Glossary · Security testing
What is Vulnerability Management?
Also known as: Vuln management, VM program
Vulnerability management is the ongoing process of identifying, prioritizing, and remediating security weaknesses across an organization's systems and software. It is a continuous cycle rather than a one-time scan, and it relies on standardized CVE identifiers and CVSS severity scores to track and rank issues.
Key takeaways
- Vulnerability management is a continuous identify, prioritize, remediate, and verify loop.
- It uses CVE identifiers to name vulnerabilities and CVSS scores to gauge severity.
- Prioritization should weigh real-world exploitability and exposure, not severity alone.
- It underpins many compliance requirements and a strong overall security posture.
What are the stages of the vulnerability management lifecycle?
Vulnerability management is best understood as a repeating lifecycle rather than a checklist. Most programs cycle through a few core stages on an ongoing basis, because new weaknesses appear constantly and yesterday's clean scan says nothing about today's risk.
- Discover and inventory assets so you know what you are protecting.
- Scan and assess those assets to find known weaknesses.
- Prioritize findings based on severity, exploitability, and business exposure.
- Remediate by patching, reconfiguring, or applying compensating controls.
- Verify the fix and feed results back into the next cycle.
How are vulnerabilities named and scored?
Two standards make vulnerability management tractable across vendors and tools. A CVE identifier gives each publicly disclosed vulnerability a unique, stable name, while a CVSS score expresses its inherent severity on a 0.0 to 10.0 scale. Together they let teams speak a common language about which issues exist and how serious they are in the abstract.
Crucially, a CVSS score describes a vulnerability's inherent severity, not your organization's specific exposure. A critical-rated flaw on an isolated, unreachable system may pose less actual risk than a medium-rated flaw on an internet-facing server holding sensitive data. Mature programs therefore combine these scores with context such as asset value, network exposure, and evidence of active exploitation.
How do you measure and prove the program works?
Effective programs track metrics like mean time to remediate, the age of open findings, scan coverage, and the proportion of critical issues resolved within target windows. These figures show whether risk is actually shrinking over time or simply being rediscovered each cycle.
Vulnerability management also feeds directly into compliance and audit obligations. Continuous control monitoring can turn remediation activity into ongoing evidence, while attack surface management helps confirm which exposed weaknesses an attacker could realistically reach.
Frequently asked questions
- Is vulnerability management the same as a vulnerability scan?
- No. A scan is a single point-in-time activity that detects known weaknesses. Vulnerability management is the broader, continuous program that prioritizes, remediates, verifies, and tracks those findings over time.
- How should teams prioritize which vulnerabilities to fix first?
- Prioritize by combining CVSS severity with real-world context: whether the vulnerability is being actively exploited, how exposed the affected asset is, and how valuable the data or system behind it is. Severity alone is a starting point, not a verdict.
- How does vulnerability management relate to compliance?
- Many frameworks require organizations to identify and remediate weaknesses on a defined schedule. A documented vulnerability management lifecycle, with evidence of timely remediation, satisfies these control requirements and strengthens audit readiness.