0 deletions
@@ -139,6 +139,8 @@ To use a Python SAST scanner effectively, it is vital to understand the differen
139139
**Weakness (or potential security issue):**
140140
A weakness is a flaw, error, poor design choice, or unsafe programming practice in your code that *might* create security problems under certain conditions. It represents an increased risk, but it is not necessarily exploitable in your specific context.
141141

142+
Weaknesses do not create or lead to threats; rather, they act as an open door for existing threats.
143+
142144
Examples in Python:
143145

144146
- Using `eval()` on user input. This is a weakness because it allows arbitrary code execution **if** misused.
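Review bot: the added sentence "Weaknesses do not create or lead to threats; rather, they act as an open door for existing threats" uses "threats" to mean threat actors (the file later says "A Threat (the hacker)"), while the STRIDE section in threatmodel.md uses "threat" for a category of attack. Consider saying "threat actors" or "attackers" here so readers do not read it as "weaknesses cannot lead to a STRIDE threat". Also note that this sentence makes the weakness the "open door", which matters for the wording chosen later in the same file.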
@@ -154,8 +156,17 @@ A vulnerability is a weakness that can be **actually exploited** by an attacker
154156

155157
:::{important}
156158
A weakness becomes a vulnerability only when the right conditions, inputs, and attacker capabilities align. Many weaknesses remain harmless in practice, while others can become critical depending on how and where the application runs.
159+
160+
So: Weaknesses lead to vulnerabilities, not threats.
157161
:::
158162

163+
Example:
164+
1. A developer introduces a Weakness (e.g., forgets to sanitize inputs).
165+
2. Because this code is deployed in a live environment, it becomes a Vulnerability (an open door).
166+
3. A Threat (the hacker) discovers the vulnerability and exploits it.
167+
4. This results in a Security Incident or breach. But this security incident can be **prevented** when using a Python SAST tool before deployment.
168+
169+
159170
### Why This Distinction Matters
160171

161172
Not every issue reported by a SAST tool needs urgent fixing. However, every weakness should be **evaluated** rather than ignored. Treating weaknesses seriously significantly reduces the likelihood of exploitable vulnerabilities appearing later.
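Review bot: step 2 of the added example ("Because this code is deployed in a live environment, it becomes a Vulnerability") contradicts the `:::{important}` text directly above it, which says a weakness becomes a vulnerability only when conditions, inputs and attacker capabilities align. Deployment alone is not sufficient; suggest "Because this code is deployed where the unsanitized input is reachable by an attacker, it becomes a Vulnerability". In the same step, "(an open door)" now labels the vulnerability as the open door, whereas the earlier added sentence in this file calls the weakness the open door; pick one. Step 4's "can be **prevented** when using a Python SAST tool" overstates what SAST does: it can detect the weakness so it is fixed before deployment, it does not prevent the incident by itself; "can often be prevented by detecting and fixing the weakness with a SAST tool before deployment" is more accurate. Style: "Weakness", "Vulnerability" and "Threat" are capitalized mid-sentence here but lowercase everywhere else in the file, and "the hacker" would be better as "an attacker".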

images/threatmodel.png

-11.7 KB