5 exercises — one wrong verb in a security report or policy changes the entire meaning. These collocations appear in CVE writeups, pentest reports, compliance policies, and incident reviews.
Verb–noun pairs in this set
exploit a vulnerability — actively weaponise a flaw; vs. discover = find it in testing
disclose a vulnerability — responsible disclosure to the vendor; vs. publish = go public
audit access rights — formal, documented review; stronger than review or check
assess the risk — standard verb in risk management; vs. calculate (quantitative)
revoke access — formally withdraw a permission grant; paired antonym: grant access
1 / 5
A penetration test report reads:
"During the engagement, our security researcher was able to ___ a critical SQL injection vulnerability in the login endpoint to extract all records from the users table — including password hashes."
Which verb is the correct technical choice here?
"Exploit a vulnerability" means to actively take advantage of a security flaw to cause harm, gain access, or extract data — to use it maliciously. This is distinct from finding it: discover/find/identify a vulnerability = detect that it exists during assessment; exploit a vulnerability = weaponise it and cause damage. A pentest report says "our tester was able to exploit the vulnerability" to prove real-world impact. In a responsible disclosure report you would say: "we discovered the vulnerability and notified the vendor". Core security vocabulary: exploit (verb, noun), vulnerability, attack surface, proof of concept (PoC). Never confuse: discover (find in a lab/audit) ↔ exploit (use in an attack).
2 / 5
A CVE writeup describes a researcher's decision:
"Following responsible disclosure principles, the researcher ___ the vulnerability to the vendor and allowed 90 days for a patch before publishing the technical details."
Which verb is the standard term for the formal act of sharing vulnerability details with the affected vendor?
"Disclose a vulnerability" is the industry-standard term for formally communicating the details of a security flaw to the affected party (usually the vendor/developer) before making the information public. The entire practice is called responsible disclosure or coordinated vulnerability disclosure (CVD). Key phrases: "disclose to the vendor", "disclosure timeline", "full disclosure", "zero-day (undisclosed vulnerability)". "Publish" is what happens after the disclosure period — you publish a CVE, a blog post, or a technical writeup, but you disclose to the vendor first. "Announce" is too public and informal. "Declare" is not used in security contexts. The noun form: "disclosure policy" (how long researchers must wait before going public — usually 90 days, per Google Project Zero's standard).
3 / 5
A DevSecOps team policy states:
"To prevent privilege creep, the team must ___ all user access rights quarterly — generating a formal access report for each service."
Which verb best describes a formal, documented review of access permissions?
"Audit access rights" is the precise term for a formal, systematic, and documented review of who has access to what — and whether that access is appropriate. It implies a structured process with records, often required for compliance (SOC 2, ISO 27001, PCI DSS). An access audit produces artefacts: access reports, exception logs, remediation tickets. Compare: review access = read through it informally; check access = verify a specific permission quickly; audit access = systematic formal review generating a documented record. Related terms: access control list (ACL), principle of least privilege, privilege creep (when users accumulate permissions over time beyond their needs), access review (process), IAM audit (Identity and Access Management audit). Usage: "we audit access rights quarterly and revoke anything unused for 30 days."
4 / 5
A DevSecOps checklist item reads:
"Before launch, the security team must ___ the risk of every third-party dependency — including CVE history, maintenance status, and licence compliance."
Which verb is the standard collocation in risk management English?
"Assess the risk" is the standard phrase in security, compliance, and risk management. It is the correct verb in a wide range of formal contexts: "assess the risk of a dependency", "assess the blast radius", "conduct a risk assessment". The noun is: risk assessment. The full process: identify → assess → treat → monitor. "Calculate the risk" implies a numerical formula — appropriate for actuarial or financial contexts, but not the standard in software security. "Measure the risk" is similarly quantitative and less common. "Review the risk" suggests looking at an existing risk register, not the initial evaluation. Other standard collocations: assess a vulnerability, assess the impact, assess the attack surface, threat assessment, risk appetite. Usage: "before every major release we assess the risk of new third-party packages added to the build."
5 / 5
A security policy for employee offboarding states:
"All access to production systems, databases, and internal tools must be ___ immediately upon notification of termination — before the employee's last day."
Which verb is the correct technical term for formally withdrawing access permissions?
"Revoke access" is the precise technical and legal term for formally withdrawing a previously granted permission or credential. It implies a deliberate act against a specific grant — you revoke a certificate, a token, a licence, an API key, or access permissions. This is the word used in IAM systems, certificate authorities, OAuth flows, and compliance documentation. "Remove access" is informal and technically correct but less precise — "remove" is generic. "Delete access" suggests erasing a record, which is different from revoking a grant. "Cancel access" is non-standard in security contexts. Real-world usage: "revoke the OAuth token", "certificate revocation list (CRL)", "revoke admin privileges", "RBAC — role revocation on offboarding". IAM tools (Okta, AWS IAM) use "revoke" throughout their interfaces. Learn the pattern: grant access ↔ revoke access — these are paired antonyms in access control.