
virtualization manager and security scans

FormerMember

Good morning all. I am responsible for helping maintain our SolarWinds environment and have been approached by our information security team regarding SolarWinds Virtualization Manager. They particularly approached me in regards to the amount of vulnerabilities that showed up during our last scan. Is anyone out there having the same issue, and if so, what have you done to mitigate either the security scan or Virtualization Manager?

  • Good Morning. To answer your question, we do get reports of security vulnerabilities, with the most recent being ShellShock (see thwack post ShellShock Vulnerability and Solarwinds Products), and we evaluate our susceptibility to those vulnerabilities. If a zero-day vulnerability is found to be exploitable, then we start testing patches and deployment strategies that will guarantee the patch will not break the VMAN appliance or prevent future upgrades, if implemented out of band of our normal release cycle. If an exploit is identified but its risk is mitigated on the VMAN appliance, then we generally plan to implement the patch in the next release.

  • To add to the previous post, automated security scanners usually do not test the vulnerability itself, just the versions of the packages installed on the system. As a result, they report vulnerabilities which cannot be exploited because the vulnerable feature was disabled, high-grade ciphers are enforced in the settings, the vulnerability is only exploitable on Windows or there is simply no attack vector through which an attacker could exploit a weakness (you don't have to lock your car when it's in a safe garage), just to give you a few examples.
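The post above argues that a version-based scanner finding is not the same as an exploitable weakness. As an added illustration (this is not code from the original thread, from SolarWinds, or from any scanner vendor), the script below parses a constructed Nessus-style CSV export and triages each finding against facts an engineer collects from the appliance by hand: which ports actually listen, which protocols are disabled, which OS it runs. The sample export, the host facts and the rule set are all hypothetical; the rules only encode the kinds of mitigations the post names (feature disabled, hardened cipher settings, Windows-only bug, no attack vector) and are a starting point for an analyst, not a complete exploitability analysis.

```python
"""Triage version-based scanner findings against what the host actually exposes."""
import csv
import io
from dataclasses import dataclass

# Constructed sample export in a Nessus-like CSV shape (hypothetical data, not a real scan).
# A port of 0 is the usual convention for a host-level finding with no specific service.
SAMPLE_FINDINGS_CSV = """\
plugin_id,severity,port,protocol,package,title
1001,Critical,443,tcp,openssl,"OpenSSL < 1.0.1j: POODLE (SSLv3)"
1002,High,22,tcp,openssh,"OpenSSH < 6.7 multiple vulnerabilities"
1003,High,0,tcp,bash,"Bash Remote Code Execution (ShellShock)"
1004,Medium,80,tcp,apache,"Apache < 2.4.10 multiple vulnerabilities"
1005,Medium,0,tcp,libpng,"libpng buffer overflow (Windows only)"
"""

# Constructed host facts, the kind you gather yourself on the appliance
# (e.g. `ss -tlnp` for listening ports, the web server config for TLS settings).
HOST_FACTS = {
    "listening_ports": {22, 443},
    "ssl_protocols_disabled": {"SSLv2", "SSLv3"},
    "cgi_enabled": False,      # ShellShock needs some path that hands attacker input to bash
    "os_family": "linux",
}


@dataclass
class Finding:
    plugin_id: str
    severity: str
    port: int
    package: str
    title: str


def parse_findings(csv_text):
    """Parse the scanner export into Finding objects."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["plugin_id"], r["severity"], int(r["port"]), r["package"], r["title"])
            for r in rows]


def triage(finding, facts):
    """Return (disposition, reason) for one finding.

    Dispositions: 'not_applicable', 'no_vector', 'mitigated', 'review', 'patch'.
    Only 'patch' means nothing on record reduces the risk; 'review' means the obvious
    vector is closed but an analyst must confirm there is no other one.
    The matching below is deliberately simple keyword matching on the plugin title;
    a real triage would key on plugin IDs or CVEs instead.
    """
    title = finding.title.lower()
    if "windows only" in title and facts["os_family"] != "windows":
        return "not_applicable", "vulnerable code path only exists on Windows"
    if finding.port and finding.port not in facts["listening_ports"]:
        return "no_vector", f"port {finding.port}/tcp is not listening on the host"
    if "sslv3" in title and "SSLv3" in facts["ssl_protocols_disabled"]:
        return "mitigated", "SSLv3 is disabled in the service configuration"
    if "shellshock" in title and not facts["cgi_enabled"]:
        return "review", ("no CGI handler exposes bash; confirm other vectors "
                          "(DHCP client, SSH ForceCommand) before closing")
    return "patch", "no mitigation on record; vendor patch required"


def summarize(findings, facts):
    """Group plugin IDs by disposition so the 'patch' bucket is what goes back to the vendor."""
    buckets = {}
    for f in findings:
        disposition, _ = triage(f, facts)
        buckets.setdefault(disposition, []).append(f.plugin_id)
    return buckets


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_FINDINGS_CSV):
        disposition, reason = triage(f, HOST_FACTS)
        print(f"{f.plugin_id} {f.severity:8} {disposition:15} {reason}")
```

The useful output is the last column: each non-"patch" finding now carries the reason it is not exploitable in this deployment, which is exactly what the security team will ask for when the same 130 findings come back on the next scan.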

  • FormerMember, in reply to level0

    OK, so if we have the VMAN VM running and our security scan tool calls out 130+ vulnerabilities that are on the VMAN VM, option 1 would be to remove the VMAN VM from the scan (the VMAN VM itself is running on our interior network and is behind at least 2 firewalls and a DMZ). What would option 2, option 3, etc. be?

  • Option 3: Make sure you are on VMAN 6.1.1. We updated a bunch of the bundled software on the appliance in that release, which addressed almost all critical vulnerabilities that were found by a Nessus scan. Any remaining vulnerabilities fell into the previously mentioned "unexploitable" category. We run Nessus internally before release and log issues as we find them, so always make sure you are on the latest version.