Skip to Main Content

Vulnerability Management

Vulnerability management services are provided via the Qualys platform to help the organization proactively detect and mitigate high risk vulnerabilities on systems deployed across the campus network. UCLA utilizes Qualys to regularly scan the campus network for known vulnerabilities.

The goal of the Vulnerability Management Program is to facilitate the attainment of IS-3 compliance for all UCLA units. To achieve compliance, units are responsible for meeting the IS-3 requirements below, (regardless of who manages scans and reports, the unit or the IT Security Office). Ultimately, the Campus Unit are accountable for the remediation and protection of their environments, and for meeting the following compliance requirements.

Scanning - VMP uses Qualys host and web vulnerability scanners. Campus Units have tenancies set up by IT Security to manage scans and reports

Scanning Options

  1. IT Security centrally-managed scanners – credentialed or non-credentialed.
  2. Unit scanner (Virtual scanners)   – credentialed or non-credentialed, reporting to the central cloud-based console.

Note: Non-credentialed scans are prone to false positives and as a result, more Unit resource effort is required to validate that reports are IS-3 compliant.

  1. Qualys Cloud Agents – Reports back to the central cloud-based console (on par with credentialed scans).

Reporting – Upon the completion of the scans, reports will be generated by or for the unit.

Remediation Guidance – The IT Security Office will assist units in interpreting vulnerability results and providing best practices for managing vulnerabilities.

Training –  Due to the complex nature of VMP, the following training will be provided to the relevant stakeholders:

  1. Leadership training – reading and understanding reports
  2. Service Providers and UISL – understanding scans and reports
  3. Discussion Forum – in depth response to VMP questions


This service is provided at no cost to campus.


  • Standardized, enterprise grade vulnerability assessment and testing
  • Full tenancy-based options for individual, granular based control and access
  • Advanced reporting and remediation guidance integrated into the platform.
  • Integrated with the campus SSO
  • Training and guidance available through the IT Security Office
  • Provided free of charge to all areas

Key Features

  • Scanning via network-based authenticated and non-authenticated scanning
  • Virtual private scanners can be deployed to scan non-public IP space
  • Qualys Cloud Agent can be deployed on systems for additional efficacy in vulnerability assessment and easier tracking


All Campus Units are required to participate in vulnerability management efforts as defined by the UCOP IS-3 Security policy.


  • Severity 5 Vulnerabilities detected by Qualys must be remediated within 14 days
  • Severity 4 Vulnerabilities detected by Qualys must be remediated within 30 days

Getting Started

All campus units should have pre-existing tenancy in Qualys. To add/remove or modify your department settings, please email