Vulnerability Response Integration with NVD release notes

  • Release version: Store
  • Updated June 11, 2026

    Version history for the Vulnerability Response Integration with NVD on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 30.3.1 - June 2026
    • Changed:
      • Admin console UI changes.
      • Migrated query access control definitions in National Vulnerability Database (NVD) to the standard product codebase, ensuring consistent access control enforcement.
    Version 30.3.0 - April 2026 (USEM)
    • Fixed: The Common Vulnerability Scoring System (CVSS) V4 score mapping to align with the latest NVD API response structure.
    • Changed: Added the no_audit_delete attribute to the NVD CPE key [sn_vul_nvd_cpe_key] table.
    Version 1.7.4 - April 2026
    • Fixed: The Common Vulnerability Scoring System (CVSS) V4 score mapping to align with the latest NVD API response structure.
    • Changed: Added the no_audit_delete attribute to the NVD CPE key [sn_vul_nvd_cpe_key] table.
    Version 1.7.1 - August 2025
    New: Create assessments without explicitly creating CPEs using the Version Range information that the National Vulnerability Database (NVD) provides.
    Version 1.6.1 - May 2025
    Changed: The 'Source' column in the reference table and the CPE field should be populated with 'NVD'. If any changes occur, only the CPE and references marked with the source 'NVD' should be deleted.
    Version 1.5.3 - December 2024
    Minor fixes for this release.
    Version 1.5.1 - November 2024
    New: The National Vulnerability Database (NVD) now includes entries for the Common Vulnerability Scoring System (CVSS) score 4.0 values.
    Version 1.4.5 - May 2024
    Fixed: The NVD integration now uses the secondary CVSS score when the primary CVSS score is unavailable.
    Version 1.4.3 - February 2024
    Changed: CVSS 3.0 is considered for processing if CVSS 3.1 is not present in the NVD response.
    Version 1.4.2 - November 2023
    Fixed: Updated the unmapped integration to use the cpesearch REST endpoint API so that fewer API calls are made to NVD when associating software with an NVD entry, if the NVD entry exists.
    Version 1.3.3 - August 2023 (Vancouver)
    • New: Created the following integrations to use NVD API version 2.0:
      • NIST National Vulnerability Database Integration - API (CPE only). This integration fetches CPEs.
      • NIST National Vulnerability Database Integration - API (Unmapped CPE). This integration maps CPEs with the CVEs.
    • Changed: Deprecated the existing integration, NIST National Vulnerability Database Integration - API (CVE and CPE).
    Version 1.2.0 - May 2022
    New: Added support for using API keys for calling NVD endpoints.
    Version 1.1.0 - October 2021
    • Changed:
      • Modifications to support changes to the CPE APIs done by NIST. These changes restrict CPE APIs by limiting date ranges to 120 days.
      • When you enter a start or end date for the optional parameters, you need to provide both the start and end dates.
    Version 1.0.3 - June 2021
    Fixed: The "source" attribute is populated in the Third-party entry table for NVD records. Vulnerable Software records from NVD are available as expected.
    Version 1.0.0 - February 2021
    • New:
      • Initial release.
      • Two NVD integrations that import CVE and CPE information from the NIST National Vulnerability Database (NVD).
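
The CVSS fallback rules in the notes for versions 1.4.3, 1.4.5 and 1.5.1, written out as an added example that is not ServiceNow's code: it reads the `metrics` object of an NVD API 2.0 CVE record, takes a Primary entry or else a Secondary one, uses CVSS 3.1 before 3.0, and reports CVSS 4.0 separately. The function names, the sample record and the choice to exhaust 3.1 entries before looking at 3.0 are assumptions.

```javascript
// Added illustration, not ServiceNow code. SAMPLE_METRICS is a constructed
// object shaped like the `metrics` field of an NVD API 2.0 CVE record.
const SAMPLE_METRICS = {
  cvssMetricV40: [{
    source: 'cna@example.test', type: 'Secondary',
    cvssData: { version: '4.0', baseScore: 8.7, baseSeverity: 'HIGH',
      vectorString: 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N' }
  }],
  cvssMetricV30: [{
    source: 'nvd@nist.gov', type: 'Primary',
    cvssData: { version: '3.0', baseScore: 7.5, baseSeverity: 'HIGH',
      vectorString: 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H' }
  }]
};

// Keep only entries that carry a numeric base score, then prefer the
// Primary entry and fall back to a Secondary one.
function pickEntry(entries) {
  const usable = (Array.isArray(entries) ? entries : [])
    .filter(e => e && e.cvssData && typeof e.cvssData.baseScore === 'number');
  return usable.find(e => e.type === 'Primary')
      || usable.find(e => e.type === 'Secondary')
      || null;
}

// Flatten one metric entry into the fields a vulnerability record needs.
function toScore(entry) {
  if (!entry) return null;
  const d = entry.cvssData;
  return { version: d.version, score: d.baseScore,
           severity: d.baseSeverity || null, vector: d.vectorString || null,
           source: entry.source || null, type: entry.type };
}

// CVSS 3.x: use 3.1 when the response has a usable 3.1 entry, otherwise 3.0
// (assumed ordering). CVSS 4.0 is reported on its own, never merged with 3.x.
function selectCvss(metrics) {
  const m = metrics || {};
  return {
    v3: toScore(pickEntry(m.cvssMetricV31)) || toScore(pickEntry(m.cvssMetricV30)),
    v4: toScore(pickEntry(m.cvssMetricV40))
  };
}

console.log(JSON.stringify(selectCvss(SAMPLE_METRICS), null, 2));
```

Keeping `source` and `type` beside each score lets an analyst see when a prioritization value came from a Secondary source instead of NVD's own analysis.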