Application Vulnerability Response release notes
Summary of Application Vulnerability Response release notes - Yokohama Release
The ServiceNow Application Vulnerability Response application, included within the Vulnerability Response suite, integrates security and IT teams to accelerate remediation of critical application vulnerabilities. The Yokohama release enhances monitoring, management, and remediation capabilities specifically for application vulnerabilities, improving efficiency and collaboration across teams.
Key Features
- Penetration Test Workspace: Centralized monitoring of penetration test requests, findings, and team progress with dashboards highlighting critical items, remediation status, and assignments.
- Application Vulnerability Management: Reevaluate risk scores, assignments, remediation dates, exceptions, and remediation tasks for application vulnerable items (AVITs) via the Vulnerability Manager Workspace.
- Third-Party Scanner Integration: Import vulnerability data from supported external scanners to consolidate findings.
- Manual Vulnerability Ingestion: Import AVITs from external sources using standardized templates (CSV, Excel) to streamline data consolidation into the penetration test workspace.
- Application Remediation Task Creation: Users with the appropriate roles (sn_vul.app_sec_manager, sn_vul.app_security_champion) can manually create remediation tasks in the Vulnerability Manager and IT Remediation Workspaces, grouping AVITs by selected criteria.
- Unassign Workflow Support: Allows reassignment or unassignment of AVITs and remediation tasks with optional approval steps to maintain accurate triage records.
- Software Bill of Materials (SBOM) Integration: Upload valid SBOM documents via GitHub Action and manage BOM entities with capabilities like bulk deletion, automatically closing related AVITs.
- Enhanced Penetration Test Assessment Types: Support for additional test types including Emergency Release, Bug Bounty Program, Release Approvals, One-off reviews, and Executive Interest.
- Change Request Creation: Users with specified roles can create change requests from remediation tasks for AVITs linked to configuration items (CIs), expediting manual vulnerability investigations.
- Risk Score Tracking: Optionally track and view changes to risk scores in the Work notes section, with updates logged only when risk scores change.
Activation and Upgrade Information
- Application Vulnerability Response must be installed via the ServiceNow Store and is part of the Vulnerability Response application suite.
- The Software Bill of Materials applications require separate subscriptions.
- For upgrade details, compatibility, and related release notes, customers should consult the Vulnerability Response Compatibility Matrix and relevant knowledge base articles.
- Change request functionality requires that discovered applications be associated with configuration items, which can be configured via system properties.
Benefits for ServiceNow Customers
This release empowers customers to better consolidate and manage application vulnerability data from various sources, prioritize remediation efforts, improve collaboration between security and IT teams, and track penetration testing activities comprehensively. Enhanced task management, integration capabilities, and visibility into risk changes enable faster and more accurate vulnerability resolution, thereby strengthening overall application security posture.
The ServiceNow® Application Vulnerability Response application brings security and IT together to enable you to remediate your most critical vulnerabilities more quickly and efficiently. Application Vulnerability Response is included as part of the ServiceNow® Vulnerability Response application. Application Vulnerability Response was enhanced and updated in the Yokohama release.
Application Vulnerability Response highlights for the Yokohama release
- Monitor your penetration test requests and findings, as well as your team's overall progress in the Penetration Test Workspace.
- Reevaluate the risk score, assignments, remediation target date, exceptions, and remediation task for a specific set of application vulnerable items in the Vulnerability Manager Workspace.
- Integrate with supported third-party scanners to import vulnerability data.
- Compare application vulnerability-related data and determine if application vulnerabilities are found in an application.
- Prioritize, remediate, and manage application vulnerable items (AVITs). Each application vulnerability represents a vulnerability entry in the Common Weakness Enumeration (CWE) or third-party libraries.
- With the sn_vul.app_sec_manager role, create application remediation tasks manually in the Vulnerability Manager Workspace.
- With the sn_vul.app_security_champion role, create application remediation tasks manually in the IT Remediation Workspace.
See Application Vulnerability Response for more information.
Important information for upgrading Application Vulnerability Response to Yokohama
- For information about the new features of Vulnerability Response, see Vulnerability Response release notes.
- For more information about the released versions of the Application Vulnerability Response application as well as the third-party and ServiceNow applications that are compatible with the Xanadu release, see the Vulnerability Response Compatibility Matrix and Release Schema Changes [KB0856498] article in the Now Support Knowledge Base.
New in the Yokohama release
- Enhancements to Application Vulnerability Response
- The Unassign workflow is supported for application vulnerable items (AVITs) and remediation tasks (AVULs).
- Streamline application vulnerability assignments with the Unassign UI action from the more actions menu on an AVIT.
- Reassign incorrectly assigned AVITs, clarify ownership for reassessment, and maintain accurate triage records in workspace views.
- You have the option to send unassign requests for approval prior to clearing the Assigned to and Assignment group fields on records.
- SBOM document upload via GitHub Action
- Upload valid Software Bill of Materials (SBOM) documents to the ServiceNow platform with the help of a GitHub Action.
- Create application remediation tasks manually in the Vulnerability Manager Workspace
- With the sn_vul.app_sec_manager role, you can create application remediation tasks manually by selecting some or all the records in the Application vulnerable items’ lists in the Vulnerability Manager Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating application remediation tasks.
- Create application remediation tasks manually in the IT Remediation Workspace
- With the sn_vul.app_security_champion role, you can create application remediation tasks manually by selecting desired records in the Application vulnerable items’ lists in the IT Remediation Workspace. These records are grouped into one or more remediation tasks according to the grouping criteria selected while creating application remediation tasks.
- Manual Ingestion of vulnerabilities for application vulnerability response
- Import AVITs from external sources via a standardized template (e.g., CSV, Excel) and manage the Penetration test findings lifecycle. You can now ingest vulnerability data, including details such as the affected application, vulnerability description, severity, remediation recommendations, and other necessary details. This enhancement simplifies the process of consolidating vulnerability data from diverse sources into a centralized Penetration test workspace.
- Penetration Test Workspace
- Monitor your penetration test requests and findings as well as your team's overall progress in the Penetration Test Workspace. Prioritize tests that need your attention, track findings, and view assignments with the following data visualizations on the dashboard:
- Important items.
- Critical penetration test requests, and requests grouped by state.
- Reported findings.
- Overall remediation progress based on assignment.
- Enhancements to Penetration Test Assessment Requests
- Along with Full Penetration, Focused, and Re-test, the following assessment types are included for Penetration Test Assessment Requests forms in the Penetration Test Workspace:
- Emergency Release - Supports emergency releases that are required for rapid software updates to address critical issues like security vulnerabilities.
- Bug Bounty Program - Rewards ethical hackers for finding and reporting security vulnerabilities.
- Release Approvals - Ensure that all necessary checks are completed before deploying new software.
- One-off reviews - Assess specific projects outside regular development and release cycles to evaluate performance and implement improvements.
- Executive Interest - Report on senior management's engagement and support for critical projects within the organization.
- Enhancements to the Release Approval and Release Notes fields help you ensure quality and security for your pen test findings. The following states have been added to the Release approval field:
- Not Applicable (Default).
- Approved.
- Denied.
- You can add details to justify your release approvals in the Release notes field.
- Associate CWEs for manual AVIT creation from Penetration Test Assessment Requests
- On the Penetration test findings tab on Penetration Test Assessment Requests, you have the option to associate Common Weakness Enumerations (CWEs) or Common Vulnerabilities and Exposures (CVEs) in the Vulnerability field for manually created AVITs.
- Create change requests in Application Vulnerability Response
- Users with the sn_vul.app_sec_manager and sn_vul.app_sec_champion roles, as well as users with the sn_vul.app_developer role who also have the ITIL role, can create change requests from remediation tasks in the Application Vulnerability Response application. Create change requests to expedite your investigation for application vulnerable items (AVITs) that require manual intervention.
- Create change requests with prepopulated information for scanned applications that are classified as configuration items (CIs).
- The change request workflow in Application Vulnerability Response is similar to the workflow supported in Vulnerability Response. For more information about the Vulnerability Response change request workflow, see Change management for Vulnerability Response.
Note: Change requests are supported for Application Vulnerability Response only if the discovered application is associated with a configuration item (CI). You must set Product model to False in the Use Product Model [sn_vul.use_product_model] system property to associate a discovered application with a CI.
- Enhancements to the Software Bill of Materials Workspace
- You can delete multiple BOM entity records and their related components with bulk edit from the Software Bill of Materials (SBOM) Workspace.
- Any Application Vulnerable Items (AVITs) that are associated with deleted BOM entities automatically transition to Closed.
- View risk score details of a vulnerable item in the Work notes section
- Starting with v25.0.3 of Application Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. Only if you enable it can you see all the changes related to the risk score of an application vulnerable item in the Work notes section. Additionally, a work note is added only when the risk score actually changes.
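The manual ingestion feature above accepts AVITs from a standardized CSV template and the manual remediation-task feature groups selected AVITs by chosen criteria. The following script is an added example written for this page, not ServiceNow's own template or code: it validates a constructed CSV export before ingestion (required columns present, severity on a known scale, vulnerability given as a CWE id) and then groups the findings into remediation tasks by application and CWE, carrying the worst severity per task. The column names, severity scale and sample findings are all assumptions made for illustration.

```python
"""Added example: validate a CSV of pentest findings and group them into
remediation tasks. Column names and the severity scale are assumptions,
not the ServiceNow template."""
import csv
import io
from collections import defaultdict

# Assumed template columns (hypothetical; the real template may differ)
REQUIRED_COLUMNS = {"application", "cwe", "title", "severity",
                    "description", "remediation"}
# Assumed severity scale, ordered from most to least severe
SEVERITY_ORDER = ["critical", "high", "medium", "low"]

# Constructed sample export; these are not real findings
SAMPLE_CSV = """application,cwe,title,severity,description,remediation
PayrollPortal,CWE-79,Reflected XSS in search,high,User input echoed unencoded,Output-encode the search term
PayrollPortal,CWE-79,Stored XSS in profile,high,Bio field rendered as HTML,Encode on render
PayrollPortal,CWE-89,SQL injection in report filter,critical,Filter concatenated into query,Use parameterized queries
HRBenefits,CWE-79,XSS in help widget,medium,Widget renders untrusted text,Encode on render
HRBenefits,CWE-798,Hard-coded API key,high,Key checked into repo,Rotate key and move to vault
"""


def parse_findings(csv_text):
    """Parse the CSV, check required columns and severities, and normalise
    fields. Raises ValueError naming the row so a bad export fails before
    anything is ingested."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"template is missing columns: {sorted(missing)}")
    findings = []
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        sev = (row["severity"] or "").strip().lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"row {row_no}: unknown severity {row['severity']!r}")
        cwe = row["cwe"].strip().upper()
        if not cwe.startswith("CWE-"):
            raise ValueError(f"row {row_no}: vulnerability must be a CWE id")
        finding = {k: row[k].strip() for k in REQUIRED_COLUMNS}
        finding["severity"] = sev
        finding["cwe"] = cwe
        findings.append(finding)
    return findings


def group_into_remediation_tasks(findings, criteria=("application", "cwe")):
    """Group AVITs into remediation tasks keyed by the chosen criteria.
    Each task carries the highest severity among its items so triage order
    is visible; tasks are returned most severe first."""
    groups = defaultdict(list)
    for f in findings:
        groups[tuple(f[c] for c in criteria)].append(f)
    tasks = []
    for key, items in groups.items():
        worst = min(items, key=lambda f: SEVERITY_ORDER.index(f["severity"]))
        tasks.append({"criteria": dict(zip(criteria, key)),
                      "severity": worst["severity"],
                      "items": items})
    tasks.sort(key=lambda t: (SEVERITY_ORDER.index(t["severity"]),
                              tuple(t["criteria"].values())))
    return tasks


if __name__ == "__main__":
    for task in group_into_remediation_tasks(parse_findings(SAMPLE_CSV)):
        print(task["severity"], task["criteria"], len(task["items"]), "item(s)")
```

Failing the whole file on the first malformed row, rather than skipping it, mirrors what a practitioner wants from an ingestion gate: a silently dropped critical finding is worse than a rejected upload. Changing `criteria` to `("application",)` collapses everything per application, which is the other grouping a reviewer would typically compare against.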
Activation information
Install Application Vulnerability Response by requesting it from the ServiceNow Store. Application Vulnerability Response is included as a part of the Vulnerability Response application. The Software Bill of Materials applications require a separate subscription. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.