Is a denial-of-service a vulnerability?
I always like to ask questions that make everyone answer immediately with what they are sure is the right answer, and then tell them that they haven't thought it through.
The title of this post is one such question. The answer is "yes", right?
Sometimes, yes, but sometimes, no.
Let's think about it a little.
The obvious vulnerability related to a denial-of-service is when you're trying to provide a service to numerous users, and an outage will cost you (money, usually).
But what about a browser denial-of-service?
If I visit some hacker's web site, and it closes my browser, what happens, really?
Unless you're particularly hard of thinking, you simply don't visit that web site again.
Yes, you have to go further into that "it closes my browser" mention, because that might just be a null-pointer dereference, which just stops the browser cold, or it might be an exploitable buffer overflow that you can only exploit occasionally.
But if it's really just a denial-of-service - and the only thing it does is to stop or close the browser - it's not really a security issue. It's a pain, and a reminder not to visit that site again, but it's not a threat to your security, and you can wait to apply that patch.
Am I wrong?