Vulnerability Management

Since management is a systematic approach to achieving a goal or set of goals, I define vulnerability management by combining the definitions from Wikipedia and the NIST CSRC Glossary and extending them as follows:

Vulnerability management is the cyclical practice of identifying, classifying, prioritizing, remediating, and validating vulnerabilities in an information system, its system security procedures, internal controls, or implementation, in order to mitigate risk.

Wikipedia

Vulnerability Management is the “cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities. (Wikipedia)

NIST CSRC Glossary

In a narrow sense, "vulnerabilities" may refer only to those listed in the Common Vulnerabilities and Exposures (CVE) catalog, each identified by a CVE ID.

For example, vulnerability management is “an ISCM capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.” (NIST CSRC Glossary) Here ISCM stands for information security continuous monitoring, the program described in NIST SP 800-137.

In a broader sense, vulnerability is a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” (NIST CSRC Glossary)

Internal security controls are hardware, firmware, or software features within an information system that restrict access to resources to only authorized subjects. (NIST CSRC Glossary)
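To make the five-step cycle in the definition above concrete, here is a small model of it in Python: identification by matching an asset inventory against vulnerability records, classification into CVSS severity bands, prioritization that ranks known exploitation and internet exposure above raw score, remediation by upgrading to the fixed version, and validation by re-running identification. This is an added illustration, not code from the original post or from any scanner product; the inventory and records are constructed sample data, and the identifiers of the form CVE-EXAMPLE-n are placeholders rather than real CVE entries.

```python
"""Minimal model of the vulnerability-management cycle.

Added illustration, not code from the original post. The inventory and
vulnerability records are constructed sample data; identifiers of the
form CVE-EXAMPLE-n are placeholders, not real CVE entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    package: str
    version: str
    internet_exposed: bool


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str         # placeholder id, not a real CVE
    package: str
    fixed_in: str        # first version that is no longer affected
    cvss: float          # CVSS v3 base score, 0.0 to 10.0
    exploit_known: bool  # exploitation in the wild is known


@dataclass(frozen=True)
class Finding:
    asset: Asset
    record: VulnRecord
    severity: str
    priority: tuple


def parse_version(version: str) -> tuple:
    """Dotted numeric version to a comparable tuple. Assumes plain numeric
    components; pre-release tags are out of scope for this illustration."""
    return tuple(int(part) for part in version.split("."))


def classify(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def identify(inventory, records):
    """Steps 1 and 2: match installed versions against records and classify."""
    findings = []
    for asset in inventory:
        for rec in records:
            if rec.package != asset.package:
                continue
            if parse_version(asset.version) < parse_version(rec.fixed_in):
                # Known exploitation and internet exposure outrank raw score
                priority = (rec.exploit_known, asset.internet_exposed, rec.cvss)
                findings.append(Finding(asset, rec, classify(rec.cvss), priority))
    return findings


def prioritize(findings):
    """Step 3: highest-priority finding first."""
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def remediate(inventory, finding):
    """Step 4: upgrade the affected package on the affected host.
    Returns a new inventory; the input is left unchanged."""
    target = (finding.asset.host, finding.asset.package)
    fixed = parse_version(finding.record.fixed_in)
    out = []
    for a in inventory:
        if (a.host, a.package) == target and parse_version(a.version) < fixed:
            a = Asset(a.host, a.package, finding.record.fixed_in, a.internet_exposed)
        out.append(a)
    return out


def validate(inventory, records, finding):
    """Step 5: re-run identification and confirm the finding is gone."""
    return not any(f.asset.host == finding.asset.host
                   and f.record.vuln_id == finding.record.vuln_id
                   for f in identify(inventory, records))


def run_cycle(inventory, records):
    """One full iteration. Returns (ordered findings, inventory after
    remediation, ids of findings whose fix failed validation)."""
    ordered = prioritize(identify(inventory, records))
    current, failed = inventory, []
    for finding in ordered:
        current = remediate(current, finding)
        if not validate(current, records, finding):
            failed.append(finding.record.vuln_id)
    return ordered, current, failed


# Constructed sample data (hosts, packages and records are fictional)
INVENTORY = [
    Asset("web-01", "libexample", "1.2.3", internet_exposed=True),
    Asset("db-01", "libexample", "1.2.3", internet_exposed=False),
    Asset("db-01", "othertool", "2.0.0", internet_exposed=False),
    Asset("build-01", "othertool", "2.1.0", internet_exposed=False),
]
RECORDS = [
    VulnRecord("CVE-EXAMPLE-1", "libexample", "1.2.4", 9.8, exploit_known=False),
    VulnRecord("CVE-EXAMPLE-2", "othertool", "2.1.0", 6.5, exploit_known=True),
]

if __name__ == "__main__":
    ordered, patched, failed = run_cycle(INVENTORY, RECORDS)
    for f in ordered:
        print(f"{f.asset.host:9} {f.record.vuln_id:14} {f.severity:8} {f.priority}")
    print("remaining:", len(identify(patched, RECORDS)), "failed:", failed)
```

Two points the sample data is chosen to show: build-01 is not flagged because it already runs the fixed version, and the Medium finding on db-01 is ranked above both Critical ones because exploitation is known, which is the kind of context a CVSS score alone does not carry. In a real program the inventory comes from an asset database or agent, the records from the CVE/NVD feeds, and the version comparison must handle the ecosystem's own versioning rules.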
