After reviewing findings, you can take action to address risk in your supply chain. As a VRM, you can apply actions to either finding groups or individual findings. The available actions and steps are the same in both cases; only the scope of what is selected differs.
From the Supply Chain Findings > Open view, use the leftmost selection column to select one or more finding groups or individual findings. Then, go to the Actions menu (...) and choose one of the available actions.
Actions that notify vendors
- Flag
- Request remediation
- Accept risk
Actions for internal investigation
- Send internal request, with one of two request types:
  - Send notification only (no vendor signal, no flag)
  - Request remediation (internal notification + flag, vendor link generated)
Note: Actions applied to a finding group affect all findings within that group.
After taking action, you can monitor progress by checking the Vendor Status, Status, or Flagged columns at either the vendor or finding level.
Flag findings
Flag highlights a finding for vendor visibility without sending a notification. Use Flag for low-urgency findings, when no vendor contact is available, or when vendor communication is handled in another system.
When you flag a finding:
- The finding is marked as flagged in both your view and the vendor’s view.
- No notification is sent to the vendor.
Example: Flag a finding so your vendor can see it during their next login when you don't need to send an alert.
Request remediation
Request remediation initiates a formal workflow that prompts a vendor to address one or more findings. Use Request remediation when you have a vendor contact on file and want to request action via email.
When you request remediation:
- The selected vendor contact receives an email notification containing your message and a link to access the platform.
- The finding’s status is updated to External Request, visible only to your organization, so you can track outreach efforts.
- Vendors can log in to view the findings, respond, and mark items as resolved after remediation is complete.
Example: Use Request remediation when you identify a critical vulnerability that requires prompt vendor attention.
Accept risk
Accept risk allows your organization to formally acknowledge and accept a finding without requiring vendor remediation. Use Accept risk when the finding is known, mitigated by compensating controls, or deemed low impact.
When you accept risk:
- The finding is moved to the Resolved Findings view.
- This action is applied regardless of the vendor’s status.
Example: Accept the risk associated with a non-exploitable configuration issue your organization has chosen to tolerate.
Finding status (internal tracking)
Actions you take on findings update your organization's internal finding status. This status is used for internal tracking only and reflects how your team is handling a finding. It is independent of vendor communications and the vendor’s response lifecycle.
| Status | Definition |
| --- | --- |
| Backlog | The finding is currently active and has not yet been actioned by your organization. |
| Triaged External | An external request has been sent to the vendor asking them to respond to the finding. |
Vendor responses update the Vendor status, which has its own lifecycle. For more information, see Vendor responses and status lifecycle.
Send an internal request about a finding
If you need to investigate a finding further but are not ready to involve the vendor, you can send an internal communication directly from the Actions menu. This allows you to collaborate internally without unintentionally signaling the vendor.
Choose a request type
From the Actions menu, select Send internal request. A guided workflow opens, allowing you to review recipients, select the request type, preview the message, and send the communication.
When communicating internally, you can select one of the following options:
Send notification only
Sends an internal notification to the selected contacts. The finding is not flagged, and the vendor is not notified.
Request remediation
Sends an internal notification and flags the finding. The message includes a copy link that can be shared with the vendor when appropriate.
All internal communications include a link to the selected finding(s) using a filtered view, so recipients can log in and review the findings directly.