Vulnerability management, in the context of information security, is a critical, but often overlooked aspect in a comprehensive security posture. Many organizations are limited by time and resources to simply fighting fires and operating in a reactive methodology. Without a clear, defined, and management-supported vulnerability management effort, an organization may continue to operate indefinitely with a reactive methodology. There are three overarching components of vulnerability management that are to be considered in this process: Vulnerability discovery -how does an organization become aware of existing or newly published vulnerabilities?Vulnerability notification -how does an organization communicate discovered vulnerabilities to those responsible for the affected system(s)?Remediation verification -how does an organization validate the remediation/justification responses of those responsible for remediation? In considering these three factors, I intend to communicate successful examples of vulnerability management from discovery to notification, remediation, and, finally, verification. Recommendations for organizations new to vulnerability management are also included.