SSVC v2.1 (v2023.7)

The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.

Version 2.1 makes the following improvements on SSVC version 2.0:

• Introduced a demo SSVC Calc App which became the basis for CISA's SSVC Calculator
• Updated Deployer tree to use Automatable instead of Utility, which reduced the size from 108 leaf nodes to 72.
• Adjusted Deployer tree decisions based on stakeholder feedback
• Adjusted Supplier tree decisions based on stakeholder feedback
• Added section on Sharing Trees With Others including a discussion of decision point scope and decision tree scope.
• Improved clarity of time-sensitivity of some decision points in Representing Information for Decisions About Vulnerabilities
• Improved description of Mission Impact
• Improved consistency of Public Safety Impact usage throughout the document and tooling
• Improved consistency of Human Impact usage throughout the document
• Clarified that known default passwords are an example of Exploitation:PoC
• Clarified that unreachable code (as in unused library features) are System Exposure:small
• Mention DoD MEF definition in Mission Impact
• Updated references to EPSS to reflect recent publications
• Refactored markdown files to better track chapter and section numbering, improving findability when editing
• Automated HTML and PDF generation into a Github Workflow
• Updated python tools to maintain sync with current SSVC decision models
• Consolidated the SSVC document style guide into a single file in the repository
• Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists)

What's Changed

• Add SSVC v2 PDF to pdfs dir by @ahouseholder in #145
• fixed typos by @brianadeloye in #146
• All Schema v2.02 updates. Simplifying the code by @sei-vsarvepalli in #152
• Somehow missed these schema files from last PR by @sei-vsarvepalli in #153
• Examples of schema is missing. by @sei-vsarvepalli in #154
• changed virulence to automatable by @j--- in #156
• Removing hard-coded final keyword and final outcome by @sei-vsarvepalli in #157
• recreated CSV files and added a folder for them with readme; updated generation scripts by @j--- in #161
• Multiple updates 160,163 by @sei-vsarvepalli in #165
• propagate change in markdown to deployer image; prepare CSVs for sub-trees by @j--- in #170
• Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #172
• Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #173
• Tree updates and code update to fulfill request and recent issues by @sei-vsarvepalli in #174
• add scripts for coordinator stakeholder. Fix typo in triage graphic by @j--- in #176
• Update 060_decision-trees.md by @fruehaufm in #179
• fixed a typo by @fruehaufm in #182
• Pdf update by @j--- in #180
• Fixed a typo by @fruehaufm in #193
• decided on semver scheme for PDF generation script by @j--- in #194
• Bugfix for Space in values of decision by @sei-vsarvepalli in #192
• Typo (stray text) in bullet by @j--- in #196
• Updated the Mission Impact values by @fruehaufm in #197
• Fixed redundant option for Mission Impact by @fruehaufm in #187
• Updates to Dryad SSVC Calcultor to use radio buttons in Analyst mode by @sei-vsarvepalli in #201
• Fix bug in svgzoom by @fneur in #204
• make the ssvc_v2.py file work with current CSV file names and columns by @ahouseholder in #207
• fixed a typo by @2shiori17 in #205
• add github workflow to generate html and pdf artifacts by @ahouseholder in #231
• reasona-bly typo by @zmanion in #232
• Updates to Abbreviated format GH Issue #177 by @sei-vsarvepalli in #233
• Updating text to conform to Human Impact change by @jeroenh in #236
• Address time-sensitivity of some decision points by @ahouseholder in #241
• Add detail about customization, tree sharing, and decision point scope by @ahouseholder in #242
• Replace Utility with Automatable in Deployer tree by @ahouseholder in #248
• Two small typo fixes by @jeroenh in #253
• Improve Mission Impact description by @j--- in #250
• add subsubsection header for tree versioning by @ahouseholder in #256
• Remove version strings from file names by @ahouseholder in #247
• Adjust deployer tree decisions by @ahouseholder in #262
• Rename markdown files to match current chapter and section names by @ahouseholder in #263
• mention publicly known default passwords as example of Exploitation:PoC by @ahouseholder in #265
• Replace κ with k to avoid pandoc font errors in build process by @ahouseholder in #264
• Change default tree to Deployer.json by @ahouseholder in #258
• Make Public Safety Impact values consistent throughout by @ahouseholder in #267
• Update analyze_csv.py to reflect csv column name changes by @ahouseholder in #270
• EPSS changes by @laurie-tyz in #271
• Update README docs to make finding recent pdf easier by @ahouseholder in #277
• Adjust Supplier Tree decisions by @ahouseholder in #276
• Update style guide and acks by @ahouseholder in #279
• Mention DoD 3020.26 MEF definition in Mission Impact by @cgyarbrough in #281
• Unreachable code -> System Exposure: Small by @cgyarbrough in #282
• Update Changelog for v2.1 by @ahouseholder in #269
• update pdf and html drafts by @ahouseholder in #283

New Contributors

• @brianadeloye made their first contribution in #146
• @fruehaufm made their first contribution in #172
• @fneur made their first contribution in #204
• @2shiori17 made their first contribution in #205
• @zmanion made their first contribution in #232
• @jeroenh made their first contribution in #236
• @cgyarbrough made their first contribution in #281

Full Changelog: v2.0...v2.1