Security vulnerabilities may be placed into two groups: design vulnerabilities and implementation vulnerabilities.
Design vulnerabilities exist due to poor design or a design that does not take into account the security requirements for a particular protocol, network, system, or application. (Compare these to implementation vulnerabilities, which are discussed next.)
Implementation vulnerabilities are a result of bad or inadequate implementation of a system designed with security in mind (compare these to design vulnerabilities). Most often, the targets are widely-used software, such as BIND, sendmail, and FTP servers.