The ServiceNow® Vulnerability Response application brings security and IT together to enable you to remediate your most critical vulnerabilities more quickly and efficiently. Vulnerability Response was enhanced and updated in the Vancouver release.

Vulnerability Response highlights for the Vancouver release

  • Starting from version 20.0 of Vulnerability Response, request a reduction in risk for host vulnerable items and remediation tasks.
  • Starting from version 20.0 of Vulnerability Response, set up a questionnaire for exception requests based on condition.
  • Starting with version 20.0 of Vulnerability Response, manage critical vulnerabilities from inception to resolution using the Vulnerability Crisis Management workflow from the Vulnerability Assessment Workspace.
  • Starting from version 19.0 of Vulnerability Response, view the dashboards in the Vulnerability Response Workspaces.
  • Starting with version 19.0, assess the exposure of your assets to critical vulnerabilities by using the Vulnerability Assessment Workspace.

See Vulnerability Response for more information.

Important: Vulnerability Response is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

Important information for upgrading Vulnerability Response to Vancouver

Due to a data model change in the Vulnerability Response application, upgrading might take noticeably longer than previous upgrades. For more information, see KB0856498.

While upgrading to a newer version, the upgrade time might increase based on the data and version that you’re upgrading from. This issue is due to additional schema changes that were added during the upgrade. For more information, see KB0856498.

Starting with version 20.0 of the Vulnerability Response application and version 2.03 of the Vulnerability Emergency Response application, the Vulnerability Analyst Workspace is renamed to Vulnerability Assessment Workspace. All references to Vulnerability Analyst workspace now are Vulnerability Assessment workspace.

New in the Vancouver release

Enhancements to the Unified Vulnerability Response Dashboard
Starting with version 20.0, you can view the status on the EPSS scores attained by vulnerability entries, and external facing host vulnerable items on the Vulnerability Intelligence tab in the Unified Vulnerability Response dashboard.
Enhancements to the Software Bill of Materials applications
Starting with version 20.0, you can view the vulnerability intelligence information about the Software Bill of Materials (SBOM) files that you upload in the SBOM Workspace dashboard. The following enhancements to the applications help you view more detailed vulnerability data about your components:
  • Import a version list for a given package (library) and the package intelligence for Stale and Abandoned components with the Deps.dev source API that is included with the SBOM Response application.
  • Import the vulnerability intelligence information for a given version of a package with the OSV.dev open-source API that is included with the SBOM Response application.
  • Import data with the third-party Snyk Vulnerability Insights integration to view information about how to fix the components.
  • View the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) data for the components that are broken down by severity.
CI Lookup Rules have moved
Starting with version 19.0, you can find the CI Lookup Rules module at Security Operations > CMDB > Lookup Rules in your instance.
Enhancements to the Software Bill of Materials applications
The data model for SBOM, SBOM Core, and the SBOM Response applications that are required for the Software Bill of Materials product have the following enhancements. These changes are compatible with the version 19.0.6 of the Vulnerability Response:
  • Data model for SBOM (version 1.0.4): The Display name field is new on the BOM Component table. This field uses the name and version as the displayed value of a component.
  • SBOM Core (version 1.0.8): The BOM Entities related list is added on the component form. You can see all the BOM entities that the component is used in on this related list. You can manually upload the BOM documents as expected.
  • SBOM Response (version 2.0.6): The data model is updated so that it supports the Vulnerability Intelligence use case. The Discovered application and SBOM component are two new fields that are displayed on the application vulnerable item (AVI) record.False positive and Request exception are supported on the AVIs in the SBOM Workspace.
Enhancements to the Software Bill of Materials applications
View a list of the open source and third-party software components that include the transitive dependencies on a software bill of materials SBOM). Upload the SBOMs in the CycloneDX JSON format into your Now Platform:
  • View the potential risks in your software projects.
  • Identify the vulnerabilities in your components.
  • Manage your risk exposure by creating and assigning application-vulnerable items automatically.
  • Resolve the vulnerabilities with the Vulnerability Response workflow.
Configuring assessment types for penetration testing
Enhancements give you more options to match the testing requirements to sprint availability:
  • Updates to the configuration page for effort estimation, assessment size, and assessment type let you enter more details about the testing requirements.
  • Creating a request or copying and modifying the existing requests can be done directly from the Penetration Test Assessment Requests [sn_vul_pen_test_assessment_request] table.
  • Additional fields for Vendor, Joint venture, and Business impact provide you with the options to record details about the third parties and the financial impact.
Dashboards in the Vulnerability Manager Workspace.
Starting with version 19.0 of Vulnerability Response, the Vulnerability Management (PA), CISO Dashboard, Vulnerability Approvals, Vulnerability Management, and Container Vulnerability Response dashboards are available in the Next Experience UI from Vulnerability Manager workspace.
Viewing the dashboards in the IT Remediation Workspace.

Starting with version 19.0 of Vulnerability Response, the Vulnerability Remediation Dashboard is available in the Next Experience UI from IT Remediation workspace.

Unified Vulnerability Response Dashboard from the Vulnerability Response Workspaces
Starting with version 19.0 of Vulnerability Response, the Unified Vulnerability Response Dashboard is available from Vulnerability Response Workspaces. The centralized aggregated dashboard provides visibility from multiple vulnerability scanners and security tools. The dashboard provides a comprehensive view of an organization's vulnerabilities and risks.
Requesting exceptions for test result groups and Container Vulnerabilities from the Vulnerability Manager Workspace
Starting with version 19.0, you can request exceptions for test result groups and Container Vulnerabilities from Vulnerability Manager Workspace.
Requesting policy exceptions for test result groups and Container Vulnerabilities from the IT Remediation Workspace
Starting with version 19.0, you can request policy exceptions for test result groups, test results, and Container Vulnerabilities from IT Remediation Workspace.
Splitting remediation tasks for test results in the Vulnerability manager Workspace
Starting with version 19.0, you can split remediation tasks for test results in Vulnerability Manager Workspace.
Splitting remediation tasks containing test results in the IT Remediation Workspace
Starting with version 19.0, you split remediation tasks for the test results in IT Remediation Workspace.
Weekly and daily frequency for Recurring Remediation Effort
Starting with version 19.0, you can schedule Recurring Remediation Efforts at daily and weekly frequencies in Vulnerability Manager Workspace.
Explore the Vulnerability Assessment workspace
The Vulnerability Emergency Response application is used by vulnerability event managers to address zero-day or critical vulnerabilities. By identifying the affected configuration items (CIs), vulnerability event managers can respond by generating vulnerable items and assigning them to the remediation team for analysis. Some key features are
  • Visibility to exposure from additional discovery model and assets
  • Ability to perform standalone assessments for a single CVE or vulnerable software for critical vulnerabilities
  • Automatic assessments of the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog or Common-Platform Enumeration (CPE)-based assessment.
  • Assess the exposure of your assets to zero-day vulnerabilities with Exposure assessment in the workspace.
  • Use the Vulnerability Crisis Management workflow to handle vulnerability crisis events from creating a vulnerability assessment record, recording the key attributes of the vulnerability to calculate risks, performing an assessment to identify exposure levels and engage stakeholders for immediately responding to vulnerabilities.
Extension of a deferred vulnerable item before the due date
Starting with version 20.0 of Vulnerability Response, you can request an extension for a deferred vulnerable item before the due date.
Extension of a deferred vulnerable item before the due date in the Vulnerability Manager Workspace
Starting with version 20.0 of Vulnerability Response, you can request an extension for a deferred vulnerable item before the due date from Vulnerability Manager Workspace.
Extension of a deferred exception rule before the due date
Starting with version 20.0 of Vulnerability Response, you can request an extension for a deferred exception rule before the due date.
Extension of a deferred remediation task before the due date
Starting with version 20.0 of Vulnerability Response, you can request an extension for a deferred remediation task before the due date.
Adding compensating controls in Vulnerability Manager Workspace
Starting from v20.0 of Vulnerability Response, you can add compensating controls to the Compensating Controls library in Vulnerability Manager Workspace.
Reducing the risk using compensating controls on the exception management requests in IT Remediation Workspace
Starting from v20.0 of Vulnerability Response, you can request a reduction in the risk rating for a vulnerable item or remediation task by using Compensating Controls from IT Remediation Workspace.
Aggregated Reports Framework in Vulnerability Response Common
Starting from v20.0 of Vulnerability Response, you can create reports by using the Aggregated Reports Framework that is provided in Vulnerability Response Common for better performance.
Applying an exception rule on a deferred VI automatically
Starting from v20.0 of Vulnerability Response, the Check Vulnerable Item and Groups Deferment Expiration system property checks if any exception rule is applicable on a deferred VI that is due and updates the Reason and Until fields as per the exception rule.
Accessing only the vulnerable items assigned to you and your group with the exception approver role
For the exception approver role, sn_vul.exception_approver, the granular role, sn_vul.read_all, has been removed so that you can access the vulnerable items and remediation tasks assigned to you and your group only.
Adding the work notes for a deferred vulnerable item
Starting from v20.0 of Vulnerability Response, you can add the relevant information in the Work Notes field for a deferred vulnerable item also.
Eliminating the need for exception management of closed VIs
Starting from v20.0 of Vulnerability Response, when a detection moves to the stale state, a closed VI remains in the closed state even though a new detection is identified. This change eliminates the need for requesting an exception request or approval for the reopened vulnerable items.
Set up a questionnaire for exception requests based on condition
Starting from v20.0 of Vulnerability Response, you can set up a questionnaire for exception requests based on condition specified in the approval rule.
Set up a questionnaire for false positive requests based on condition
Starting from v20.0 of Vulnerability Response, you can set up a questionnaire for false positive requests based on condition specified in the approval rule.
Set up a questionnaire for risk reduction requests based on condition
Starting from v20.0 of Vulnerability Response, you can configure a questionnaire for risk reduction requests based on condition specified in the approval rule.
Global search enabled for Vulnerability Response Workspaces
Starting from v20.0 of Vulnerability Response, Global search is enabled for Vulnerability Response Workspaces.
Receiving threat intelligence information from Qualys
Starting from version 20.0 of Vulnerability Response, a new list Threat intel is included in the Third-Party Vulnerabilities Entries table.
Quick Start Tests for Vulnerability Response

After upgrades and deployments of new applications or integrations, run quick start tests to verify that Vulnerability Response works as expected. If you customized Vulnerability Response, copy the quick start tests and configure them for your customizations.

Activation information

Install Vulnerability Response and Vulnerability Emergency Response by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.