Vulnerability management policy

Either type of vulnerability policy can be set to trigger based on time or route.

For Assess users, an Organization Administrator can set vulnerability policy to require status change approval based on vulnerability severity, or set the policy so that vulnerabilities are closed automatically.

You can set in-app notifications for when vulnerabilities violate these policies. Administrators are notified of violations in-app and by email.


You can set vulnerability policies and review pending changes if you are an Organization RulesAdmin with RulesAdmin permissions for the target application. You must be an Organization Administrator to require vulnerability approval.

There are two types of vulnerability policy:

  • Auto-verification policies automatically change the status of a vulnerability to Remediated - Auto-verified. Hover over the status, or select the vulnerability name, then select the Activity tab for more information.

  • Violation policies mark a vulnerability as being in violation of a policy. When this is triggered, you will see a Policy violation notice on the thermometer in the vulnerabilities section of the dashboard.

    Image: dashboard status for vulnerabilities, showing policy violations.