A 5-level maturity model (Reactive through Strategic) for vulnerability management programs, graded across five dimensions: Scan Coverage, Triage Quality, Remediation Ops, Stakeholder Engagement, and Visibility & Reporting. Where linear models reduce a program to one number, VM³ exposes the dimensional variance that drives actual prioritization. Includes mappings to NIST 800-171 (CMMC), PCI DSS v4.0, and SOC 2. CC BY 4.0.