Company:
Date Published:
Author: Ari Kalfus
Word count: 3023
Language: English
Hacker News points: 1

Summary

Ari Kalfus and Tim Lisko from DigitalOcean share their experience of redesigning their vulnerability management program to incorporate a "security debt" approach, which has resulted in proactive self-service remediation by product owners, improved accountability, and a more nuanced understanding of security risk. By measuring the amount of time security issues remain unresolved past an expected remediation timeframe, teams are incentivized to prioritize high-severity issues first, reducing timeline disruption and enabling business leaders to take ownership of security work. The approach has been well-received by stakeholders across the organization, with some even adopting similar models for their own metrics. DigitalOcean's experience highlights the importance of collaboration, feedback, and continuous improvement in implementing effective vulnerability management programs.