Vulnerability Response implementation

  • Release version: Australia
  • Updated March 12, 2026

    Use the steps illustrated in the following images to download the Vulnerability Response application from the ServiceNow Store, install it on your ServiceNow AI Platform® instance, and configure it using the Setup Assistant.

    The following images illustrate an example installation and configuration of the base system, the Vulnerability Response application, and a third-party scanner application (the Qualys application). Required roles, mandatory tasks, and optional steps are also listed.

    • For more information about each step illustrated in the following images and a checklist with links to supporting documentation, see Implementation checklist for the Vulnerability Response application.
    • You can extend the concepts and sequence of steps presented in this example to installing and configuring other supported applications for Vulnerability Response. For a list of supported applications, see Installation of Vulnerability Response and supported applications.
    • The admin role is required to download and install the Vulnerability Response application and the Qualys Vulnerability application used for this example.
    • The admin role also assigns the Vulnerability admin [sn_vul.vulnerability_admin] persona and other Vulnerability Response persona roles to users and groups.
    Figure 1. Admin tasks
    Refer to the first section for links and a description of how to download, activate, and configure apps from within the Setup Assistant.

    The sn_vul.vulnerability_admin role configures the Vulnerability Response and Qualys applications in Setup Assistant and verifies expected results.

    Follow the steps and prompts in Setup Assistant starting with the Vulnerability Response Settings section to continue with the installation and configuration. Reviewing these settings helps you understand and verify the processes of Vulnerability Response as you continue to set up your environment.

    Role required: sn_vul.vulnerability_admin or, alternatively, admin.

    Figure 2. Vulnerability admin tasks
    Vulnerability admin tasks in the Setup Assistant under the Vulnerability Response Settings module and the Integration Configuration module.

    Starting with v30.0 of Vulnerability Response, the Administration console in the Security Exposure Management Workspace enables one-stop configuration for all Unified Security Exposure Management applications, including assignment rules, classification rules, and remediation targets. It provides consistent workflows across Vulnerability Response, Application Vulnerability Response, Container Vulnerability Response, and Configuration Compliance applications. For more information, see Configure rules to manage findings.

    Review the descriptions, default settings, and demo data that you installed with the applications in the following sections:

    • Vulnerability Assignment Rules - automatically assign vulnerable items (VIs) to the appropriate assignment group.
    • Remediation Task Rules - automatically group vulnerable items (VIs) as they are imported based on certain conditions.
    • Risk Calculators - Default Risk Calculator is enabled.
    • Remediation Target Rules - define remediation timelines for VIs and remediation tasks (RTs).
    • Review and edit the settings for the third-party applications and solutions you installed, and define conditions for your data imports. Enter your third-party account information and configure import settings, schedules, configuration item (CI) lookup rules, and other settings.

    See Implementation checklist for the Vulnerability Response application for more information.

    For additional information while customizing or implementing the Vulnerability Response application, see the Best Practices: Vulnerability Response Implementation for better performance Knowledge Base article [KB1157979].