Vulnerability Status

Vulnerability status may be Open, Closed, Accepted, Out of Scope, Mitigated, or Invalid.

Status	Description
Open	An open vulnerability has been identified but has not been remediated (closed), accepted, mitigated, or noted as invalid.
Closed	A closed vulnerability was identified at one point but has since been remediated, and retesting did not find that the vulnerability was still exploitable.
Accepted	An accepted vulnerability is one that the customer has noted as "accepted," meaning that the vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk.
Out of Scope	A vulnerability may be Out of Scope if it was associated with a hostname that has been removed from the asset in Sentinel.
Mitigated	A vulnerability may be mitigated if it is known, and has not been remediated (closed), but steps have been taken to minimize the associated risk (e.g., by the use of RASP tool).
Invalid	A vulnerability may, rarely, be labeled as "invalid" if it was incorrectly verified as a vulnerability or if it was a duplicate of an existing vulnerability. Invalid vulnerabilities are not security issues, though if an invalid vuln is a duplicate of a valid vuln, that valid vuln is still an issue.

Status

Description

Open

An open vulnerability has been identified but has not been remediated (closed), accepted, mitigated, or noted as invalid.

Closed

A closed vulnerability was identified at one point but has since been remediated, and retesting did not find that the vulnerability was still exploitable.

Accepted

An accepted vulnerability is one that the customer has noted as "accepted," meaning that the vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk.

Out of Scope

A vulnerability may be Out of Scope if it was associated with a hostname that has been removed from the asset in Sentinel.

Mitigated

A vulnerability may be mitigated if it is known, and has not been remediated (closed), but steps have been taken to minimize the associated risk (e.g., by the use of RASP tool).

Invalid

A vulnerability may, rarely, be labeled as "invalid" if it was incorrectly verified as a vulnerability or if it was a duplicate of an existing vulnerability. Invalid vulnerabilities are not security issues, though if an invalid vuln is a duplicate of a valid vuln, that valid vuln is still an issue.