Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Vulnerability Response release notes

Log in to subscribe to topics and get notified when content changes.

Vulnerability Response release notes

ServiceNow® Vulnerability Response product enhancements and updates in the Madrid release.

The Vulnerability Response application in Security Operations helps you identify and prioritize software vulnerabilities affecting your organization, and respond faster using workflows, automation, and orchestration.

Madrid upgrade information

If you are upgrading from a previous version of Vulnerability Response, you can begin using the Vulnerability Response new features immediately. All updates to Vulnerability Response are only available in the ServiceNow Store.

If you have previously installed Vulnerability Response and want an update from the ServiceNow Store, you do not need to activate the System Plugin Dependencies (com.snc.vul_dep) plugin prior to installing the Vulnerability Response update.

If you update from Vulnerability Response v7.0 to Vulnerability Response v8.0, you must install all the plugins listed under Dependencies & Licensing > App Dependency in the ServiceNow Store prior to installing Vulnerability Response.

If you upgraded from a previous version of Vulnerability Response, your original Overview page becomes in the Overview (Legacy) module in the left navigation pane. If you created a customized homepage overview, the overview is overwritten by the new reports dashboard. To access your customized homepage, Create a new module for your customized homepage and add it to the Vulnerability Response application.

After upgrading to the Madrid release, third-party vulnerability records are read-only.

For detailed information on Kingston or London upgrade to Madrid, see Vulnerability Response upgrade information.

Application administration is not enabled, by default, in Vulnerability Response for upgrades. If you add custom tables that rely on inherited ACLs, you must recreate the ACLs in that custom table. If you add custom roles or custom ACLs, and you enable Application administration, retest those roles and ACLs after upgrading. Ensure the assignable by attribute on the roles is set correctly to enable access to application administration.
Note: Once enabled, Application administration cannot be disabled.
Integration upgrade information
  • Rapid7 Vulnerability Integration

    Prior to London v6.2 or Kingston v5.1, the Rapid7 Vulnerability Integration used an identifier from the Rapid7 Nexpose data warehouse that was not unique across multiple data warehouses. Starting with London v6.2 and Kingston v5.1, the nexpose_id, which is globally consistent, replaced it.

    If you have an existing Rapid7 Vulnerability Integration version earlier than London v6.2 or Kingston v5.1, and you upgrade to the latest Rapid7 Vulnerability Integration version, you may get a "Import relies on nexpose_id" error. In that case, you need to update the SQL query sent to your Rapid7 Nexpose data warehouse with the nexpose_id. Without it, various features of Vulnerability Response and Rapid7 Vulnerability Integration will not work properly. See KB0751331 to add the nexpose_id to the SQL import query.
    Note: This is true for a Rapid7 Nexpose data warehouse upgrade or to migrate from the Rapid7 Nexpose data warehouse to Rapid7 InsightVM.
  • Qualys Vulnerability Integration

    To reduce upgrade time, if you have the Qualys Vulnerability Integration or a third-party integration installed, delete all attachments on your integration data sources. You can find the attachments by navigating to System Import Sets > Administration > Data Sources and searching by integration. See Manage attachments for more information.

New in the Madrid release

Features available from the ServiceNow Store
Vulnerability Solution Management
Version 8.0: Automatically correlate the vulnerabilities in your environment with the solutions that would remediate them. Identify the remediation actions that apply to your environment and prioritize them by the greatest reduction in vulnerability risk.

Available as a separate subscription within Vulnerability Response, Vulnerability Solution Management contains the Microsoft Security Response Center Solution Integration.

Preferred Solutions in vulnerability, vulnerable item, and vulnerability group records are derived from the Microsoft Security Response Center Solution Integration imports and not third-party vulnerability integrations.

Preferred Solution values can be set on the vulnerable item or the vulnerability. When set on the vulnerability, all vulnerable items associated with the vulnerability inherit that solution.
Note: Preferred Solution values at the vulnerability level are cleared if multiple highest-supersedence solutions exist for a vulnerability, since that solution depends on the affected asset. When multiple highest-supersedence solutions exist for a vulnerability, set a Preferred Solution on the vulnerable item.

Tenable and some CVE vulnerabilities with long summaries can cause excessive cell heights in the vulnerability list view on solution records.

If a CVE identifier is not present during a Tenable import, vulnerability solution information will not be available.

Risk Score calculator enhancements
Version 8.0: Configure your calculators with finer granularity. These calculators provide consistent risk scores across all vulnerable items so you can effectively prioritize the vulnerabilities in your environment.

The Default Risk Calculator and Vulnerability Severity calculators are shipped with the base system.

Vulnerability Calculators have replaced Vulnerability Calculator Groups for calculating the base Risk Score.

for remediation specialists Remediation Owner Role for remediation specialists for remediation specialists
Version 8.0: Automatically receive access to vulnerability entries and solutions assigned to you or your group using the sn_vul.remediation_owner role. By default, the itil role contains the sn_vul.remediation_owner role.
Vulnerability Response
Version 7.0: You no longer have to wait for the platform family release of Vulnerability Response to enjoy new features, updates, and fixes. The latest version of Vulnerability Response is published in the ServiceNow Store and available for download.
Setup Assistant is part of the Vulnerability Response application available in the ServiceNow Store
Version 7.0: Setup Assistant walks you through the Vulnerability Response setup process in a simple, step-by-step fashion. Setup Assistant helps you discover which capabilities of Vulnerability Response require configuration, identify what permissions are required to configure these capabilities, and learn what settings are recommended for your environment. Setup Assistant helps you deploy Vulnerability Response quickly and efficiently.
Vulnerability Response overview homepage
Version 7.0: The Vulnerability Response Overview homepage has become a responsive dashboard.
Performance Analytics - Content Pack - Vulnerability Response
Version 7.0: Using business objective definitions, trending, and forecasting, the Performance Analytics – Content Pack – Vulnerability Response application contains over 40 report widgets. These reports help you monitor metrics across all stages of the vulnerability management lifecycle. This release includes vulnerability KPIs rolled-up to the business service level. KPI rollups give you a better understanding of vulnerability exposure and remediation performance in terms of business operations, rather than technical infrastructure. A Remediation dashboard, using standard Now Platform® reports, is also provided for the IT operations personnel that execute vulnerability remediation activities. This application, is available in the ServiceNow Store.
Exploit enrichment
Version 7.0: Exploit information imported from third-party integrations has been added to vulnerability entries. Use exploit information to prioritize which vulnerabilities to address first.
CVSSv3 support
Version 7.0: Vulnerability entries display CVSSv3 metrics. By showing CVSS v3 in addition to the CVSS v2, you can prioritize based on the newest algorithm used to calculate the severity of your vulnerabilities.
Vulnerability Assignment Rules
Version 7.0: You can define the assignment rules at the vulnerable item level. These assignment rules apply to the group rules by default, and group vulnerabilities by assignment group.
Vulnerable Item Risk Rating
Version 7.0: A new Risk Rating field on vulnerable item breaks the existing 0-100 risk score tiers into five tiers (Critical, High, Medium, Low, and None) for easier reporting and prioritization.
Normalized Severity
Version 7.0: Vulnerability assessment products often report vulnerabilities with proprietary integer-based severity scales. These severities are normalized into a common and configurable scheme for improved readability, reporting, and comparison.
Updated default form and list views
Version 7.0: Various Vulnerability Response default forms and list view forms for have been updated for improved usability. These entities include but are not limited to: Vulnerability entries, Vulnerable Item, Vulnerability Group, Discovered Item, and Approvals.

ACLs were updated to ensure that fields that should not be modified are marked read-only.

New in existing integrations
Rapid 7 Vulnerability Integration

Starting with Rapid7 Vulnerability Integration v7.1, when migrating to the InsightVM integration type from the Data Warehouse integration type, the InsightVM integration recognizes existing data warehouse vulnerable items, if they were imported from the same data source. It does not create duplicate records, so you can seamlessly migrate from the Data Warehouse to InsightVM integration type.

Rapid7 Vulnerability Integration v 7.1 adds exploit data import for both the Data Warehouse and InsightVM integration types.

Rapid7 Vulnerability Integration v 6.2 adds imports using the Rapid7 InsightVM API for discovery, detection, verification, risk classification, and impact analysis to manage risk and remediation. This integration does not require the Rapid7 Nexpose data warehouse.
Note: To migrate from the Rapid7 Nexpose vulnerability integration see KB0743164.
Qualys Vulnerability Integration

The latest version of Qualys Vulnerability Integration is published in the ServiceNow Store and available for download.

Tenable for Vulnerability Response v2.0
  • When Tenable for Vulnerability Response v2.0 vulnerabilities are imported before their corresponding NVD entries, those vulnerabilities are not associated with the NVD vulnerabilities later. Ensure that NVD imports are up-to-date, and periodically re-import the full Tenable Knowledge Base (KB).

  • Tenable for Vulnerability Response does not currently support Normalized severity.
  • Tenable for Vulnerability Response does not populate exploit fields on third-party vulnerabilities.
New integrations
Microsoft Security Response Center Solution Integration

Microsoft Security Response Center Solution Integration imports solution data for known vulnerabilities and creates relationships with vulnerable items and vulnerability groups. This integration is part of Vulnerability Solution Management.

Shodan Exploit Integration

Shodan Exploit Integration v7.0 imports exploit information that helps you prioritize the vulnerabilities in your environment based on risk.

This integration enables exploit information enrichment that helps you understand the following exploitability metrics to prioritize the remediation of vulnerabilities:
  • Is there any exploit associated with the vulnerability?
  • What skill level is required to exploit the vulnerability based on the exploit code rank?
  • What is the exploit attack vector? Can the vulnerability be remotely exploited?

Once your vulnerabilities are enriched with exploit intelligence, you can define the risk score and group the vulnerabilities based on these parameters. You can also filter key reports to see the high-risk vulnerabilities.

Quick start tests for Vulnerability Response
Validate the continued functionality of Vulnerability Response after any configuration change such as an upgrade or after developing an application. All test suites and tests should pass on a default implementation. To validate a custom implementation, copy the automated tests and configure them for your customizations.

Changed in this release

NVD JSON integration

Version 8.0: To support the anticipated switch from XML to JSON by the National Vulnerabilities Database (NVD), NVD data feeds have been updated to use JSON.


By default, all data feeds for NVD Auto-update are disabled. To enable the feeds you want see Configure the scheduled job for updating NVD records.

For Madrid versions prior to Madrid Patch 4, see KB0752343 to revert to the Legacy version of NVD data feeds.

Configuration additions to Setup Assistant

Version 8.0: Added configuration for Assignment Rules, Vulnerability Solution Management within SetupAssistant.

CI Lookup Rule used for the CI appears on Discovered Item records
Version 8.0: Added the CI matching rule field to the Discovered Items record to make it easier to identify potential matching issues.
The Vulnerability Overview homepage has been converted to a dashboard.
Version 7.0: If you have the Performance Analytics – Content Pack – Vulnerability Response application installed and activated, interactive reports are available.
Updated remediation target rule behavior
Version 7.0: Remediation target behavior has been updated for easier reporting.
  • No Target status added for records without a remediation target date.
  • Target Met added for records closed before their remediation target date.
  • Target Met added for records closed before their remediation target date.
  • Target Missed renamed from Past Target for consistency with Target Met.

Remediation target dates and statuses are also rolled-up from vulnerable items to their associated vulnerability groups.

Integration changes
Qualys Ticket Integration records have moved to a related list in the vulnerable item record.

Version 7.0: Qualys Ticket Integration records are no longer imported as vulnerable items. Instead ticket records are listed on an existing vulnerable item under a related list. Where no VI exists, one is created and the ticket is listed in the related list.

Before Rapid 7 v6.2, if you have multiple databases, the vulnerability_id in Rapid 7 is not unique. Starting with Rapid 7 v6.2, the nexpose_id, which is globally unique, replaces vulnerability_id. If you have an earlier version than 6.2, and upgrade to the latest version, you do not get the nexpose_id change. See KB0751331 to add the nexpose_id in the SQL import query.

Removed in this release

  • Version 8.0: Vulnerability Calculator Groups have been renamed Vulnerability Calculators and the group module no longer exists.
  • Version 7.0: Manual creation of third-party vulnerabilities has been removed.

Activation information

Activate the Vulnerability Response Dependencies plugin (com.snc.vul_dep). Download and install Vulnerability Response from the ServiceNow Store and configure this application based on the needs of your organization using Setup Assistant. This application is available as a separate subscription.