This document outlines key performance indicators and key risk indicators for vulnerability management across various categories. It identifies 19 metrics for measuring the effectiveness of vulnerability detection and scanning, vulnerability assessment, patch management, asset classification, reporting and analytics, compliance and auditing, incident response, vulnerability scanning, vendor and third-party risk management, and training and awareness programs. Example metrics include vulnerability remediation rates, patch compliance rates, accuracy of vulnerability reporting, and timeliness of incident response.