Feature Focus: Automated Email Notifications of New Component Vulnerabilities
How to subscribe to vulnerability email notifications?
The Vulnerability Notification capability allows users to be notified by email of a vulnerability that has been disclosed or updated in the National Vulnerability Database (NVD) which impacts a component of one or many applications, without having to rescan the application.
Filter on criticality
- Critical only: you’ll receive notifications only on critical vulnerabilities
- At least high: you’ll receive notifications on critical and high vulnerabilities
- At least medium: you’ll receive notifications on critical, high, and medium vulnerabilities
- At least low: you’ll receive notifications on all vulnerabilities, except advisories
- All vulnerabilities: you’ll receive notifications on all vulnerabilities, including advisories
Filter on status (new/modified)
- New only: you’ll receive notifications on newly disclosed vulnerabilities only
- Modified only: you’ll receive notifications on recently updated vulnerabilities only (e.g., the CVSS score or criticality of an existing CVE has been modified, CPEs have been updated, etc.)
- All status changes
Once your preferences are set, click on the “save” button.
If one or more vulnerabilities are disclosed (and/or modified according to your notification preferences), you will receive an email from CAST Highlight (example below).
When will you get notified of a new vulnerability?
When a CVE is added or modified in the National Vulnerability Database, CAST Highlight automatically updates existing SCA results of impacted applications, and the corresponding CVE will be visible from the dashboards without requiring a rescan of applications. Users who subscribed to CVE notifications will receive a notification by email.
It is important to note that CAST Highlight will notify you only if new or recently modified CVEs are added to the National Vulnerability Database (i.e., after the notification subscription date).
All CAST Highlight user roles can subscribe to these vulnerability notifications, the scope of application CVEs reported depending on the domain where the user is attached.
Finally, you can unsubscribe from the vulnerability notifications by switching the notification button off and click on save.