Home Paris Release Notes Paris release notes Learn about Paris Release notes for upgrading from Orlando Features and changes by product Security Operations release notes Vulnerability Response release notes

Vulnerability Response release notes

The ServiceNow® Vulnerability Response application brings security and IT together to remediate your most critical vulnerabilities quickly and efficiently. Vulnerability Response was enhanced and updated in the Paris release.

Vulnerability Response highlights for the Paris release

Help your organization respond faster and more efficiently to vulnerabilities.
Connect your security and IT teams to provide real-time visibility into your security posture.
Provides your security and IT teams a single platform for response by connecting vulnerability scan data from leading vendors with the workflow and automation capabilities of the Now Platform®.

Important: Vulnerability Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

Important information for upgrading Vulnerability Response to Paris

Versions 10.0, 10.3, 11.0, 12.0, 12.1, 12.2, and 13.0 of Vulnerability Response are compatible with Paris. If you're upgrading from a previous version of Vulnerability Response, the initial Paris version is available immediately in your instance. All updates to Vulnerability Response are only available in the ServiceNow® Store.

For upgrade information for the Vulnerability Response application to Paris, see Vulnerability Response upgrade information.

For more information about released versions of the Vulnerability Response application, compatibility with Paris, and schema changes, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes.

New in the Paris release

Chief Information Security Officer (CISO) dashboard in Performance Analytics for Vulnerability Response (v 13.0)

With version 12.0 of Performance Analytics for Vulnerability Response and version 13.0 of Vulnerability Response, executives can view the following information on the CISO dashboard:

Key Performance Metrics (KPIs) for vulnerability remediation
Highlights for areas in the business that have the highest risk
Recommended actions to lower risk

Define Service classification for Performance Analytics reports (v 13.0)

With version 12.0 of Performance Analytics for Vulnerability Response and version 13.0 of Vulnerability Response, configure the kinds of service CIs you want to include in the business scorecard reports.

Vulnerability Response Integration with the National Vulnerability Database (NVD) (v 13.0)

With two integrations in version 1.0 of the Vulnerability Response Integration with NVD, choose if you want to import CVE or CVE and CPE information from the NIST National Vulnerability Database to better understand your vulnerability exposure.

The NVD integrations prior to v 13.0 of Vulnerability Response have been deprecated.

Security Champion overview (v 13.0)

Security champions can quickly gain insight into their organization's vulnerability exposure and security posture on the dashboard by viewing results of scanned applications in Application Vulnerability Response.

Reapply CI lookup rules (v 13.0)

If you change your CI lookup rules, reapply them on-demand and manually reconcile selected discovered items with your CMDB without having to reimport all the asset data.

Reapply the CI matching rules on discovered items with unmatched CI states on-demand.
Reapply CI lookup rules on selected discovered items.
The following updates occur if the link between a discovered item and a CI is changed after reapplying the lookup rules:
- Open vulnerability detections are updated.
- Corresponding VI-CI associations are updated for active VIs.
- Assignment rules, group rules, risk scores, risk ratings, and remediation targets are reevaluated.
- Discovered item status is updated accordingly. For example, discovered item status changes from Unmatched to Matched

Case sensitivity option for condition builder in forms and records (v 13.0)

By default (Case sensitive check box disabled), the search text you enter is not case-sensitive in the condition builder. Enable or disable case-sensitivity for the rule-matching text you enter in the following forms and records:

Assignment rules
Group rules
Remediation target rules
Vulnerability calculators

Network partition identifier in IRE rules for Vulnerability Response Integration with Tenable (v 13.0)

Version 13.0 of Vulnerability Response includes the CMDB CI Class Models (1.0.21) that include the network partition identifier in the IRE identification rules for the Vulnerability Response Integration with Tenable (v 2.1). Update your existing CIs to include the network partition identifier or create new ones. See Vulnerability Response integrations release notes and Vulnerability Response upgrade information.

Veracode Vulnerability Integration (v 13.0)

Version 13.0 of Vulnerability Response supports version 2.0 of the Veracode Vulnerability Integration. The following additional fields are imported and mapped to display on the Application Vulnerable Item form:

Agile Development Status
Vulnerability Summary
Vulnerability Explanation
Recommendation

Vulnerability Assignment Recommendations (v 12.1)

Vulnerability Assignment Recommendations uses machine learning with ServiceNow Predictive Intelligence to recommend owners for vulnerability findings.

With Vulnerability Assignment Recommendations, view a short list of the most appropriate assignees for vulnerable items and vulnerability groups along with confidence scores for each recommendation. Reduce the time you spend chasing down ownership issues across your organization as you discover vulnerabilities and are unsure where they need to go for remediation. Vulnerability Assignment Recommendations is available with a separate subscription from the ServiceNow® Store.

Create CIs with the Identification and Reconciliation Engine (IRE) v 12.1

Use the IRE to create new CIs in the CMDB for Vulnerability Response when an existing CI cannot be matched with an imported host from third-party vulnerability assessment products. Using IRE helps prevent the creation of duplicate CIs.

The CMDB CI Class Models app dependency for this feature is installed automatically with Vulnerability Response and may take some time to install.

The Tenable Vulnerability Integration (v 12.1)

Starting with version 12.1 of Vulnerability Response, the Tenable Vulnerability Integration developed by ServiceNow engineering uses data imported from the Tenable.io and Tenable.sc products to help you prioritize and remediate vulnerabilities for your assets. The Vulnerability Response Integration with Tenable application is available with a separate subscription from the ServiceNow® Store.

Application Vulnerability Response (v 12.0)

ServiceNow Application Vulnerability Response (AVR) is a new feature in v12.0 of Vulnerability Response.

Import the flaws (vulnerabilities) resulting from Veracode Dynamic Application Security Testing (DAST) and prioritize and efficiently drive remediation of detected flaws from within the Vulnerability Response application. Imported flaws are automatically assigned to the right team with a risk score and a remediation target date based on the rules you define.

Imported vulnerabilities are further enriched with the CWE imported from MITRE.

Quickly gain insight into your security posture and remediation trends, and view applications with the most critical, overdue vulnerabilities with Scoreboard.

Application Vulnerability Response supports the ServiceNow Vulnerability Response Integration with Veracode.

Filter decommissioned CIs (v 12.0)

Filter out decommissioned CIs while running the CI lookup rules. The filtered, updated list is used by CI Lookup Rules during the next import and may promote faster import times.

Exception rules for Exception Management (v 12.0)

Automate the exception process for vulnerable items (VIs) by creating exception rules. Request an exception for vulnerabilities or a set of CIs that cannot be remediated immediately, or a set of vulnerabilities that must be deferred. This enables you to update multiple VIs instead of requesting individual exceptions for the same condition every time new VIs are identified.

Risk Score recalculated and updated (v 11.0)

The Risk Score is updated on vulnerable item records when the severity value is updated on a vulnerability that is imported from third-party scanners.

Enhanced exception management with Governance, Risk, and Compliance (GRC) v 10.3

Eliminate manual reporting and streamline the workflow between ServiceNow®Governance, Risk, and Compliance and Vulnerability Response, use the GRC policy exception management capability within the Vulnerability Response application.

This feature is available starting with v 10.3 of Vulnerability Response and v 10.1 of Governance, Risk, and Compliance.
Obtain better visibility about exceptions raised for vulnerabilities.
Request policy exceptions for vulnerable items or vulnerability groups for a specific duration.
Route requests through multiple approvals based on risk rating, policy, and control objective associated with an exception.

See Allow policy exception requests from other applications for more information.

Enhancements to the false positive workflow (v 10.3)

Manage false positives more intuitively for vulnerable items or vulnerability groups. Easily distinguish false positives from exceptions and submit them for approval directly from vulnerable item and vulnerability group records. Also, analysts have the option to request specific durations for false positives.

Configure the vulnerable item key (v 10.3)

Configure how vulnerability findings (detections) imported from your vulnerability assessment applications are consolidated into vulnerable items. For example, you can consolidate a vulnerability identified on multiple network ports into a single vulnerable item, or split it into vulnerable items distinguished by unique port.

Performance enhancements (v 10.3)

New modules in the navigation panel display categories of vulnerable items that include:

Critical and High Risk
Exploitable
Approaching Target
Missed Target
Within Past 90 Days
Older than 90 Days
Ungrouped
All

Quickly view a broad range of vulnerable items to help you prioritize your remediation.

New indexes have been added on the vulnerable items table to improve performance.

With auto-close stale vulnerable items, you have the option to automatically close older vulnerable items not recently detected by your third party integrations. Set a time period and choose if you want to close VIs by their last-found dates, or by dates when assets were last scanned.

Enhanced user and group roles (v 10.3)

With pre-defined personas and new granular roles in the Vulnerability Response application, assign tasks, views, and permissions as required by your organization to limit or expand access easily, quickly, and according to your needs.

Vulnerable item detections (v 10.0)

Import all scanner findings as detections to give you better visibility. Preserving these findings enables you to reconcile the data between the scanner and what you imported into Vulnerability Response.

Performance Analytics for Vulnerability Response (v 10.0)

View both data trends and certain reports in real time. Visually display all of your vulnerable item activity on the Vulnerability Management [PA] dashboard using Performance Analytics for Vulnerability Response. Separate subscription required.

Reapply assignment rules (v 10.0)

Assignment rules can also be reapplied to existing Open VIs on-demand, or automatically on a scheduled basis using the Reapply all vulnerability assignment rules scheduled job. Reapplying ensures VIs reflect the latest rule changes or ownership updates in the CMDB.

Reapply vulnerability group rules (v 10.0)

Use the Reapply button on the vulnerability group rule page to rerun the changed rule on all active Open vulnerability groups created by that rule.

Auto delete rules (v 10.0)

Delete vulnerability item (VI) and vulnerability group (VG) records without archiving them, using Auto Delete Rules.

Vulnerability reference on the vulnerability group form (v 10.0)

Added a reference to the vulnerability on the vulnerability group form.

Automatic updates to VG group state, risk score and rating, and metrics (v 10.0)

Use the Update status related link in the vulnerability, solutions, and vulnerability group forms.

Enhanced vulnerable item age calculation and display (v 10.0)

An enhanced Age column (Age) is inserted into the Vulnerable Item table upon upgrade or install to v10.0 and replaces the Age column previously used to calculate VI age. VI age is calculated more efficiently on-demand and displayed with more significant digits in Day/Hour/Minute format.

Quick start tests for Vulnerability Response

After upgrades and deployments of new applications or integrations, run quick start tests to verify that Vulnerability Response still works. If you customized Vulnerability Response, copy the quick start tests and configure them for your customizations.

Changed in this release

Vulnerability Response (v 13.0)

The following features were fixed or enhanced for version 13.0:

Domain separation support for the Reapply Calculator feature.
The App-Sec-Manager role has permission to cancel an Application Vulnerability Integration run.
Performance enhancements for updates to the vulnerability entry rollup of the Vulnerability Rollup calculator.
Domain separation support for the exception rule in Exception Management.
The Reapply remediation target rule job works as expected when the BETWEEN operator is used in the Condition builder.
False positive Until date validation works as expected.
The Cancel Exception rule works as expected.
Domain separation support for the auto-close VI feature.

Deprecated: The NVD integrations in Vulnerability Response prior to v13.0

This feature has been deprecated in favor of the Vulnerability Response integration with NVD available in the ServiceNow Store. See the New REST-based NVD Integrations [KB0870291] article for more information.

Vulnerability Response (v 12.2)

Fixes for performance issues related to concurrency processing of remediation target rules and other minor defect fixes.

Qualys Vulnerability Integration

Starting with v12.1 of Vulnerability Response and v11.1 of the Qualys integrations: New Host Import maps are added for Unclassed Hardware. Discovery source VR-Qualys is created and passed to IRE to create CIs.

Rapid7 Vulnerability Integration

Starting with v12.1 of Vulnerability Response and v11.1 of the Rapid7 integrations: Discovery source VR-Rapid7 is created and passed to IRE to create CIs. New Host Import maps are added for Unclassed Hardware. Two new CIs, Network Adaptor and IP Address, are created along with the Unclassed Hardware CI.

12.1: Granular role removed for Application Vulnerability Response

Removed granular role, app_read_application_release. This role was assigned to the App-Sec Manager group for Application Vulnerability Response and is being removed.

12.1 NVD feeds are automatically updated to v1.1.

Starting with v12.1 of Vulnerability Response, the NVD downloads URL is automatically updated to v1.1. You no longer have to update your feeds manually.

Reapply remediation target rules (v 12.0)

Reapply remediation target rules to existing vulnerabilities. Make adjustments to target rules without having to re-import data or perform custom scripting.

Rapid7 import for Assets last scanned with Auto-close Stale Vulnerable items (v 12.0)

closing vulnerable items through the Auto-Close Stale Vulnerable Items module with the Assets Last scanned option selected eliminates the need for a completed import from one of the Rapid7 comprehensive integrations.

Assess your exposure to vulnerable software with normalized product names (v 12.0)

With SAM Pro with the Exposure Assessment module, normalize the product names of your assets to promote more accurate matches.

NVD downloads URL updated to v1.1

In early 2020, the JSON URL for NVD downloads updated to v1.1. For versions of Vulnerability Response prior to v 12.1, you must update your feeds manually. See the KB859923 article in the HI Knowledge Base.

Reopen resolved vulnerable items not closed by third-party scans (v 10.3)

Vulnerable items set to Resolved in your Now Platform instance but not transitioned to Closed/Fixed by the third party integration runs are reopened if they are detected during rescans.

For Qualys detections, if the scanner continues to find VIs that were set to Resolved but then not transitioned to Closed/Fixed by subsequent scans, these VIs move back to Open when the last found date is later than the Resolved date.

For Rapid7 detections, an option is now available on the Rapid7 configuration page in your instance to reopen resolved VIs by age. If enabled, VIs set to Resolved but then not transitioned to Closed/Fixed by subsequent scans transition back to Open after the number of days that you enter.

Qualys host tags in Vulnerability Response (v 10.3)

Imported Qualys host tags are ingested using the Qualys Asset List Integration, instead of the Qualys Host Detection Integration, and processed using the common tags framework. See the Migrate Qualys Host tags to new tag framework KB0825682 article in the HI Knowledge Base for more information on how to transition from existing Qualys tags to the new framework.

New Attributes available for the integrations List view (v 10.3)

Two attributes have been added that apply to all third-party integrations with Vulnerability Response.

When enabled, (true), The Run separately attribute ensures that integrations of the same type that also have this flag enabled do not run simultaneously. Status is displayed in the Run separately column in the integrations list view.

For some third-party integrations, a series of integration runs is required to import requested data. For these types of chained integration runs, the Next integration column on the integrations List view displays the next integration scheduled to run in the series after the integration displayed in the Name column is successfully completed.

Enhanced vulnerable item age calculation and display (v 10.0)

The scheduled nightly job Update Vulnerable Item Age used to calculate VI age has been removed, and the Age column has been deprecated and changed to Age (Deprecated). An enhanced Age column (Age) is inserted into the Vulnerable Item table upon upgrade or install and VI age is calculated more efficiently on-demand and displayed with more significant digits in Day/Hour/Minute format.

View Vulnerability Response vulnerable item detection data (v 10.0).

When viewing detection data, note the Qualys severity [qualys_severity] and Last updated by source [last_updated_by_source] fields listed in the Vulnerable item table [sn_vulnerable_item] are deprecated and no longer populated. Since the Business Rule (BR) Map Qualys Values uses Last updated by source, it is also deprecated.

Table removed (v 10.0)

The Associated IP Addresses table in Vulnerability Response was removed.

Scheduled job removed to update vulnerable items (v 10.0)

The scheduled job Update Vulnerable Item Age was removed and deprecated for upgrade customers. The enhanced Age column is automatically added to replace it when you upgrade to v10.0.

Activation information

Install Vulnerability Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

Related ServiceNow applications and features

Previous topic

Next topic

Release version

Vulnerability Response release notes

Vulnerability Response highlights for the Paris release

Help your organization respond faster and more efficiently to vulnerabilities.
Connect your security and IT teams to provide real-time visibility into your security posture.
Provides your security and IT teams a single platform for response by connecting vulnerability scan data from leading vendors with the workflow and automation capabilities of the Now Platform®.

Important: Vulnerability Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

Important information for upgrading Vulnerability Response to Paris

For upgrade information for the Vulnerability Response application to Paris, see Vulnerability Response upgrade information.

New in the Paris release

Chief Information Security Officer (CISO) dashboard in Performance Analytics for Vulnerability Response (v 13.0)

With version 12.0 of Performance Analytics for Vulnerability Response and version 13.0 of Vulnerability Response, executives can view the following information on the CISO dashboard:

Key Performance Metrics (KPIs) for vulnerability remediation
Highlights for areas in the business that have the highest risk
Recommended actions to lower risk

Define Service classification for Performance Analytics reports (v 13.0)

Vulnerability Response Integration with the National Vulnerability Database (NVD) (v 13.0)

The NVD integrations prior to v 13.0 of Vulnerability Response have been deprecated.

Security Champion overview (v 13.0)

Reapply CI lookup rules (v 13.0)

If you change your CI lookup rules, reapply them on-demand and manually reconcile selected discovered items with your CMDB without having to reimport all the asset data.

Reapply the CI matching rules on discovered items with unmatched CI states on-demand.
Reapply CI lookup rules on selected discovered items.
The following updates occur if the link between a discovered item and a CI is changed after reapplying the lookup rules:
- Open vulnerability detections are updated.
- Corresponding VI-CI associations are updated for active VIs.
- Assignment rules, group rules, risk scores, risk ratings, and remediation targets are reevaluated.
- Discovered item status is updated accordingly. For example, discovered item status changes from Unmatched to Matched

Case sensitivity option for condition builder in forms and records (v 13.0)

Assignment rules
Group rules
Remediation target rules
Vulnerability calculators

Network partition identifier in IRE rules for Vulnerability Response Integration with Tenable (v 13.0)

Veracode Vulnerability Integration (v 13.0)

Agile Development Status
Vulnerability Summary
Vulnerability Explanation
Recommendation

Vulnerability Assignment Recommendations (v 12.1)

Vulnerability Assignment Recommendations uses machine learning with ServiceNow Predictive Intelligence to recommend owners for vulnerability findings.

Create CIs with the Identification and Reconciliation Engine (IRE) v 12.1

The CMDB CI Class Models app dependency for this feature is installed automatically with Vulnerability Response and may take some time to install.

The Tenable Vulnerability Integration (v 12.1)

Application Vulnerability Response (v 12.0)

ServiceNow Application Vulnerability Response (AVR) is a new feature in v12.0 of Vulnerability Response.

Imported vulnerabilities are further enriched with the CWE imported from MITRE.

Quickly gain insight into your security posture and remediation trends, and view applications with the most critical, overdue vulnerabilities with Scoreboard.

Application Vulnerability Response supports the ServiceNow Vulnerability Response Integration with Veracode.

Filter decommissioned CIs (v 12.0)

Filter out decommissioned CIs while running the CI lookup rules. The filtered, updated list is used by CI Lookup Rules during the next import and may promote faster import times.

Exception rules for Exception Management (v 12.0)

Risk Score recalculated and updated (v 11.0)

The Risk Score is updated on vulnerable item records when the severity value is updated on a vulnerability that is imported from third-party scanners.

Enhanced exception management with Governance, Risk, and Compliance (GRC) v 10.3

This feature is available starting with v 10.3 of Vulnerability Response and v 10.1 of Governance, Risk, and Compliance.
Obtain better visibility about exceptions raised for vulnerabilities.
Request policy exceptions for vulnerable items or vulnerability groups for a specific duration.
Route requests through multiple approvals based on risk rating, policy, and control objective associated with an exception.

See Allow policy exception requests from other applications for more information.

Enhancements to the false positive workflow (v 10.3)

Configure the vulnerable item key (v 10.3)

Performance enhancements (v 10.3)

New modules in the navigation panel display categories of vulnerable items that include:

Critical and High Risk
Exploitable
Approaching Target
Missed Target
Within Past 90 Days
Older than 90 Days
Ungrouped
All

Quickly view a broad range of vulnerable items to help you prioritize your remediation.

New indexes have been added on the vulnerable items table to improve performance.

Enhanced user and group roles (v 10.3)

Vulnerable item detections (v 10.0)

Performance Analytics for Vulnerability Response (v 10.0)

Reapply assignment rules (v 10.0)

Reapply vulnerability group rules (v 10.0)

Use the Reapply button on the vulnerability group rule page to rerun the changed rule on all active Open vulnerability groups created by that rule.

Auto delete rules (v 10.0)

Delete vulnerability item (VI) and vulnerability group (VG) records without archiving them, using Auto Delete Rules.

Vulnerability reference on the vulnerability group form (v 10.0)

Added a reference to the vulnerability on the vulnerability group form.

Automatic updates to VG group state, risk score and rating, and metrics (v 10.0)

Use the Update status related link in the vulnerability, solutions, and vulnerability group forms.

Enhanced vulnerable item age calculation and display (v 10.0)

Quick start tests for Vulnerability Response

Changed in this release

Vulnerability Response (v 13.0)

The following features were fixed or enhanced for version 13.0:

Domain separation support for the Reapply Calculator feature.
The App-Sec-Manager role has permission to cancel an Application Vulnerability Integration run.
Performance enhancements for updates to the vulnerability entry rollup of the Vulnerability Rollup calculator.
Domain separation support for the exception rule in Exception Management.
The Reapply remediation target rule job works as expected when the BETWEEN operator is used in the Condition builder.
False positive Until date validation works as expected.
The Cancel Exception rule works as expected.
Domain separation support for the auto-close VI feature.

Deprecated: The NVD integrations in Vulnerability Response prior to v13.0

Vulnerability Response (v 12.2)

Fixes for performance issues related to concurrency processing of remediation target rules and other minor defect fixes.

Qualys Vulnerability Integration

Rapid7 Vulnerability Integration

12.1: Granular role removed for Application Vulnerability Response

Removed granular role, app_read_application_release. This role was assigned to the App-Sec Manager group for Application Vulnerability Response and is being removed.

12.1 NVD feeds are automatically updated to v1.1.

Starting with v12.1 of Vulnerability Response, the NVD downloads URL is automatically updated to v1.1. You no longer have to update your feeds manually.

Reapply remediation target rules (v 12.0)

Reapply remediation target rules to existing vulnerabilities. Make adjustments to target rules without having to re-import data or perform custom scripting.

Rapid7 import for Assets last scanned with Auto-close Stale Vulnerable items (v 12.0)

Assess your exposure to vulnerable software with normalized product names (v 12.0)

With SAM Pro with the Exposure Assessment module, normalize the product names of your assets to promote more accurate matches.

NVD downloads URL updated to v1.1

Reopen resolved vulnerable items not closed by third-party scans (v 10.3)

Vulnerable items set to Resolved in your Now Platform instance but not transitioned to Closed/Fixed by the third party integration runs are reopened if they are detected during rescans.

Qualys host tags in Vulnerability Response (v 10.3)

New Attributes available for the integrations List view (v 10.3)

Two attributes have been added that apply to all third-party integrations with Vulnerability Response.

Enhanced vulnerable item age calculation and display (v 10.0)

View Vulnerability Response vulnerable item detection data (v 10.0).

Table removed (v 10.0)

The Associated IP Addresses table in Vulnerability Response was removed.

Scheduled job removed to update vulnerable items (v 10.0)

The scheduled job Update Vulnerable Item Age was removed and deprecated for upgrade customers. The enhanced Age column is automatically added to replace it when you upgrade to v10.0.

Activation information

Related ServiceNow applications and features

How search works:

Topics are ranked in search results by how closely they match your search terms

Vulnerability Response release notes

Vulnerability Response release notes

Vulnerability Response highlights for the Paris release

Important information for upgrading Vulnerability Response to Paris

New in the Paris release

Changed in this release

Activation information

Related ServiceNow applications and features

On this page

Vulnerability Response release notes

Vulnerability Response release notes

Vulnerability Response highlights for the Paris release

Important information for upgrading Vulnerability Response to Paris

New in the Paris release

Changed in this release

Activation information

Related ServiceNow applications and features

Log in to personalize your search results and subscribe to topics