Exception Management for Unified Security Exposure Management release notes

  • Release version: Store
  • Updated June 11, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Exception Management for Unified Security Exposure Management Release Notes

    Exception Management for Unified Security Exposure Management (USEM) is a ServiceNow application designed to help organizations efficiently handle and document vulnerability exceptions. It provides a structured and controlled process for requesting, reviewing, and approving exceptions to vulnerable findings. This ensures transparency, compliance, and audit readiness while streamlining operational workflows and maintaining risk visibility.

    Show full answer Show less

    The release notes cover versions from January to June 2026, detailing new features, improvements, bug fixes, and important upgrade information related to USEM.

    Key Features

    • Bulk Editing and Processing: Supports bulk editing of Risk Reduction actions and bulk approval or rejection of exception requests, significantly reducing manual effort in high-volume workflows.
    • Smart Assessment Integration: Enhanced support for Smart Assessment in exception templates and risk reduction requests, including template versioning for safer upgrades and category role support for configurable assessment-driven workflows.
    • Improved User Interface: Updates include clickable summary cards in the approval UI, removal of confusing UI buttons on new AVIT creation forms, and list view improvements to enhance usability.
    • Dashboard Enhancements: New KPI tiles for Expiring Exceptions, Exception Extensions, and Repeated Rejections provide approvers and managers with insightful exception lifecycle and health metrics.
    • Configuration and Maintenance: Migration of form read-only configurations to the standard product codebase improves maintainability. Exception Rule configurations can now be included in update sets for easier change management across environments.
    • Security and Access Controls: Updated access controls ensure that only authorized users can request exceptions and design questionnaires, addressing previous ACL bypass vulnerabilities.

    Key Outcomes

    • Enhanced efficiency and reduced operational bottlenecks through bulk processing capabilities and workflow automation.
    • Improved maintainability and upgrade safety with standardized configurations and template versioning support.
    • Greater transparency and compliance by capturing detailed exception justifications and providing comprehensive dashboard KPIs.
    • Resolved critical bugs related to workflow execution, performance degradation, state transitions, and security vulnerabilities, ensuring a stable and secure exception management environment.
    • Facilitated smooth migration to the USEM architecture with a dedicated Migration Assistant, ensuring a safe upgrade path from legacy Vulnerability Response applications.

    Important Considerations

    Customers upgrading from Vulnerability Response to USEM must use the Migration Assistant to avoid issues. For those not ready to upgrade, it is advised to select a version below 30.x when installing or upgrading the application.

    Version history for the ServiceNow® Exception Management for Unified Security Exposure Management application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.
    Version 30.5.0 - June 2026 (USEM)
    • New: Bulk edit now supports Risk Reduction, letting users evaluate and process risk reduction requests across multiple vulnerable items at once. - The Risk Reduction option via the Request Exception option now supports Smart Assessment.
    • Changed:
      • Migrated security exception form read-only configuration to the standard product codebase, improving maintainability and simplifying future updates.
      • Updated access controls so the Request Exception action is correctly displayed for authorized users.
    • Fixed: Application Vulnerability Response and Container Vulnerability Response remediation task deferral-extension workflow issues.
    Version 30.4.1 - June 2026
    • New: Added Smart Assessment versioning support for Exception templates to enable safer and more controlled template upgrades on customer instances.
    • Changed:
      • Migrated security exception form read-only configuration to the standard product codebase, improving maintainability and simplifying future updates.
      • Updated access controls so the Request Exception action is correctly displayed for authorized users.
      • Enhancements to support template-related record updates. You might see improved performance for record updating.
    • Fixed:
      • Application Vulnerability Response and Container Vulnerability Response remediation task deferral-extension workflow issues.
      • Issues that were identified during unit-test coverage improvements.
    Version 30.3.4 - May 2026
    • Fixed:
      • An issue where conditional questionnaires failed to trigger on exception submission after upgrading to Unified Security Exposure Management (USEM), affecting both pre-upgrade and newly created questionnaire configurations.
      • The out-of-memory error and platform node restart caused by the scheduled job responsible for refreshing Change Approval fields. The job now completes successfully within memory limits.
      • An issue where cancellation and deletion operations on exception rules did not execute as expected.
    Version 30.3.2 - April 2026
    • Fixed:
      • An issue where vulnerable items were not transitioning to a closed state after their associated detections were closed, because the exception rule scheduled job was not checking for the closed state on finding records.
      • A performance degradation in USEM ingestion caused by redundant repeated queries to the findings configuration table during exception processing. A static method has been implemented for invocation that eliminates the unnecessary per-instance overhead.
      • The bulk approve and reject modal incorrectly opening for non-eligible records, preventing approvers from inadvertently acting on records that do not qualify for bulk processing. List view layout enhancements might improve usability.
      • Resolved VIT records incorrectly remaining in a "Deferred" state after an Exception Rule was deleted, caused by deferral fields not being cleared properly during final state transitions.
      • Fixed a security vulnerability where the "Design new questionnaire" UI action could be accessed by unauthorized users due to an ACL bypass, ensuring only permitted users can access questionnaire design functionality.
      • Resolved multiple exception management issues in the Risk Reduction and Questionnaire approval flows, including incorrect state transitions and edge cases in approval handling.
    • Changed:
      • Introduced Bulk Approve and Reject capability for approvers, enabling them to process multiple exception requests simultaneously from a single list view, which can help with significantly reducing manual effort for high-volume approval workflows.
      • Added new KPI tiles to the Exception Management dashboard for Expiring Exceptions, Exception Extensions, and Repeated Rejections, giving approvers and managers additional visibility into exception health and lifecycle trends.
      • Exception Rule configurations can now be added to update sets, allowing administrators to capture and promote exception rule changes across environments as part of standard change management processes.
      • Improved the Approval UI with clickable summary cards, providing a more intuitive navigation experience for approvers reviewing and actioning exception requests.
      • Added support for category_roles in Smart Assessments and enabled quick editing of assessment templates, improving configurability of assessment-driven exception workflows.
      • Removed unnecessary UI action buttons (Resolve and Close) from the new AVIT creation form, preventing user confusion and unintended actions on records that have not yet been fully saved.
    Version 30.2.1 - January 2026
    • Note:
      This app version is intended for Unified Security Exposure Management (USEM), a significant architectural upgrade to the Vulnerability Response applications. If you are currently using Vulnerability Response and upgrading to USEM for the first time, you must use the Migration assistant for Unified Security Exposure Management to ensure a safe and successful upgrade. If you do not intend to upgrade to USEM, please select a version below 30.x when installing or upgrading.
    • Exception Management enables organizations to efficiently handle and document vulnerability exceptions. It provides a controlled process for requesting, reviewing, and approving exceptions to vulnerable findings, ensuring transparency and compliance. By automating workflows and capturing exception justifications, it helps reduce operational bottlenecks while maintaining risk visibility and audit readiness.