Releases: CERTCC/SSVC
SSVC v2.1.1 (v2023.9)
What's Changed
- fix typos in json schema descriptions by @aamedina in #286
- consistency fixes by @jeroenh in #293
- update authors, ack previous authors by @ahouseholder in #298
- update draft docs to reflect author updates by @ahouseholder in #300
Full Changelog: v2.1...v2.1.1
SSVC v2.1 (v2023.7)
The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.
Version 2.1 makes the following improvements on SSVC version 2.0:
- Introduced a demo SSVC Calc App which became the basis for CISA's SSVC Calculator
- Updated Deployer tree to use Automatable instead of Utility, which reduced the size from 108 leaf nodes to 72.
- Adjusted Deployer tree decisions based on stakeholder feedback
- Adjusted Supplier tree decisions based on stakeholder feedback
- Added section on Sharing Trees With Others including a discussion of decision point scope and decision tree scope.
- Improved clarity of time-sensitivity of some decision points in Representing Information for Decisions About Vulnerabilities
- Improved description of Mission Impact
- Improved consistency of Public Safety Impact usage throughout the document and tooling
- Improved consistency of Human Impact usage throughout the document
- Clarified that known default passwords are an example of Exploitation:PoC
- Clarified that unreachable code (as in unused library features) are System Exposure:small
- Mention DoD MEF definition in Mission Impact
- Updated references to EPSS to reflect recent publications
- Refactored markdown files to better track chapter and section numbering, improving findability when editing
- Automated HTML and PDF generation into a Github Workflow
- Updated python tools to maintain sync with current SSVC decision models
- Consolidated the SSVC document style guide into a single file in the repository
- Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists)
What's Changed
- Add SSVC v2 PDF to pdfs dir by @ahouseholder in #145
- fixed typos by @brianadeloye in #146
- All Schema v2.02 updates. Simplifying the code by @sei-vsarvepalli in #152
- Somehow missed these schema files from last PR by @sei-vsarvepalli in #153
- Examples of schema is missing. by @sei-vsarvepalli in #154
- changed virulence to automatable by @j--- in #156
- Removing hard-coded final keyword and final outcome by @sei-vsarvepalli in #157
- recreated CSV files and added a folder for them with readme; updated generation scripts by @j--- in #161
- Multiple updates 160,163 by @sei-vsarvepalli in #165
- propagate change in markdown to deployer image; prepare CSVs for sub-trees by @j--- in #170
- Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #172
- Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #173
- Tree updates and code update to fulfill request and recent issues by @sei-vsarvepalli in #174
- add scripts for coordinator stakeholder. Fix typo in triage graphic by @j--- in #176
- Update 060_decision-trees.md by @fruehaufm in #179
- fixed a typo by @fruehaufm in #182
- Pdf update by @j--- in #180
- Fixed a typo by @fruehaufm in #193
- decided on semver scheme for PDF generation script by @j--- in #194
- Bugfix for Space in values of decision by @sei-vsarvepalli in #192
- Typo (stray text) in bullet by @j--- in #196
- Updated the Mission Impact values by @fruehaufm in #197
- Fixed redundant option for Mission Impact by @fruehaufm in #187
- Updates to Dryad SSVC Calculator to use radio buttons in Analyst mode by @sei-vsarvepalli in #201
- Fix bug in svgzoom by @fneur in #204
- make the ssvc_v2.py file work with current CSV file names and columns by @ahouseholder in #207
- fixed a typo by @2shiori17 in #205
- add github workflow to generate html and pdf artifacts by @ahouseholder in #231
- reasona-bly typo by @zmanion in #232
- Updates to Abbreviated format GH Issue #177 by @sei-vsarvepalli in #233
- Updating text to conform to Human Impact change by @jeroenh in #236
- Address time-sensitivity of some decision points by @ahouseholder in #241
- Add detail about customization, tree sharing, and decision point scope by @ahouseholder in #242
- Replace Utility with Automatable in Deployer tree by @ahouseholder in #248
- Two small typo fixes by @jeroenh in #253
- Improve Mission Impact description by @j--- in #250
- add subsubsection header for tree versioning by @ahouseholder in #256
- Remove version strings from file names by @ahouseholder in #247
- Adjust deployer tree decisions by @ahouseholder in #262
- Rename markdown files to match current chapter and section names by @ahouseholder in #263
- mention publicly known default passwords as example of Exploitation:PoC by @ahouseholder in #265
- Replace κ with k to avoid pandoc font errors in build process by @ahouseholder in #264
- Change default tree to Deployer.json by @ahouseholder in #258
- Make Public Safety Impact values consistent throughout by @ahouseholder in #267
- Update analyze_csv.py to reflect csv column name changes by @ahouseholder in #270
- EPSS changes by @laurie-tyz in #271
- Update README docs to make finding recent pdf easier by @ahouseholder in #277
- Adjust Supplier Tree decisions by @ahouseholder in #276
- Update style guide and acks by @ahouseholder in #279
- Mention DoD 3020.26 MEF definition in Mission Impact by @cgyarbrough in #281
- Unreachable code -> System Exposure: Small by @cgyarbrough in #282
- Update Changelog for v2.1 by @ahouseholder in #269
- update pdf and html drafts by @ahouseholder in #283
New Contributors
- @brianadeloye made their first contribution in #146
- @fruehaufm made their first contribution in #172
- @fneur made their first contribution in #204
- @2shiori17 made their first contribution in #205
- @zmanion made their first contribution in #232
- @jeroenh made their first contribution in #236
- @cgyarbrough made their first contribution in #281
Full Changelog: v2.0...v2.1
SSVC v2.0 (v2021.5)
The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.
Version 2 improves on Version 1.1 with the addition of the coordinator stakeholder perspective, improvements to terminology, integration of feedback on decision point definitions, and tools to support practical use.
This section summarizes the changes between SSVC version 2 and SSVC version 1.1 as published at the Workshop on the Economics of Information Security (WEIS 2020). The details of what changes were made can be viewed below in these release notes. We addressed about 60 issues. About 10 issues identified "bugs" or errors in version 1.1. About 20 issues improved documentation of tools or improved the clarity of document text. The remaining 30 issues were focused on enhancing SSVC based on feedback received on version 1, though several of the bug fixes and documentation improvements also provided enhancements. This section focuses on changes that provided enhancements.
Coordinator stakeholder
Version 1 only considered two stakeholders: those who make software, and those who use information systems. Version 2 introduces a coordinator stakeholder and two distinct decisions for that stakeholder group: vulnerability intake triage and publication about a vulnerability. These decisions use some existing decision points, but also introduce six new decision points to support coordinators in making these decisions. The coordinator stakeholder is based on CERT/CC's experience coordinating vulnerabilities.
Terminology changes
Some terms have been adjusted to better align with other usage in the field or based on feedback. Therefore, "patch developer" became supplier and "patch applier" became deployer. These terms in version 2 better reflect the stakeholder's relationship to the vulnerable component and also help keep clear that SSVC is about prioritization of work items in vulnerability management, not just patches. We have also generally removed the word patch and instead use the more general "remediation" for a complete fix and "mitigation" for actions that reduce risk but do not remove a vulnerability from a system. "Virulence" was renamed Automatable in an effort to be more direct and clear, rather than relying on an epidemiology metaphor. We changed "out-of-band" to out-of-cycle.
Some concepts needed to be clarified or added. These changes are a bit more substantive than the above terminology changes, but are similar. For example, we clarified how end-of-life products are prioritized with SSVC. We also clarified in Scope concepts around vulnerability identification and disambiguation. Version 2 adopts an explicit definition of risk (from ISO Guide 73). We also differentiated between vulnerability risk, or that risk arising from an unmanaged vulnerability in an information system, and change risk, or that risk from modifying or updating an information system to mitigate or remediate a vulnerability. SSVC version 2 focuses on assessing and managing vulnerability risk, not change risk. This stance was not explicit in SSVC version 1.
Improvements to decision points
Version 1 had a decision point for well-being impact that was shared between supplier and deployer stakeholders. Since these types of stakeholder have access to different information about safety and well-being, Version 2 splits this concept into Public Safety Impact and Situated Safety Impact. The underlying definition remains largely the same. However, Public Safety Impact has fewer output options (it is less granular) in recognition that a supplier or coordinator has less information about the context of deployment than a deployer does.
In addition, based on feedback from SSVC users, the SSVC version 2 recommended applier tree makes use of a combined value for Mission Impact and Situated Safety Impact. The intuition behind this change is that if a person is going to die OR the organization is going to fail (for example, go bankrupt), then the organization will likely want to act with highest priority. Either situation is sufficient to increase the priority, and there do not appear to be situations where a low Mission Impact would mitigate a high Situated Safety Impact or vice versa. On the other hand, a low Utility or System Exposure may mitigate a high mission or well-being impact. So the Version 2 recommended tree is more usable than the Version 1 tree, thanks to these changes.
Tree management and communication tools
The section Tree Construction and Customization Guidance is largely new or revised. We produced new software tools for interacting with SSVC, which are documented in that section. Version 2 adds reasoning behind why a stakeholder might customize a decision tree, what aspects of the tree are best to customize, tools for encoding custom trees in JSON, and scripts for visualizing custom trees.
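The two things a tree owner keeps running into when customizing or sharing a tree are (a) how many leaf nodes a given set of decision points produces (the v2.1 notes above quote 108 leaves for the Utility-based Deployer tree and 72 after the switch to Automatable) and (b) whether a hand-edited outcome table still covers every path exactly once. The following added example, written for these release notes and not code from the CERTCC/SSVC repository, encodes a tree as a simplified JSON document (a hypothetical shape, not the project's schema), enumerates its leaves into CSV rows, and checks a decided table for uncovered leaves. The decision point names and value sets are the SSVC v2 values, assumed here for illustration.

```python
"""Enumerate and check the leaves of an SSVC-style decision tree.

Added example, not code from the CERTCC/SSVC repository. The JSON shape is
a simplified, hypothetical encoding; the decision point value sets are the
SSVC v2 values, assumed here for illustration.
"""
import csv
import io
import itertools
import json

# Constructed sample: a Deployer-style tree using the three-valued Utility
# decision point (the v2.0 shape).
DEPLOYER_UTILITY = json.dumps({
    "name": "Deployer (Utility-based)",
    "decision_points": [
        {"name": "Exploitation", "values": ["none", "PoC", "active"]},
        {"name": "Utility", "values": ["laborious", "efficient", "super effective"]},
        {"name": "System Exposure", "values": ["small", "controlled", "open"]},
        {"name": "Human Impact", "values": ["low", "medium", "high", "very high"]},
    ],
})


def deployer_automatable() -> str:
    """Same tree with Utility replaced by the two-valued Automatable point."""
    tree = json.loads(DEPLOYER_UTILITY)
    tree["name"] = "Deployer (Automatable-based)"
    tree["decision_points"][1] = {"name": "Automatable", "values": ["no", "yes"]}
    return json.dumps(tree)


def point_names(tree_json: str) -> list:
    return [dp["name"] for dp in json.loads(tree_json)["decision_points"]]


def leaf_rows(tree_json: str) -> list:
    """Every root-to-leaf path as a dict {decision point: chosen value}.

    The tree is a full product of its decision points, so the leaves are
    exactly the Cartesian product of the value sets, in order.
    """
    tree = json.loads(tree_json)
    names = [dp["name"] for dp in tree["decision_points"]]
    value_sets = [dp["values"] for dp in tree["decision_points"]]
    return [dict(zip(names, combo)) for combo in itertools.product(*value_sets)]


def leaf_count(tree_json: str) -> int:
    """Number of leaves: the product of the value-set sizes."""
    return len(leaf_rows(tree_json))


def to_csv(tree_json: str) -> str:
    """Render the leaves as CSV, one row per leaf, plus an empty Priority
    column for the tree owner to fill in (assumed column layout)."""
    rows = leaf_rows(tree_json)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]) + ["Priority"])
    writer.writeheader()
    for row in rows:
        writer.writerow({**row, "Priority": ""})
    return buf.getvalue()


def uncovered_leaves(tree_json: str, decided_rows: list) -> list:
    """Leaves that no decided row covers.

    A customized or shared tree is only usable if every path has an outcome;
    a non-empty result means the outcome table is incomplete.
    """
    names = point_names(tree_json)
    covered = {tuple(r[n] for n in names) for r in decided_rows}
    return [leaf for leaf in leaf_rows(tree_json)
            if tuple(leaf[n] for n in names) not in covered]


def duplicate_leaves(decided_rows: list, names: list) -> list:
    """Paths that appear more than once in a decided table (ambiguous outcome)."""
    seen, dupes = set(), []
    for r in decided_rows:
        key = tuple(r[n] for n in names)
        if key in seen:
            dupes.append(dict(zip(names, key)))
        seen.add(key)
    return dupes


if __name__ == "__main__":
    print(leaf_count(DEPLOYER_UTILITY), "leaves with Utility")          # 108
    print(leaf_count(deployer_automatable()), "leaves with Automatable")  # 72
    print(to_csv(deployer_automatable()).splitlines()[0])
```

Running the script prints the 108 and 72 leaf counts that the v2.1 notes cite; `uncovered_leaves` and `duplicate_leaves` are the checks to run against any CSV of outcomes before a customized tree is shared, since a missing or doubled path is easy to introduce when editing rows by hand.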
Similarly, the section on Guidance on Communicating Results is largely new. The section presents both an abbreviated and unabridged format for communicating SSVC information about a vulnerability. This communication may be connected to the formats for communicating a whole decision tree. Version 2 also addresses several other questions about SSVC information management, such as handling information changes over time, partial information, sourcing information for each decision point, and how collection and analysis of SSVC decision points can be automated.
What's Changed
- Issue #5 by @laurie-tyz in #37
- s/virulence/automatability/g by @ahouseholder in #40
- rephrase kill chain automation text to active voice by @ahouseholder in #41
- Create CONTRIBUTING.md by @j--- in #45
- Fix #17 by @ahouseholder in #48
- Issue #5 (Deployer/Supplier) changes by @laurie-tyz in #47
- add paragraph about risk tolerance by @ahouseholder in #43
- add text for automatability and vul chaining by @ahouseholder in #52
- Address EOL products in scope section by @ahouseholder in #54
- Compress safety and mission impacts fix for #1 (+11 squashed commits) by @ahouseholder in #51
- split 040_trees... into 4 separate files to reduce edit conflicts by @ahouseholder in #55
- Update of 040 - Remediation & Mitigation by @laurie-tyz in #57
- "Coordinating Patches" switched back by @laurie-tyz in #58
- Fix for #3 by @ahouseholder in #59
- Added python script to convert CSV files to latex for tree viz by @j--- in #62
- Fix22 by @j--- in #63
- Started comms guidance; vector string notation rewrite by @j--- in #64
- carried thank yous over from WEIS paper to README by @j--- in #68
- typo correction by @laurie-tyz in #73
- fixed display of table 10 by converting to HTML by @j--- in #75
- added risk definition from ISO by @j--- in #69
- deployer option generation script and output for v2 by @j--- in #80
- Described customization options by @j--- in #71
- added passage on dealing with partial information by @j--- in #67
- New subsection to discuss relation to other systems by @j--- in #81
- documented the relationship between existence of a vul and Technical Impact by @j--- in #70
- mentioned considerations on whose security policy by @j--- in #72
- #46 remediation/mitigation by @laurie-tyz in #85
- Schemas updated and merged adh suggestions excep vector representatio… by @sei-vsarvepalli in #91
- Related to item #79 by @laurie-tyz in #90
- Part 2 of Item #79 - only affecting section 040 by @laurie-tyz in #93
- Better described Utility, differentiating it from exploitation. by @j--- in #82
- reorg, updated compile, updated README by @j--- in #95
- Support a yes/no automatable question by @j--- in #97
- Feature/fix 32 by @ahouseholder in #100
- updated section headers/intros after #95 by @j--- in #99
- discuss changing information by @j--- in #96
- Info sources 27 by @j--- in #101
- Initial draft of the coordination stakeholder's decision at intake by @j--- in #94
- added draft labels for new deployer tree by @j--- in #98
- Explain json fix65 by @j--- in #105
- initial draft of coordinator publication decision by @j--- in #103
- Proposed fix for 106 jso...
SSVC v1.1 (v2020.9)
SSVC Version 1.1 includes changes made for the publication at WEIS 2020.
SSVC v1.0 (v2019.12)
Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This paper—the second part of a research agenda about prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with the CVSS. SSVC takes the form of decision trees for different vulnerability management communities.