Recently we spoke about malicious software (malware). The basis of every malicious software is exploit. The foundation of every exploit is vulnerability. Vulnerability -> Exploit -> Malware Vulnerability without exploit is useless. Vulnerability is a flaw in the software. It can be anything. For example, vulnerability is that you can steal all the data if you take a hard disk from the server. But the server is usually well secured, and by no means, without severe risk, you can do that. So exploit for your vulnerability does not exist. It is essential that you can use the vulnerability. The number of vulnerabilities is much more than the number of exploits, and no one worries about pure vulnerabilities. In fact slightly worries, because someone may develop an exploit later, but you understand what I mean, right? If you go for bug bounty, an exploit is an essential criterion for whatever vulnerability you found. When reading news, clearly separate these terms. Vulnerability on its own bears almost no risk unless exploit is available in the wild.