Bottom-up

The bottom-up approach is where ground-level staff initiate action to implement a new initiative. In the context of a vulnerability management program, the action flow in a bottom-up approach would look similar to the following:

  1. A junior member of the system administrator team identifies a vulnerability in one of the systems
  2. He reports it to his supervisor and uses a freeware tool to scan other systems for similar vulnerabilities
  3. He consolidates all the vulnerabilities found and reports them to his supervisor
  4. The supervisor then reports the vulnerabilities to higher management
  5. The higher management is busy with other activities and therefore fails to prioritize the vulnerability remediation
  6. The supervisor of the system administrator team tries to fix a few of the vulnerabilities with the help of the limited resources he has
  7. A set of systems remains vulnerable because no one is particularly interested in fixing them

What we can notice in the preceding scenario is that all the activities were unplanned and ad hoc. The junior team member was doing a vulnerability assessment on his own initiative without much support from higher management. Such an approach would never succeed in the long run.
