Qualys Enterprise TruRisk Platform (VMDR)
Limited Customer Release Notes
Version 2.2.0
March 17, 2025
What Are Risk Acceptance Rules
Accepting risks from vulnerability findings means making a conscious decision to recognize and tolerate certain vulnerabilities without addressing them right away. There may be several reasons for this inaction, such as a lack of available downtime, the absence of a patch, or the incompatibility of applications with new updates.
This approach is usually taken when the cost of mitigation is greater than the potential impact of a vulnerability or when the risk is within the organization’s acceptable risk tolerance level.
After consulting with internal stakeholders, you may categorize certain vulnerabilities as false positives or conclude that specific findings cannot be addressed.
Documenting accepted risks and assigning responsibility for regular monitoring and reassessment is crucial.
What Are the Benefits of Accepting Risk
The benefits are:
- Resource Optimization: Focus resources on higher-priority vulnerabilities.
- Strategic Alignment: Align risk acceptance with business goals and risk appetite.
Steps to Create a Risk Acceptance Rule
You can create this rule from the Responses tab.
Go to the Responses tab > Risk Acceptance Rules > Create Rules.
Step 1: Enter Basic Details
A Risk Acceptance Rule allows you to acknowledge certain vulnerability risks without immediately remediating them. This may be due to effective mitigation controls or an internal agreement classifying the vulnerabilities as accepted risks or false positives.
Start by providing rule information and setting the exception duration, which defines the period during which the risk is accepted.
Field Name | Description |
Rule Information | Enter a rule name and description. Rule Name is required. |
Exception Duration | Define the time period during which a risk acceptance rule remains in effect, that is, how long the matching vulnerabilities or findings are excluded from remediation and from the TruRisk calculation. Once the exception period expires, the previously exempted findings may be flagged again for review or remediation. |
Step 2: Define Scope
Enter QQL queries to define the scope of the acceptance rule and validate your query.
Vulnerability queries are mandatory.
Queries for Defining Scope
You can only use a limited set of queries, as listed below, to define your scope.
Asset | Vulnerability | RiskFactor |
interfaces.address | vulnerabilities.vulnerability.qid | vulnerabilities.riskFactor.cisaKnownExploits |
interfaces.hostname | vulnerabilities.typeDetected | vulnerabilities.riskFactor.threatActorName |
netbiosName | vulnerabilities.port | vulnerabilities.riskFactor.exploitType |
agent.agentID | vulnerabilities.hostOS | vulnerabilities.riskFactor.rti |
operatingSystem | vulnerabilities.protocol | vulnerabilities.riskFactor.malwareName |
tracking method | vulnerabilities.severity | vulnerabilities.riskFactor.exploitCodeMaturity |
criticalityScore | vulnerabilities.status | |
riskScore | vulnerabilities.vulnerability.cveIds | |
aws.ec2.instanceId | vulnerabilities.detectionScore | |
azure.vm.vmId | vulnerabilities.nonRunningKernel | |
| vulnerabilities.nonExploitableConfig | |
Step 3: Provide Reason for Exception
Explain why this risk is accepted or does not apply to your environment.
- If you choose Risk Accepted, you are acknowledging and accepting the risk, and it will be excluded from TruRisk calculations.
- If you choose False Positive, it means that although findings will be identified, they will be deemed irrelevant to the environment and excluded from TruRisk calculations.
Step 4: Define Expiry Notification Settings
Configure when and to whom expiry notifications should be sent.
Recipients: Provide the email addresses of recipients who should receive the notification.
Days Before Exception: Specify the number of days before expiry when the notification email should be sent.
After saving, review and confirm your configurations, then save again. Finally, acknowledge the selected exception.
Once created, the exception rule will appear on the Risk Acceptance Rule listing page.
A risk acceptance rule is applied only after a scan runs; it is not enforced immediately upon creation.
About Asset and Finding Inventory
The Assets and Finding fields provide an overview of the asset and finding inventory detected on your assets.
- Clicking an Asset Inventory redirects you to the Vulnerabilities > Assets page, where you can view the assets in your inventory.
- Clicking a Finding Inventory redirects you to the Vulnerabilities > Vulnerabilities page, where you can see the vulnerabilities detected on your assets.
In both cases, the vulnerabilities.riskAcceptanceId token is applied as a filter so that only the assets or vulnerabilities covered by that rule are displayed.
Quick Action Menu
Using the Quick Action Menu that appears next to a rule on mouse hover, you can perform the following actions:
- View Details of the rule. This is read-only.
- Edit the rule.
Changes to a risk acceptance rule take effect 12 hours after editing, regardless of when the last scan was run.
- Delete the rule.
About Excluded Vulnerabilities Filter
The Excluded Vulnerabilities filter helps you identify and manage vulnerabilities intentionally omitted from reporting or remediation workflows. By deselecting the "Ignored - Risk Accepted" and "Ignored - False Positives" options in this filter, you can specifically view vulnerabilities your organization has previously classified as accepted risks or false positives.
Using these filter options, security teams can regularly review vulnerabilities that have been accepted as risks or marked as false positives, ensuring that these decisions remain valid over time.
New Tokens
The following table lists the new tokens introduced with this enhancement.
Token | Description |
vulnerabilities.riskAcceptance | Use this token to filter vulnerabilities by how they are being handled or categorized. Values: RISK_ACCEPTED, FALSE_POSITIVE. Examples: show vulnerabilities whose risk has been accepted without immediate remediation: vulnerabilities.riskAcceptance:RISK_ACCEPTED. Show vulnerabilities identified as false positives, meaning the vulnerability does not exist or was incorrectly flagged: vulnerabilities.riskAcceptance:FALSE_POSITIVE |
vulnerabilities.riskAcceptanceId | Use this token to see the vulnerabilities linked, by its unique identifier, to a specific risk acceptance record. Example: show vulnerabilities associated with risk acceptance ID 12345: vulnerabilities.riskAcceptanceId:12345 |
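To make the rule semantics from Steps 1 to 4, the Excluded Vulnerabilities filter and the two new tokens concrete, here is a small Python model added to these notes. It is not Qualys code and does not call the Qualys platform. It assumes a scope grammar of token:value clauses joined by "and", a first-matching-rule-wins policy, a stand-in TruRisk score that simply sums detectionScore over non-excluded findings, and constructed findings, rules and dates; the token names, the restricted token set and the RISK_ACCEPTED / FALSE_POSITIVE values are the ones listed on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scope tokens permitted by the release notes (Asset, Vulnerability, RiskFactor columns).
ALLOWED_SCOPE_TOKENS = {
    "interfaces.address", "interfaces.hostname", "netbiosName", "agent.agentID",
    "operatingSystem", "tracking method", "criticalityScore", "riskScore",
    "aws.ec2.instanceId", "azure.vm.vmId",
    "vulnerabilities.vulnerability.qid", "vulnerabilities.typeDetected",
    "vulnerabilities.port", "vulnerabilities.hostOS", "vulnerabilities.protocol",
    "vulnerabilities.severity", "vulnerabilities.status",
    "vulnerabilities.vulnerability.cveIds", "vulnerabilities.detectionScore",
    "vulnerabilities.nonRunningKernel", "vulnerabilities.nonExploitableConfig",
    "vulnerabilities.riskFactor.cisaKnownExploits", "vulnerabilities.riskFactor.threatActorName",
    "vulnerabilities.riskFactor.exploitType", "vulnerabilities.riskFactor.rti",
    "vulnerabilities.riskFactor.malwareName", "vulnerabilities.riskFactor.exploitCodeMaturity",
}
REASONS = ("RISK_ACCEPTED", "FALSE_POSITIVE")


def parse_scope(query: str):
    """Split a scope query into (token, value) clauses (grammar assumed: 'a:b and c:d'),
    enforcing the restricted token set and the rule that a vulnerability clause is mandatory."""
    clauses = []
    for raw in query.split(" and "):
        token, sep, value = raw.strip().partition(":")
        if not sep or token not in ALLOWED_SCOPE_TOKENS:
            raise ValueError(f"token not allowed in scope: {token!r}")
        clauses.append((token, value.strip()))
    if not any(t.startswith("vulnerabilities.") for t, _ in clauses):
        raise ValueError("vulnerability queries are mandatory")
    return clauses


@dataclass
class RiskAcceptanceRule:
    rule_id: int            # becomes vulnerabilities.riskAcceptanceId on matched findings
    name: str
    reason: str             # Step 3: RISK_ACCEPTED or FALSE_POSITIVE
    scope: str              # Step 2: scope query
    start: date
    duration_days: int      # Step 1: exception duration
    notify_days_before: int  # Step 4: "Days Before Exception"
    recipients: list        # Step 4: notification recipients

    def __post_init__(self):
        if self.reason not in REASONS:
            raise ValueError(f"unknown reason {self.reason!r}")
        parse_scope(self.scope)  # reject a bad scope when the rule is created

    @property
    def expiry(self) -> date:
        return self.start + timedelta(days=self.duration_days)

    def active_on(self, today: date) -> bool:
        return self.start <= today < self.expiry


def matches(finding: dict, clauses) -> bool:
    """Case-insensitive equality per clause; list fields (e.g. cveIds) match on membership."""
    for token, value in clauses:
        actual = finding.get(token)
        candidates = actual if isinstance(actual, list) else [actual]
        if not any(str(c).lower() == value.lower() for c in candidates):
            return False
    return True


def apply_rules(findings, rules, today: date):
    """Tag each finding matched by an active rule; the first matching rule wins (assumption)."""
    tagged = []
    for finding in findings:
        finding = dict(finding)
        for rule in rules:
            if rule.active_on(today) and matches(finding, parse_scope(rule.scope)):
                finding["vulnerabilities.riskAcceptance"] = rule.reason
                finding["vulnerabilities.riskAcceptanceId"] = rule.rule_id
                break
        tagged.append(finding)
    return tagged


def trurisk(findings) -> int:
    """Stand-in for the TruRisk calculation: sum of detectionScore over findings not excluded."""
    return sum(f["vulnerabilities.detectionScore"] for f in findings
               if "vulnerabilities.riskAcceptance" not in f)


def excluded_vulnerabilities(findings, statuses=REASONS):
    """The Excluded Vulnerabilities filter: findings classified as accepted risk or false positive."""
    return [f for f in findings if f.get("vulnerabilities.riskAcceptance") in statuses]


def expiry_notifications(rules, today: date):
    """Rules whose notification date (expiry minus Days Before Exception) falls on today."""
    return [(r.rule_id, r.recipients) for r in rules
            if today == r.expiry - timedelta(days=r.notify_days_before)]


# Constructed sample data; not real scan output, rule IDs or addresses.
TODAY = date(2025, 3, 17)
FINDINGS = [
    {"interfaces.hostname": "web-01", "vulnerabilities.vulnerability.qid": 91000,
     "vulnerabilities.severity": 5, "vulnerabilities.detectionScore": 80,
     "vulnerabilities.riskFactor.cisaKnownExploits": True},
    {"interfaces.hostname": "app-02", "vulnerabilities.vulnerability.qid": 38170,
     "vulnerabilities.severity": 3, "vulnerabilities.detectionScore": 40,
     "vulnerabilities.nonRunningKernel": True},
    {"interfaces.hostname": "db-01", "vulnerabilities.vulnerability.qid": 91000,
     "vulnerabilities.severity": 5, "vulnerabilities.detectionScore": 80,
     "vulnerabilities.riskFactor.cisaKnownExploits": True},
    {"interfaces.hostname": "legacy-03", "vulnerabilities.vulnerability.qid": 11111,
     "vulnerabilities.severity": 2, "vulnerabilities.detectionScore": 20},
]
RULES = [
    RiskAcceptanceRule(1001, "web-01 behind compensating control", "RISK_ACCEPTED",
                       "vulnerabilities.vulnerability.qid:91000 and interfaces.hostname:web-01",
                       date(2025, 3, 1), 90, 14, ["vmteam@example.com"]),
    RiskAcceptanceRule(1002, "non-running kernel findings", "FALSE_POSITIVE",
                       "vulnerabilities.nonRunningKernel:true",
                       date(2025, 3, 10), 30, 23, ["secops@example.com"]),
    RiskAcceptanceRule(1003, "expired legacy exception", "RISK_ACCEPTED",
                       "vulnerabilities.vulnerability.qid:11111",
                       date(2025, 1, 1), 30, 7, ["vmteam@example.com"]),
]

if __name__ == "__main__":
    tagged = apply_rules(FINDINGS, RULES, TODAY)
    print("TruRisk before/after:", trurisk(FINDINGS), trurisk(tagged))
    print("excluded:", [(f["interfaces.hostname"], f["vulnerabilities.riskAcceptance"])
                        for f in excluded_vulnerabilities(tagged)])
    print("notify today:", expiry_notifications(RULES, TODAY))
```

Running the block shows the points the notes make: the db-01 finding shares a QID with web-01 but is not covered because the scope also names the host, rule 1003 no longer affects its finding because its exception duration has elapsed, and rule 1002 fires its expiry notification exactly "Days Before Exception" days ahead of expiry. A rule without a vulnerability clause, or using a token outside the restricted set, is rejected at creation time, matching the scope restrictions above.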
Limitations
To ensure clarity and consistency, the following limitations apply when defining your scope using queries:
- Enablement Restrictions: This feature can only be activated if the Remediation Policy is not in use.
- Scope of Risk Acceptance: Risk acceptance is limited to the Vulnerability Management Detection and Response (VMDR) UI and is not supported in Vulnerability Management Reports or API.
- Restricted Query Set: Only the queries listed in this section can be used.
- Rule Application Timing: A risk acceptance rule is applied only after a scan runs and is not enforced immediately upon creation.
- Editing Rules: Changes to a risk acceptance rule take effect 12 hours after editing, regardless of the timing of the last scan.