Vulnerability Response remediation task states
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Vulnerability Response remediation task states
Vulnerability Response (VR) in ServiceNow manages vulnerable item detections imported from third-party integrations, creating and updating Vulnerability Items (VITs). The remediation tasks associated with these VITs progress through defined states that reflect the lifecycle of vulnerability remediation. These states are synchronized with related change requests when Change Management for VR is enabled, ensuring consistent tracking of remediation efforts.
Show less
Starting with VR version 23.0, the Remediation Task State Approval workflow is deprecated and replaced by a Flow Designer flow. The Close button was removed from remediation tasks; task closure is now controlled by scanner confirmation.
Remediation Task States and Actions
Each remediation task state allows specific actions to manage vulnerabilities effectively:
- Open: Initial state. Actions include identifying duplicate VITs, starting investigation, marking false positives, requesting exceptions to defer remediation, resolving tasks, creating or associating change requests, splitting tasks by filtering vulnerable items, deferring tasks with reasons and reopen dates, and deleting tasks.
- Under Investigation: Triggered by starting investigation. Allows creating security incidents, change requests, and splitting tasks.
- Deferred: Used to postpone remediation with approval required. From here, you can create change requests, split tasks, create security incidents, reopen to Open, or delete. Deferment details are tracked, and tasks reopen automatically on the defer date.
- Awaiting Implementation: Indicates remediation is handled outside VR. Actions include creating security incidents, change requests, splitting tasks, deferring, resolving, or deleting.
- Resolved: Marked when remediation is complete but pending scanner confirmation. You can create security incidents, change requests, reopen tasks, or delete. Resolution notes are maintained.
- Closed: Set automatically by the scanner upon confirmation. Tasks can be reopened or deleted. Closure information is recorded.
Key Operational Details
- Only remediation owners can mark tasks or VITs as Resolved; closure depends on scanner confirmation.
- Administrators can delete or close multiple manually created VITs as needed.
- Deferring tasks is useful for low-risk items awaiting change windows or patches; exceptions can be requested with documented reasons.
- When VITs reopen, their state resets to Open and they are reevaluated against active remediation rules, preserving historical data while enabling continued remediation.
- State, Reason, and Until fields on remediation tasks and VITs are evaluated and updated automatically, including when tasks are split or VITs are updated.
- If all VITs in a remediation task share a defer reason, the task inherits that reason; if reasons differ, the task's reason is cleared. The earliest reopen date among VITs is reflected on the task.
- Reopening any VIT sets the remediation task state back to Open.
- A scheduled job runs every 15 minutes to roll up and synchronize vulnerability item and remediation task statuses.
Practical Implications for ServiceNow Customers
This structured remediation task state model enables customers to:
- Track and manage vulnerabilities throughout their lifecycle with clear, actionable states.
- Leverage automated synchronization between remediation tasks and change requests to streamline remediation workflows.
- Use deferral and exception mechanisms to manage remediation timelines and risk appropriately.
- Maintain audit trails and ensure accurate status tracking as vulnerabilities and remediation tasks evolve.
- Integrate with security incidents and change management processes to align security remediation with broader IT and security operations.
Third-party integrations import vulnerable item detection data that create new vulnerability items (VITs) or update existing VITs. Detection states update VIT states in so far as they’re Open or Closed.
For more information on how a detection's state affects a VIT's state, see the Detections, remediation tasks, and vulnerable item states.
With Change management for Vulnerability Response, there’s a synchronized relationship between the state fields of the remediation tasks and the state fields of the change requests (CHG) in the Vulnerability Response product. As a change
request moves through its life cycle, it also moves the state of any related remediation tasks automatically. After a change request is implemented, the remediation task is automatically resolved. See State synchronization between change requests and remediation tasks for more information.
Note:
Starting with v23.0 of Vulnerability Response:
- the Remediation Task State Approval workflow is deprecated and replaced by flow Remediation Task State Approval in the flow designer.
- the Close button has been removed for a remediation task and the closure of a remediation task is driven by the scanner.
The following table lists the remediation task states and the actions that you can perform on a remediation task at the respective state:
| State | Description |
|---|---|
| Open | State upon creation. From this state you can:
|
| Under Investigation | Triggered by the Start Investigation button. From this state, you can:
|
| Deferred | Triggered by the Request Exception button. As part of the approval workflow, the Deferred state is In Review and can't be closed until approved. From this state, you can:
Deferment information appears under the Close/Defer tab. On the defer date, the group reopens for remediation. |
| Awaiting Implementation | Triggered by the Awaiting Implementation button. From this state, you can:
|
| Resolved | Triggered from the Resolve button. From this state you can:
Notes appear under the Notes tab. Resolution information appears under the Resolution tab. |
| Closed | Triggered by the scanner. From this state, you can:
Closure information appears under the Close/Defer tab. |
- The remediation owner can only mark a vulnerable item or remediation task as resolved. Based on the confirmation from the scanner, this resolved item or remediation task can be marked as Closed or reopened.
- The Delete button is available for the administrator when there are multiple vulnerable items created manually, and these need to be closed or deleted.
- If you determine that the items are a low risk, waiting for a change window, or a patch, you can change their remediation task to the
Deferred state for a defined amount of time. You
can request an exception using the Request Exception option.Note:When remediation tasks are deferred or closed, you can specify resolutions to further define the reasons for doing so.
- When a VIT is reopened, either manually or automatically, the following happens:
- The VIT state changes to Open. The original remediation task state doesn't update.
- The VIT is reevaluated and put into a new or existing remediation task that is based on the active Remediation Task Rules.
This preserves its history while enabling further remediation.
- When a remediation task is created (automatically or manually), or split, then its State, Reason, and Until fields are evaluated.
In case of the split action, these fields are evaluated for both the old and new remediation tasks. When a VIT is updated, then the State, Reason, and Until
fields of all its associated remediation tasks are evaluated.
- If all the VITs in a remediation task are deferred and have the same reason, then the remediation task's state changes to Deferred and the VITs' reason is assigned to the remediation task. If the VITs differ in reason, then the remediation task's reason changes to None.
- The closest Until date of all the VITs is updated in the Until field of the remediation task.
- If you reopen any VIT, then the state of the remediation task changes to Open.
This evaluation is done by the Rollup vulnerability item values to vulnerability and group scheduled job, which runs every 15 minutes.