Requesting and approving an exception
- Updated Feb 1, 2024
- Washington DC
- Vulnerability Response
You can request to defer the remediation of a vulnerable item or remediation task for a specified period. For example, as a remediation owner, you can request an exception if a patch is not available for a machine. Approvers who have access can approve requests from other users.
You can request exceptions from the Vulnerability Response Workspaces. See Request an exception in the IT Remediation Workspace.
- Request an exception for a vulnerable item
- Request an exception for a remediation task
- Request a bulk exception
You can also request policy exceptions using GRC: Policy and Compliance Management:
- Request an exception using GRC: Policy and Compliance Management
- Request a bulk exception using GRC: Policy and Compliance Management
Email notifications are sent at every stage of exception management, providing the status and other details of a request. For example, when an exception is requested, the requester receives an email confirming that the request has been raised. The approver also receives an email stating that an exception has been requested.
Starting from v21.0 of Vulnerability Response, you can configure the time frames for approving false positives and exceptions, along with email notifications for both the approver and requester after a set number of days. When a request is raised, the vulnerable item changes to In-Review status and a state change record is created. If the approver doesn't respond within the configured time frame, the vulnerable item or remediation task reverts to Open status. The previous state is stored in the backup_state field. For more information, see Configure approval rules for Exception Management.