# Remediate vulnerabilities in bulk or individually

You can use our powerful bulk vulnerability remediation to remediate large groups of vulnerabilities within a product, across products, or target a particular component's vulnerabilities with the click of a button, enabling you to speed triage and ensure remediation consistency of particular vulnerabilities across your product portfolio.

To make the most of your time, you'll likely want to start with the most critical vulnerabilities first, so that you can assess their severity given your particular device, its environment and its use. The **CVSS v3** column in shown by default in the **Vulnerabilities** table. You can click the **Columns** link above the table header row to customize your data display, including adding the **CVSS v2** column.

Initially, all of your vulnerabilities will have a **Status** of **blank**. For CycloneDX status, you'll ultimately want to remediate each of these to either **Exploitable** or **Not affected**. For VEX status, you’ll ultimately want to remediate each of these to either **Affected** or **Not affected**.  Some MDMs use CycloneDX for assigning internal statuses, while using the CycloneDX VEX profile to assign external statuses that will be communicated to customers and other external stakeholders.

## Bulk remediate vulnerabilities

1. In the toolbar of the **Vulnerabilities** table, you'll see a **Remediate N vulns** link. If you have vulnerabilities selected in the table, this N indicates how many you have selected.&#x20;
2. Click **Remediate N vulns** to display the **Remediate** panel.&#x20;
3. If you're still investigating a vulnerability, choose the interim status for CycloneDX of *In triage*. If you have any information that will help triage these vulnerabilities, you will be able to add that to the **Evidence** field once you have chosen a status.&#x20;
4. If you're ready to remediate the vulnerability to a final status, choose the appropriate status. For CycloneDX, depending on the status, you may also need to select a remediation and justification for that remediation.&#x20;
5. If you'd also like to add a VEX status, click the **Add CycloneDX VEX** status link. Note that this is the CycloneDX profile of VEX, not OpenVEX, so the statuses are a subset. If you're still investigating a vulnerability, choose the interim status for CycloneDX VEX of *Unknown*.
6. If you select any status besides an interim status for either CycloneDX or CycloneDX VEX, you'll need to provide information to explain this status change in the **Evidence** field. This will provide you with an audit trail for this vulnerability.
7. Click **Remediate N vulnerabilities**. In the **Vulnerabilities** table, you'll see the respective status(es) display in the **CycloneDX status** and **VEX status** columns, respectively.

## Remediate individual vulnerability

1. If you're not familiar with a particular vulnerability, click **Actions > View details** to get all vulnerability information. Close this panel when you're ready to remediate this vulnerability.
2. In the **Vulnerabilities** table, click **Actions > ... > Remediate vulnerability** for the vulnerability that you'd like to remediate. This will display the **Remediate** panel.
3. If you're still investigating a vulnerability, choose the interim status for CycloneDX of *In triage*. If you have any information about the vulnerability that will help triage it, you will be able to add that to the **Evidence** field once you have chosen a status.&#x20;
4. If you're ready to remediate the vulnerability to a final status, choose the appropriate status. For CycloneDX, depending on the status, you may also need to select a remediation and justification for that remediation.&#x20;
5. If you'd also like to add a VEX status, click the **Add CycloneDX VEX** status link. Note that this is the CycloneDX profile of VEX, not OpenVEX, so the statuses are a subset. If you're still investigating a vulnerability, choose the interim status for CycloneDX VEX of *Unknown*.
6. If you select any status besides an interim status for either CycloneDX or CycloneDX VEX, you'll need to provide information to explain this status change in the **Evidence** field. This will provide you with an audit trail for this vulnerability.
7. Click **Apply remediation**. In the **Vulnerabilities** table, you'll see the respective status(es) display in the **CycloneDX status** and **VEX status** columns, respectively.