SSVC v2025.9

In this release, we’ve introduced major new capabilities, refined core concepts, and added supporting tools and documentation.

Significant Changes

Decision Tables as a First-Class Object

• Added a DecisionTable Python object and corresponding JSON schema to represent a complete SSVC decision model.
  • A DecisionTable contains a set of DecisionPoints, designates one as the outcome, and provides a mapping that fully enumerates input combinations and assigns each combination to a specific outcome value.
  • The Python implementation includes validation to ensure mappings are logically consistent with the partial order formed by ordered decision point values.
• Terminology change: what we previously called a Decision Tree or Decision Policy is now standardized as a Decision Table.
  • Rationale:
    1. Avoid confusion between the operations research use of "decision tree" and the machine learning sense.
    2. The word policy has overloaded meanings beyond our intended usage.
    3. Decision Table is an established term that better conveys our intent.
  • See issue #698 for discussion.
• Added DecisionTable objects for specific use cases: Deployer, CISA Coordinator, CVSS v4 equivalence sets, coordinator triage models, and qualitative severity ratings.

Formalizing Decision Point Value Selections

• Added a SelectionList Python object and corresponding JSON schema to represent shareable decision point value selections in data exchange formats.
• Integration with the OASIS CSAF working group: the SSVC SelectionList format is being incorporated into a forthcoming revision of the CSAF specification.
• Extended support for probability- and quantile-bin–based decision points.

First Steps Toward an SSVC API

• Introduced a FastAPI-based Registry API with a Registry object that manages DecisionPoint and DecisionTable instances.
• API endpoints are versioned (/v1/) to allow for future compatibility.
• Packaged for containerized deployment via docker-compose.

Namespace Improvements

• Refined namespace specification and implementation to support:
  • Reverse-domain formats
  • Fragments (e.g., ssvc#example)
  • Language tags
  • Extensions
• Aligned namespace patterns with a formal ABNF grammar.
• Updated documentation: Namespaces Reference.

Tooling Enhancements

• SSVC Calculator updated to support new schema and decision tables.
• New SSVC Policy Explorer tool.
• Docker configurations for test, docs, and api containers, all buildable with docker-compose.
  • Documentation: Container HowTo.

New How-To Articles

• Using EPSS with SSVC
  • Combining EPSS with other Exploitation-Related Decision Points
  • EPSS Quantile Binning as an SSVC Amplifier
• How to use Docker for local SSVC development
• How to implement CVSS v4 Equivalence Sets in SSVC

Documentation Improvements

• Python-driven rendering of SSVC objects (DecisionPoints and DecisionTables) for more consistent examples.
• Decision tables can now be rendered as both mermaid diagrams and tables.
• New reference pages:
  • Decision Points
  • Decision Tables
• Automated generation of CSV examples in documentation.
• ADR added: Use of Calendar Versioning (CalVer) for SSVC releases.

---

Highlights from merged PRs include:

• Introduction of DecisionTable and related objects (#795, #843, #856, #863, #868, #871, #887).
• Namespace improvements and ABNF pattern formalization (#791, #824, #882, #898, #921, #925, #934, #938).
• Selection object and schema improvements (#821, #897, #940, #971).
• Registry API and Docker integration (#893, #917, #952).
• EPSS integration and new decision points (#931, #933, #949).
• Documentation and tooling refinements (#900, #929, #885, #886, #954, #970).
• ADR on Calendar Versioning (#956).
• Bug fixes and cleanup (#822, #870, #945, #953, #928).

See the full PR list below.

---

Dependency Updates

Routine bumps to mkdocs, pandas, jsonschema, and GitHub Actions tooling.

---

What's Changed

• Attempt to resolve #764 into Publish branch for updates. by @sei-vsarvepalli in #767
• Publish v2025.3.3 by @ahouseholder in #772
• Publish v2025.6 by @ahouseholder in #793
• Refactor namespaces by @ahouseholder in #791
• Bump mkdocs-bibtex from 4.2.5 to 4.2.10 in the mkdocs group by @dependabot[bot] in #794
• Bump mkdocs-bibtex from 4.2.10 to 4.3.0 in the mkdocs group by @dependabot[bot] in #804
• Bump markdown-exec from 1.10.3 to 1.11.0 by @dependabot[bot] in #805
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #811
• Bump pandas from 2.3.0 to 2.3.1 by @dependabot[bot] in #819
• Fix for Bug paging issue #818 by @sei-vsarvepalli in #822
• Bump jsonschema from 4.24.0 to 4.25.0 by @dependabot[bot] in #827
• Improve namespace implementation by @ahouseholder in #824
• Minimalist Selection Object by @ahouseholder in #821
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #837
• Bump mkdocs-print-site-plugin from 2.7.3 to 2.8 in the mkdocs group by @dependabot[bot] in #840
• Initial Decision Table object by @ahouseholder in #795
• Add DecisionTable objects for Deployer and CISA Coordinator by @sei-vsarvepalli in #843
• Refactor registry construction by @ahouseholder in #844
• Fix CISA Decision Tree extra text remove by @sei-vsarvepalli in #854
• Add Coordinator Publish DecisionTable by @ahouseholder in #856
• Fix imports in `doctools.py by @ahouseholder in #857
• Add DecisionTable objects for CVSS v4 Equivalence Sets by @ahouseholder in #863
• Move a file to be consistent in data/json/decision_points folder by @sei-vsarvepalli in #866
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #864
• SSVC Cacluator to accept new schema by @sei-vsarvepalli in #867
• Create DecisionTable representation of coordinator triage decision model by @ahouseholder in #868
• Fix a few bugs around Human Impact decision point and decision table by @ahouseholder in #870
• Add CVSS v4 MacroVector to Quality Severity Rating DecisionTable by @sei-vsarvepalli in #871
• fix broken f-strings by @bernhardreiter in #881
• Add CVSS v4 DecisionTable docs for EQ1-6, Qualitative Severity Rating by @ahouseholder in #887
• DecisionTable to mermaid by @ahouseholder in #886
• Apply black and markdownlint --fix by @ahouseholder in #885
• Distinguish resource from references in Selections #833 by @sei-vsarvepalli in #897
• Namespacepattern updates from #882 by @sei-vsarvepalli in #898
• implement new namespace patterns based on ABNF by @bernhardreiter in #882
• Add Documentation for DecisionTable objects by @ahouseholder in #900
• Bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in #913
• Bump jsonschema from 4.25.0 to 4.25.1 by @dependabot[bot] in #912
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #911
• Bump pandas from 2.3.1 to 2.3.2 by @dependabot[bot] in #910
• Update CVE items to be unique and update tests see #905 by @sei-vsarvepalli in #914
• Add FastAPI for SsvcObjectRegistry, including docker container. Also convert package management to uv by @ahouseholder in #893
• change "policy" to "decision table" in relevant docs by @ahouseholder in #906
• fix namespace ABNF and resulting pattern by @bernhardreiter in #921
• Remove default volume mount in docker-compose config by @ahouseholder in #917
• fix JSON schema pattern for namespace by @bernhardreiter in #925
• Rename description attribute to definition by @ahouseholder in #926
• Mark ssvc.dp_groups.base as deprecated by @ahouseholder in #919
• Automate CSV example generation with doctools.py by @ahouseholder in #929
• Housekeeping obsolete stuff by @ahouseholder in #928
• Add probability- and quantile-bin based decision points by @ahouseholder in #931
• Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #935
• Add "Using EPSS in SSVC" How-To docs by @ahouseholder in #933
• Allow base namespaces to have fragments (e.g., ssvc#example) by @ahouseholder in #934
• Added SSVC Calculator and fixed uv editable requirements.txt file. by @sei-vsarvepalli in #937
• Update namespace documentation by @ahouseholder in #938
• Change heading bar height to not be too small when scrolling by @sei-renae in #942
• Add hyperlinks to SSVC card titles by @sei-renae in #941
• Selection scheme error by @sei-vsarvepalli in #940
• Bugfix 943 by @sei-vsarvepalli in #945
• Refactor JSON schema generation for consistency by @ahouseholder in #946
• Improve consistency of uv use in worfklows by @ahouseholder in #948
• Add a few explanatory callouts to EPSS howtos by @ahouseholder in #949
• Remove HTML from Safety Decision Point value definitions by @ahouseholder in #953
• Prefix all api routes with /v1/ to allow future increments by @ahouseholder in #952
• Make value key its own column when rendering decision point examples by @ahouseholder in #954
• Bump tj-actions/changed-files from 46.0.5 to 47.0.0 by @dependabot[bot] in #955
• Updated files to send to pypi project format with examples by @sei-vsarvepalli in #951
• Add ADR about use of CalVer for main project releases by @ahouseholder in #956
• Use pattern string instead of compiled pattern in field_specs.py by @ahouseholder in #967
• Updates and small fixes, move ascii_tree to helpers by @sei-vsarvepalli in #969
• Clean up examples by @ahouseholder in #970
• Add minLength to name and definition in SelectionList $defs by @ahouseholder in #971
• Minor refactor of Outcome and Overview documentation by @ahouseholder in #972
• Separating how-to guides ('gathering info' sections) from reference documents by @sei-renae in #792

New Contributors

• @bernhardreiter made their first contribution in #881

Full Changelog: v2025.6...v2025.9