About VMRG
The Vulnerability Management Research Group (VMRG) is a global, vendor-neutral community focused on improving how organizations identify, prioritize, and remediate vulnerabilities at scale.
Our members include practitioners, academics, students, product builders, and security executives who share a common goal: to move vulnerability management beyond raw severity scores and toward context-aware, evidence-driven risk management.
Research & Focus Areas
We research and publish on topics including:
- Vulnerability management operating models and program design.
- Prioritization methods that combine exploitability, exposure, and business context.
- Metrics, KPIs, and reporting that align with risk, not just volume or SLA compliance.
- Automation, orchestration, and data pipelines for large-scale vulnerability management.
- Asset and attack surface discovery as foundations for effective remediation.
- Human factors, training, and leadership models for vulnerability management teams.
- Comparative analysis of commercial and open-source VM tools and platforms.
Our Community
Global Companies
We work with organizations of all sizes – from startups to large multinational enterprises – to:
- Review and benchmark vulnerability management programs and processes.
- Offer independent feedback on tooling, data flows, and governance structures.
- Provide advisory input on roadmaps, organizational design, and team skills.
Universities & Cybersecurity Degree Programs
VMRG partners with universities and cybersecurity programs to ensure that the next generation of professionals gains real-world insight into vulnerability management.
- Guest lectures, panels, and practitioner-led workshops.
- Collaborative research projects with faculty and graduate students.
- Curriculum feedback from industry practitioners and security leaders.
- Opportunities for students to contribute to open research and publications.
Vulnerability Risk Model (VRM 3.0)
VMRG is the steward of the Vulnerability Risk Model (VRM 3.0), an open framework designed to help organizations move from static severity ratings to context-aware risk scoring.
VRM 3.0 integrates factors such as:
- Base severity (e.g., CVSS and similar scores).
- Exploit probability and threat intelligence.
- Exposure, compensating controls, and environmental context.
- Business impact and data sensitivity considerations.
VRM 3.0 will be released at:
https://vulnerabilityriskmodel.com
Release status: Coming soon.
How to Get Involved
VMRG is an open, invitation-friendly community. If you work in or study vulnerability management and would like to participate, there are several ways to get involved:
- Collaborate on research studies, surveys, and whitepapers.
- Share anonymized lessons learned, case studies, and post-implementation reviews.
- Contribute to the evolution of the Vulnerability Risk Model (VRM 3.0).
- Host or join local and virtual meetups, study groups, and roundtables.
- Partner as a university, training provider, or vendor-neutral research sponsor.
To express interest in membership, partnerships, speaking, or research collaboration, please contact us.
Contact
Email: info@vmrg.org
When you reach out, you may optionally include:
- Your name, role, and organization.
- Whether you are a practitioner, student, academic, or executive.
- How you would like to participate (research, partnership, membership, speaking, etc.).
We are a global group and welcome participation from all regions and time zones.