Vulnerability Response remediation task states

  • Release version: Australia
  • Updated March 12, 2026
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response Remediation Task States

    The Vulnerability Response module in ServiceNow integrates third-party data to manage vulnerability items (VITs). This includes updating the status of VITs to either Open or Closed based on detection states. The module also features a synchronized relationship between remediation tasks and change requests, ensuring that as change requests progress, related remediation tasks update accordingly. Starting with version 23.0, the Remediation Task State Approval workflow is now managed through Flow Designer, and the closure of remediation tasks is automated by the scanner.

    Show full answer Show less

    Key Features

    • Remediation Task States: Each state (Open, Under Investigation, Awaiting Implementation, Deferred, Resolved, Closed) allows specific actions, such as creating change requests, investigating vulnerabilities, and marking items as resolved or deferred.
    • Actionable States: For instance, in the Open state, you can start investigations or create change requests. In the Resolved state, you can transition to Closed upon scanner confirmation.
    • Split Tasks: If multiple VITs are present, you can filter and split remediation tasks to manage them more effectively.
    • Deferral and Exception Requests: You can defer remediation tasks for a specified period or request exceptions for vulnerabilities deemed low risk.

    Key Outcomes

    Utilizing these states and features enhances the ability to manage vulnerabilities efficiently. By automating task states based on scanner data and integrating with change management, organizations can ensure timely remediation of vulnerabilities while maintaining historical records of VITs. This structured approach aids in prioritizing tasks, minimizing risk, and streamlining the overall vulnerability management process.

    Third-party integrations import vulnerable item detection data that create new vulnerability items (VITs) or update existing VITs. Detection states update VIT states in so far as they’re Open or Closed.

    For more information on how a detection's state affects a VIT's state, see the Detections, remediation tasks, and vulnerable item states.

    With Change management for Vulnerability Response, there’s a synchronized relationship between the state fields of the remediation tasks and the state fields of the change requests (CHG) in the Vulnerability Response product. As a change request moves through its life cycle, it also moves the state of any related remediation tasks automatically. After a change request is implemented, the remediation task is automatically resolved. See State synchronization between change requests and remediation tasks for more information.
    Note:
    Starting with v23.0 of Vulnerability Response:
    • the Remediation Task State Approval workflow is deprecated and replaced by flow Remediation Task State Approval in the flow designer.
    • the Close button has been removed for a remediation task and the closure of a remediation task is driven by the scanner.

    The following table lists the remediation task states and the actions that you can perform on a remediation task at the respective state:

    Table 1. Remediation task states
    State Description
    Open State upon creation. From this state you can:
    Show Duplicate VIs
    Identify duplicate VITs reported by multiple scanners in the system. You can mark the duplicate VIT as Resolved or Closed. Duplicate entries are only shown when the combination of vulnerabilities is created using Common Vulnerabilities and Exposures (CVE). For more information, see Vulnerability Response remediation task and vulnerable item states.
    Start Investigation
    Assign this remediation task to a person or group to start investigating.
    Mark as false positive
    Mark an item or group as false positive if the scanner reports that a vulnerability exists in the system, but in reality there’s no vulnerability.
    Request exception
    Request an exception, a reopen (Until) date, a reason, and optionally, provide additional information. Defers the remediation of the item or group until the date that an exception is requested.
    Resolve
    Mark as Resolved to move the item or group to a resolved state.
    Create Change
    Create a change request or associate a remediation task to an existing change request. For more information, see Create a change request from a remediation task and Associate a remediation task to an existing change request.
    Split Remediation task
    For a remediation task with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a remediation task. The items that you select are automatically moved to a new remediation task. For more information, see Split a remediation task in the IT Remediation Workspace.
    Defer
    Select the Deferred state, a reopen date, a reason and, optionally, provide addition information. Defers the remediation task state until the reopen date.
    Delete
    Confirm the deletion. Removes the group.
    Under Investigation Triggered by the Start Investigation button. From this state, you can:
    Create a Security Incident
    For more information, see Create a security incident.
    Create Change
    Create a change request or associate a remediation task to an existing change request. For more information, see Create a change request from a remediation task and Associate a remediation task to an existing change request.
    Split Task
    For a remediation task with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a remediation task. The items that you select are automatically moved to a new remediation task. For more information, see Split a remediation task.
    Create a Change Request
    For more information, see Create a change request from a remediation task.
    Awaiting Implementation
    Changes state to Awaiting Implementation. This state indicates that remediation tasks have been referred outside a Vulnerability Response.
    Defer
    Select the Deferred state, a reopen date, a reason and, optionally, provide additional information. Defers the remediation task state until the reopen date.
    Delete
    Confirm the deletion. Removes the remediation task.
    Deferred Triggered by the Request Exception button. As part of the approval workflow, the Deferred state is In Review and can't be closed until approved.

    From this state, you can:

    Create Change
    Create a change request or associate a remediation task to an existing change request. For more information, see Create a change request from a remediation task and Associate a remediation task to an existing change request.
    Split Task
    For a remediation task with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a remediation task. The items that you select are automatically moved to a new VG. See Split a remediation task.
    Create a Security Incident
    For more information, see Create a security incident.
    Reopen
    Transition back to an Open state.
    Delete
    Confirm the deletion. Removes the remediation task.

    Deferment information appears under the Close/Defer tab. On the defer date, the group reopens for remediation.
    Awaiting Implementation Triggered by the Awaiting Implementation button. From this state, you can:
    Create a Security Incident
    For more information, see Create a security incident.
    Create Change
    Create a change request or associate a remediation task to an existing change request. For more information, see Create a change request from a remediation task and Associate a remediation task to an existing change request.
    Split Task
    For a remediation task with more than one vulnerable item, use a set of conditions to filter out a subset of vulnerable items and split a remediation task. The items that you select are automatically moved to a new remediation task. For more information, see Split a remediation task.
    Create a Change Request
    For more information, see Create a change request from a remediation task.
    Defer
    Select the Deferred state, a reopen date, a reason and, optionally, provide addition information. Defers the remediation task state until the reopen date.
    Resolve
    Add notes. The state becomes Resolved. Notes appear under the Resolution tab.
    Delete
    Confirm the deletion. Removes the remediation task.
    Resolved Triggered from the Resolve button. From this state you can:
    Create a Security Incident
    For more information, see Create a security incident.
    Create Change
    Create a change request or associate a remediation task to an existing change request. For more information, see Create a change request from a remediation task and Associate a remediation task to an existing change request.
    Reopen
    Transition back to an Open state.
    Delete
    Confirm the deletion. Removes the remediation task.

    Notes appear under the Notes tab. Resolution information appears under the Resolution tab.
    Closed Triggered by the scanner. From this state, you can:
    Create a Security Incident
    For more information, see Create a security incident.
    Reopen
    Transition back to an Open state.
    Delete
    Confirm the deletion. Removes the remediation task.

    Closure information appears under the Close/Defer tab.
    • The remediation owner can only mark a vulnerable item or remediation task as resolved. Based on the confirmation from the scanner, this resolved item or remediation task can be marked as Closed or reopened.
    • The Delete button is available for the administrator when there are multiple vulnerable items created manually, and these need to be closed or deleted.
    • If you determine that the items are a low risk, waiting for a change window, or a patch, you can change their remediation task to the Deferred state for a defined amount of time. You can request an exception using the Request Exception option.
      Note:
      When remediation tasks are deferred or closed, you can specify resolutions to further define the reasons for doing so.
    • When a VIT is reopened, either manually or automatically, the following happens:
      • The VIT state changes to Open. The original remediation task state doesn't update.
      • The VIT is reevaluated and put into a new or existing remediation task that is based on the active Remediation Task Rules.

      This preserves its history while enabling further remediation.

    • When a remediation task is created (automatically or manually), or split, then its State, Reason, and Until fields are evaluated. In case of the split action, these fields are evaluated for both the old and new remediation tasks. When a VIT is updated, then the State, Reason, and Until fields of all its associated remediation tasks are evaluated.
      • If all the VITs in a remediation task are deferred and have the same reason, then the remediation task's state changes to Deferred and the VITs' reason is assigned to the remediation task. If the VITs differ in reason, then the remediation task's reason changes to None.
      • The closest Until date of all the VITs is updated in the Until field of the remediation task.
      • If you reopen any VIT, then the state of the remediation task changes to Open.

      This evaluation is done by the Rollup vulnerability item values to vulnerability and group scheduled job, which runs every 15 minutes.