
Zero day Vulnerability - Best Practice

sach1
Tera Guru

Hi All,

 

I am looking for guidance and best practice on how to handle zero-day vulnerabilities in ServiceNow for cases where CVEs are not available.

 

Came across the below KB article, which talks about creating a new table by extending the OOTB Vulnerability table. Is that the only way?

How to handle Zero Day Vulnerabilities in Vulnerability Module - Support and Troubleshooting

 

We want to create VITs and remediation tasks for the vulnerabilities for which CVEs are not created.

 

#secops #vulnerability 

#SIR #VR

15 REPLIES

sach1
Tera Guru

@Simon Hendery @Chris McDevitt  

@Rajesh singh 

Can you share your thoughts?

Sarath S
ServiceNow Employee

@sach1 : For Zero-Day vulnerabilities where a CVE is not yet published, you don’t need to extend the Vulnerability table. A more effective and scalable approach is to use Exposure Assessment in Vulnerability Response.

With Exposure Assessment, an analyst can initiate an assessment using only the impacted software, even when the CVE ID is not available. You simply input the affected software, and the assessment automatically identifies installations from the cmdb_sam_sw_install. Once the software match is established, users can:

  • Create Vulnerability Items (VITs) tied to the impacted CIs

  • Trigger existing automation rules, including

    • VIT assignment

    • Remediation Task generation

    • Remediation Target Rules, etc.

  • Continue through your full workflow exactly as it would for CVE-based vulnerabilities

  • Finally, close VITs using Auto-Close Rules once remediation is complete

This approach allows you to operationalize Zero-Day vulnerabilities seamlessly, without waiting for a CVE to be published and without creating custom tables. 

 

In short: Exposure Assessment by software is best practice for handling Zero-Day vulnerabilities in ServiceNow. It allows you to identify the exposure, generate VITs, and drive remediation end-to-end—even before official CVE details exist.

 

If you're looking for an even more streamlined and coordinated process during high-severity Zero-Day events, you can also leverage Vulnerability Crisis Management. It provides an orchestrated workspace to track the Zero-Day, collaborate across teams, and monitor remediation progress, all while your Exposure Assessment driven VITs and remediation tasks flow automatically in the background.

 

Exposure Assessment document:

https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/vulnerability-respons...

 

Vulnerability Crisis Management document: https://www.servicenow.com/docs/bundle/zurich-security-management/page/product/vulnerability-respons...

 

Thanks,
Sarath S

Does it work without SAM? Even if we try with a new Vulnerability, it still asks for a CVE number.

Sarath S
ServiceNow Employee

This will work without SAM. There is an option for Assess by Software where CVE Input is not required.