A typical vulnerability management policy in an organization defines the time in which an identified vulnerability must be fixed or mitigated. Ideally, the time period for fixing the vulnerability as specified in the policy must be strictly followed. However, there might be exceptions where vulnerability mitigation has slipped the due dates. This metric attempts to identify vulnerabilities that have crossed the mitigation due date. Such vulnerabilities may need priority attention.