Upon review of the STIX 2.0 standard I have found what appears to be a missing relationship between the Indicator and Vulnerability objects. It would seem prudent that an "Indicator" object would be able to "indicate" a "Vulnerability". However the draft standard does not list this as a defined type of relationship. I believe this is an important relationship for the standard, as being able to publish proactive indicators that indicate a vulnerability would be very beneficial to detect and remediate a vulnerability before it is exploited by an adversary.
Thanks for your consideration in adding this to the standard.
Terrance McKay
Critical Infrastructure Analyst
Idaho National Laboratory