Which of the following activities identifies but does not exploit vulnerabilities?

Penetration testing involves simulating attacks on a system to exploit vulnerabilities actively. Unlike static analysis, penetration tests are designed to demonstrate the potential impact of vulnerabilities by actually exploiting them, which is contrary to the activity of merely identifying vulnerabilities.

Dynamic analysis tests a running application to identify vulnerabilities by monitoring its behavior during execution. While it can reveal vulnerabilities in real-time, it often involves testing under attack conditions, which can lead to exploitation of identified weaknesses, thus deviating from the goal of merely identifying vulnerabilities.

Bug bounty programs invite ethical hackers to find and report vulnerabilities in exchange for rewards. This activity encourages the exploitation of vulnerabilities to demonstrate their existence and severity, which again contrasts with the objective of identifying vulnerabilities without exploiting them.