Managing CVEs in Your Own Organization (SPM) Erin Conry As an SPM user, you can add Statements to any CVE to reflect your internal understanding, for example, if you've already mitigated the risk or accepted it. Go to the Vulnerability Detection page. Use the 'Statement' column to view the current status. Select the CVE, then click the ‘Set Statement’ button at the top to update.Statement OptionsYou can choose from the following: No Statement - No action has been taken yet Unreviewed - You’ve acknowledged the CVE but haven’t reviewed it yet Not Vulnerable - You’ve determined the CVE doesn’t affect your environment Under Review - Your team is currently analyzing the CVE Risk Accepted - You’ve decided to accept the risk Tip: Save your filters to hide CVEs that don’t need attention.Statement VisibilityWhen adding a Statement, you can choose whether it should be: Internal - Only visible to your organization (in the SPM App only) External - Shared with third parties monitoring you in the CM App. Note: CVE Statements are restricted to each company/subsidiary independently. So, be aware that the CM clients may be monitoring your top-level parent company, your primary rating, or any of your subsidiaries. Tip: If you have the same CVE in different companies within your ratings tree and want to ensure that the CV clients monitoring you see the CVE Statement, regardless of the company they are monitoring, please ensure the CVE statement exists on all companies in your ratings tree. You can see if a company in your ratings tree is being monitored by third parties on the Company Details page > Company Info tile (top right corner of the dashboard) > Monitored by X companiesWhere You’ll Use StatementsVulnerability Detection Page: Filter by statement or visibility; update CVEs in bulk; and save custom filter sets to hide irrelevant vulnerabilities.Audit Logs: Every update is tracked, including who made the change and when. Tip: Hover over a CVE row in the table and click the icon on the far right to view the audit of the CVE statements.Best Practices Add statements regularly for visibility and clarity Mark irrelevant CVEs as Not Vulnerable or Risk Accepted Save filters to streamline daily triage Make statements public when transparency is beneficial Related articles Change your My Company Create Company Notes Feedback 0 comments Please sign in to leave a comment.