We are interested in using the feature that enables you to use the Compliance module for vulnerability exceptions instead of the VR module.
I am interested in how people manage this due to what appear to be limited functionality.
Example: I have a Windows Server which has a control objective that requires a critical patch to be deployed within 14 days. The patching schedule is 16 days later so they have asked for an exception 'Waiting for maintenance window'.
The server gets its exception. Then they also find that the server also has a patching issue with Firefox, but they cant patch it as the new patch conflicts with other applications. So they would like to put a 'Mitigating control' in place.
Due to the fact that the entity can only have one exception against it, how do you accommodate dropping to this level with this method?
