To provide read-only access to the Vulnerability report, create a custom role and grant the 'View' permission on 'Runtime Scan', on 'Registry Scan', or on both, depending on what the user should be able to view.
The "Vulnerability" permission is for viewing and managing the Vulnerability profile; it has nothing to do with the vulnerability report from the scan.