A vulnerability is a shortcoming in a service, either inherent or contextual.
Vulnerabilities can take many forms:
- Product flaws that impact users.
- Missing features with significant user demand.
- Operational abuse or alienation of noteworthy slices of the user population.
A vulnerability may or may not be exploitable; when analyzing vulnerabilities, list them all regardless, and leave the matter of exploitability to the action plan writers.