Manage Vulnerabilities
When SBOM scans discover vulnerabilities, they automatically appear on the Vulnerability Management page for triage and assessment. You can also manually add vulnerabilities or import them via Excel. This guide covers the complete workflow for tracking vulnerabilities from discovery through remediation.
Before You Begin
- You have created a product in Product Security Hub
- You have imported your SBOM and run a vulnerability scan, or plan to add vulnerabilities manually
🔑 Key Concept: Vulnerability Sources
Vulnerabilities appear on the Vulnerability Management page from three sources:
- SBOM Scans: created automatically when your SBOM is scanned against the Google OSV database
- Manual Entry: add vulnerabilities via the "+ Assess a New Vulnerability" button
- Excel Import: bulk import using the downloadable Excel template
Navigate to Vulnerability Management
From your product page, click Vulnerability Mgmt in the top navigation tabs. This opens the vulnerability management dashboard showing all identified vulnerabilities.
Dashboard Overview:
The dashboard displays all vulnerabilities in a sortable table. New vulnerabilities from scans appear at the top of the list, highlighted so you can easily identify them.
Use Severity Filters
In the top-right corner of the dashboard, you'll see colored circles showing counts by severity level. Click any circle to filter the list.
- Critical
- High
- Medium
- Low
💡 Tip: Click on a severity circle to filter the list to only those vulnerabilities. Click again or use the search box to clear the filter.
Run a KEV Check
Click the KEV Check button to check all CVE numbers against the US DHS CISA Known Exploited Vulnerabilities (KEV) list. This identifies vulnerabilities that are actively being exploited in the wild.
⚠️ Important
KEV Check also runs automatically every night. Use the manual check when you need immediate results, such as after importing new vulnerabilities or before a security review.
Vulnerabilities found on the KEV list will show a checkmark in the KEV column. These should be prioritized for immediate remediation regardless of CVSS score.
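As an added example (not Product Security Hub code), the following shows what a KEV check and the "KEV first, regardless of CVSS" ordering look like when done offline: it matches dashboard Vuln IDs against a KEV feed document in the CISA JSON shape and sorts the queue. The feed and dashboard rows are constructed stand-ins with placeholder CVE numbers.

```python
"""Added example (not Product Security Hub code): run a KEV check against a CISA KEV
feed document and order the triage queue KEV-first, then by CVSS, then by age."""
from datetime import date
import json

# Constructed stand-in for the CISA KEV JSON feed. The real feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
# has the same shape; only the "cveID" field is needed for the check. Placeholder IDs.
KEV_FEED_JSON = """{"title": "constructed KEV sample", "vulnerabilities": [
  {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo", "product": "ExampleLib",
   "dateAdded": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2099-0003", "vendorProject": "ExampleCo", "product": "ExampleServer",
   "dateAdded": "2024-05-10", "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed dashboard rows: VM ID, Vuln ID, Base CVSS 3.1, Date Identified.
# VM_0004 was entered manually and has no CVE or score yet.
VULNS = [
    {"vm_id": "VM_0001", "vuln_id": "CVE-2099-0002", "cvss": 9.8, "date_identified": "2024-06-01"},
    {"vm_id": "VM_0002", "vuln_id": "cve-2099-0001", "cvss": 6.5, "date_identified": "2024-06-10"},
    {"vm_id": "VM_0003", "vuln_id": "CVE-2099-0003", "cvss": 7.5, "date_identified": "2024-05-20"},
    {"vm_id": "VM_0004", "vuln_id": None, "cvss": None, "date_identified": "2024-06-12"},
]
TODAY = date(2024, 6, 15)  # fixed "today" so the example is reproducible

def load_kev_ids(feed_json: str) -> set[str]:
    """Return the CVE IDs listed in a KEV feed document, upper-cased for matching."""
    return {v["cveID"].upper() for v in json.loads(feed_json)["vulnerabilities"]}

def kev_check(vulns: list[dict], kev_ids: set[str]) -> list[dict]:
    """Return copies of the rows with a boolean "kev" field set (the KEV column)."""
    return [{**v, "kev": (v.get("vuln_id") or "").upper() in kev_ids} for v in vulns]

def vuln_age(date_identified: str, today: date) -> int:
    """Days since discovery (the Vuln Age column)."""
    return (today - date.fromisoformat(date_identified)).days

def triage_order(vulns: list[dict], kev_ids: set[str], today: date) -> list[str]:
    """VM IDs in remediation order: KEV entries first regardless of CVSS,
    then higher CVSS, then older findings first."""
    rows = kev_check(vulns, kev_ids)
    rows.sort(key=lambda v: (not v["kev"], -(v["cvss"] or 0.0), -vuln_age(v["date_identified"], today)))
    return [v["vm_id"] for v in rows]

if __name__ == "__main__":
    print(triage_order(VULNS, load_kev_ids(KEV_FEED_JSON), TODAY))
```

Note that the lowercase `cve-2099-0001` still matches: identifiers are normalised before comparison, which is the kind of detail a manual spot-check tends to miss.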
Understand the Dashboard Columns
The vulnerability dashboard provides extensive information. Click the Settings icon to customize which columns are visible.
Available Columns:
- VM ID: internal reference
- Status: In Triage, In Progress, etc.
- Component: affected component name
- Ver #: component version
- Vuln ID: CVE or other identifier
- KEV: on the CISA KEV list
- Severity: Critical/High/Medium/Low
- Base CVSS 3.1: CVSS 3.1 base score
- CVSSV4: CVSS 4.0 score
- Date Identified: discovery date
- Vuln Age: days since discovery
- Product Component: your product component
Add a New Vulnerability
Click + Assess a New Vulnerability to open the vulnerability assessment page. You can also import vulnerabilities using an Excel file.
- + Assess a New Vulnerability: opens the full assessment form to manually add and document a new vulnerability
- Download Template File: get an empty Excel template for bulk importing vulnerabilities
- Download Pre-Populated Template: export current vulnerabilities to Excel for offline editing
Complete the Vulnerability Details
The vulnerability assessment page follows the CycloneDX specification. Fill in the header fields to link the vulnerability to your product.
Header Fields:
- Select Component: link to your product component
- Select SBOM: associate with an SBOM container
- Select SBOM Component: link to a specific SBOM component
- Source: where the vulnerability was reported
- Status: triage status of the vulnerability
- Priority: remediation priority level
- Date Identified: when the vulnerability was discovered
- Date Added to PSH: auto-populated, read-only
Document the Vulnerability Details Section
The VULNERABILITY DETAILS section captures identifying information about the vulnerability. For vulnerabilities created from SBOM scans, the OSV fields are pre-populated and cannot be edited.
- Bom-Ref: internal reference ID (e.g., VM_331b)
- CVE #: CVE identifier, if available
- Source Name: reporting source (e.g., NVD, GitHub)
- Source URL: link to the original advisory
- CWEs: separate by comma if more than one
- Date Published: when the vulnerability was published
- ☑️ KEV: checkbox indicating whether the vulnerability is on the CISA KEV list
Description Fields:
One Sentence Summary: Provide a brief summary of the potential vulnerability, risk, or threat being assessed
Detailed Description: Provide a detailed description of the potential vulnerability, risk, or threat being assessed
🔒 OSV Fields (Read-Only)
For vulnerabilities created from SBOM scans, the following fields are pulled from Google OSV and cannot be edited:
Add Ratings, References, and Ranges
Use the expandable sections to add scoring information and supporting documentation. Each section has an orange button to add new entries.
- + Add Rating(s): add CVSS and other vulnerability scores
- + Add Reference(s): link to external resources and advisories
- + Add Range(s): specify affected and fixed version ranges
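Because the assessment page follows the CycloneDX specification, the fields above (Bom-Ref, CVE #, Source Name/URL, CWEs, ratings, ranges) and the state, justification and response recorded in the Vulnerability Analysis section map onto one CycloneDX `vulnerabilities[]` entry. As an added example, not Product Security Hub code, the following builds that entry from a constructed form submission and rejects analysis values the CycloneDX 1.5 schema does not allow; the CVE number, URL and component refs are placeholders.

```python
"""Added example (not Product Security Hub code): map the assessment-form fields onto a
CycloneDX 1.5 `vulnerabilities[]` entry and reject analysis values the spec does not allow."""
import json

# Enumerations from the CycloneDX 1.5 vulnerability `analysis` object.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
                   "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}

# Constructed form submission; CVE number, URL and component refs are placeholders.
SAMPLE_FORM = {
    "bom_ref": "VM_0001", "cve": "CVE-2099-0001", "source_name": "NVD",
    "source_url": "https://example.invalid/advisory/CVE-2099-0001",
    "cwes": "79, 89", "date_published": "2024-05-01T00:00:00Z",
    "summary": "Constructed placeholder summary.", "detailed_description": "Constructed.",
    "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31",
                 "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
    "ranges": [{"ref": "pkg:pypi/examplelib@1.2.0", "range": "vers:pypi/<1.3.0",
                "status": "affected"}],
    "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                 "response": ["will_not_fix"], "detail": "Affected API is not called."},
}

def build_vulnerability(form: dict) -> dict:
    """Return the CycloneDX vulnerability entry for one form; ValueError on bad enums."""
    analysis = form["analysis"]
    if analysis.get("state") not in ANALYSIS_STATES:
        raise ValueError(f"invalid analysis state: {analysis.get('state')!r}")
    # A "not affected" finding needs a recorded justification (regulatory evidence).
    if analysis["state"] == "not_affected" and analysis.get("justification") not in JUSTIFICATIONS:
        raise ValueError("not_affected requires a valid justification")
    if set(analysis.get("response", [])) - RESPONSES:
        raise ValueError(f"invalid response values: {analysis['response']}")
    return {
        "bom-ref": form["bom_ref"], "id": form["cve"],
        "source": {"name": form["source_name"], "url": form["source_url"]},
        # The form takes CWEs as a comma-separated string; CycloneDX wants integers.
        "cwes": [int(c) for c in form["cwes"].split(",") if c.strip()],
        "description": form["summary"], "detail": form["detailed_description"],
        "published": form["date_published"], "ratings": form["ratings"],
        "affects": [{"ref": r["ref"], "versions": [{"range": r["range"], "status": r["status"]}]}
                    for r in form["ranges"]],
        "analysis": analysis,
    }
if __name__ == "__main__":
    print(json.dumps({"vulnerabilities": [build_vulnerability(SAMPLE_FORM)]}, indent=2))
```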
Complete the Vulnerability Analysis
The VULNERABILITY ANALYSIS section captures your organization's assessment of the vulnerability's impact.
- Are Any Customers Impacted?: select Yes/No/Unknown
- Complaint Ticket #: link to customer complaints
- CAPA #: corrective action reference
- Was Internal Replication Performed?: TBD / Yes / No
- Is There a Potential Safety Impact?: TBD / Yes / No
- Is The Risk to Safety Controlled/Uncontrolled?: select controlled/uncontrolled
- Safety Risk ID #: reference to the safety risk assessment
- Select Response: initial response determination
- Justification: dropdown for justification type
- Detailed Description: detailed description of the impact, including methods used during assessment
- Select Associated Residual Risks: + New Residual Risk
- Select Associated Threats: + New Threat
Document the Vulnerability Response
The VULNERABILITY RESPONSE section captures your remediation plan and any patches or advisories issued.
- Remediation Plan: select remediation approach
- Target Remediation Date: planned date for the fix
- Summary of Current Action or Remediation Plan: describe the current action or remediation plan
- Justification or Mitigation Details: provide a justification or mitigation details for this vulnerability
- + Add Advisory: document security advisories you've published about this vulnerability
- Select Associated Patches: + New Patch
Delete Multiple Vulnerabilities
To delete multiple vulnerability records at once, use the checkboxes in the RM column on the dashboard.
1. Click the checkbox in the RM column next to each vulnerability you want to delete
2. Click the trash can icon in the table header to delete the selected records
3. Confirm the deletion when prompted
Best Practices
- Prioritize KEV vulnerabilities: vulnerabilities on the CISA KEV list are actively exploited. Address these first regardless of CVSS score.
- Use severity filters for triage: click the colored circles to focus on critical and high severity vulnerabilities during triage sessions.
- Document your analysis: capture detailed justification when determining that a vulnerability is not applicable; this supports regulatory evidence.
- Link to related records: connect vulnerabilities to threats, residual risks, and patches to maintain full traceability.
- Review new vulnerabilities promptly: new vulnerabilities appear highlighted at the top. Review them within your organization's SLA window.
- Export for regulatory submissions: use the Excel export to generate reports for FDA submissions or customer security questionnaires.
What's Next?
Continue building your vulnerability management workflow:
1. Understand CVSS Scoring: learn how to score vulnerabilities with CVSS 3.1 and 4.0
2. Triage Vulnerabilities: review and assess discovered vulnerabilities for impact and exploitability
3. Manage Residual Risks: document residual risks that arise from vulnerabilities you cannot fully remediate