This article provides an overview of finding statuses and the associated lifecycle of a finding within Nucleus.
Finding statuses

Each status represents a specific stage of the vulnerability management process so you can manage and track vulnerabilities through the entire workflow. These statuses appear on either the Vulnerabilities > Active page or the Vulnerabilities > Resolved page.
Finding statuses can be set manually by a user in the UI and/or API, by automation rules, or by imported scans. When a status is set, it is then intelligently tracked and updated or persisted based on the method that set it, as well as the time that the status was changed.
When a status is set by an imported scan, it can be overwritten by users or automation rules. The overriding status will then always* persist, even if the scan source later reports further status changes.
* This is true for all scan sources except HackerOne and Bugcrowd, which track persistence differently because their findings are manually discovered and the primary use case of these tools is their workflow. See the HackerOne and Bugcrowd articles for more details.
Findings that have had their status most recently set from a scan source will also have their status changed if an update occurs from a more recent scan or snapshot of findings. For example, if a finding is ingested with a status of Potential, and a later scan is then ingested with a status of Waiting For Verification, the status of the finding will change.
To view all the Active Vulnerabilities with a specific status, go to the Status column search box and enter one of the Active Statuses below.

Here are the statuses for vulnerabilities in Nucleus:
Active Statuses
Active
This is the default value of a vulnerability in Nucleus. All findings which are found by scanners are considered active. Active means that the vulnerability is present and has not been resolved.
When a finding is in this status, Nucleus will create a ticket if you have a ticketing integration and a rule that meets other criteria in the finding.
Exception Requested
Indicates a finding can't be remediated to meet a security standard or policy.
When a finding is in this status, Nucleus will not close or update tickets. This status is a way for remediation teams to signal to the security team that a vulnerability is a false positive, duplicate, needs a risk acceptance, or otherwise needs to be taken off their books. The individual requesting the exception needs to include a comment stating what type of exception they are requesting and upload evidence or artifacts justifying it. A member of the security team will then review the evidence and change the state to exception granted, risk accepted, mitigated, or false positive as appropriate.
Fixed
Indicates a finding has been marked as fixed, but it needs to be confirmed by a scanner. This status works well for network security vulnerabilities which can easily be detected by a network scanner (e.g., disabling SSLv2 and SSLv3). Once it is complete, the sysadmin marks the vulnerability as fixed, but it is not officially mitigated until it is confirmed by a scanning tool.
When a finding is in this status, Nucleus will not close or update tickets. It will close or update a ticket as appropriate after verification from the scanner.
The Fixed status in Nucleus is a unique status. If a new scan comes in that shows the vulnerability is still active then the "Fixed" status will switch back to "Active". It is designed to handle the situation where you think a vulnerability has been resolved but you want the scanner to verify it.
This is the only status that behaves this way. All other statuses are permanent.
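The persistence rules described above (scan-set statuses follow newer scans, user and automation-rule statuses persist, Fixed reverts on a rescan) can be modelled as follows. This is an added example, not Nucleus code; the names Event, Finding, resolve and the masked flag are assumptions made for illustration. It leaves out HackerOne and Bugcrowd, and assumes a scan reports "Active" when a Fixed finding is still present and that the reverted status then counts as scan-set.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

SCAN, USER, RULE = "scan", "user", "rule"  # who set a status (names assumed)

@dataclass
class Event:
    time: int     # constructed ordinal timestamp of the status change
    source: str   # SCAN, USER or RULE
    status: str   # status name as written in this article

@dataclass
class Finding:
    status: str = "Active"                # default status per the article
    set_by: str = SCAN
    scanner_status: Optional[str] = None  # what the scan source last reported

    @property
    def masked(self) -> bool:
        """A persisted manual status is hiding a scanner-reported Active."""
        return self.set_by != SCAN and self.scanner_status == "Active"

def apply(finding: Finding, ev: Event) -> None:
    if ev.source in (USER, RULE):
        # Users and automation rules overwrite any status; it then persists.
        finding.status, finding.set_by = ev.status, ev.source
        return
    finding.scanner_status = ev.status
    if finding.set_by == SCAN:
        # A scan-set status follows the more recent scan.
        finding.status = ev.status
    elif finding.status == "Fixed" and ev.status == "Active":
        # Fixed is the one manual status that a scan reverts to Active.
        finding.status, finding.set_by = "Active", SCAN

def resolve(events: Iterable[Event]) -> Finding:
    finding = Finding()
    for ev in sorted(events, key=lambda e: e.time):  # apply oldest first
        apply(finding, ev)
    return finding

if __name__ == "__main__":
    # Constructed history: a manual risk acceptance followed by a rescan.
    history = [Event(1, SCAN, "Active"), Event(2, USER, "Accepted Risk"),
               Event(3, SCAN, "Active")]
    result = resolve(history)
    print(result.status, "| masked:", result.masked)
```

The masked flag is useful when auditing resolved findings: it marks those whose persisted manual status differs from what the scanner still reports.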
In-Progress
Denotes vulnerabilities that are in the process of being fixed. This is a similar concept to using a board in development, which gives quick insight into which tasks are in progress.
When a finding is in this status, Nucleus will not close or update tickets. This status is a way for teams to signal they are working on an issue while providing more clarity than simply stating they are working on it.
Potential
Indicates a finding may be a vulnerability but hasn't yet been confirmed and is not yet awaiting verification. Some scanners will report vulnerabilities as potential, indicating the system exhibits signs of having a vulnerability, but the scanner was unable to determine this conclusively. This most frequently happens with unauthenticated scans. Another common scenario is when a scanner finds a system with a pending reboot. The scanner will report this as a potential vulnerability, since the typical reason for a system wanting to reboot is that patches have been applied. A system in this state may have its security posture affected.
When a finding is in this status, Nucleus will not close or update tickets. It is possible to use this status in finding processing rules to trigger different workflows, such as assigning them to a different team or setting longer due dates.
Waiting for 3rd Party
This status is similar to "Waiting for Verification", but it denotes when a 3rd party is involved and we are waiting on them. For example, we found a vulnerability in an MSP-managed system and have told them about it, but we are waiting for their confirmation that it has been fixed.
When a finding is in this status, Nucleus will not close or update tickets. This status is a way for teams to signal they are working on an issue, while providing more clarity than simply stating they are working on it.
Waiting for Verification
Used when validating that the vulnerability has been tasked with a ticket to somebody else. Implies that someone is working on it and we are waiting to see if it is a true vulnerability or not.
When a finding is in this status, Nucleus will not close or update tickets. This status is a way for teams to signal they are working on an issue, while providing more clarity than simply stating they are working on it.
Resolved Statuses
Accepted Risk
Indicates the risk associated with a vulnerability has not met the threshold for business risk, or the vulnerability is valid but the business has accepted the risk associated with it.
When a finding is in this status, Nucleus will close existing tickets and will not open new tickets based on scan results, unless the vulnerability appears on new assets that were not previously seen.
Duplicate
Occasionally, vulnerability scanners will find the same vulnerabilities. You can mark findings as duplicates with this status, indicating the vulnerability is being tracked elsewhere.
There are a few situations where this status is useful. The most common is when a scanner uses a different signature for authenticated and unauthenticated scans, resulting in some of each in Nucleus. This allows you to mark the unauthenticated results as duplicates to prevent inflated vulnerability counts.
When a finding is in this status, Nucleus will close existing tickets and will not open new tickets based on scan results, unless the vulnerability appears on new assets that were not previously seen.
Exception Granted
Sometimes you need to stop counting a vulnerability as open even though it isn't a false positive, or you want to count it as mitigated even though it's not really a risk acceptance. You can use this status to take the finding off the remediation team's list when those situations apply.
When a finding is in this status, Nucleus will close existing tickets and will not open new tickets based on scan results, unless the vulnerability appears on new assets that were not previously seen.
False Positive
Indicates a vulnerability is a false positive. Scanners may incorrectly mark something as a vulnerability and this status removes the vulnerability from the active vulnerability list. Vulnerabilities marked as false positives will move to the Vulnerabilities > Resolved page, where you can click on the finding and review its details. In the event you accidentally marked the finding as a false positive, you can change the status of the vulnerability back to active from the Vulnerabilities > Resolved page.
When a finding is in this status, Nucleus will update an existing ticket, removing any assets marked as false positive. It will close the ticket if all assets are marked as false positives and will not open new tickets based on new scan results, unless the vulnerability appears on new assets that were not previously seen.
Mitigated
This status is similar to "Fixed", but does not need to be validated by a scan. Generally, this status should be accompanied by some sort of comment or evidence that the vulnerability has been mitigated as it does not need to be validated by the scanner to be considered fully mitigated. Think of this status as "Fixed - Confirmed Manually", but it can also apply to other mitigations, such as when a compensating control is in place to mitigate the effects of a specific vulnerability, which can be noted in the comments and evidence section.
When a finding is in this status, Nucleus will close an existing ticket and will not open new tickets based on new scan results, unless the vulnerability appears on new assets that were not previously seen.
Partially Mitigated
Indicates some of the assets for this vulnerability have been manually marked as mitigated, but there are still active vulnerabilities present. This commonly occurs when you mark a single asset as a False Positive but there are other assets affected by that vulnerability.
When a finding is in this status, Nucleus will update an existing ticket, if you have a ticketing integration, but it will not close a ticket until the vulnerability is mitigated on all the remaining assets, whether through a scan or other exception handling.
Vulnerabilities > Resolved Page Statuses
The following are only relevant to the Resolved page:
Mitigated Via Scan
Indicates the vulnerability was mitigated via a scan ingest, so Nucleus automatically marked this vulnerability as mitigated without user interaction.
When a finding is in this status, Nucleus will close any existing tickets, if you have a ticketing integration.
Partially Scan Mitigated
Indicates some of the assets were mitigated via a scan ingest, but some of the assets are still actively affected by the vulnerability. This finding will therefore show up as Active on the "Active" page, and as "Partially Scan Mitigated" on the Mitigated Page.
When a finding is in this status, Nucleus will update an existing ticket, if you have a ticketing integration, but it will not close a ticket until the vulnerability is fixed on all the remaining assets.