General Settings

By default, Tenable Vulnerability Management uses CVSSv2 scores to calculate severity for individual vulnerability instances. If you want Tenable Vulnerability Management to calculate the severity of vulnerabilities using CVSSv3 scores (when available), you can configure your severity metric setting.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

For information about severity and the ranges for CVSSv2 and CVSSv3, see CVSS vs. VPR.

Caution: When changing your CVSS severity metric setting, the new setting is only reflected in new findings that come into your system. Any existing findings only reflect the previous severity setting (unless otherwise recasted). For more information on recast rules, see Recast/Accept Rules.

To configure your severity setting:

1. On the Severity tab, select the metric that you want Tenable Vulnerability Management to use for severity calculations.

   • CVSSv2 — Use CVSSv2 scores for all severity calculations.

   • CVSSv3 — Use CVSSv3 scores, when available, for all severity calculations. Use CVSSv2 only if a CVSSv3 score is not available.

2. Click Save.

3. The system saves your change and begins calculating severity based on your selection.

   All vulnerabilities seen before the change retain their severity. After the change, all vulnerabilities seen during scans receive severities based on your new selection. Because of this, you could see two sightings of the same vulnerability have two different CVSS scores and severities.

   Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

You can configure Service Level Agreement (SLA) settings to modify how Tenable calculates your SLA data.

You can view this data in the SLA Progress: Vulnerability Age widget on the Vulnerability Management Overview dashboard. For more information, see Vulnerability Management Dashboard.

To configure your SLA settings:

1. Click the Service-Level Agreement (SLA) tab.

   The SLA options appear.

   

2. Configure the following options:

   Option	Default	Description/Actions
   Vulnerability Age SLA	Critical 7 days High 30 days Medium 60 days Low 180 days	To modify the number of days included for each severity, type an integer in the box next to Critical, High, Medium, or Low.
   Override Vulnerability Severity Metric	VPR	Specifies whether Tenable uses VPR severity, CVSSv2 severity, or CVSSv3 severity to calculate SLA data. For more information about these metrics, see CVSS vs. VPR. Note: This option affects only the calculations displayed in the SLA Progress: Vulnerability Age widget. To modify the severity metric for all other areas of the product, navigate to the Severity tab on the General page.
   Vulnerability Age Metric	First Seen	Specifies whether Tenable uses First Seen or Published Date to calculate SLA data.

3. Click Save.

   Tenable Vulnerability Management saves your SLA settings.

On the General page, you can change the plugin language in your Tenable Vulnerability Management container to English, Japanese, Simplified Chinese, or Traditional Chinese. This setting affects all users in the container.

To change the plugin language:

1. In the upper-left corner, click the button.

   The left navigation plane appears.

2. In the left navigation plane, click Settings.

The Settings page appears.

3. Click the General tile.

   The General tile appears. By default, the Severity tab is active.

4. Click the Language tab.

   The Language tab appears.

5. Under Language, select a new language.

   Tenable Vulnerability Management updates the plugin language for your container.

To configure your default export expiration:

When you create an export, you can set an expiration delay for the export file up to 30 calendar days, which is the maximum number of days that Tenable Vulnerability Management allows before your export files expire.

By default, any exports you create in Tenable Vulnerability Management have an expiration date of 30 days. If you want to decrease the number of days that Tenable Vulnerability Management allows before your export files expire, you can configure your default export expiration days.

1. Click the Exports tab.

   The Export Expiration options appear.

   

2. In the Default Expiration box, type the number of days you want to Tenable Vulnerability Management to allow before your exports expire.

   Note: Tenable Vulnerability Management allows you to set a maximum of 30 calendar days for export expiration.

   Note: You must type the number of days as an integer between 1 and 30.

3. Click Save.

   Tenable Vulnerability Management saves your settings and updates the number of allowable days before your exports expire.

Turn on Enable Plugin Output Search to store plugin output data each time you launch a scan. You can then filter vulnerability findings by plugin output and view that output on dashboards such as the AI/LLM Dashboard. Once you have enabled this setting, you must launch a scan to start storing the data.

Caution: You cannot turn off Enable Plugin Output Search once you have turned it on, but the system automatically turns it off when it goes unused for 35 days.

In this section, type comma-separated email domains where the system can send export files, for example, mycompany.com. Once you add domains, users can only send exports to to those domains. An error appears when users try to email exports to unapproved domains.

Turn on the Include Subdomains toggle to include email subdomains: for example, sales.mycompany.com.

To learn more about the export types in Tenable Vulnerability Management, see Exports.