Exception Management
To define a systematic approach for managing and documenting exceptions to identified vulnerabilities that deviate from established remediation protocols.

Key Elements of a Vulnerability Exception

Exception Name: A descriptive title summarizing the exception.

Description: A detailed explanation of the exception, including its scope and impact.

Identifiers
  Asset IDs: Identifies the resources impacted by this exception. Use for wildcard.
  Vulnerability IDs: Specific vulnerabilities covered by this exception. Use for wildcard.
  Zone IDs: Resource zones impacted. Use for wildcard.

Risk Scoring
  Turbine Risk Score Range: Defines the range of scores for the vulnerabilities affected. Use 1 for wildcards. Minimum: 0. Maximum: 1000.
  CVSS Base Score Range: Minimum and maximum CVSS scores for covered vulnerabilities, using 1 for wildcards.

Ownership: The individual responsible for the exception, including contact information.

Expiration: Defines a clear timeline for the exception, including an expiration date.

Reason: Documented rationale for granting the exception (for example, operational necessity, low risk, and so on).

Status: Tracks the current state of the exception (active/inactive).

All of the above fields are required in order to create an exception.

Exceptions are evaluated whenever a finding is ingested into the Turbine platform, or when re-enrichment is triggered from the vulnerability finding application.