Assessing a third party’s risk by counting bugs in the code may not be the...

Error messages are not part of the attack surface, which is the sum of all the points where an attacker can try to enter or extract data from a system. Error messages are the output of the system when something goes wrong, and they can reveal useful information to an attacker, such as the system version, configuration, or vulnerabilities. However, they are not directly associated with the attack surface. Input protocols, target processes, and access rights are all factors that can affect the attack surface, as they determine how the system interacts with the external environment and what resources are exposed or protected. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Security Engineering, page 587; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 3: Security Architecture and Engineering, page 375.