Vulnerability (computer security)
Adapted from Wikipedia
In computer security, vulnerabilities are weaknesses in a system that can be used by someone with bad intentions to cause harm. Even though experts work very hard to keep systems safe, most hardware and software still have small mistakes or “bugs.” If these bugs let someone break into a system or change how it works, they are called vulnerabilities. Poor ways of making software and very complicated designs can make it easier for these weaknesses to happen.
Managing vulnerabilities is an important job that includes finding which systems need the most protection, looking for weak spots, and then fixing them. This process often uses different steps like fixing the problem, finding ways to lessen the danger, or deciding to accept some risk.
Vulnerabilities are given scores to show how serious they are using something called the Common Vulnerability Scoring System. They are also listed in special databases like the Common Vulnerabilities and Exposures database. As of April 2026, this database had records of more than 327,000 different weaknesses.
A vulnerability starts when it is created in the hardware or software. It becomes a real problem when that software or hardware is being used. Someone might find the weakness — maybe the person in charge, the company that made it, or even someone outside. Telling everyone about the weakness publicly can make it more dangerous because bad people can use that information to attack systems before they are fixed. Finally, a vulnerability goes away when the system is updated with a fix or is no longer used.
Causes
Even when people try their best to keep computers safe, most hardware and software still have small mistakes called bugs. If a bug lets someone break into or harm a computer, it is called a vulnerability. Sometimes, fixes called patches are made to fix known vulnerabilities, but some problems can still be used before they are fixed.
Vulnerabilities can be made worse by how things are built or set up. For example, very big and complicated systems are more likely to have mistakes. Using common software can make it easier for someone to find these mistakes, but it also means fixes come more often. Being connected to the internet makes a system easier to attack, but sometimes it can't be avoided. Older systems are also more likely to have problems.
How software is made can also lead to vulnerabilities. If people making the software don’t know enough about keeping things safe, or if they are rushed, mistakes can happen. If checking for mistakes isn’t done well, some problems might be missed, but there are tools that can help find them. When many people need to change settings to add new features quickly, this can sometimes bring in new problems. Using services online instead of owning your own computers means you rely on someone else to keep things safe.
Vulnerabilities by component
Hardware
Main article: Hardware security bug
Sometimes, security problems can be put into hardware on purpose when it is made. These problems make the hardware act in unexpected ways under certain conditions. Checking for these issues in hardware is hard because it takes a lot of time and modern chips are very complicated.
Operating system
See also: Operating system § Security
Operating systems can have different security problems, but one common issue is when someone can get more access than they should. Operating systems like Linux and Android let anyone look at their code and help improve them, which might sometimes lead to security problems. But these issues can also happen in systems like Microsoft Windows and Apple operating systems. Companies that make operating systems regularly release fixes to solve these problems.
Client–server applications
Client–server applications are programs that people download to their computers. They are updated less often than websites and work directly with the computer’s operating system. Common problems with these programs include:
- Unprotected data that is stored on a computer or sent over the internet can be easily taken by attackers.
- Attackers can also take control of processes that are already running on a computer.
Web applications
Web applications are used on many websites. Because they are often less protected than other programs, they are a big reason why important information gets stolen. Problems in these applications can include:
- Mistakes in checking who can see or change data let attackers access information they shouldn’t.
- Programmers not thinking about all possible situations can lead to security issues.
Attacks against web applications include:
- Cross-site scripting (XSS) lets attackers add harmful code that runs when a person visits a website. This can happen when the website doesn’t check the information people send in correctly.
- SQL injection and similar attacks change how a website talks to its database to get unauthorized access to data.
- Command injection is when attackers add harmful code to parts of a website, sometimes taking control of the whole server.
- Cross-site request forgery (CSRF) tricks a person’s computer into doing things on a website without their knowledge, like changing their account details.
- Server-side request forgery is similar but the attack starts from the server and can use the server’s stronger access rights.
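To make the SQL injection and cross-site scripting items above concrete, here is an added example (not from the original article) that shows a vulnerable lookup and page fragment next to their hardened forms. It uses an in-memory SQLite table and a constructed sample input; all names are illustrative.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a web application's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "user"), ("bob", "admin")])
    return db


def lookup_vulnerable(db, name):
    # Glues the user's input into the SQL text, so the input can change the
    # meaning of the query instead of only the value being compared.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return sorted(db.execute(query).fetchall())


def lookup_hardened(db, name):
    # Parameterized query: the value travels separately from the SQL text and
    # is only ever treated as data, whatever characters it contains.
    rows = db.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return sorted(rows.fetchall())


def greet_vulnerable(name):
    # Reflects the input straight into HTML: any markup in it becomes part of
    # the page the visitor's browser runs.
    return f"<p>Hello, {name}!</p>"


def greet_hardened(name):
    # Escapes the input so the browser shows it as text rather than markup.
    return f"<p>Hello, {html.escape(name)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input that closes the quoted string early
    print(lookup_vulnerable(db, probe))  # every row comes back
    print(lookup_hardened(db, probe))    # no row has that literal name
    print(greet_vulnerable("<b>x</b>"))
    print(greet_hardened("<b>x</b>"))
```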
Taxonomy
Security bugs can be grouped into a few main types. These include problems with memory safety, like buffer overflows and dangling pointers, as well as race conditions where timing issues cause errors. Other common issues involve how software handles inputs and outputs, uses APIs incorrectly, manages use cases improperly, deals with exceptions, leaks resources, and fails to preprocess input strings before checking them.
Management
Main article: Vulnerability management
Keeping computer systems safe is tricky and not always easy to measure. Even with careful planning, it’s hard to stop every possible attack because perfect safety can be too expensive or hard to use. One way to help protect systems is to focus on the biggest risks first, especially when resources are limited.
To protect systems, people often use a mix of fixing problems, making attacks harder, and accepting some small risks. A common strategy is to build several layers of defense. Sometimes, companies only look for the most serious problems to save time and money. Fixing problems can include downloading updates to software. Tools can help find known issues and suggest fixes, but they aren’t perfect.
Testing a system by trying to break into it can show if there are weak spots. Some tests use special software, while others are done by experts pretending to be attackers. Many companies hire outside experts to test their systems.
Vulnerability lifecycle
Vulnerabilities start when weaknesses appear in hardware or software. These can be found by the company that made the software or by someone outside the company. It's best to tell the company right away so they can fix the problem.
Sometimes, governments or groups might keep these weaknesses secret to use them later, or they might tell the company to fix them. Even after a problem is known or fixed, it can still be a danger for a long time. Fixing these issues can take many months, and sometimes they are never fixed. Not everyone updates their software right away, which means the problem can still be used by someone who wants to cause trouble.
A vulnerability is no longer a concern when the software or the old versions are no longer used. This can take a very long time, especially for special software used in factories that cannot be easily replaced.
Assessment, disclosure, and inventory
When checking how serious a problem in a computer system might be, people often use a tool called the Common Vulnerability Scoring System, or CVSS. This system looks at how easy it is for someone to use the problem and what kinds of things they might be able to change or see because of it.
If someone finds a problem, they can tell everyone right away, which is called full disclosure, or they can wait until a fix is ready, known as responsible disclosure. Telling everyone right away can be good because it’s honest, but it can also make the system easier to attack until a fix is made. Some companies even offer rewards, called bug bounties, to people who tell them about problems. Not all companies like being told about problems this way, because it can cause extra work and legal issues. There are no laws that say who must tell about these problems. If someone finds a problem but doesn’t tell anyone, it’s called a zero-day vulnerability, which can be very risky because there aren’t many ways to protect against it.
The most well-known list of these problems is kept by the Mitre Corporation and is called Common Vulnerabilities and Exposures, or CVE. As of April 2026, it includes more than 327,000 problems. This list is shared with other databases, like the United States' National Vulnerability Database, which also uses CVSS and other systems to give each problem a risk score. However, these databases usually don’t include problems found in online services called software as a service. Companies can choose whether or not to share their problems with the CVE list.
Liability
Usually, the company that makes software is not responsible if someone uses a weakness in the software to cause problems. This can make companies focus more on saving money than on making very safe software. However, some companies must follow special rules, like PCI, HIPAA, and Sarbanes-Oxley, which require them to take good care of these weaknesses.
This article is a child-friendly adaptation of the Wikipedia article on Vulnerability (computer security), available under CC BY-SA 4.0.