What is a Vulnerability in software security?
A weakness — in design, configuration, procedures, or code — that lets a threat cause harm if it's realized.
A vulnerability is any characteristic of a system (its location, security posture, design, security procedures, internal controls, or implementation) that permits a threat or hazard to occur. It's the "open door" — on its own it causes no harm, but it's what an attack needs to succeed.
Vulnerabilities come in several categories — not just buggy code:
| Category | Example |
|---|---|
| Implementation (code) bugs | Buffer overflow, SQL injection, missing input validation |
| Design flaws | Sending passwords in plaintext, no authentication on an API |
| Configuration weaknesses | Default admin password left unchanged, an S3 bucket set to public |
| Procedural / human | No patch process, employees who fall for phishing |
Degree of vulnerability is a qualitative or quantitative expression of how susceptible the system is to harm when a threat is realized (this is what scores like CVSS try to capture).
Why it matters: Secure coding eliminates the implementation-bug category, but it can't fix a weak design, a misconfiguration, or a missing patch process — those need secure design, hardening, and good operational procedures as well.