Once a vulnerability instance has been created within a vulnerability definition that an exception has been applied to, the exception will be applied to the instance. Vulnerability instances with an exception applied will have their risk scores reduced to 0 until there are no longer any valid approved exceptions applied to them.
In order for an exception to be applied to a vulnerability instance, it must first be approved. In order for an exception to be approved, the exception must be in a workflow status specified in the Approved status is set to field on the Exception Management Preferences page. While multiple approved exceptions can be attached to a single vulnerability instance, only the one with the latest expiration date will be applied. If there are multiple exceptions with the same expiration date, the one that was created latest will be applied.
When an exception expires, the system will check if there are any further exceptions that can be applied to the instance. The applied exception will be marked with a checkmark in the Is Applied column of the vulnerability instance's Exceptions tab.