There was an internal discussion, and someone pointed to this article written by Scott Culp that describes what a “Security Vulnerability” is.
It’s actually a cool article, and rather nicely points out the definition of a vulnerability:
It also explains what all the terms in this definition mean – for instance:
Usurping: Privilege elevation vulnerabilities involve assuming unauthorized capabilities.
Examples: A flaw that allows an administrator to change the permissions on any file on the computer would not be a security vulnerability, because an administrator already has this capability. In contrast, if a flaw allowed an unprivileged user to do the same thing, it would constitute a security vulnerability.
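To make the "usurping" test concrete, here is an added example of my own (not code from this post or from Culp's article): a toy file system whose chmod operation either lacks or enforces an authorization check. Every principal, path and function name in it is invented for illustration. The point it shows is that the very same flaw is a security vulnerability when an unprivileged user reaches it and not when an administrator does, because the administrator was already authorized to do what the flaw permits.

```python
"""Added example, not from the original post: a toy permission model that
applies Culp's test ("does the flaw grant a capability the caller does not
already have?") to a chmod operation with a missing authorization check."""
from dataclasses import dataclass


@dataclass
class Principal:
    name: str
    is_admin: bool = False


@dataclass
class FileEntry:
    owner: str
    mode: int  # POSIX-style permission bits, e.g. 0o644


class ToyFilesystem:
    """A few files plus the intended policy for changing their mode."""

    def __init__(self) -> None:
        # Constructed sample data; nothing here is a real system.
        self.files = {
            "/etc/shadow": FileEntry(owner="root", mode=0o600),
            "/home/alice/notes.txt": FileEntry(owner="alice", mode=0o644),
        }

    def authorized_to_chmod(self, caller: Principal, path: str) -> bool:
        """Intended policy: administrators may change any file's mode;
        everyone else may change only files they own."""
        return caller.is_admin or self.files[path].owner == caller.name

    def chmod_flawed(self, caller: Principal, path: str, mode: int) -> None:
        """The flaw under discussion: the mode is changed with no
        authorization check at all, whoever the caller is."""
        self.files[path].mode = mode

    def chmod_fixed(self, caller: Principal, path: str, mode: int) -> None:
        """Corrected operation: enforce the policy before changing anything."""
        if not self.authorized_to_chmod(caller, path):
            raise PermissionError(f"{caller.name} may not chmod {path}")
        self.files[path].mode = mode


def is_security_vulnerability(caller: Principal, path: str, mode: int) -> bool:
    """Culp's test applied to the flawed chmod for one caller: the flaw is a
    security vulnerability for that caller only if it lets them do something
    the policy does not already authorize (a usurped capability)."""
    fs = ToyFilesystem()
    before = fs.files[path].mode
    fs.chmod_flawed(caller, path, mode)
    succeeded = before != mode and fs.files[path].mode == mode
    return succeeded and not fs.authorized_to_chmod(caller, path)


def fixed_chmod_allows(caller: Principal, path: str, mode: int) -> bool:
    """True if the corrected chmod lets this caller change the mode."""
    fs = ToyFilesystem()
    try:
        fs.chmod_fixed(caller, path, mode)
    except PermissionError:
        return False
    return fs.files[path].mode == mode


if __name__ == "__main__":
    root = Principal("root", is_admin=True)
    alice = Principal("alice")
    for who in (root, alice):
        print(
            f"{who.name}: making /etc/shadow world-readable through the flaw "
            f"is a security vulnerability: "
            f"{is_security_vulnerability(who, '/etc/shadow', 0o644)}"
        )
```

Run as a script, it reports that the flaw is not a vulnerability for root (root could already change any mode) but is one for alice (she gains a capability the policy never gave her). The corrected chmod still lets root and alice change what they are entitled to change and denies the rest, which is exactly the boundary Culp's definition draws.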
I’ve got to say that I like this definition, especially after it’s been spelled out in detail.