Vulnerability work started for me on 7 July 1999 with the discovery of buffer overflows in vCalendar software. I had just joined OUSPG and started to try out the first alpha versions of testing tools developed in the PROTOS project. The years that followed brought forth a number of test sets - WAP, SIP, HTTP, SNMP - and a veritable plenitude of vulnerability. Later I joined CERT-FI, where I had to change my perspective from testing to trying to cope with the prevalence of software flaws within our society. In this presentation, I try to summarise a part of my findings along the way, on the pains of vulnerability researchers, reporters, coordinators as well as the developers trying to enhance their products, and the end user. The most important aspect of vulnerability handling is that it is a problem of resource limitations. The researchers try to maximise their productivity in terms of vulnerability sophistication, volume and impact, all considered hard research problems. Coordinators and reporters try to relay this information to the vendor in a clear and concise manner, while avoiding false positives, hype and needless pressure. Developers and vendors have goals ranging from protecting their customers to making revenue. The meeting of these disparate actors and motivations invoke extraordinary situations. Technical vulnerability itself is a fickle thing, mutating through changes of environment and valuation. Demonstrations of exploitability was first required, then waived only to be practically required again later. The test set has died, while trivial vulnerabilities are reborn in new application areas. I will present post-mortems on vulnerability coordination projects I have been involved with, including recent CERT-FI disclosures. Coordination is riddled with delays, communication overhead, leaks, miscommunication and arguments of principle. While the goal of a majority of the vulnerability scene is to protect the end users, their needs remain forgotten throughout most vulnerability disclosure processes. From a pragmatic point of view, protecting the society from the ill effects of vulnerabilities requires conclusion, collaboration and control. We are mostly failing, and the problem of vulnerability extends far beyond the mere implementation level issues discussed in this presentation.