A vulnerability refers to an intrinsic flaw built into the software or hardware of a device that is often well-known and can be exploited in some way. A risk, on the other hand, considers environmental, configuration, behavioral, and security policy-related factors in addition to one or more underlying vulnerabilities. This distinction is important because some risks appear in the device details page but not on the Vulnerabilities page, and yet they can influence the severity level that IoT Security assigns to a vulnerability.

IoT Security considers a vulnerability to be potential when it applies to a specific device type, model, and version number and one or more devices match the specified device type but their model and/or version number are unknown. Similarly, a device is considered to be potentially vulnerable for the same reason.

A vulnerability can also be considered potential if it only applies to devices with certain serial numbers and there are devices whose serial numbers are unknown but match the vulnerability description in all other regards.