Let's say that there is a company which does not have a firewall and it is possible to perform an enumeration of ports and services.
Could it be considered a vulnerability if it provides fingerprinting information? Or is it only considered a vulnerability to the process of exploitation?
To be more precise, I have found a port for a legit service that is not protected outside of their DMZ and is providing information to exploit some other real vulnerabilities in other services. In fact, it is providing the version of the MySQL server that they use which is quite old and highly vulnerable.
How should I notify it? If I cannot set a CVSS they will suppose that there is not any risk associated.