For Software Vendors
For software manufacturers, vulnerability management is above all a quality control requirement and a way to prevent loss of reputation.
Software manufacturers systematically search for vulnerabilities in their own software in a variety of ways, for example through code analysis, black-box and white-box testing, and penetration tests. In addition, they receive reports of potential or confirmed vulnerabilities from external stakeholders such as customers or security researchers.
The software vendor evaluates these reports together with its own findings, defines a workaround if one is needed, and takes care of remediating the vulnerability.
This usually results in a security patch, typically combined with a security advisory and, where appropriate, the request for and assignment of a CVE ID.