Comparing operating system vulnerabilities to non-operating system vulnerabilities requires determining whether a particular program or component should be considered part of an operating system. This is not always a simple and straightforward question to answer, given the componentized nature of modern operating systems. Some programs (media players, for example) ship by default with operating system software but can also be downloaded from the system software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions, like a graphical user interface (GUI) or Internet browsing.

To facilitate analysis of operating system and browser vulnerabilities, the Security Intelligence Report distinguishes between three different kinds of vulnerabilities:

• Operating system vulnerabilities are those affecting the Linux kernel; or components that ship with an operating system produced by Microsoft, Apple, or a proprietary Unix vendor, and defined as part of the operating system by the vendor, except as described in the next paragraph.
• Browser vulnerabilities are those affecting components defined as part of a web browser. This includes web browsers that ship with operating systems, such as Windows Internet Explorer and Apple’s Safari, along with third-party browsers, such as Mozilla Firefox and Google Chrome.
• Application vulnerabilities are those affecting all other components, including components published by operating system vendors and other vendors. Vulnerabilities in open source components that may ship with Linux distributions (such as the X Window System, the GNOME desktop environment, GIMP, and others) are considered application vulnerabilities.