
Vulnerability Response release notes


ServiceNow® Vulnerability Response product enhancements and updates in the New York release.

The Vulnerability Response application in ServiceNow® Security Operations prioritizes vulnerable items and adds business context to help security experts determine whether business critical systems are at risk. Using the CMDB, Vulnerability Response can easily identify dependencies across systems and quickly assess the business impact of changes or downtime. Vulnerability Response provides a comprehensive view of all vulnerabilities affecting a given service, as well as the current state of all vulnerabilities affecting the organization.

New York upgrade information

If you are upgrading from a previous version of Vulnerability Response, you can begin using the new Vulnerability Response features immediately. All updates to Vulnerability Response are available only in the ServiceNow® Store.

If you've previously installed Vulnerability Response, you don't need to install the Dependencies (com.snc.vul_dep) plugin prior to installing the Vulnerability Response update.

For detailed information on upgrading from Kingston or London to Vulnerability Response, see Vulnerability Response upgrade information.

By default, Application administration is not enabled in Vulnerability Response for upgrades. If you add custom tables that rely on inherited ACLs, you must recreate the ACLs in that custom table. If you add custom roles or custom ACLs, and you enable Application administration, retest those roles and ACLs after upgrading. Ensure that the "assignable by" attribute on the roles is set correctly to enable access to application administration.

Once enabled, Application administration cannot be disabled.

Integration upgrade information
  • Rapid7 Vulnerability Integration

    Prior to London v6.2 or Kingston v5.1, the Rapid7 Vulnerability Integration used an identifier from the Rapid7 Nexpose data warehouse that was not unique across multiple data warehouses. Starting with London v6.2 and Kingston v5.1, the nexpose_id, which is globally consistent, replaced it.

    If you have an existing Rapid7 Vulnerability Integration version earlier than London v6.2 or Kingston v5.1, and you upgrade to the latest Rapid7 Vulnerability Integration version, you may get an "Import relies on nexpose_id" error. In that case, you need to update the SQL query sent to your Rapid7 Nexpose data warehouse with the nexpose_id. Without it, various features of Vulnerability Response and Rapid7 Vulnerability Integration will not work properly. See KB0751331 to add the nexpose_id to the SQL import query.
    Note: This applies when you upgrade a Rapid7 Nexpose data warehouse or migrate from the Rapid7 Nexpose data warehouse to Rapid7 InsightVM.
  • Qualys Vulnerability Integration

    To reduce upgrade time, if you have the Qualys product or a third-party integration installed, delete all attachments on your integration data sources. You can find the attachments by navigating to System Import Sets > Administration > Data Sources and searching by integration. See Manage attachments for more information.

New in the New York release

Features available from the ServiceNow Store:
Vulnerability Solution Management
Version 8.0: Automatically correlate the vulnerabilities in your environment with the solutions that would remediate them. Identify the remediation actions that apply to your environment and prioritize them by the greatest reduction in vulnerability risk. Available as a separate subscription within Vulnerability Response, Vulnerability Solution Management contains solution integrations such as the Microsoft Security Response Center Solution Integration.

Preferred Solutions in vulnerability, vulnerable item, and vulnerability group records are derived from the Microsoft Security Response Center Solution Integration imports and not third-party vulnerability integrations.

Tenable and some Common Vulnerabilities and Exposures (CVE) vulnerabilities with long summaries can cause excessive cell heights in the vulnerability list view on solution records.

Risk Score calculator enhancements
Version 8.0: Configure your calculators with finer granularity. These calculators provide consistent risk scores across all vulnerable items so you can effectively prioritize the vulnerabilities in your environment.

The Default Risk Calculator and Vulnerability Severity calculators are shipped with the base system.

Vulnerability Calculators have replaced Vulnerability Calculator Groups for calculating the base Risk Score.

Remediation Owner Role
Version 8.0: Automatically receive access to vulnerability entries and solutions assigned to you or your group using the sn_vul.remediation_owner role. By default, the itil role contains the sn_vul.remediation_owner role.
Mobile experience for Vulnerability Response with the mobile app
Version 8.0: Access the VR application on your Now Platform instance directly from your mobile device with the Vulnerability Response mobile app.
  • View vulnerability groups: You can view and update your vulnerability groups to drive the vulnerability group through its remediation process.
  • Notifications: You can set up your mobile device to receive notifications about your most current business-critical vulnerability items. You can view and edit the related vulnerability group assigned to you or your team directly from the notification.
New in existing integrations
Tenable for Vulnerability Response v2.0
Version 8.0
  • When Tenable for Vulnerability Response v2.0 vulnerabilities are imported before their corresponding NVD entries, those vulnerabilities are not associated with the NVD vulnerabilities later. Ensure that NVD imports are up-to-date, and periodically re-import the full Tenable Knowledge Base (KB).

  • Tenable for Vulnerability Response does not currently support Normalized severity.
  • Tenable for Vulnerability Response does not populate exploit fields on third-party vulnerabilities.
New integrations
Microsoft Security Response Center Solution Integration

Version 8.0: Microsoft Security Response Center Solution Integration imports solution data for known vulnerabilities and creates relationships with vulnerable items and vulnerability groups. This integration is part of Vulnerability Solution Management.

Quick start tests for Vulnerability Response
Version 8.0: Validate the continued functionality of Vulnerability Response after any configuration change such as an upgrade or after developing an application. All test suites and tests should pass on a default implementation. To validate a custom implementation, copy the automated tests and configure them for your customizations.

Changed in this release

NVD JSON integration
Version 8.0: To support the anticipated switch from XML to JSON by the National Vulnerability Database (NVD), NVD data feeds have been updated to use JSON.
Note: By default, all data feeds for NVD Auto-update are disabled. To enable the feeds that you want, see Configure the scheduled job for updating NVD records.
Configuration additions to Setup Assistant

Version 8.0: Added configuration for Assignment Rules and Vulnerability Solution Management.

CI Lookup Rule used for the CI appears on Discovered Item records
Version 8.0: Added the CI matching rule field to the Discovered Items form to make it easier to identify potential matching issues.

Removed in this release

Version 8.0: Vulnerability Calculator Groups have been renamed Vulnerability Calculators and the group module no longer exists.

Activation information

Activate the Vulnerability Response Dependencies plugin (com.snc.vul_dep). Download and install Vulnerability Response from the ServiceNow Store and configure this application based on the needs of your organization using Setup Assistant. This application is available as a separate subscription.
