Is there a way to get CVEs and relate them to Vendors?

Mehernosh Amrol
Giga Guru

I've been asked to research TPRM and have been asked by the team to see if there is a way that we can get CVEs noted by vendors. Does anyone have any information or guidance?


For example, this CVE from Microsoft would be somewhere in the Third-Party form or a related list tab?

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30386 

Microsoft Office Remote Code Execution Vulnerability, CVE-2025-30386


3 REPLIES

CFrandsen
Tera Guru

I think I might have the idea of what you are trying to achieve, but before venturing deeper into it - would you be able to elaborate just a tiny bit?

My guess is (and please correct me if I'm way off):
You want to utilize the TPRM module (Third Party Portal in this case) to allow your vendors to provide you with CVEs identified or noted on their end?
And once you have them, you want to utilize your Vulnerability Response module for registering these third-party CVEs against their company record?

Summarized into: 
"Get third parties to register/report CVEs via the TPRM module, while we handle internal CVEs via Vulnerability Response."



If this pointed you in the right direction, hit Helpful to spread the good vibes.
If it cracked the case for you, mark it Correct so the next person doesn’t have to reinvent the wheel.

Yes, what I want to see is that while Vulnerability Response is against the application, I would also like to relate the CVE to my third party.


For example, 

CVE-2025-43573 is for Adobe Acrobat Reader, so Vulnerability Response would have Adobe Acrobat Reader; this CVE would also show up under the Adobe or Acrobat Reader engagement.

TLDR: vendors submit CVEs via TPRM, you relate them back to VR as needed, and both modules continue doing what they’re designed to do, just slightly more connected.

It's not "straightforward", but you should be able to do so by using mostly OOB capabilities within TPRM and Vulnerability Response.

The key idea is to let your vendors submit CVE information through the Third-Party Risk Management portal as part of their ongoing assessments or issue disclosures.
You can easily add a field to the vendor profile, assessment questionnaire, or risk forms where the vendor can provide CVE IDs they’ve identified. This might be just a simple text field for the CVE number, or — if you want tighter integration — you could set it up as a reference to the Vulnerability Response vulnerability table.

Once vendors submit these CVEs, they become part of the vendor record in TPRM, giving you full visibility into which third parties are reporting which vulnerabilities.
From there, you can build simple automation (using Flow Designer or even Business Rules) to check whether the CVE already exists in Vulnerability Response. If it doesn’t, you can create a new Vulnerability record in VR and link it to the relevant applications or services in your CMDB.

The advantage of this approach is that you maintain a clean separation of responsibilities: vendors report their CVEs through TPRM, and your internal teams continue to handle the triage, risk scoring, and remediation activities through the standard Vulnerability Response workflows.
It also keeps the process largely within the existing ServiceNow data models and avoids heavy customization, which helps with long-term maintainability.


That would be my take on an approach 😄 


