Vulnerability management policy

For Assess users, vulnerability policies can clean up your view of security risks. Use these policies to define if vulnerabilities of a certain severity require approval to have their statuses change, or if they should be closed automatically.

There are two types of vulnerability policy:

  • Auto-verification policies automatically change the status of a vulnerability to "Remediated - Auto-verified".

  • Violation policies mark a vulnerability as being in violation of a policy. When this is triggered, you will see a "Policy violation" notice on the vulnerabilities thermometer on the dashboard.

Either policy can be set to be triggered based on time or route.

You can set in-app notifications when vulnerabilities violate these policies. Administrators are notified of violations in-app and by email.


A RulesAdmin can set vulnerability policies, but only an Organization Administrator can set vulnerability behavior.