With hundreds of thousands of software vulnerabilities to manage, security and risk (S&R) professionals don’t know where to start. Remediation priority has often been tied to Common Vulnerability Scoring System (CVSS) scores, which don’t consider what’s most important for your specific organization, attack feasibility, active threats, and other aspects of security programs. This report discusses how to prioritize vulnerability remediation using an identification, prioritization, and response framework.