Remediate a vulnerability

Depending on your organization, you'll likely want to start with the most critical vulnerabilities, assessing each one's actual severity given your particular device, its environment and its use. In the CVSS score column, you'll see both a v2 and a v3 score. Older vulnerabilities may only have a v2 score, while newer ones may only have a v3 score. We recommend that you remediate vulnerabilities that have a v3 score first.

Initially, all of your vulnerabilities will have a blank Status. For CycloneDX status, you'll ultimately want to move each of these to a final status of either Exploitable or Not affected. For VEX status, you'll ultimately want to move each of these to either Affected or Not affected.

To do so:

  1. If you're not familiar with a particular vulnerability, click Actions > Review to get all vulnerability information and any earlier remediation history. Close this panel when you're ready to remediate this vulnerability.

  2. For each vulnerability with a blank status in the CycloneDX status or VEX status column (if you're using both CycloneDX and VEX to remediate your vulnerabilities, check both columns), click Actions > … > Remediate.

  3. You can either provide an updated status with corresponding evidence, or add an interim note if your assessment is in progress but you have not yet determined a status.

  4. In the Specification type drop-down, select CycloneDX 1.4. You can also choose to add a VEX status. This is the CycloneDX VEX profile, not OpenVEX, so its statuses are a subset. Some medical device manufacturers (MDMs), for example, use CycloneDX statuses for internal tracking and the CycloneDX VEX profile for the external statuses they communicate to customers and other external stakeholders.

  5. In the Status drop-down, select the status corresponding to your chosen specification type.

  6. Depending on your specification type, you may also need to provide a justification for the status change.

  7. For any status change to a status other than VEX's Unknown, provide whatever evidence you have that supports the new status. This gives you an audit trail for the vulnerability.

  8. Click Apply changes.
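As an added example (not part of this page or the vendor's product), the following Python shows what the choices above amount to in data: it prioritises a constructed set of findings by CVSS v3 score first and v2 second, then builds and checks the CycloneDX 1.4 `analysis` record that a status, justification and evidence entry produces. The state and justification enumerations are those of the CycloneDX 1.4 JSON schema; the rules that a `not_affected` status needs a justification and that a final status needs evidence in `detail` restate the steps above, and the finding IDs, scores and NVD URLs are placeholders.

```python
"""Prioritise findings by CVSS and build/validate CycloneDX 1.4 analysis
(VEX) records. Added example; not the vendor's code."""
import json

# Enumerations from the CycloneDX 1.4 JSON schema (impactAnalysisState /
# impactAnalysisJustification).
CDX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}
CDX_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}
# The two statuses the page treats as final for CycloneDX.
FINAL_STATES = {"exploitable", "not_affected"}

# Constructed sample findings; IDs and scores are placeholders, not real CVEs.
FINDINGS = [
    {"id": "CVE-0000-0001", "cvss_v2": 7.5, "cvss_v3": None},
    {"id": "CVE-0000-0002", "cvss_v2": None, "cvss_v3": 9.8},
    {"id": "CVE-0000-0003", "cvss_v2": 5.0, "cvss_v3": 4.3},
    {"id": "CVE-0000-0004", "cvss_v2": 10.0, "cvss_v3": None},
]


def prioritise(findings):
    """Work order: findings with a v3 score first (highest first), then
    v2-only findings (highest first). A finding with no score sorts last."""
    return sorted(findings, key=lambda f: (
        f["cvss_v3"] is None,  # False (has v3) sorts before True
        -(f["cvss_v3"] if f["cvss_v3"] is not None else (f["cvss_v2"] or 0.0)),
    ))


def make_analysis(state, detail, justification=None, response=None):
    """Build the `analysis` object of a CycloneDX 1.4 vulnerability entry.
    `detail` carries the evidence text; `response` is optional (e.g. update)."""
    analysis = {"state": state, "detail": detail}
    if justification is not None:
        analysis["justification"] = justification
    if response:
        analysis["response"] = list(response)
    return analysis


def validate_analysis(analysis):
    """Return a list of problems; an empty list means the record is acceptable.
    The enum checks follow the schema. Requiring a justification only for
    not_affected is a convention of this example (the justification values all
    explain why a component is not affected), and requiring evidence for a
    final status restates the page's audit-trail rule."""
    problems = []
    state = analysis.get("state")
    if state not in CDX_STATES:
        problems.append(f"unknown state {state!r}")
    just = analysis.get("justification")
    if just is not None and just not in CDX_JUSTIFICATIONS:
        problems.append(f"unknown justification {just!r}")
    if state == "not_affected" and just is None:
        problems.append("not_affected requires a justification")
    if state != "not_affected" and just is not None:
        problems.append("justification only applies to not_affected")
    if state in FINAL_STATES and not analysis.get("detail", "").strip():
        problems.append("final status requires evidence in `detail`")
    return problems


def vex_entry(finding, analysis):
    """Minimal CycloneDX 1.4 vulnerability object carrying the analysis.
    The NVD URL is a placeholder built from the sample ID."""
    return {
        "id": finding["id"],
        "source": {"name": "NVD",
                   "url": f"https://nvd.nist.gov/vuln/detail/{finding['id']}"},
        "analysis": analysis,
    }


if __name__ == "__main__":
    ordered = prioritise(FINDINGS)
    print([f["id"] for f in ordered])
    record = make_analysis(
        "not_affected",
        "Vulnerable function is not linked into the firmware image (see build manifest).",
        justification="code_not_present")
    print(validate_analysis(record))
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "vulnerabilities": [vex_entry(ordered[0], record)]}
    print(json.dumps(bom, indent=2))
```

Running the script prints the work order (v3-scored findings first, highest score first), an empty problem list for the well-formed record, and a minimal CycloneDX 1.4 document carrying it; feeding `validate_analysis` a final status with blank `detail`, or a justification on any state other than `not_affected`, returns the corresponding problem strings.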

© Copyright MedCrypt 2023, All rights reserved.