Vulnerability lifecycle: Discovery (found by researcher/attacker) → Reporting (to vendor) → Patch development → Coordinated disclosure → CVE published → Exploitation spikes → Patch deployment.
The window between CVE publication and patch deployment is the critical risk period. Exploitation attempts spike within 24-72 hours of CVE publication. CISA KEV = being actively exploited = emergency patch. Risk-based patching focuses effort on this window.