Understanding the Vulnerability Response application

The ServiceNow® Vulnerability Response application imports vulnerable items and automatically groups them according to group rules, allowing you to remediate vulnerabilities quickly. Vulnerability data is pulled from internal and external sources, such as the National Vulnerability Database (NVD) or third-party integrations.

Compare vulnerability data pulled from internal and external sources. For any vulnerable items, create change requests and security incidents using vulnerability groups to remediate issues and mitigate risk.

Watch an overview of the typical vulnerability response within an enterprise versus the vulnerability response with ServiceNow®. It defines vulnerable items, vulnerability groups, and their lifecycles.

Vulnerability Response and the Now Platform®

Vulnerability Response is one member of the Security Operations application suite. Together these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.

Security Operations overview

Vulnerability Response flow

You use Vulnerability Response to follow the flow of information, from integration through investigation, and then on to resolution.

[Figure: Vulnerability Response flow]

Available versions

Release versions:
  • Vulnerability Response v9.0
  • Vulnerability Response v8.0

Release notes: Vulnerability Response release notes

Integrate your Vulnerability scanner

After vulnerability data is imported, you can compare the data to CIs and software identified in the ServiceNow® Asset Management application. You can perform the following tasks.
  • Compare vulnerability-related data if a vulnerability is found on a configuration item.
  • Escalate issues by creating change requests and security incident records (if the ServiceNow® Security Incident Response application is activated).
  • Manage vulnerable items grouped by vulnerability or CI, or individually. Each vulnerability represents a vulnerability entry in the NVD, Common Weakness Enumeration (CWE), or third-party libraries.
  • Relate a single third-party vulnerability to multiple Common Vulnerabilities and Exposures (CVE) entries.
  • Use CWE records, downloaded from the CWE database, for reference when deciding whether a vulnerability must be escalated. Each CWE record also includes an associated knowledge article that describes the weakness. You cannot escalate a vulnerability from the Common Weakness Enumerations page. That page is for reference only.

Multi-source support

You can have multiple deployments of the Qualys Vulnerability Integration and, starting with version 9.0, the Rapid7 InsightVM type integration.

Assets, identified by multiple third-party deployments and their vulnerabilities, are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments. Data sourced from each deployment is identified and available in a single instance of Vulnerability Response.

Qualys Vulnerability Integration KnowledgeBase records are normalized across deployments, ensuring that instances of the same vulnerability across deployments are treated as the same vulnerability. Setup for the Qualys Vulnerability Integration multi-source integration is available within the Setup Assistant.

Prioritize vulnerabilities

Vulnerability Response data correlation is performed using groups, calculators, and libraries. You can perform the following tasks.
  • Create vulnerability groups to contain vulnerable items from NVD, CWE, and third-party integrations.
  • Assign prioritization, rules, and access.
  • Create assignment rules.
  • Create vulnerability group rules based on vulnerabilities, filters, filter conditions, and group keys.
  • Use calculator groups to determine business impact, specify varying conditions using filters, apply simple calculations, or use a script.
  • View ungrouped vulnerable items and vulnerabilities.

Create change requests and coordinate planning

Vulnerability Response remediation is primarily a manual process performed at the group level. There are multiple ways to remediate vulnerability groups.

Starting with Vulnerability Response v9.0, create emergency, standard, and normal change requests directly from vulnerability groups to expedite your investigation and remediation of vulnerabilities with change management for Vulnerability Response. Create change requests that contain pre-populated information imported directly from a vulnerability group, filter out a subset of vulnerable items and create a new vulnerability group, or associate vulnerability groups to existing change requests.

Prior to Vulnerability Response v9.0, from a vulnerability group in the Under Investigation state, create change requests, defer, or close the group.

If the vulnerability is a security incident and Security Incident Response is activated, you can create security incident records.

Assignment rules are used to automate vulnerable item or vulnerability assignments. Because data imports are large in volume, take care with automated vulnerable item assignment.

Confirm vulnerability resolution

Vulnerability Solution Management contains solution integrations such as the Microsoft Security Response Center Solution Integration. Automatically correlate the vulnerabilities in your environment with the solutions that would remediate them. Identify the remediation actions that apply to your environment and prioritize them by the greatest reduction in vulnerability risk.

Vulnerability Response provides several useful reports, charts, and an Explorer dashboard for you to analyze and monitor data before and after remediation. You can also return Vulnerability Response-related information using the global search feature.

An automated rescan confirms that your changes have taken effect or indicates the need to reschedule.

Mobile experience for Vulnerability Response

Access the Vulnerability Response application on your Now Platform® instance directly from your mobile device.

View and search vulnerabilities, vulnerability groups, and assignments using the Vulnerability Response mobile application.

This mobile application gives you the flexibility to reassign, edit fields, and begin remediation without being tied to the desktop.

Vulnerability Response terminology

The following terms are used in Vulnerability Response.
Common Vulnerabilities and Exposures (CVE)
Dictionary of publicly known information-security vulnerabilities and exposures.
Common Vulnerability Scoring System (CVSS)
Open framework for communicating the characteristics and severity of software vulnerabilities. CVSS3 was not available prior to 2015.
Common Weakness Enumeration (CWE)
List of community-developed software weakness types.
Discovery models
Software models used to help normalize the software you own by analyzing and classifying models to reduce duplication.
National Vulnerability Database (NVD)
U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
Vulnerability calculators, vulnerability calculator rules, and Vulnerability Rollup Calculators
Calculators used to prioritize and categorize vulnerabilities based on user-defined criteria.
Vulnerability groups and group rules overview
Used to group vulnerable items based on vulnerability, vulnerable item conditions, or filter group.
Vulnerability Integrations
Scheduled jobs that pull report data from NVD, CWE, or a third-party system, such as the Qualys Cloud Platform, to retrieve vulnerability data.
Records of potentially vulnerable software downloaded from the National Institute of Standards and Technology (NIST) NVD, CWE, or third-party integrations.
Vulnerable items
Pairings of vulnerable entries, downloaded from the NIST NVD or third-party integrations, and potentially vulnerable configuration items and software in your company network.