Vulnerability Response Integration with NVD release notes

  • Release version: Store
  • Updated June 11, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Vulnerability Response Integration with NVD release notes

    The Vulnerability Response Integration with the National Vulnerability Database (NVD) enables ServiceNow customers to import and manage vulnerability data, including Common Vulnerability Exposures (CVEs) and Common Platform Enumerations (CPEs), directly from NVD. This integration supports automatic updates of vulnerability scoring and mappings, helping organizations maintain current and accurate vulnerability assessments within their ServiceNow environment.

    Show full answer Show less

    Key Features

    • Data Import and Mapping: The integration imports CVE and CPE data from NVD, including updated support for NVD API version 2.0 and API key authentication to enhance security and reliability.
    • CVSS Score Handling: It aligns with the latest CVSS version 4.0 scoring and maps secondary CVSS scores when primary ones are unavailable, ensuring accurate vulnerability severity representation.
    • Assessment Enhancements: Allows creation of vulnerability assessments using version range information without needing explicit CPE creation, streamlining the assessment process.
    • API Efficiency Improvements: Uses optimized API endpoints to reduce the number of calls required for associating software with NVD entries, enhancing performance.
    • Access Control and UI Updates: Migrated query access control definitions to a standardized codebase for consistent enforcement, along with improvements to the admin console user interface for better management.
    • Source Tracking: The integration marks CPE and reference data with 'NVD' as the source, allowing precise identification and deletion of NVD-related records.

    Key Outcomes

    • Customers can maintain an up-to-date vulnerability database synchronized with NVD, improving risk visibility and response capabilities.
    • Improved accuracy in vulnerability scoring and mapping reduces false positives and ensures prioritization aligns with industry standards.
    • Streamlined integration reduces manual effort in vulnerability assessments and enhances efficiency in vulnerability management workflows.
    • Enhanced security and access control measures ensure proper governance of vulnerability data within the ServiceNow platform.

    Version history for the Vulnerability Response Integration with NVD on the ServiceNow Store.

    Important:
    For details on system requirements and family compatibility, view the application listing on the ServiceNow Store website.

    Version history

    Version 30.3.1 - June 2026
    • Changed:
      • Admin console UI changes.
      • Migrated query access control definitions in National Vulnerability Database (NVD) to the standard product codebase, ensuring consistent access control enforcement.
    Version 30.3.0 - April 2026 (USEM)
    • Fixed: The Common Vulnerability Scoring System (CVSS) V4 score mapping to align with the latest NVD API response structure.
    • Changed: Added the no_audit_delete attribute to the NVD CPE key [sn_vul_nvd_cpe_key] table.
    Version 1.7.4 - April 2026
    • Fixed: The Common Vulnerability Scoring System (CVSS) V4 score mapping to align with the latest NVD API response structure.
    • Changed: Added the no_audit_delete attribute to the NVD CPE key [sn_vul_nvd_cpe_key] table.
    Version 1.7.1 - August 2025
    New: Create assessments without explicitly creating CPEs using the Version Range information that the National Vulnerability Database (NVD) provides.
    Version 1.6.1 - May 2025
    Changed: The 'Source' column in the reference table and the CPE field should be populated with 'NVD'. If any changes occur, only the CPE and references marked with the source 'NVD' should be deleted.
    Version 1.5.3 - December 2024
    Minor fixes for this release.
    Version 1.5.1 - November 2024
    New: The National Vulnerability Database (NVD) now includes entries for the Common Vulnerability Scoring System (CVSS) score 4.0 values.
    Version 1.4.5 - May 2024
    Fixed: The NVD integration has been fixed to utilize the secondary CVSS score when primary CVSS score is unavailable.
    Version 1.4.3 - February 2024
    Changed: CVSS3.0 will be considered for processing if CVSS3.1 is not present in the NVD response.
    Version 1.4.2 - November 2023
    Fixed: Updated unmapped integration to use the cpesearch Rest Endpoint API so that the number of API calls are reduced to NVD for associating software with NVD entry if the NVD entry exists.
    Version 1.3.3 - August 2023 (Vancouver)
    • New:
      • Created the following integrations to use NVD API 2.0 version.
      • NIST National Vulnerability Database Integration - API (CPE only). This integration fetches CPEs.
      • NIST National Vulnerability Database Integration - API (Unmapped CPE). This integration maps CPEs with the CVEs.
    • Changed: Deprecated existing integration i.e NIST National Vulnerability Database Integration - API (CVE and CPE).
    Version 1.2.0 - May 2022
    New: Added support for using API keys for calling NVD endpoints.
    Version 1.1.0 - October 2021
    • Changed:
      • Modifications to support changes to the CPE APIs done by NIST. These changes restrict CPE APIs by limiting date ranges to 120 days.
      • When you enter a start or end date for the optional parameters, you need to provide both the start and end dates.
    Version 1.0.3 - June 2021
    Fixed: The "source" attribute is populated in the Third-party entry table for NVD records. Vulnerable Software records from NVD are available as expected.
    Version 1.0.0 - February 2021
    • New:
      • Initial release.
      • Two NVD integrations that import the CVEs and CPEs information from the NIST National Vulnerability Database (NVD).