How do I keep track of vulnerabilities?
Quick answer
Section titled “Quick answer”In the Operations area, the Vulnerabilities tab holds a list of known vulnerabilities. Use “Add Vulnerability” to record a Name, optionally the CVE ID, the Severity and the Status, and link the vulnerability to an affected asset if needed.
Prerequisites
Section titled “Prerequisites”Operations is part of the Operations module and available from the Pro tier.
Instructions
Section titled “Instructions”-
Open Operations → Vulnerabilities. Choose Operations and the Vulnerabilities tab. The table shows name, CVE ID, severity and status.
Screenshot pendingbetrieb-schwachstellen-01Vulnerabilities tab in the Operations area with a list of CVE entriesThe 'Vulnerabilities' tab in the Operations area. -
Record a vulnerability. Click “Add Vulnerability” and fill in the dialog:
- Name (required) — a short description.
- CVE ID (optional) — e.g.
CVE-2026-1234. - Severity (required) —
Low,Medium,HighorCritical. - Status (required) —
Open,Mitigated,ResolvedorAccepted. - Description (optional) — details, references, mitigations.
Screenshot pendingbetrieb-schwachstellen-02'Add Vulnerability' dialog with Name, CVE ID, Severity, Status and DescriptionRecording a vulnerability with CVE ID, severity and status. -
Maintain it. Once a vulnerability has been addressed, set its Status to
Mitigated,ResolvedorAcceptedvia the pencil icon.
Vulnerabilities are a POST to /api/v1/vulnerabilities (scope write).
name is required; severity (default medium) and status (default
open) are tiered.
curl -X POST https://demo.notory.io/api/v1/vulnerabilities \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "name": "OpenSSL Pufferüberlauf", "cve_id": "CVE-2026-1234", "severity": "high", "status": "open", "affected_asset_id": "a2f1c9e4-7b3d-4a11-9c2e-8f6b1d0a7e55", "description": "Betrifft alle Hosts mit OpenSSL < 3.5.2" }'{ "id": "d4e5…", "tenant_id": "3d9b0c12-…", "name": "OpenSSL Pufferüberlauf", "cve_id": "CVE-2026-1234", "severity": "high", "status": "open", "affected_asset_id": "a2f1c9e4-7b3d-4a11-9c2e-8f6b1d0a7e55", "description": "Betrifft alle Hosts mit OpenSSL < 3.5.2", "created_at": "2026-07-08T10:02:00Z", "updated_at": "2026-07-08T10:02:00Z"}Values: severity ∈ low | medium | high | critical; status ∈
open | mitigated | resolved | accepted.
Possible errors: 401, 403 (the Operations module is not in your
tier or no write access), 422 (validation).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Optional asset link:
affected_asset_idpoints to an asset. If the asset is deleted, the vulnerability is kept; the link is set tonull. - Tenant isolation & audit: Entries belong to your tenant; every change is logged.
- Purely documentary: Notory does not assess vulnerabilities automatically and does not query any CVE database — you maintain severity and status yourself. For active network discovery, see Discovery.