Vulnerability Management Program Best Practices (2026)

The Common Vulnerability Scoring System measures technical severity: attack vector, attack complexity, required privileges, user interaction required, and impact scope. These are useful inputs for understanding what a vulnerability does. They are poor inputs for prioritizing remediation because they do not measure whether the vulnerability is actually being exploited.

The consequence of CVSS-only prioritization is predictable: a team working through CVSSv3 Critical findings will spend weeks patching vulnerabilities with no public exploits, no exploitation history, and no threat actor interest — while a CVSSv3 Medium vulnerability with an active Metasploit module and documented exploitation in ransomware campaigns goes unaddressed because it ranked lower.

The empirical data is unambiguous. Approximately 5% of published CVEs are ever exploited in the wild, per Tenable Research. That means CVSS-only prioritization wastes 95% of remediation effort on vulnerabilities that pose no practical risk. The question vulnerability management programs need to answer is not 'how severe is this vulnerability theoretically?' but 'how likely is this vulnerability to be used against us in the next 30 days?'

Two data sources provide the exploitability context that CVSS lacks.

EPSS (Exploit Prediction Scoring System), maintained by FIRST, is a machine learning model that predicts the probability that a given CVE will be exploited in the wild within the next 30 days. EPSS scores range from 0 to 1 and are updated daily. A CVE with an EPSS score above 0.1 (10% probability of exploitation in 30 days) warrants significantly higher priority than a CVSS 9.8 CVE with an EPSS score of 0.001. EPSS is available via a free API and is increasingly integrated into commercial vulnerability management platforms (Tenable, Qualys, Rapid7 all expose EPSS data).

CISA's Known Exploited Vulnerabilities (KEV) catalog is a curated list of CVEs with confirmed exploitation in the wild. CISA adds CVEs to the KEV when it has evidence of active exploitation across the threat landscape. KEV listing is a stronger prioritization signal than any CVSS score — if CISA has confirmed exploitation, the vulnerability is actively being used. CISA's Binding Operational Directive 22-01 mandates KEV remediation within 15 days for federal agencies. For non-federal organizations, KEV status should trigger your most aggressive SLA tier.

Combine CVSS, EPSS, and KEV status with asset context (internet-facing vs. internal, business criticality, presence of compensating controls) to produce a risk score that reflects actual organizational exposure. This combination eliminates the majority of wasted remediation effort from CVSS-only programs.

SSVC (Stakeholder-Specific Vulnerability Categorization), developed by CISA in collaboration with Carnegie Mellon University's CERT/CC, provides a structured decision tree for vulnerability prioritization that incorporates organizational context that CVSS and EPSS cannot capture.

The SSVC decision tree for patch appliers (the defender's perspective) evaluates four factors in sequence: exploitation status (is the CVE publicly known? Is there a public exploit? Is it being actively exploited?), automatable exploitation (can the vulnerability be exploited at scale with minimal attacker effort?), technical impact (what level of system control does exploitation grant — partial or total?), and mission prevalence (how critical is the affected system to your organization's core operations?).

These four factors combine to produce one of four outcomes: track (monitor but no immediate action required), track with special attention (monitor more closely), attend (schedule remediation in your next patch cycle), or act (remediate immediately, within 24 to 96 hours). The SSVC decision tree is available as a free worksheet and is implementable without specialized tooling, making it accessible for programs that do not yet have EPSS API integration.

For large vulnerability programs, SSVC is most valuable as a triage tool for the vulnerabilities that EPSS and KEV do not cleanly categorize — those with moderate exploitation probability but uncertain organizational impact.

Asset inventory is the prerequisite for effective vulnerability management. You cannot scan assets you do not know exist, and shadow IT consistently represents the highest-risk vulnerability exposure in enterprise environments. Before optimizing scan frequency or prioritization methodology, establish a complete asset inventory — including cloud accounts, SaaS-hosted assets, and assets registered by lines of business outside IT.

Scan cadence by asset criticality: internet-facing assets and tier-0 infrastructure (domain controllers, PKI, backup infrastructure) require continuous or weekly scanning. Internal servers and endpoints require monthly scanning. After significant changes — new deployments, major software updates, firewall rule changes — trigger an immediate targeted scan of affected assets regardless of cadence.

SLA definition creates accountability. Without documented SLAs signed by asset owners, vulnerability remediation is permanently deprioritized by every other operational priority. Define SLAs by risk tier: KEV-listed CVEs within 15 days; Critical findings (CVSS 9.0-plus with EPSS above 0.1) within 7 days; High findings within 30 days; Medium findings within 90 days; Low findings within 180 days or accepted as tolerated risk. SLAs must be agreed by the remediation teams (typically IT operations, DevOps, or application teams), not unilaterally imposed by the security team.

Ticketing integration converts vulnerability scan data into accountable work items. Configure your scanner to create Jira or ServiceNow tickets automatically for findings above your SLA threshold, assigned to the team responsible for the affected asset based on CMDB ownership records. Bidirectional integration — the ticket closes when a rescan confirms remediation — eliminates the manual verification burden that kills ticketing programs.

Exception management is where vulnerability management programs most frequently fail. Without a structured exception process, every acknowledged but un-remediated vulnerability becomes an implicit exception — undocumented, unreviewed, and perpetually deprioritized.

A functional exception process requires: a formal risk acceptance form documenting the CVE, affected asset, business justification for non-remediation, compensating controls in place, and explicit acceptance by the asset owner and the CISO or designated risk authority. Exceptions must have an expiration date — maximum 90 days for High findings, 180 days for Medium. Expired exceptions require re-review; they do not auto-renew. The total number of active exceptions and their expiration dates are program metrics reported to leadership.

The metrics that indicate program effectiveness: Mean Time to Remediate (MTTR) by severity tier (tracks whether your SLAs are achievable in practice), SLA compliance rate (percentage of findings remediated within defined SLAs — target 90% or above for critical and high), exploitable percentage (percentage of your total finding inventory that has EPSS above 0.1 or KEV status — this number should decline over time), and internet-facing critical finding count (a leading indicator of breach risk). The metrics that create the illusion of progress: total vulnerability count (always goes up), scan coverage percentage (a process metric, not a risk metric), and number of patches applied (measures activity, not risk reduction).