Vulnerability Exemption Process
If a finding cannot be addressed, it must fit one of the exemption categories outlined below. Exemption requests have to be submitted by the Application Owner or Systems team with a valid reason why the finding cannot be addressed.
Business Requirement
If resolving the vulnerability finding would have a negative impact on the application or the system, this classifies as an exemption. These exemptions have an expiration date based on the timeframe of the fix.
False Positive
If a vulnerability is reported and the application owner or system team determines that it is a false positive, this qualifies for an exemption. Security takes a proactive approach to preventing false positives by checking the RPM (Red Hat Package Manager) database and installed software using authenticated scans. However, we are aware that no software is perfect.
Requests will be submitted via the ServiceNow self-service module and assigned to the Cybersecurity assignment group.
Required Information:
Exemption Type: Business Requirement or False Positive
Asset: List Hostnames/ IP Address(es)
Vulnerability: List specific vulnerability. For example: RHSA-2015:1330: python security, bug fix, and enhancement update
Remediation Step: Upgrade python
Exemption Justification: Upgrading to the latest version of python would break a production application
Timeframe: It will require 6 months of effort to rewrite the code and migrate to the latest version of python (needed if exemption type is a business requirement)
False Positive Notes: Nexpose is reporting on the kernel incorrectly. Vulnerability impacts version Y and the installed version is X. (needed if exemption type is a false positive)