The term 'vulnerability' is often mentioned in connection with computer security, in many different contexts.
In its broadest sense, the term 'vulnerability' is associated with some violation of a security policy. This may be due to weak security rules, or it may be that there is a problem within the software itself. In theory, all computer systems have vulnerabilities; whether or not they are serious depends on whether or not they are used to cause damage to the system.
There have been many attempts to clearly define the term 'vulnerability' and to separate the two meanings. MITRE, a US federally funded research and development group, focuses on analysing and solving critical security issues. The group has produced the following definitions:
According to MITRE's CVE Terminology:
[...] A universal vulnerability is a state in a computing system (or set of systems) which either:
MITRE believes that when an attack is made possible by a weak or inappropriate security policy, this is better described as 'exposure':
An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:
When trying to gain unauthorized access to a system, an intruder usually first conducts a routine scan (or investigation) of the target, collects any 'exposed' data, and then exploits security policy weaknesses or vulnerabilities. Vulnerabilities and exposures are therefore both important points to check when securing a system against unauthorized access.