I would like to offer a slightly different way of thinking about the concept of vulnerability.
Vulnerability, in the context of information security, refers to one or more weaknesses and, following their exploitation, the probability of damage to data, information systems and/or processes.
Vulnerability as a concept originates in human life: a human weakness that endangers the body and/or the soul/mind, and thus increases the risk of injury to the person in question.
Vulnerability is something passive, a kind of existing characteristic, one that a person who has it will probably wish to strengthen or fix as soon as possible, to reduce the possibility of damage.
If a "regular" computer bug hits a system's calculation or processing, its stability or its performance, the bug is usually triggered unintentionally, when certain cases occur; some of these originate from a standard human operation of the system and some from an automatic process.
Vulnerability, in my view, is a special case of a bug, but an important one: it would not be a bug, nor would it materialize, without human malice, as in many cases in human life (except, perhaps, Denial-of-Service actions, which may (barely) be considered an inability to meet a high volume of legitimate operational activity).
A vulnerability is a bug that is initiated and realized only when there is a malicious human intent behind it.
Both humans and computerized systems can exist for a long time without being damaged while a vulnerability exists within them, if they live in an environment that is not hostile or malicious.
Without a human-originated initiative to exploit a vulnerability, we can say that the risk the bug represents does not really exist, because no action was taken to reveal or exploit the vulnerability.
Many times, when thinking of information security, we tend to concentrate on its technological side (and therefore also look only for technological solutions), and ignore or neglect the aspects of human behavior that are essentially inherent in this profession (and also in the parallel occupations of safety and physical security), which are harder for us to deal with, both personally and as an organization: the human malicious intent.
(This post is a translation of a post from my Hebrew information security blog, from 10-May-2008)