Patching Exceptions (Risk Acceptances)

When you have business-critical software that you cannot patch, you can use patching exceptions to lock specific versions of software where needed. If you are an existing Tenable customer, it is best practice to mirror your existing risk acceptances from Tenable Vulnerability Management or Tenable Security Center in Tenable Patch Management as part of the implementation process.

In production, your formal risk acceptance process needs to include both creating an exception in Tenable Patch Management and accepting the risk in Tenable Vulnerability Management or Tenable Security Center. A common workflow is to create the patch exception to prevent the risk of downtime, then request a risk acceptance, and then accept the risk in Tenable Vulnerability Management or Tenable Security Center after the appropriate executive signs off on the risk acceptance.

Note: Patching exceptions aren’t global. They apply to specific business units. If you need to block an update globally, use a blocklist.

To create a patch exception:

  1. Navigate to Flex Controls > Exceptions > Patches from the menu on the left to create an exception for a specific patch.

  2. Navigate to Flex Controls > Exceptions > Products to create an exception that applies to a specific product version.