vulnerability

This is a tricky word, especially in application security or cybersecurity. The simple definition in a software context is that the code has some problem that could be exploited by someone at some point. Some think of it only as a piece of code with a proven exploit, i.e., a static analysis violation that comes with a stack trace and the values used. This is a very narrow definition that probably doesn’t help improve the state of the art. I prefer the idea that it’s code that is exploitable based on the body of knowledge (as encapsulated in software coding standards).