As an exercise, this seems reasonable for the most part. In principle, many different attacks could exploit the same set of vulnerabilities, so I'd model that as many-to-many (1..* - 1..*). In the real world, there is no one correct/canonical way to do it - it all depends on what the application is about. If it's made for an existing business or an organization, it depends on how they think about the stuff they are going to use this application for. On top of that, it's possible for different developers to model the same thing differently, and end up with roughly the same functionality.
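As an added example (mine, not from the original poster or the thread), here is the many-to-many modelling the reply above argues for, carried into a concrete schema: an attack table, a vulnerability table, and a junction table holding one row per "this attack exploits this vulnerability" pair. The table and column names, and the sample attacks and weaknesses, are constructed assumptions for illustration; the point is the junction table with its composite key and foreign keys, plus the checks (duplicate links rejected, links to unknown rows rejected, links removed when an attack is deleted) that make the relation hold up in practice.

```python
"""Junction-table model of attacks <-> vulnerabilities (hypothetical schema)."""
import sqlite3

# Assumed schema, not from the original thread.
SCHEMA = """
CREATE TABLE attack (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE vulnerability (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
-- Junction table realising the 1..* - 1..* relation. The composite primary
-- key forbids recording the same link twice; the foreign keys forbid links
-- to rows that do not exist and remove links when either side is deleted.
CREATE TABLE attack_vulnerability (
    attack_id        INTEGER NOT NULL REFERENCES attack(id) ON DELETE CASCADE,
    vulnerability_id INTEGER NOT NULL REFERENCES vulnerability(id) ON DELETE CASCADE,
    PRIMARY KEY (attack_id, vulnerability_id)
);
"""

# Constructed sample data (generic weakness names, not real findings).
SAMPLE_ATTACKS = ["credential stuffing", "session hijacking", "stored XSS"]
SAMPLE_VULNS = [
    "weak password policy",
    "missing HttpOnly on session cookie",
    "unescaped user input",
]
# Several attacks can share one weakness, and one attack can need several.
SAMPLE_LINKS = [
    ("credential stuffing", "weak password policy"),
    ("session hijacking", "missing HttpOnly on session cookie"),
    ("session hijacking", "unescaped user input"),
    ("stored XSS", "unescaped user input"),
]


def link(conn: sqlite3.Connection, attack: str, vuln: str) -> None:
    """Record that `attack` exploits `vuln`; refuses unknown names."""
    cur = conn.execute(
        """INSERT INTO attack_vulnerability (attack_id, vulnerability_id)
           SELECT a.id, v.id FROM attack a, vulnerability v
           WHERE a.name = ? AND v.name = ?""",
        (attack, vuln),
    )
    # INSERT ... SELECT inserts zero rows silently if a name is unknown,
    # so check the row count instead of trusting the call succeeded.
    if cur.rowcount == 0:
        raise KeyError(f"unknown attack or vulnerability: {attack!r}, {vuln!r}")


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO attack (name) VALUES (?)", [(a,) for a in SAMPLE_ATTACKS])
    conn.executemany("INSERT INTO vulnerability (name) VALUES (?)", [(v,) for v in SAMPLE_VULNS])
    for attack, vuln in SAMPLE_LINKS:
        link(conn, attack, vuln)
    return conn


def vulnerabilities_for_attack(conn: sqlite3.Connection, attack: str) -> list[str]:
    rows = conn.execute(
        """SELECT v.name FROM vulnerability v
           JOIN attack_vulnerability av ON av.vulnerability_id = v.id
           JOIN attack a ON a.id = av.attack_id
           WHERE a.name = ? ORDER BY v.name""",
        (attack,),
    ).fetchall()
    return [r[0] for r in rows]


def attacks_for_vulnerability(conn: sqlite3.Connection, vuln: str) -> list[str]:
    rows = conn.execute(
        """SELECT a.name FROM attack a
           JOIN attack_vulnerability av ON av.attack_id = a.id
           JOIN vulnerability v ON v.id = av.vulnerability_id
           WHERE v.name = ? ORDER BY a.name""",
        (vuln,),
    ).fetchall()
    return [r[0] for r in rows]


def duplicate_link_rejected(conn: sqlite3.Connection, attack: str, vuln: str) -> bool:
    """True if the composite key stops the same link being stored twice."""
    try:
        link(conn, attack, vuln)
    except sqlite3.IntegrityError:
        return True
    return False


def remove_attack(conn: sqlite3.Connection, attack: str) -> None:
    """Delete an attack; its junction rows go with it via ON DELETE CASCADE."""
    conn.execute("DELETE FROM attack WHERE name = ?", (attack,))


if __name__ == "__main__":
    db = build_db()
    print(attacks_for_vulnerability(db, "unescaped user input"))
    print(vulnerabilities_for_attack(db, "session hijacking"))
```

The same structure carries over to an ORM or a UML class diagram: the junction table is the association class between the two entities, and any attributes that belong to the pairing (how an attack exploits a given weakness, for instance) live there rather than on either side.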