Vulnerability Response release notes

  • Release version: Store
  • Updated June 11, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response release notes

    The Vulnerability Response (VR) application in ServiceNow offers comprehensive capabilities to manage and remediate vulnerabilities across IT environments. It integrates with multiple vulnerability assessment tools, supports exception and deferral management, and provides workspace-driven user experiences for vulnerability managers and IT remediation teams. The solution continuously evolves with performance optimizations, enhanced integrations, and improved user workflows to help organizations reduce risk and streamline vulnerability remediation.


    Key Features

    • Integration Health Diagnostics: Enables administrators to monitor the health and performance of VR integrations effectively, ensuring reliable vulnerability data ingestion.
    • Questionnaire Versioning and Exception Management: VR supports versioning of questionnaires for safer upgrades, and enhanced exception management workflows with configurable questionnaires to gather detailed context during exception requests.
    • Improved Localization and Access Controls: Expanded localization support and refined access controls enhance usability for non-English users and authorized personnel managing exceptions and remediation tasks.
    • Risk Rating and SLA Automation: New vulnerable items inherit approved reduced risk ratings and corresponding SLA targets automatically, improving consistency and reducing manual effort.
    • Workspace Enhancements: Vulnerability Manager, IT Remediation, Security Exposure Management, and Penetration Test Workspaces offer advanced filtering, reporting, bulk editing, and improved UI stability, helping users efficiently prioritize and remediate vulnerabilities.
    • Application Vulnerability Response (AVR): Supports import and management of application vulnerabilities, including Software Composition Analysis (SCA) and secrets data, with enhanced triaging and remediation workflows.
    • Exception Rules and Deferral Extensions: Enables automatic deferral of vulnerable items with exception rules, including extension requests and expiration handling, integrating tightly with remediation task states.
    • Compensating Controls: Allows remediation owners to request risk rating reductions by submitting compensating control proofs via exception management.
    • Integration Updates: Support for GitHub, Tenable endpoint scanning, Wiz Application Vulnerability Response, Common Security Advisory Framework (CSAF), and others enhance data accuracy and solution automation.
    • Performance Optimizations: Database indexing, multithreaded background jobs, and optimized scheduled jobs reduce system resource consumption and speed up processing times for large data sets.
    • Manual Ingestion and Duplicate Identification: Supports proactive manual ingestion of vulnerabilities and identification of potential duplicate vulnerable items from multiple scanners.
    • Auto-Close Rules: Automatically close stale or decommissioned vulnerability items based on configurable rules, maintaining an up-to-date vulnerability inventory.
    • Role and Access Management: Granular role-based access controls and updated personas improve security and user permission management within VR Workspaces.

    Fixes and Improvements

    • Resolved issues related to incorrect state transitions, visibility restrictions for read-only users, and remediation task synchronization.
    • Fixed errors in date handling, UI rendering, and background job processing to improve stability and user experience.
    • Addressed integration-specific bugs such as failed data imports, incorrect assignment behavior, and notification inaccuracies.
    • Enhanced compatibility with various date formats and localization settings to support global deployments.
    • Removed obsolete files and deprecated features to optimize application performance and maintainability.

    What ServiceNow Customers Can Expect

    By leveraging Vulnerability Response, customers can expect a robust platform to centrally manage vulnerabilities, automate remediation workflows, and integrate seamlessly with leading vulnerability scanners and security advisories. The solution’s continuous enhancements deliver improved performance, better exception and deferral handling, and deeper insights through advanced dashboards and workspaces. Customers benefit from streamlined vulnerability lifecycle management, enabling their security and IT teams to reduce exposure and respond faster to emerging threats.

    ServiceNow customers should review the application listing on the ServiceNow Store for system requirements and compatibility details before upgrading or installing new versions. Activating relevant system properties and configuring integration settings will enable optimal use of new features and performance improvements.

    Version history for the Security Operations Vulnerability Response application on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 30.6.0 - June 2026 (USEM)
    • New:
      • Enhanced Vulnerability Response (VR) Integration Health Diagnostics to help administrators monitor the health and performance of VR integrations more effectively.
      • Added versioning support for VR questionnaires, enabling safer and more controlled upgrades to questionnaire templates on customer instances.
    • Changed:
      • Improved localization support across Vulnerability Response for non-English users.
      • Updated GitHub integrations to display informational messages.
      • Updated access controls so authorized users can correctly view and use the Request Exception action.
      • Improved the Delete Application Vulnerability Item (AVIT) action under the new integration framework by updating related access controls and descriptions.
      • Improved the Application Remediation Task deferral extension upgrade flow to ensure cleaner upgrades for non-USEM jobs.
      • Optimized Vulnerability Response database indexing to reduce storage consumption and improve query performance.
    • Fixed:
      • Security fixes.
      • Fixed visibility issues in the Security Exposure Management workspace dashboard and Solutions list for read-only users.
      • Fixed an issue where newer vulnerability detections could be incorrectly marked as INVALID while older detections remained active.
    • Removed:
      • Removed an obsolete file related to VR questionnaire data delivery.
      • Removed deprecated indexing attributes from Vulnerability Response dictionary definitions as part of ongoing performance optimization.
    Version 30.4.4 - June 2026 (USEM)
    • New:
      • Enhanced Vulnerability Response (VR) Integration Health Diagnostics to help administrators monitor the health and performance of VR integrations more effectively.
      • Added versioning support for VR questionnaires, enabling safer and more controlled upgrades to questionnaire templates on customer instances.
    • Changed:
      • Improved localization support across Vulnerability Response for non-English users.
      • Updated GitHub integrations to display informational messages.
      • Updated access controls so authorized users can correctly view and use the Request Exception action.
      • Improved the Delete Application Vulnerability Item (AVIT) action under the new integration framework by updating related access controls and descriptions.
      • Improved the Application Remediation Task deferral extension upgrade flow to ensure cleaner upgrades for non-USEM jobs.
      • Optimized Vulnerability Response database indexing to reduce storage consumption and improve query performance.
    • Fixed:
      • Security fixes.
      • Fixed visibility issues in the Security Exposure Management workspace dashboard and Solutions list for read-only users.
      • Fixed an issue where newer vulnerability detections could be incorrectly marked as INVALID while older detections remained active.
    • Removed:
      • Removed an obsolete file related to VR questionnaire data delivery.
      • Removed deprecated indexing attributes from Vulnerability Response dictionary definitions as part of ongoing performance optimization.
    Version 26.7.1 - June 2026
    • Changed:
      • Updated GitHub integrations to display informational messages and improved application vulnerability item (AVIT) form behavior for generic secret scan types.
      • Improved visibility handling for HTTP request and response sections in AVIT forms.
      • Updated the Delete AVIT action under the new integration framework by improving related access controls and descriptions.
      • Updated Vulnerability Compensating Approval unassign actions to correctly capture entered work notes as the reason.
      • Improved security enforcement for grouped data retrieval operations by consistently applying Access Control List (ACL) validation.
    • Fixed: Resolved an issue where request extension processing could become stuck when handling a large number of related tasks.
    • Removed: Reverted a previous deferral extension utility change to restore prior application behavior.
    Version 30.3.3 - April 2026
    • New:
      • New vulnerable items ingested after a risk reduction is approved now automatically inherit the reduced risk rating and the corresponding SLA target.
      • Remediation plan fields are now consistently displayed and editable across all finding types with state-aware behaviour - editable when awaiting implementation, read-only when resolved or closed.
      • Integration drill-down is now supported for integrations built on the new integration framework, with a clear message shown when an integration does not comply with the Vulnerability Response integration framework or guidance.
      • Advanced Settings in the Security Exposure Management (SEM) workspace now provides a centralised panel for viewing and managing key system properties, including descriptions and configurable options.
      • Integration run report status charts now use system theme-aware colors, ensuring consistent appearance in both light and dark modes.
      • Import application vulnerability response data that includes application, Software Composition Analysis (SCA) and secrets data with the Wiz Application Vulnerability Response Integration.
      • The sn_vul.rerun_task_rules system property for rerunning assignment rules was changed to sn_sec_rem.rerun_task_rules. Users must activate this property (set to 'true') in order to rerun assignment rules.
    • Fixed:
      • An issue where using Split Task multiple times on the same vulnerability caused the page to redirect to an incorrect record instead of the newly created one.
      • An issue where users with a dd/MM/yyyy date format received a "Planned end date must be in the future" error when creating a change from a remediation task in the workspace.
      • An issue where reopening a resolved remediation task did not reopen its associated resolved vulnerable items.
      • An issue where the substate reason was incorrectly cleared on vulnerable items during rollup and rolldown when multiple linked items had differing close reasons.
      • A flickering issue on the Dashboard page when loading the IT Remediation and Vulnerability Manager workspaces.
      • An issue where the Bulk Edit Unassign operation left background jobs stuck in a Processing state with no records updated.
      • An issue where an application vulnerable item could not be closed after being marked as Resolved — the record remained in the Resolved state instead of transitioning to Closed.
      • An issue where the Initial Detection and Last Open Detection widgets on the vulnerable item overview displayed the same port value regardless of which detection was referenced.
      • An issue where Split Vulnerable Item (VI) by proof was not functioning correctly even when a vulnerability was explicitly added to the proof key configuration.
      • An issue where a duplicate remediation task was created when a vulnerable item was reopened with the auto-defer property enabled.
      • An issue where Vulnerability Assessments were not accessible from the Security Event Management (SEM) workspace.
      • A regression where core Vulnerability Response workspaces (Vulnerability Manager, IT Remediation, SEM) were no longer visible in the Workspace menu after installation.
      • An issue where the auto-close rule applied the wrong close note — items closed as Fixed were incorrectly labelled as Decommissioned.
      • A performance issue where solution records were being updated repeatedly by a background process, causing unnecessary excessive database writes.
    Version 26.6.2 - April 2026
    • New: Compensating controls now correctly propagate to all Vulnerable Items in a Remediation Task, including those linked after the initial configuration.
    • Changed:
      • The unified daily collection job has been split into application-specific jobs, significantly reducing overall processing time.
      • Performance on Configuration Compliance tables has been improved by removing unnecessary record update calls within business rules, reducing database load.
    • Fixed:
      • An issue where reopening a Remediation Task did not automatically reopen its associated resolved Vulnerable Items, leaving the workflow out of sync.
      • An issue where Split Vulnerable Item (VI) by proof key was silently failing due to a type comparison error, even when the vulnerability was correctly mapped in the proof key configuration.
      • An issue where automated exception rule jobs continuously re-triggered out-of-the-box (OOB) notification rules, resulting in repeated duplicate alert emails.
      • An issue where the SUSE solution integration failed with a missing attachment error, preventing solution records from updating correctly.
      • An issue where using Split Task multiple times on the same vulnerability caused page redirection to fail.
      • Fixed a date format incompatibility (dd/MM/yyyy) that caused errors on the Change Creation form, preventing Change records from being created in affected locales.
      • An issue where the Bulk Edit Unassign action left the Vulnerability Job stuck in a Processing state, blocking further operations.
      • Fixed intermittent flickering on the Dashboard page within the IT Remediation workspace during initial page load.
      • An issue where the close reason entered for False Positive vulnerabilities was unexpectedly cleared, requiring users to re-enter the information.
      • Fixed the Vulnerable Item overview to display port values from the detection record rather than the vulnerable item record, ensuring accurate Initial Detection and Last Open Detection data.
      • Fixed two related issues that caused duplicate open Remediation Tasks to be created when a Vulnerable Item was reopened or an exception was rejected.
      • An issue where a solution record's invalidation timestamp was being updated repeatedly even when the update status was already marked complete, causing unnecessary database writes.
      • Restored core Vulnerability Response workspaces (Vulnerability Manager, IT Remediation, Security Event Management) that were missing from the Workspace menu on fresh installations.
      • An issue where Vulnerable Item records displayed "Closed – Decommissioned" instead of "Closed – Fixed", ensuring closure reasons are accurately recorded.
      • Fixed the Qualys KnowledgeBase import to remove CVE-to-QID associations when the scanner source no longer reports that relationship, preventing stale mappings from persisting.
    Version 30.2.5 - January 2026
    • Changed:
      • Added support for the cmdb_ci attribute as part of the detection uniqueness criteria. You can now use cmdb_ci in combination with port, protocol, and proof, or use it as an alternative to asset_id, to uniquely identify and create detections based on your requirements.
      • You might see improved performance with enhancements to the Solution metric [Process Vulnerability Solution Metrics Queue] scheduled job.
    • Fixed:
      • Resolved VCA state transition issues in risk reduction workflows for both questionnaire-based and non-questionnaire scenarios.
      • Added default sorting functionality for Requested Approvals relationship lists.
      • Addressed multiple issues in the Penetration Testing Workspace, including form rendering errors that prevented vulnerability records from loading and being accessed.
      • Fixed CI matching and field population issues during manual vulnerability ingestion, resolving errors encountered when using Reapply Lookup Rules.
      • Fixed an issue where State Change Approval records in Draft or In Review states for a Vulnerability Item (VIT) False Positive or Exception request were not cancelled when the associated remediation task was moved to Deferred or Closed / False Positive, ensuring the VIT state is updated correctly.
    Version 26.5.3 - January 2026
    • Changed: Added support for the cmdb_ci attribute as part of the detection uniqueness criteria. You can now use cmdb_ci in combination with port, protocol, and proof, or use it as an alternative to asset_id, to uniquely identify and create detections based on your requirements.
    • Fixed:
      • Resolved VCA state transition issues in risk reduction workflows for both questionnaire-based and non-questionnaire scenarios.
      • Fixed a UI issue where False Positive and Exception section headers were not displayed correctly.
      • Addressed multiple issues in the Penetration Testing Workspace, including form rendering errors that prevented vulnerability records from loading and being accessed.
      • Fixed CI matching and field population issues during manual vulnerability ingestion, resolving errors encountered when using Reapply Lookup Rules.
      • Fixed an issue where State Change Approval records in Draft or In Review states for a Vulnerability Item (VIT) False Positive or Exception request were not cancelled when the associated remediation task was moved to Deferred or Closed / False Positive, ensuring the VIT state is updated correctly.
    • Removed: Dependency on app-secops-common.
    Version 26.2.2 - September 2025
    • Fixed:
      • A scheduled job that rolls up exploits instead of keeping them as events. You might experience an increase in performance.
      • Date validation for vulnerable item (VIT) deferrals in the legacy UI. Valid dates are no longer rejected, and an error message is no longer displayed if you select dates within a 12-month period.
      • Policy exception handling logic properly identifies the closed status of vulnerabilities. The system maintains vulnerabilities in the "Closed" state as expected when policy exceptions are applied.
      • State management logic properly processes VIT states when a parent vulnerability is deleted during an active exception request review. The system updates the state of linked VITs as expected when their parent vulnerability is removed.
      • Comment handling logic to prevent unintended state changes on vulnerability remediation tasks when comments are added to rejected or closed policy exceptions. The system maintains the current state of remediation tasks, regardless of comment activity on inactive policy exceptions.
      • Enhanced vulnerability detection logic that maintains previously approved exception statuses. The system maintains the appropriate exception-approved state for VITs when the same vulnerability is detected again, preventing them from automatically transitioning back to an "Open" state.
      • Logic handling for remediation target rules in the Application Vulnerability Response system. The system interprets and applies these rules as expected, ensuring that remediation targets are set appropriately based on the defined criteria.
      • Rule evaluation engine so that it processes and applies conditions as expected that are based on the risk ratings in remediation target rules. The system interprets risk rating conditions and applies the appropriate remediation timeframes based on the configured rules.
      • The data transfer mechanism between remediation tasks and change requests that maintains the Short description field. The system preserves the complete short description text when generating change requests from remediation tasks.
      • UI rendering logic for the 'VI per CI Class' widget to display only valid filter elements. The system displays only valid filters, and empty filter options are not available.
      • Refactored the affected business rules so that the current.update() method is implemented according to the platform's best practices. The implementation updates records with appropriate validation and error handling.
      • Optimized the VulnerabilityUtils initialization process by implementing a more efficient approach to handle auto-close rules. The system uses a cached approach that only queries auto-close rules when they are needed, not during every initialization.
      • The full text from the Description field of a remediation task is copied to the change request's Description field to preserve the complete context when a change request is created from a remediation task. Additionally, the remediation task's Short description field content is copied to the change request's Short description field.
    Version 26.1.4 - August 2025
    • Changed: Manual termination of background jobs is now enabled for Vulnerability Response Exposure Assessment tasks.
    Version 26.0.13 - June 2025
    • Fixed:
      • If you request an extension for an exception rule, multiple approvals are not generated.
      • Exception rules are automatically approved when created by users with granular roles.
      • The Overview page in workspaces will display in Dark mode if you select it in your user preferences.
      • For reimported vulnerable items (VITs), the state roll-up will occur if the Last seen dates are older than the Resolution dates.
      • Editing existing remediation target rules no longer results in duplicated histories.
      • Assignment groups for VITs linked to third-party entries (TPEs) are updated after Tenable imports them, following the execution of lookup rules.
      • A runtime error in detection processing can occur if multiple detections have the same Last found date.
      • When you change your target rules and select Apply Changes, only the remediation target rules marked for reapply are executed.
      • The Running total is displayed on the Default Risk Rule for vulnerability calculators.
      • Configuration item (CI) attributes on VITs are updated to reflect changes in corresponding discovered items.
      • The DetectionBase script include automatically updates the ip_address, DNS, netbios, port, protocol, SSL, and proof fields. Note: To roll these updates up to discovered items and VITs, you must activate the sn_vul.show_last_open_detection system property. This update process may affect system performance.
      • Exclusion rule changes the state of VITs from Under Investigation or Awaiting Implementation to Open.
      • Email notifications are sent for expiring exception requests in Vulnerability Response.
    Version 26.0.11 - May 2025
    • New:
      • Enhanced questionnaire support for exception management via Smart Assessment (Workspace Only):
        • Advanced questionnaire configuration: Configure advanced questionnaires as part of the exception management process using Smart Assessment. This enhancement allows remediation owners to provide more detailed context for exception requests and enables approvers to configure conditional questions to gather information for informed decisions.
        • Collaboration and streamlined approval: Facilitate collaboration between your vulnerability management and remediation teams by streamlining the approval process with clear and complete exception justifications. 
        • Mandatory questionnaires: Block the submission of exception requests until mandatory questionnaires are completed. If a questionnaire is marked as mandatory, the test results and its associated remediation tasks remain in the 'Open' state until the questionnaire is completed and submitted.  If the questionnaire is incomplete, the state change approval record is saved as 'Draft'. Only after completing the questionnaire can the user submit the exception request, which will then move the test results or remediation tasks to the 'In Review' state.
      • Lookup rules enhancements: When you reapply Lookup rules, discovered items (DIs) that have been inactive for more than 90 days are ignored. These DIs are also excluded from licensing considerations. Removing them from the lookup logic can improve performance and reduce processing time.
      • Background job enhancements: New fields have been added to help you view successfully evaluated records, the time taken for processing, the time remaining, and an estimated number of records.
      • Improved accuracy for non-CSDM Vulnerability Response users: A system property (sn_sec_cmn.ci_lifecycle_status_source) has been introduced to help users who do not follow Common Service Data Model (CSDM) standards. This property ensures that DIs and associated VITs are properly marked as Decommissioned and are excluded from the CI Lookup. Additionally, the Retired Configuration Items PA indicator has been updated to accurately reflect CIs based on the decommissioning flags.
      • Import application vulnerable items (AVITs): You can now import AVITs from external sources using standardized templates (e.g., CSV, Excel) and manage the pen test findings lifecycle. The system supports the ingestion of vulnerability data, including details such as affected application, vulnerability description, severity, and remediation recommendations. The process of consolidating vulnerability data from diverse sources into a centralized Pen test workspace has been simplified.
    • Changed:
      • Enhancements to exception rules handling:
        • Exception rules are reevaluated with nightly scheduled jobs.
        • Vulnerable items that no longer match exception rule conditions are unlinked from remediation tasks.
        • A deferred vulnerable item (VIT) is reopened if it doesn’t match any active exception rules.
        • Exception rules don’t create remediation tasks. VITs are deferred directly and aren’t associated with a remediation task.
      • Support for Tenable's endpoint scanning integration to retrieve scan metadata. The integration fetches scan details using the last_schedule_id from existing asset data in Tenable.io.
      • Added the Reopened Count field on vulnerable items to track the number of times their states change from 'Closed' to 'Open' or to 'Active'.
      • Out-of-the-box vendor advisories via Common Security Advisory Framework (CSAF) integration. The following vendor advisories are configured out-of-the-box and are automatically activated when the Solution Management plugin is enabled. 
        • Red Hat
        • SUSE
    • Fixed:
      • Translation and localization issues for the Risk Rating field on the compensating control, as well as the "Overview" page fields in both the IT Remediation and the Vulnerability Manager workspaces.
      • Removed the Split UI task button from the remediation tasks created through exception rule.
      • Translation issue fixed with approval notes.
      • Assignment group updates through bulk edit are fixed for AVITs and container vulnerable items (CVITs).
      • Added a validation check when creating a new Common Vulnerability Reporting Framework (CVRF) / CSAF integration if another CVRF or CSAF configuration with the same vendor already exists.
      • Populated the Red Hat Enhancement Advisory (RHEA) / Red Hat Bug Advisory (RHBA) solutions to sn_vul_solution, where the advisories are linked to at least one Common Vulnerabilities and Exposures (CVE).
      • Removed usage of preferred solution in container vulnerable items.
      • Issues related to state change management between detections with and without exclusions and vulnerable items are addressed.
      • Reapply assignment rules no longer consider the findings with the assignment type as 'Unassigned'.
    Version 24.0.10 - March 2025
    • New: The search_application_admin role has been replaced with the workspace_user role in the out-of-the-box roles "sn_vul.view_rem_workspace" and "sn_vul.view_manager_workspace". It provides less granular permissions.
    Version 25.0.4 - February 2025
    • New:
      • Create Remediation Tasks (RTs) manually in the List views of the Vulnerability Manager and IT Remediation Workspaces.
      • As an Appsec Manager or Security Champion, you can create Change Requests (CRs) from remediation tasks in the Application Vulnerability Response application.
        • Expedite your investigation for application vulnerable items (AVITs) that require manual intervention for scanned applications that are classified as configuration items (CIs).
        • This feature is only available if a discovered application is associated with a CI.
        • The itil role is required.
      • Improvements for Penetration Test Assessment Requests in the Penetration Test Workspace:
        • Monitor your penetration test requests and findings as well as your team's overall progress in the Penetration Test Workspace.
        • The following assessment types are included for Penetration Test Assessment Requests forms in the Penetration Test Workspace: Emergency Release, Bug Bounty Program, Release Approvals, One-off reviews, and Executive Interest.
        • Release approval and Release notes fields help you improve the quality and security of your pen test findings.
        • Release approval fields support the following states: Not Applicable (Default), Approved, Denied.
        • Add details in the Release notes field to justify your approvals.
      • The CI Decommissioned Auto-close Rule closes VITs that are associated with decommissioned CIs.
    • Changed: On the Penetration Test Findings tab on Penetration Test Assessment Requests, you can associate Common Weakness Enumerations (CWEs) or Common Vulnerabilities and Exposures (CVEs) in the Vulnerability field for manually created AVITs.
    • Fixed:
      • Activate the system property 'sn_sec_cmn.risk_score_changes_add_worknote' to automatically log details in work notes about the score calculations when the risk score is updated.
      • The scanner values for fields on Discovered items such as 'os' and 'netbios' take precedence over cmdb_ci values.
      • On the integration run performance reports, exception rule metrics measure how much time the rules have taken for that integration run.
      • Provision to Deactivate/Delete remediation efforts in the Vulnerability Manager Workspace.
      • Remediation Task Overview page distortion issue.
      • The 403 access error encountered by a remediation owner when selecting a vulnerability entry from the IT Remediation Workspace.
      • Discovered item Cloud Account name is updated when an updated cloud account name from the scanner is received.
    Version 24.1.5 - December 2024
    • New: Compensating Control: Remediation owners can request a risk rating reduction for an application vulnerable item or remediation task by submitting compensating control proofs through an exception management request.
    Version 24.0.9 - December 2024
    • Changed:
      • When you select the Request Extension button to extend an exception rule, you have the option to extend both the 'deferred until' date and the exception rule 'valid to' date.
      • Remediation efforts can now be deleted or deactivated without affecting downstream records.
    • Fixed:
      • Tags added to the vulnerable items are displayed in the workspace list view if a tag is associated with it, and the Tags column is included in the list view.
      • The duplicate CVE module list in the Vulnerability Manager workspace, introduced in the November release (24.0.6), has been removed.
      • Opening a workspace with a copied URL will launch the tab corresponding to the copied URL.
      • Manually created solutions will be processed through the "Process Vulnerability Solution Metrics Queue" scheduled job for populating the preferred solution on the VIT.
    Version 24.0.6 - November 2024
    • New:
      • Properties module: A new Properties module has been added to the navigation menu under the Administration section. This module enables direct modification of the flag values, offering a user-friendly method to manage and update system properties directly from the interface.
      • Workspace search: Efficiently search using the record numbers and open the records in either the Vulnerability Manager Workspace or the IT Remediation Workspace, depending on your assigned role.
      • Navigating to Workspaces from the All menu: If the 'sn_vul_cmn_ws.navigate_to_workspace' system property is enabled, selecting predefined filter links in the Vulnerability Response and Application Vulnerability Response modules from the 'All' menu will automatically open these links in the Vulnerability Manager Workspace and IT Remediation Workspace based on your role.
      • Refresh the Saved Filter visualizations: You can now refresh the visualizations for saved filters on the Vulnerability Manager Workspace Home page either once or daily. Additionally, you can manually update these visualizations on demand to reflect the latest data.
      • Customizable Age calculation: The Age and Age Closed calculations of a vulnerable item and an application vulnerable item can now be customised so that they are calculated from a choice of available date fields. That is, you can now select any of the available date fields such as last found, created, etc. with reference to which the Age and Age Closed values must be calculated. For more information on how to configure these age calculations, refer to the KB1703270 KB article.
      • Performance improvement in Workspaces: The 'glide.ui.list.seismic.omit.count' system property allows you to deactivate the record/row count display on the lists in the Vulnerability Manager Workspace and IT Remediation Workspace, optimizing performance for large datasets.
      • Granular Role-based access control: Enhanced the role management in Vulnerability Manager Workspace (for watch topics and lists) and IT Remediation Workspace (for lists). This allows precise access control and configuration tailored to specific user roles.
      • You can now re-evaluate the exception rules for a set of selected vulnerable items and application vulnerable items directly in the Vulnerability Manager Workspace instead of re-evaluating these rules for all records in the classic UI.
      • Application Penetration testing improvements:
        • New workspace that permits you to use the penetration testing workflow of Application Vulnerability Response in the Next Experience UI.
        • Alignment of penetration testing for mobile application security with the recognized standards of the Mobile Application Security Verification Standard (MASVS) via a questionnaire in the penetration testing workflow.
        • A new system property, "sn_vul.populate_scanner_solutions", parses the solutions coming from third-party scanner integrations.
    • Changed:
      • Improved preferred solution coverage for vulnerable items by enabling scanner solutions on third-party integrations.
      • A new column titled "Part" has been added to the Vulnerable Software [sn_vul_software] table specifically to segregate the part component derived from the Common Platform Enumeration (CPE) string.
    • Fixed: Performance improvements in the asset exposure with Software Asset Management (SAM).
    Version 23.0.11 - October 2024
    • Fixes to support critical data integrity issues and the error handling/retry. No changes to the import settings are required.
    • Data model changes in Vulnerability Response:
      • Fields added to the Discovered Application [sn_vul_app_release] table: ‘Active’ field (t/f Boolean), ‘Internal app last seen date’, and ‘Last completed scan date’.
      • Values supported for the ‘Scan type’ field on the Scan Summary [sn_vul_app_vul_scan_summary] table: ‘Dynamic’, ‘Static’, ‘Manual’, ‘SCA’, ‘Interactive Analysis’
      • Field added: ‘Source original scan ID’ on the [sn_vul_app_vulnerable_item] displays the original source ID under which a source is detected.
    Version 23.0.7 - September 2024
    Fixed: The issue that caused the Microsoft Security Response Center Solution Integration to fail when there was no response from the KB API has been resolved.
    Version 23.0.6 - August 2024
    • New:
      • You can now evaluate the assignments, remediation target dates, remediation tasks, and risk scores for a set of selected vulnerable items and application vulnerable items directly in the Vulnerability Manager Workspace, instead of evaluating these properties for all records in the classic UI.
      • Any changes in risk scores and their contributing fields, including custom fields, will be recorded in the work notes each time a risk score changes. This ensures transparency and aids in auditing by clearly documenting the reasons behind any risk score changes.
    • Changed:
      • The existing rollup scheduled jobs for Vulnerability Response that roll up the vulnerable and application vulnerable item values into remediation tasks have been converted to background jobs with multithreading capabilities to speed up the execution time.
      • The legacy workflows have been removed from the Vulnerability Response application.
    • Fixed:
      • Clearing out classification rules references when items don't match.
      • Fixed the CopyURL button action in IT Remediation Workspace in the List views to copy the URL of the opened List view.
      • Text translation issues in various places of the Vulnerability Manager Workspaces are fixed.
      • When a vulnerable item (VI) is first deferred and then reopened through a job after expiration and if the same VI is marked as false-positive, the scheduled Job 'Check Vulnerable Item and Groups Deferment Expiration' will not reopen the item again.
      • When the AVIT Finding Type is PenTest, the PenTest user can write or update the Risk Rating field.
      • Resolved an issue that caused multiple remediation tasks with the same deferral expiration date to be moved to "In Review" when an extension was requested for one of them.
      • When the Exception questionnaire is enabled and the False positive questionnaire is not enabled, the Request exception questionnaire is not displayed when you mark a record as False positive in the classic view.
    Version 22.1.3 - June 2024

    • New:
      • You can now create exclusion rules to filter low-priority vulnerabilities such as informational ones during ingestion to prevent the creation of vulnerable items. The exclusion rules feature ensures that only critical and high severity vulnerable items are created. With this feature, you might see an improvement in performance.
      • Application Vulnerability Managers can create auto-close rules to automatically close stale application vulnerable items.
      • A new job Auto-close Rule Processor is created to support auto-close feature for both vulnerable and application vulnerable items using background job framework.
    • Removed: The Auto-close Stale Detections job is deprecated.
    Version 22.0.5 - May 2024
    • New:
      • The Vulnerability Manager Workspace list view now includes a bulk edit option for application vulnerable items. This allows for simultaneous updates to the state, assignment group, and exception request of multiple items.
      • If the system property 'sn_vul.latest_solutions' is enabled, the system will automatically utilize the latest available solution when the preferred solution is not generated from the list of available solutions.
      • The CISA Ransomware report is now available in the Unified Dashboard.
      • By default, inactive install records will not be taken into account during Exposure Assessment. To include inactive records, you can enable the system property 'sn_vul.filter_inactive_sw_installs'.
      • Upload SBOM files in the SBOM Workspace for the CycloneDX and SPDX standards starting with version 3.0 of SBOM Core and 3.2 of SBOM Response.
        • XML and JSON formats are supported for CycloneDX up to and including version 1.4.
        • JSON format is supported for SPDX up to and including version 2.3.
      • Vulnerability Managers can create auto-close rules to automatically close stale detections along with their associated vulnerable items.
      • A new generic framework has been introduced, leveraging the Common Security Advisory Framework (CSAF), to facilitate faster information exchange and processing through integrations. Leading software vendors offer the CSAF format for describing vulnerabilities and solutions. Solution data can be imported either through file upload or API integration.
    • Fixed:
      • For solutions created by the Common Vulnerability Reporting Framework (CVRF) integration, an integration instance is populated.
      • Performance enhancements in the SBOM Workspace for the BOM Entities and Components pages. You might experience faster load times for the Home and Components modules in the SBOM Workspace.
    Version 21.1.2 - March 2024
    • New:
      • The Vulnerable Item (VIT) reflects the most recent and accurate data from the last open detection. To roll up the last open detection to the VIT, the sn_vul.show_last_open_detection system property must be set to true. When enabled, the IP address, SSL, Port, Protocol, DNS name, NetBIOS name, and Description values of the Vulnerable Items (VITs) are updated with the last open detection values during ingestion and change of the Configuration Item (CI) i.e., Reapply CI Look Up rules.

        To apply this update to the existing VITs, execute the 'Update Last Open Detection Value To VITs' scheduled job. This ensures that the last open detection values are correctly updated for all the existing VITs.

    • Fixed: The state of a deferred AVIT is updated when a higher state is obtained from the Veracode Scanner during ingestion.
    Version 21.0.3 - February 2024
    • New:
      • List modules from the navigation menu to open in the Vulnerability Manager Workspace home page with auto-selection of the corresponding saved filter with updated user experience.
      • Address security gaps in your enterprise environments detected through the Security Posture Control application and automatically prioritize, assign, and resolve them with the Configuration Compliance application workflow. The Security Posture Control application requires a separate subscription.
      • Implementation of RedHat Common Security Advisory Framework (CSAF) in Vulnerability Response.
    • Changed:
      • Changes in the Overview and Details tabs of vulnerable item and remediation tasks in the Vulnerability Manager Workspace - Added state details, updated reference links, and UI sections.
      • Provision for the Vulnerability Manager to associate the compensating controls to the TPEs/Vulnerability/CVEs.
      • Enable questionnaire configuration in the classic experience UI.
      • Enable Bulk Edit feature in the Vulnerability Manager Workspace - Added Bulk Edit UI action for Host vulnerable items list on the List page to perform edit operation on multiple vulnerable items at once.
      • In an email notification, upon clicking the vulnerable item and remediation task links, records open in respective workspaces depending on the user roles.
    • Fixed:
      • Fixed Change request modal issues in the IT Remediation Workspace.
      • The OS field in the Discovered item will not be cleared on changing the CI of the discovered item to any unmatched class.
      • Fixed the 'View All' option issue in the IT Remediation Workspace.
      • Reapply CI Lookup Rules support for Manual Ingestion.
      • Resolved last opened date field on VIT to be not older than the created date.
      • IT Remediation Workspace - The link included in the popup will redirect to the URL instead of closing the popup.
      • The issue where the Approvals state changes automatically is fixed.
      • The assigned group for Closed vulnerable items will not be updated from the Remediation task.
      • Enabled exception Questionnaire for Deferral extension requests in the workspace.
      • Added the category as a scanner for Rapid7 Insight VM vulnerability item integration.
      • Sn_vul_scan entries added in the sys_dictionary table
      • Microsoft TVM recommendations will be visible to vulnerability remediation owners.
      • Empty Email Notifications to the Requestor of Exception and False Positive on the Remediation task are fixed.
      • Fixed Impacted services population on VITs.
      • Fixed 'Refreshed On' time for Watch Topics in Vulnerability Manager Workspace.
      • Affected CI's count will be updated in the change request created from Vulnerability Manager Workspace.
      • Many VITs have the 'In Remediation Task' field false even though they are part of a RT.
      • When clicking individual reports, the list view associated with that report on the Dashboards for IT Remediation Workspace will be displayed.
      • Deferred Remediation tasks are re-opening One day after the Until date.
      • Added 'Aria Label' to Buttons so that a screen reader that encounters them can read the text.
      • Restricting bulk edit on invalid VITs like VITs with empty discovered item and Discovered item's CI is empty.
    Version 20.2.4 - January 2024
    Fixed: Earlier, when an exception request is raised by the user, an email notification is sent to the approver regarding the deferral extension as well. Now, this issue has been fixed.
    Version 20.2.3 - December 2023
    New: Minor changes to support the First.org Exploit Prediction Scoring System (EPSS) Integration.
    Version 20.0.5 - December 2023
    • Fixed:
      • Updated logic to evaluate all the rules before updating the state of a Vulnerable Item (VIT) when a current exception rule expires.
      • Earlier in the Utah and Tokyo versions, the Vulnerability Response Remediation Task Rule form was displayed for the application remediation task rule creation. After the fix, Application Remediation Task Rule creation form displays.
      • After the fix, the remediation status is evaluated properly when a VIT moves to the Closed state.
      • When a VIT is added to a Remediation Task via any functionality flow, the In Remediation Task field of a VIT is evaluated properly.
      • Fixed the New button issue on the Compensating Control and App Vulnerabilities lists in the Vulnerability Manager Workspace.
      • When an exception rule is cancelled, the VIT state changes to the Open state.
      • In the CISA Known Exploit Vulnerability Integration, user can schedule the integration run.
    Version 20.0.2 - November 2023
    • New:
      • Application Vulnerability Response application is changed so that you can:
        • Create exception rules to automatically defer existing and new application vulnerable items (AVIs) for a specific period.
        • Submit extension requests for exception rules.
        • Defer remediation with the Awaiting Implementation state for AVIs. With this feature in place, you can inform your team that you have taken action but a fix isn't available yet.
        • Create remediation task rules to define how AVIs are automatically grouped and assigned.
      • Compensating Control: Remediation owners can request a risk rating reduction for a vulnerable item or a remediation task by providing compensating control proofs through an Exception Management request.
      • Extend Deferral date for VIT, RT and Exception Rule: You can request an extension for a deferred remediation task, vulnerable item, or exception rule by clicking the Request Extension button.
    Version 19.0.8 - October 2023
    Fixed: Previously, the form view of records was not loading in the Vulnerability Manager and IT Remediation Owner Workspaces in the instances with the platform versions Utah patch 0 - Utah patch 5. This issue has been fixed. The records will now load in form view in all the supported platform versions.
    Version 19.0.7 - September 2023
    • New:
      • If the Data Model for SBOM app is installed, Display name is a new field on the BOM Component table. This field uses the name and version for the displayed value of a component.
      • If the SBOM Core app is installed, the BOM Entities related list is displayed on the component form. You can see all the BOM entities that this component is used in on this related list.
      • If the SBOM Response app is installed, the data model supports the Vulnerability Intelligence use case.
    • Changed: Vulnerability Response Core: The Discovered application and SBOM component fields are displayed on the application vulnerable item (AVI) record.
    • Fixed: If the SBOM Core app is installed, you can manually upload BOM documents as expected.
    Version 19.0.4 - August 2023 (Vancouver)
    • New:
      • The following dashboards are available in the Next Experience UI:
        • Vulnerability Approvals dashboard
        • Vulnerability Management dashboard
        • Vulnerability Remediation dashboard
        • Watch dog overview dashboard
        • My Application Vulnerability dashboard
    • Changed:
      • Ability to create recurring/remediation effort without creating remediation tasks.
      • Ability to create remediation tasks (RTs) via UI action available in RE form and list view.
      • Recurring remediation effort can now be scheduled daily and weekly.
      • All the workspace pages will use the Standard record page.
      • On state change on a RT, a background job will be created to sync state on VITs if it has more than 200 VITs and it is configurable in system property. The same is applicable to Application VR Remediation task.
      • OOTB, List view is updated to show CI name instead of CI reference to improve list view performance on the VIT and Discovered Item.
      • Integrations will fail if the payload size is greater than 100MB and it is controlled by this system property, sn_sec_cmn.max_integration_payload_size.
    • Fixed:
      • On integration run, the Import since and Substate will not change after cancelling the integration run.
      • VIT deferral count will be calculated properly when a VIT is part of multiple Remediation Tasks.
      • NETBIOS will be properly populated on sn_vul_detection and sn_vul_vulnerable_item tables. Earlier, it used to truncate.
      • For the remediation owner, the Remediation Task list view will show items which are assigned to the user even after clearing the filter. Earlier, all the remediation tasks were displayed, including ones that don't belong to the user.
      • Reevaluate CI lookup rule job will check for the integration run and stop if the integration run is in a running state.
    • Removed: Deprecated old workflows in Exception Management.
    Version 18.2.6 - July 2023
    Fixed:
    1. The Auto-Close Configuration Compliance schedule job does not block Vulnerability Response integrations from running anymore.
    2. The correct error message is displayed when an integration run fails or gets blocked due to other background jobs.
    Version 18.2.5 - June 2023
    • Vulnerability Response:
      • Fixed:
        • Earlier, even after cancelling the integration run, post-processing operations were being performed. This issue has been fixed.
        • For Advanced Risk Rule Calculators, the resulting risk score information in the sample scenarios was being populated with incomplete information. This issue has been fixed. The resulting risk score information is now correctly populated.
        • Earlier, unassigning remediation tasks would result in the vulnerable items not being displayed in the Unassign module. This issue has been fixed. Unassigning remediation tasks now unassigns the associated vulnerable items, which are then displayed in the Unassign module.
        • Earlier, no new integration run was created if a rescan integration run record was already in the Vulnerability Integration Run queue. This issue has been fixed. Now, an integration run is created in ready state, even if there is an existing integration run created for rescan.
    • Application Vulnerability Response:
      • Fixed:
        • For Advanced Risk Rule Calculators, the resulting risk score information in the sample scenarios was being populated with incomplete information. This issue has been fixed. The resulting risk score information is now correctly populated.
    • Container Vulnerability Response:
      • Fixed:
        • For Advanced Risk Rule Calculators, the resulting risk score information in the sample scenarios was being populated with incomplete information. This issue has been fixed. The resulting risk score information is now correctly populated.
    Version 18.2.3 - May 2023
    • Vulnerability Response:
      • New:
        • Introduced table cleaner records for sn_vul_integration_process and sn_vul_scan_q_entry tables.
        • Introduced system properties to configure user groups for exception approvals instead of using the default groups. Thus, when an exception or false positive request is raised, it is sent for approval to the user ID defined in the system property.
    • Fixed:
      • Updates to the 'Exploit exists' field on the Third-party Vulnerability table for the Qualys Knowledge Base integration work as expected.
      • You can select the 'IP address' field in look up rules for the "Search on field" field.
      • Background jobs time out instead of getting stuck, if the trigger expires.
      • The rollup job that calculates remediation status metrics applies to updated groups only, not to all groups.
    • Application Vulnerability Response:
      • Fixed:
        • Deferred application vulnerable items (AVITs) will continue to remain in the 'Deferred' state, even if scanners report the same issue again.
        • If an AVIT which is 'In review' state gets reopened, it is moved to the 'Open' state instead of 'Deferred' state.
        • Integration processes were timing out after one hour, even if the import queue entry was still being processed. As a result, the integration run status was being updated as 'Error'. Starting from V18.2.2, timestamps (heartbeats) are sent periodically to indicate that the queue is alive and processing valid data.
    Version 18.0.6 - March 2023
    • Fixed:
      • The Request Exception UI action on remediation tasks gets displayed if GRC is enabled.
      • The ACL issues for the Application Security Manager persona for workspace have been resolved.
      • The metrics for all remediation tasks were previously calculated using the scheduled job Calculate Related VI Counts for Vulnerability and Remediation Task, which used to run every day. This resulted in long processing time. To resolve this issue, the metrics are now calculated only for the updated remediation tasks using the scheduled job Rollup VI values to vulnerability, Remediation Task (RT), and VI count on RT.
      • Reopening a deferred vulnerability item (VI) belonging to a deferred remediation task does not reopen other deferred VIs associated with the same remediation task.
      • The data required for notifications is now processed only for those remediation target rules that have associated notify groups and users.
    Version 18.0.2 - February 2023
    • New: With changes to the Vulnerability Manager Workspace, you can now perform the following tasks:
      • Create and view watch topics, remediation efforts, and remediation tasks for application (AVR) and container (CVR) vulnerabilities and configuration test results.
      • Deactivate and reactivate watch topics.
      • Refresh watch topic content on demand.
      • View CVE, CWE, TPE, Policies, Tests, and App Vulnerability lists under the Libraries section on the List page.
      • Exception Management with the questionnaire.
      • View remediation tasks for Vulnerability Response, Application Vulnerability Response, Container Vulnerability Response and Configuration Compliance in a single list.
      • Transfer remediation tasks to a new remediation effort for a watch topic without losing history.
    • Changed:
      • The Deferred to date on records remains populated until you manually reopen the record.
      • If you reopen a deferred VI prior to the time limit for a manual exception, the VI is automatically deferred.
      • The IP Address is updated on detections so they can be rescanned.
    • Fixed: Users with read permission can view security tags on vulnerable items as expected.
    Version 17.1.4 - November 2022
    • New:
      • Introduced the ability to implement exception management with Policy & Compliance (GRC) in Application Vulnerability Response.
      • Introduced the provision to resolve duplicate VIs on remediation tasks in Vulnerability Manager and IT Remediation Owner Workspace.
      • Introduced a scheduled job to identify the duplicate VIs in remediation tasks.
      • Introduced the ability to select the "date" field from which the Remediation Target will be calculated on the vulnerability items.
    • Changed:
      • Performance improvement in exception rules.
      • Enabled clearing of Import Set queue entries when the integration run is cancelled.
      • Introduced date-time fields for older date fields such as First found, Last Found, Last Opened, and Resolution Date on the Vulnerable Item table.
      • Added the capability for configuring approvals and capturing the reason in the unassigned flow.
      • Updated the remediation task reference on the vulnerable item when the remediation task is deferred.
      • Rolling up the deferred state to the remediation task when all VIs are deferred.
      • Optionally (using a system property) regroup the VIs that were reassigned when reapplying assignment rules.
      • Updated the vulnerability integration process state names from Processing to Retrieving and from Wait Complete to Waiting/Processing.
    Version 16.5.4 - August 2022
    • New:
      • Identifying potential duplicate VIs from different scanners: If you are using multiple scanners on the same asset to detect vulnerabilities, multiple vulnerable items (VIs) might be created. You can now identify the potential duplicate VIs. This ensures that the potential duplicate vulnerabilities are not assigned to the remediation owners.
      • Manual Ingestion of Vulnerabilities: To effectively protect the assets against unknown threats such as zero day exploits, you can use the Manual Ingestion to import a set of vulnerabilities and CI data into Vulnerability Response. You can proactively ingest the vulnerabilities and remediate them instead of waiting for scanners to report the assets, which are at risk.
      • Remediation owners can remove themselves from assignment from the vulnerable item records they determine are not their responsibility.
      • The Unassign UI action clears the Assigned to and Assignment group fields and sends notifications to admins in a daily digest that records are not assigned.
      • Records updated with this feature are displayed in the Unassigned modules for Vulnerability Response, Application Vulnerability Response, and Container Vulnerability Response.
      • A daily scheduled job counts the records that are updated with this feature and aggregates them by the assignment rules that initially assigned them. You can use the counts that are displayed for each assignment rule to help you monitor how effective your assignment rules are.
      • The Unassign feature is available on remediation tasks (VUL) and vulnerable items (VIT) in both the classic UI and the Vulnerability Response Workspaces.
      • The Unassign feature is also available in the classic UI for AVR vulnerable items (AVIT) and CVR vulnerable items (CVIT).
      • Track the number of times a vulnerable item, application vulnerable item, container vulnerable item, or a remediation task is deferred. A scheduled job, set deferral counts, runs daily to post counts for the records that are deferred more than once in the Deferral count column in the Multiple deferrals modules for VR, AVR, and CVR.
      • With changes to the integration runs, you can view the following information for the vulnerability integration runs:
        • Total chunks: Total number of chunks generated by the Tenable product.
        • Available chunks: The number of chunks available for download to your ServiceNow AI Platform.
      • You can view the attachments that are downloaded and processed. When the status of the integration run is waitcomplete, it displays the percentage of integration that is complete.
    • Fixed:
      • VR Risk rule field updates with the correct language as expected.
      • Closed VITs are no longer reopened due to a rejection with pending approvals.
      • The navigation in the setup assistant for the Microsoft TVM integration works as expected.
      • The dialog that displays rescan options for vulnerable items is working as expected.
      • You might see an improvement in performance.
    Version 16.2.1 - May 2022
    • Changed:
      • Improved performance of the Vulnerability Response framework.
      • The backlog of jobs for integrations is restricted so that only one job can run at a time.
      • The Last scan or Last compliance dates for cloud assets are no longer populated. It is populated only for infra assets.
      • The import queue attachments are cleaned up after 7 days.
    • Fixed:
      • The Request Exception button works as expected.
      • Application vulnerable items (AVIT) states do not reset to Open unexpectedly.
      • Security bug fixes.
      • The Ignore_by field on remediation tasks (VULs) and vulnerable items (VITs) populates as expected when you defer a remediation task.
      • Deferred vulnerable items only reopen after an exception rule expires.
      • In the VR Workspaces, rejecting an approval request works as expected.
      • In the VR Workspaces, the Cancel button used when splitting a remediation task works as expected.
    Version 16.1.3 - March 2022
    • New:
      • The following changes and new features in the Vulnerability Manager and IT Remediation Workspaces are included with this release.
        • Create scheduled, recurring remediation efforts to help with on-going tasks.
        • Create and activate weekly email notification digests for IT remediation owners.
        • Transfer VIs with a specific vulnerability from any of your existing remediation efforts into one remediation effort.
        • Set filter criteria and then select the matching VIs from a list that you want to move when you split a remediation task.
        • On the Home and List views in the workspaces, see the number of CIs that have vulnerabilities that are assigned to you and your groups.
        • View any associated, active change requests on remediation task records.
      • The Vulnerability Response and Application Vulnerability Response applications also include the following new features and changes:
        • Use the Exception Management module to create a questionnaire to add to the exception request. This questionnaire provides a better understanding of the reason for requesting the exception.
        • Use the watchdog to track tables based on the conditions you specify. For example, it can be used to log details of integration run failures in Vulnerability Response.
        • AVI triaging for Application Vulnerability Response: Added the option to perform triaging within ServiceNow.
        • Enable this option to request exceptions or mark AVIs as false positives, and also use the new state mapping logic for AVIs.
        • Penetration testing changes for Application Vulnerability Response: Scheduling capabilities are now supported. Also, penetration testing assessment requests can be quickly created using the previously closed penetration testing assessment request.
        • New functionality extracts the host names from FQDN/NETBIOS so that the CI lookup or new CI creation can be done on the name attribute with just the hostname of the asset. This can be configured in the Host Import Map (sn_sec_cmn_src_cmdb_map) for each scanner integration.
        • Changed: You might find improved performance on watch topic pages.
        • The classification rules have been generalized and can be configured to work on the Discovered Items and vulnerability entry tables out of the box. They can be extended by updating a system property.
    Version 16.0.3 - February 2022
    No new features or updates are included with this version. This version ensures that features from the last release are compatible with the San Diego family release.
    Version 15.0.4 - January 2022
    • Fixed:
      • In the Vulnerability Manager Workspace, the % VIs remediated column in the Home view on watch topics and on the Details page on remediation efforts shows the percentage of closed VIs as expected.
      • In the Vulnerability Manager Workspace, Delete works as expected for watch topics.
      • The load error for the Home page in the Vulnerability Manager Workspace.
      • The pages in the VR Workspaces tabs only reload when you switch between tabs.
      • When you reapply a CI lookup rule on a discovered item and a detection is reopened, if the detection's configuration item doesn’t match the configuration item of the VIT, a new VIT is created.
      • The detections cache can process larger payloads.
    Version 15.0.2 - October 2021
    • New:
      • A new, modern user experience in the Vulnerability Response application with two workspaces helps vulnerability managers and IT teams identify and resolve vulnerabilities more easily.
        • In the Vulnerability Manager Workspace, monitor the vulnerabilities you care about through Watch Topics. Decide strategically which vulnerabilities you want your IT Teams to work on using Remediation Efforts.
        • In the IT Remediation Workspace, IT teams receive remediation tasks that highlight IT-centric information (assets and solutions) to help them remediate more efficiently.
      • Penetration testing assessment has been introduced for Application Vulnerability Response. It can be used to assess the security posture of your application and manually import the penetration test results.
      • The updated exception management approval workflow provides more configuration options for the approval process and an improved user experience. The approval process has been migrated to flow designer from workflow. The flow designer will now be used to approve exception requests for exception management, exception rules, and false positive in VR.
        • If you are a first-time VR user, the flow designer is enabled by default.
        • Existing users can enable the flow designer using the system property sn_vul.flow_designer_activation.
      • Create vulnerability classification rules to automatically categorize vulnerabilities based on the type of Application or Platform. This enables assignment of the vulnerabilities to the correct IT team for their remediation. In addition, it also allows reporting of vulnerability status and exposure based on the type of Application and operating system.
      • If CMDB changes the life cycle stage status of a CI to retired, you can choose to automatically close the associated VIs.
        • To automatically close the associated VIs, enable the option to auto-close VIs that are associated with retired CIs.
        • The retired CI is eventually archived or permanently deleted from the CMDB.
    • Changed:
      • Table labels for vulnerability groups and vulnerability group rules have changed. This change applies to labels on lists, records, and rules in the classic UI and in the workspaces introduced in this release.
        • Vulnerability groups (VGs) are labeled Remediation Tasks. Task records are still prefaced with VUL.
        • Vulnerability group rules are labeled Remediation Task Rules. These rules work just like vulnerability group rules did in previous versions, and you still have access to your existing rules.
        • Table names such as [sn_vul_m2m_vul_group_item] have not changed.
      • Resolve, Close, and Reopen UI actions are available for application vulnerable items in Application Vulnerability Response.
    Version 14.0.6 - June 2021
    • New:
      • The Auto-close stale detections module helps you clean up older, stale vulnerability detections not recently found by your third-party integrations.
      • For Vulnerability Calculators in Vulnerability Response and Application Vulnerability Response, specify custom fields and weights to generate risk scores with vulnerability data unique to your environment.
    • Changed:
      • The vulnerable item detection key is integration-specific. Configure how vulnerability findings (detections) are imported from each of your vulnerability assessment applications and consolidated into vulnerable items.
      • Changes to the common background job framework ensure that jobs are executed in a resource-optimized manner. You can configure how jobs are processed.
      • A vulnerability analyst or remediation owner can view accurate and current deployment metrics for a preferred solution. Updated solutions data are displayed on a related list on the vulnerability group forms.
      • The API key for the Microsoft Security Response Center (MSRC) Solution Integration is no longer mandatory.
    • Fixed on vulnerable item, vulnerability group, and detection records:
      • The Source field on the vulnerable item record is read-only.
      • Users can see detection records associated with vulnerability groups as expected.
      • The vulnerability item is moved to the In Review state as expected when the associated vulnerability group moves to In Review.
      • The type of change request you select is created as expected from a vulnerability group record.
      • SLAs are set as expected when a vulnerability group is split.
      • A deferred vulnerability group is set to the Open state when the associated GRC policy expires.
      • The Proof field on the vulnerable item detection record is populated as expected after an upgrade to the new detection framework.
      • Status changes for vulnerable items and vulnerability groups are updated and displayed as expected.
      • The time zone for the Remediation target date on a vulnerability group record is set by the reapply job.
      • When vulnerable items or vulnerability groups are deferred, the system property (sn_vul.vulnerable_item.approval_required) is ignored and the State field is set as expected.
    • Fixed on integration runs:
      • When an integration run is queued while another integration is in progress, the new integration's start time is set as expected.
      • If a current integration run is in the Wait Complete state, the next integration run will not start.
    • Fixed for date-time formats:
      • All date-time formats are supported when configuring the Tenable Vulnerability Integration in the Setup Assistant.
      • The system's date format is supported for Exception rules.
    • Fixed:
      • Nulled configuration items are filtered out when calculating Impacted Services, which might improve your performance for this job.
      • Vulnerability Calculators use weight values as expected to calculate risk scores for vulnerable items. If an exploit exists but there is no information for Exploit attack vector or Exploit skill level, these weights are not added to the VI’s risk score.
      • Users in assignment groups can see the Mark as False positive and Request Exception UI actions.
      • Deferral expiration emails are triggered as expected.
      • Exception rules also work for vulnerable items without detections.
      • Work notes are available when setting filters even when you add fields.
      • All supported languages are available for the Change Request Type field.
      • The Summary field on the Rapid7 Solution records is populated as expected.
    • Removed:
      • The Auto-Close Stale Vulnerable Items module has been deprecated. To close stale detections and their associated vulnerable items and vulnerability groups, use the Auto-Close Stale Detections module. For more information, see the Vulnerability Response product documentation and the Auto-Close Stale Detections [KB 0958638] article.
    Version 13.0.5 - May 2021
    Fixed: Removed RCA (Restricted Caller Access) record that is not used by VR.
    Version 13.0.3 - February 2021
    • New:
      • Reapply CI lookup rules
        • If you change your CI lookup rules, reapply them on-demand and manually reconcile selected discovered items with the CMDB without having to reimport all the asset data.
      • Vulnerability Response Integration with NVD
        • With two integrations, import CVE and CPE information from the NIST National Vulnerability Database (NVD) to better understand your vulnerability exposure.
      • Security Champion overview added
        • Security champions can quickly gain insight into their organization's vulnerability exposure and security posture on the dashboard by viewing results for scanned applications in Application Vulnerability Response.
      • Define Service classifications for Performance Analytics reports.
        • Configure the kinds of service CIs to include in business scorecard reports.
      • CISO dashboard in Performance Analytics for Vulnerability Response
        • The dashboard provides executives with Key Performance Metrics (KPIs), areas that have the highest risk, and reports along with recommendations for lowering risk.
    • Changed:
      • Choose if you want to use case-sensitivity for search criteria you enter in the Conditions builder. By default, the text you enter for filter conditions is not case-sensitive.
    • Fixed:
      • Domain separation support for the Reapply Calculator feature.
      • The App-Sec-Manager role has permission to cancel an Application Vulnerability Integration run.
      • Performance changes for updates to the vulnerability entry rollup of the Vulnerability Rollup calculator.
      • Domain separation support for the exception rule in Exception Management.
      • The Reapply remediation target rule job works as expected when the BETWEEN operator is used in the condition builder.
      • False positive Until date validation works as expected.
      • The Cancel Exception rule works as expected.
      • Domain separation support for the auto-close VI feature.
    Version 12.2.0 - December 2020
    Fixed: Added fixes to address the performance issues related to concurrent processing of Remediation target rules, and other minor fixes.
    Version 12.1.4 - November 2020
    • New:
      • Import vulnerability data from the Tenable.io and Tenable.sc products with the Vulnerability Response Integration with Tenable built by ServiceNow.
      • Use IRE to create new CIs in the CMDB when an existing CI cannot be matched with an imported host from third-party vulnerability assessment products.
      • With Vulnerability Assignment Recommendations, view assignment group recommendations for vulnerable items (VIs) and vulnerability groups (VGs) driven by the ServiceNow Predictive Intelligence. Identify appropriate assignees for VIs and VGs that didn't match your existing assignment rules.
    • Changed: Starting with v12.1, your NVD feeds are automatically updated to v1.1. You are no longer required to update feeds manually.
    Version 12.0.3 - October 2020
    • New:
      • With Exception Management, automate your exception process for vulnerable items by requesting exceptions for vulnerabilities or a set of CIs that cannot be remediated immediately or must be deferred.
      • The Application Vulnerability Response (AVR) feature in Vulnerability Response. AVR is available by separate subscription.
      • An optional condition builder has been added to the CI lookup rules that permits you to filter out specific assets in your IT environment. The filtered, updated list is used by CI Lookup Rules during your next import.
    • Changed:
      • Reapply remediation target rules to existing vulnerable items. Make adjustments to target rules without having to re-import data or perform custom scripting.
      • When you choose to close vulnerable items based on 'Asset last scanned' with the Auto-Close Stale Vulnerable Items module, a completed import from the Rapid7 comprehensive integrations is no longer required.
      • With SAM Pro with the Exposure Assessment module, normalize the product names of your assets to promote more accurate matches.
    Version 11.0.3 - July 2020
    • New:
      • Recertified for version 11.0.3
      • Changed exception management with Governance, Risk, and Compliance (GRC). Use the GRC policy exception management capability within the Vulnerability Response application.
      • Configure how vulnerability findings (detections) imported from your vulnerability assessment applications are consolidated into vulnerable items.
      • Enable the Auto-Close Stale Vulnerable Items module to automatically close older vulnerable items not recently detected by your third-party integrations. Two new integrations with Rapid7 support this module.
      • With new persona and granular roles, expand, limit, and manage the permissions and access your users and groups have to Vulnerability Response at the task level.
      • Correlate the vulnerabilities in your environment with Linux recommended solutions using the Red Hat solution intelligence integration.
    • Changed:
      • Intuitively manage false positives for vulnerable items or vulnerability groups with changes to the false positive workflow.
      • Quickly view a broad range of vulnerable items with new modules in the navigation panel. Modules include High Risk, Exploitable, Missed Target, Older than 90 days and other categories to help you prioritize your remediation.
      • Performance improvements with new index additions to the vulnerable items table.
      • Imported Qualys host tags are ingested using the Qualys Asset List Integration and processed using the common tags framework.
    • Fixed: The process described in KB0819117 to create change requests and use change management with ITSM legacy Change Management plugins is now fully supported.
    • Removed: The ‘Close by age’ option has been deprecated. Use the Auto-Close Stale Vulnerable Items module to transition older vulnerable items to ‘Closed’.
    Version 10.3.8 - June 2020
    • New:
      • Recertified for version 10.3.8.
      • Changed exception management with Governance, Risk, and Compliance (GRC). Use the GRC policy exception management capability within the Vulnerability Response application.
      • Configure how vulnerability findings (detections) imported from your vulnerability assessment applications are consolidated into vulnerable items.
      • Enable the Auto-Close Stale Vulnerable Items module to automatically close older vulnerable items not recently detected by your third-party integrations. Two new integrations with Rapid7 support this module.
      • With new persona and granular roles, expand, limit, and manage the permissions and access your users and groups have to Vulnerability Response at the task level.
    • Changed:
      • Intuitively manage false positives for vulnerable items or vulnerability groups with changes to the false positive workflow.
      • Quickly view a broad range of vulnerable items with new modules in the navigation panel. Modules include High Risk, Exploitable, Missed Target, Older than 90 days and other categories to help you prioritize your remediation.
      • Performance improvements with new index additions to the vulnerable items table.
      • Imported Qualys host tags are ingested using the Qualys Asset List Integration and processed using the common tags framework.
    • Fixed: The process described in KB0819117 to create change requests and use change management with ITSM legacy Change Management plugins is now fully supported.
    • Removed: The ‘Close by age’ option has been deprecated. Use the Auto-Close Stale Vulnerable Items module to transition older vulnerable items to ‘Closed’.
    Version 10.0.4 - April 2020
    • Fixed: Occasional processing errors that prevented the Rapid7 InsightVM integration from successfully importing all the payload data and creating or updating vulnerable items as expected.
    Version 10.0.3 - March 2020
    • New:
      • The Change Management - Core plugin (com.snc.change_management) is required for change management for Vulnerability Management. See KB0819117 for more information.
      • Separated out detections from vulnerable items (VIs) to avoid de-duplication
      • Introduced rules caching mechanism to improve VI ingestion performance
      • Implemented reapply mechanism for assignment rules and group rules
      • Added functionality to allow users to auto-delete VIs and VGs
    • Changed:
      • Updated group rule UI to support more than one CI and vulnerability entry value
      • Updated VI age calculation process
      • Added Solution Management changes
      • Minor bug fixes
    Version 9.0.6 - December 2019
    • The Change Management - Core plugin (com.snc.change_management) is required for change management for Vulnerability Management. See KB0819117 for more information.
    • Minor bug fixes
    Version 9.0.5 - November 2019
    • New:
      • The Change Management - Core plugin (com.snc.change_management) is required for change management for Vulnerability Management. See KB0819117 for more information.
      • Updated Change Management for Vulnerability Response: Expedite remediation by creating pre-populated change requests (CRs) directly from vulnerability groups, associating vulnerability groups to existing CRs, and automatically resolving groups after CRs are implemented.
      • Software exposure assessment - Assess your exposure to a vulnerability by looking up the affected software publisher, product name, and version number in your ServiceNow Software Asset Management (SAM).
      • Split vulnerability groups on-demand - Split large vulnerability groups into more manageable segments using ServiceNow condition builder or by manually selecting vulnerable items for segmentation.
      • Last scan date and time: View asset-level timestamps for the last authenticated and unauthenticated vulnerability scans.
      • Quick start tests for Vulnerability Response: Use the Automated Test Framework (ATF) to validate the continued functionality of Vulnerability Response after upgrades and configuration changes.
    • Removed: The Configure SAM NVD and Vulnerable Software modules have been removed. These modules have been deprecated, due to dependent content from the National Vulnerability Database (NVD) that is no longer available.