Fortra Vulnerability Management (Fortra VM)

NOTE: Formerly known as Frontline Vulnerability Manager (Frontline VM).

February 2024

Version 7.0.0.0

February 28, 2024

New Features
  • This version of Fortra Vulnerability Management, formerly Frontline Vulnerability Manager, introduces new Fortra VM branding and integration with Fortra's platform.
  • Users will soon have access to Fortra IdP to simplify login, and to the Fortra Support Portal for support ticket submission and tracking, along with knowledge base articles and FAQs.
  • Frontline VM users will be seamlessly transitioned to Fortra VM over the coming months with the opportunity to opt in to Fortra's platform with native SSO version once eligible.
Enhancements
  • Branding alignment:
    • Removed 'Frontline' verbiage throughout UI and reports
    • Theme changes for branding alignment
  • PCI Self Service:
    • CVSS Score of 4.0 assigned to auto-fail vulns with no associated CVE-ID.
    • Changed "3b note" to "Special Note (3b)"
    • Limited SSL/TLS auto-fails to a list of known vulnerabilities
  • Updated agent documentation on help site
  • Improvements added to vulnerability dictionary (additional information and filters)
  • Added support for switching account via API request
  • Allowed nested General accounts
  • Allowed entry of multiple phone numbers in a theme
  • Report auto-scaling for improved report generation speed / capacity
  • Account level settings to manage Fortra IdP eligibility and active status
Fixes
  • File upload requests redirect to login in platform
  • Build Report in Active View errors and fails to show dialog box

January 2024

Version 6.5.9.0

January 6, 2024

New Features
  • Support for 'ephemeral' vulnerabilities.
Enhancements
  • PCI Self Service:
    • List vulnerabilities by all CVE-IDs in part 3a of the ASV Scan Summary.
    • Add verbiage for auto-failures per ASV Program Guide 4.0r2.
    • Ensure "Special Notes" align with ASV Program Guide 4.0r2.
  • Delay report server shutdown until all current reports have completed.
  • Support physical devices for RNA Conversion pipeline.
Fixes
  • PCI Self Service:
    • Passing and Failed vulns are mixed when sorting by severity.
    • Components for 3b notes are maintained and displayed when not required.
    • ASV Scan Vulnerability Details report is consolidating vulnerabilities that are not the same.
    • ASV Scan Report Summary's Exceptions column needs to be on the same row as corresponding columns.
  • Correct the Agents CSV Export report errors.
  • Japanese translation error in Appendix D False Positive statement.
  • Scan Groups "+ Add Scan" disabled in WAS App when "Auto Generate WAS Scans" is enabled.
  • Custom path manually added pagevulns not carried forward in AV.
  • Shared user role not available to use for new accounts created in nested account tree.
  • WAS Scan Template Tuning Policies always shows default policy.

December 2023

Version 6.5.8.1

December 18, 2023

Enhancements
  • This version of Frontline Vulnerability Manager introduces various bug fixes and enhancements to improve overall usability and quality.
Fixes
  • PCI Self Service:
    • PCI Compliance report failing with accepted dispute for WAS URL Redirection vulnerability.
    • PCI Compliance report not displaying ad-hoc hostname targets.

August 2023

Version 6.5.6.0

August 30, 2023

New Features
  • This version of Frontline Web Application Scanner introduces several enhancements for the PCI Self Service feature
  • Initial Support for RNA Upgrade Pipeline to Install Ubuntu 20.04
Enhancements
  • PCI Self Service:
    • Scan Groups now support dynamic auto-creation of WAS scans from VM scans that detect webservers
    • Support file attachments for PCI Disputes
    • Support assignment of PCI disputes to selected PCI analyst
    • System generated WAS Audit policy created for PCI Compliance Scans
    • Enforce PCI workflow parameters in scans created for Scan Groups with applied settings
    • New notifications added to ensure assigned PCI analyst is notified whenever a dispute comment is made
    • New PCI Vulnerabilities CSV Export report
    • Generate PCI Compliance Reports sections as reports and ZIP
Fixes
  • PCI Self Service:
    • Disable ability to dispute on scans older than 90 days
    • Revert to original vuln status when disputes sent back to pending
    • Revert status (Pass or Fail) on expired disputes when rescanned
    • Set dispute expiration to end of quarter
    • Prevent PCI Compliance Report for only WAS scans
    • Correctly note WAS webapps not found during scan in section 4c of PCI Compliance Report
    • PCI Compliance Report Scan Summary part 3b needs to show most recent note
  • Scan Groups:
    • New Scan Group button forwards to link with query information on url
    • Sorting by "Next Period Start" does not sort correctly
  • Intermittent failures recrypting scanner credentials
  • Scans attempting to launch on artificial RNAs error out immediately

July 2023

Version 6.5.5.2

July 7, 2023

Enhancements
  • One-Time Scans: Add OTS configuration for IBM i DDM Service Unauthenticated RCE One-Time Scan
Fixes
  • One-Time Scans: Updated verbiage for consistency and grammatical correctness
  • PCI Self-Service: Fix the incorrectly filtered global view of the PCI dispute list
  • Multi-scan reports potentially error from setting value on incorrect field

May 2023

Version 6.5.4.1

May 31, 2023

Fixes
  • PCI Compliance Reports marked incorrectly as "Failing"
Version 6.5.4.0

May 31, 2023

New Features
  • Linux Agent Support
Enhancements
  • PCI Self Service: Update our PCI ASV number and POC in PCI Compliance Report
  • PCI Self Service: Support PCI reporting on undetected hosts
  • Add "status" support for completed Scan Group runs to Scan Group Template controller / page
Fixes
  • Update package dependency versions
  • Fix max CVSS scores displayed in the Vulnerability Dictionary
  • Miscellaneous filters
  • WAS vuln assessment workflow unavailable on accounts with on the Web Application Scanning subscription
  • Console Error when resetting password

April 2023

Version 6.5.2.5

April 7, 2023

Enhancements
  • Internal improvements for tracking metrics and maintaining stability in Frontline.
Version 6.5.2.4

April 3, 2023

Enhancements
  • Internal improvements for tracking metrics and maintaining stability in Frontline.

March 2023

Version 6.5.2.3

March 17, 2023

Enhancements
  • Allow scoping PCI multi-scan reports by specific quarters as windows to query selectable scans.
Fixes
  • Fix asset matching functions in multi-scan reports and provide report option to opt-out.
  • Dates displayed in the interface are not reflecting DST timezone offset.
  • Japanese translated report cover page displays broken HTML.
  • Theme files on report generating task workers aren't always in sync as expected.
  • Business groups incorrectly being associated to AV hosts outside of AV window on insert.
Version 6.5.2.2

March 3, 2023

Enhancements
  • Japanese exception list for translation service.
  • Allow the instant translation service to handle HTML documents.
Fixes
  • Themed reports are not working; consistently falling back to the default theme.
  • Theme data cannot be viewed in the UI.
  • PCI Self Service: All items from WAS scan not showing up in PCI compliance report using multi scan.
  • PCI Self Service: 3B items that are changed are not showing the most recent entry in compliance reports.
  • Multi-process functions from stats generation are exceeding task worker resource capacities.
  • Hide PCI / PT workflows in WAS when no sub.
  • Add 'Max webapp count' field to 'Web Application PCI Compliance Scanning'.
  • Restricted accounts display partial menus when engaged by Global Admin.
  • Partial scan results are no longer displayed when a WAS scan is errored.
  • Console error opening Scanner Profile detail page.
  • WAPT Subscription - icon missing and moved to bottom of list.
  • Incorrect resource ACL inheritance from Business Groups of Scan Source.
  • Scanner-side update to set WAS scan blocks to 'completed' are causing scans to complete without reconciling.
  • VM insert error from saving JSON object with null byte value in it.

February 2023

Version 6.5.2.1

February 22, 2023

New Features
  • This version includes Windows 11 CIS Benchmark checks.
Enhancements
  • Improve scan execution efficiency in SPARKS.
  • Add PCI workflow backend support to WAS.
  • Create dedicated app server type for external users.
  • Add AWS instant translation to translation service.
  • PCI Self Service: Create a CRON to remove old validated disputed_accepted vulns.
  • Create new WAS Tuning Policy for PCI.
  • PCI Disputes should trigger notifications to analysts.
  • Improve logging in the RNA activation controller.
  • Use caching to improve account ownership functions.
  • PCI Self Service: Add ability in PCI tabs to remove a dispute.
  • PCI Self Service: When an official report is created and sent in review all PCI analysts are notified.
  • PCI Self Service: Add sorting/filtering for 3B notes.
  • Enable Windows 11 CIS reports in Frontline.
  • Create standard PCI WAS scanning policy.
Fixes
  • Performance fixes for stats generation.
  • Fix PCI Tab default sorting.
  • Fix Recurring Reports that run on different days. Only the most recent report appears to be available.
  • Creating multi-scan VM / WAS Compliance Report includes All Active View.
  • Trigger reconciliation of WAS scan where scan is marked completed, but has not reconciled.
  • PCI Self Service: PCI dispute page not displaying UI control for individual line items.
  • PCI Self Service: UI elements to Accept or Reject a PCI Dispute are present for a MSP Global Admin.
  • PCI Self Service: PCI Scans Show Analysis tab when managed workflow is not being used.
  • PCI Self Service: When hostname scanning the IP Address that the hostname is being resolved to is brought forth when attesting.
  • Fix VM scan results PCI tab to allow re-dispute.
  • Show Customer scope in PCI Attestation.
  • VM scan links have a value appended to them.
  • Spelling error in WAS > PCI tab > Dispute button.

January 2023

Version 6.5.1.9

January 27, 2023

Enhancements
  • Added a new command in RNA utils to grab scan status from RNAs.
Fixes
  • PCI Self Service: Reports - Assets with different IPs and same DNS Name is not being reported.
  • Error generating Language localization Reports with size that exceeds the limit.
  • Creating new Business Groups will not allow assigning Group Members.

December 2022

Version 6.5.1.5

December 22, 2022

Enhancements
  • PCI Self Service: Send notifications on disputed approved/denied.
  • PCI Self Service: Provide a way to override PCI Vulnerability instances.
  • PCI Self Service: Hide PCI related notes from Vuln instance expanded row on Results vulns tab.
  • PCI Self Service: Unhide override pass tools.
  • PCI Self Service: Add filter for 3B/disputes.
  • PCI Self Service: Use Hostname from Scan Template in reports for VM Scans.
Fixes
  • PCI Self Service: If a vulnerability is discovered on both a VM and WAS scan, the PCI Compliance report incorrectly puts the WAS dispute note on the VM vulnerability.

  • PCI Self Service: Dispute Page - Scan Type is blank for VM and WAS vulnerabilities.

  • PCI Self Service: PCI Compliance report formatting issue.

  • PCI Self Service: No report data source displayed for PCI Compliance Reports.

  • PCI Self Service: Hide PCI tab in Container and Agent Scans.

  • PCI Self Service: Additional PCI dispute comments are not showing on Dispute Management Page.

  • PCI Self Service: PCI Dispute Page does not show override value.

  • PCI Self Service: Hide Update PCI Value button unless permission is granted.

  • PCI Self Service: Require 3B Documentation value always set to off when editing vuln dictionary.

  • PCI Self Service: Part 3 Component Compliance summary can fail to list some passing components.

Version 6.5.1.4

December 17, 2022

Enhancements
  • PCI Self Service: Add additional information for WAS in vuln details in the Vulnerability details section of the PCI Compliance Report.
  • PCI Self Service: Add out-of-scope items in the PCI Compliance Report.
  • PCI Self Service: Users should be able to re-dispute a vuln where previous dispute is rejected.
  • PCI Self Service: Provide a way to allow customers to enter Out-of-Scope Components.
  • PCI Self Service: Provide a way to override PCI Vulnerability Instances.
  • PCI Self Service: Make PCI Component editable in vulndictionary.
  • PCI Self Service: PCI Reports available on WAS new scan template.
  • PCI Self Service: Remove attestation for uncertified PCI Compliance Report.
Fixes
  • PCI Self Service: Include the IPs that were added in the additional required pop-up for Part 4A in PCI Compliance Report.

  • PCI Self Service: Error attempting to add a 3B note as a client account admin.

  • PCI Self Service: Error attempting to Dispute a WAS Vuln.

  • Fix Vuln dictionary CVSSv2 and CVSSv3 incorrect info.

  • PCI Self Service: Error attempting to add a comment to a disputed vuln that had a comment deleted.

  • PCI Self Service: Client cannot re-dispute vulns with rejected vuln disputes.

  • PCI Self Service: Filter PCI Compliance report out of Report template list when an Agent or Container scan is selected as the scan source.

  • PCI Self Service: Add additional information requested for section A4 and Part 3B.

  • PCI Self Service: Remove dispute modal display button that reads 'Dispute'.

Version 6.5.1.3

December 14, 2022

Enhancements
  • PCI Self Service: Add option to send to the official certification workflow.
  • PCI Self Service: Removed Unofficial from PCI Reports.
  • PCI Self Service: Add more WAS details in our PCI Compliance Report.
  • PCI Self Service: Add new permission for PCI Analyst.
  • PCI Self Service: Allow users to move a pending Dispute back to Undisputed.
  • PCI Self Service: Support scan name filtering on /disputedvulns endpoint.
  • PCI Self Service: Add controls for analyst override of PCI values.
  • PCI Self Service: Add PCI Required Remediation report to multi-scans.
  • PCI Self Service: Add Attestation date to A4 of the Attestation of Compliance in PCI Compliance Report.
  • PCI Self Service: Update report "Officially certified" toggle to use Modal
Fixes
  • PCI Self Service: Unable to dispute a vulnerability as a client account admin.

  • PCI Self Service: Report erroring on hidden dictionary entries.

  • PCI Self Service: Include Resolved toggle does not display as active or not until page refreshed.

  • PCI Self Service: Electing to dispute multiple VM scan vulnerabilities fails - no vulns displayed as being Disputed.

Version 6.5.1.2

December 10, 2022

Enhancements
  • PCI Self Service: Capture analyst overrides for various PCI items
  • PCI Self Service: Allow MSPs to view Disputed List Page
  • PCI Self Service: PCI Tab add 3B note status badge in PCI Tab
  • PCI Self Service: Add PCI assessment administration permissions
  • PCI Self Service: Add link to PCI Disputes page
  • PCI Self Service: Show 3B notes on vuln row in Scan Results tabs
Fixes
  • PCI Self Service: Accepted vulns still showing as Failing in PCI Reports
  • PCI Self Service: PCI Compliance reports errors with multiple accounts

June 2022

Version 6.4.4.0

June 11, 2022

New Features
  • Edge Network support increases the scalability and responsiveness of our scanning communication network.
  • Implementation of Business Groups.
  • Reports enhancements with support for scheduled and emailed reports.
  • Added a Global Vulnerability Search for MSP accounts.
Enhancements
  • Business Group Column in active view display (Ticket 18151).
  • Auth Scan Config: Add a "Test Your Config" button (Ticket 20422).
  • Dynamic Labels used as Rules for Business Groups (Ticket 18019).

  • Preserve access to historical scans / reports after Business Group access levels change (Ticket 20046).

  • Report Scheduler (Ticket 17363 and 1456).

  • Vulnerability Age Report (Ticket 17601).

  • Added the ability to save report filters for future use (Ticket 19099 and 1457).

  • Included an Authenticated Creds Test button (Ticket 19473).

  • Enterprise Admin Group able to view other groups dashboard (Ticket 19635).

  • Custom Report Templates - Data Filters (Ticket 20275).

  • Change how we manage IP restrictions for Business Groups (Ticket 22207).

  • Custom email lists for scanning notifications (Ticket 22633).

  • Added the ability to enable recurring reports (Ticket 23319).

  • Made Scan Description variable visible in UI (Ticket 23827).

  • Fulfilled request for NVD Reporting Functionality (Ticket 24517).

  • Choose what reports automatically generate after a scan (Ticket 24885).

  • Sending reports (Ticket 25073).

  • Added Business Group column to Scanners page (Ticket 18553).

  • Added support for a Microsoft patches only report (Ticket 1831).

  • Auth Scan / Credential PDF Detailed Status Report (Ticket 1094).

  • Add support for emailing reports to users (Ticket 1514).

Fixes
  • Fixed subject for some automated emails to match email content (Ticket 25212).

  • Updating Business Group shows IPs as not associated to Scanner Profile (Ticket 24695).

  • Email headers do not match email content (Ticket 25212 and 25289).

  • Graphs & Trending - "Asset Rating Counts" not displayed in DDI Asset Rating colors (Ticket 658).

  • Asset Rating not viewable with NVD/PCI (Ticket 1072).

  • Executive Summary Report does not respect NVD/PCI options (Ticket 1082).

  • Input fields for AV Window Size and SLA Days are active (Ticket 1323).

  • AV Summary incorrectly processes non-default options (Ticket 1369).

  • CIS CSV Export defaulting to PDF format (Ticket 1486).

  • Several filters have multiple entries in the Vuln Dictionary and Vuln Trend filter sets (Ticket 1502).

  • Clicking on 'Vuln Definition' in scan results removes the active context and loads the accounts page (Ticket 1548).

  • Vulnerabilities have multiple unique instances in agent scans (Ticket 1658).

  • Spelling error in DB/OS Tooltip (Ticket 1725).

  • Unable to delete manually added labels to Assets (or Vulnerabilities) (Ticket 1822).

April 2022

Version 6.4.3.4

April 22, 2022

Fixes
  • Fix incorrect vulnerability count when using asset labels.

March 2022

Version 6.4.3.3

March 2, 2022

Fixes
  • Increase logs disk size to 180Gb.

January 2022

Version 6.4.3.2

January 26, 2022

Enhancements
  • Moved additional logs into Loki logging subsystem for Frontline.Cloud.
Fixes
  • Corrected failure of some cases related to deleted user roles in Managed Account Users CSV Export.
  • Fixed the automatic spin down of Trial accounts on TryFrontline.Cloud shortly after creation.
  • Fixed missing owner field in CSV export of Managed Accounts Security GPAs.
  • Fixed spelling error in "Approved management access request user" filter.
  • Removed Test Credentials button from Credential management pages.
Version 6.4.3.1

January 19, 2022

Fixes
  • Fixed Asset and Scanner Profile IP address "is (or)" and "is not (or)" filtering that did not work properly.
  • Multiple fixes to Frontline TAP threat intelligence feed processing for Threat Rank.
  • Frontline.Cloud infrastructure fixes related to expiring certificates.
Version 6.4.3.0

January 12, 2022

New Features
  • Introduced comprehensive authenticated scan status and credential validity management.

    • See the success or failure of authenticated scans at all levels of scan results and reports.

    • Identify which credentials were used in each scan and if they are valid or not.

  • Added a comprehensive suite of management reports targeted specifically for MSPs.

    • Includes CSV reports, PDF reports and email alerts.

    • Manage customer base and understand usage and trends.

Enhancements
  • Added ability to search for vulnerabilities by authentication method (Bug 25256).

  • Added ability to supply custom trending intervals for reports (Bug 20480).

  • Added delay-time-period before automatically spinning down Trial accounts (Bug 25048).

  • Added support to filter scan results by a list of CVEs (Bug 23333).

  • Changed default RNA Access Request time to be 8 hours.

  • Deprecated Oracle Image Virtual RNA download.

  • Included authenticated scan status within reports (Bug 24978).

  • Introduced Asset Rating Trends Report.

  • Introduced SSL Certificates Report.

  • Introduced report review workflow into Frontline.Cloud (Bug 20672).

  • Introduced scoped credentials for authenticated scanning (Bug 24886).

  • Allow Trial account options to be set during Trial account creation.

  • Removed per-account limits for Virtual RNA appliance tokens.

  • Replaced Digital Defense, Inc with Digital Defense by HelpSystems.

  • Display authentication detect method on-hover for vulnerabilities (Bug 23369).

  • Improved support for NVD / PCI rating schemes within Frontline.Cloud (Bug 23934, 25071)

  • Introduced suite of MSP / Super account management reports (Bug 24793, 20040, 20517)

  • Replaced logo with favicon for themes list.

  • Implemented various infrastructure improvements and security updates.

Fixes
  • Removed rounding for Active Risk Score in some locations within Frontline UI and reports.

  • Fixed the incorrect inclusion of tag with Container scanning license when calculating usage.

  • Fixed Core Impact scan exports that could not be filtered by date range.

  • Corrected the mistake allowing the Credential PGP cipher text.

  • Fixed dysfunctional filtering on Frontline Agent list page.

  • Fixed IP Address filter that did not properly respect quoted search terms (Bug 25297).

  • Fixed slow speed on Manage RNAs list page.

  • Broken links to help pages on new account dashboard are resolved (Bug 24931)

  • Fixed performance for statistics object management.

  • Corrected body text on RNA Access Approved email.

  • Populated data in reports based on container scans.

  • Fixed error in scan insertion when ping-type is not defined (Bug 25011)

  • Fixed report options that are not displayed in the report's options appendix.

  • Updated super account usage metrics in instances of error.

  • Allowed additional groupings for Threat Landscape reports.

  • Corrected inability to upgrade Trial accounts to General accounts (Bug 25253, 25060).

  • Fixed various bugs for reports including grammar, spelling, and style fixes.

  • Fixed Virtual RNAs that could not be downloaded on TryFrontline.Cloud due to trade.gov API changes (Bug 25299).
