Releases · CERTCC/SSVC

The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.

Version 2.1 makes the following improvements on SSVC version 2.0:

Introduced a demo SSVC Calc App which became the basis for CISA's SSVC Calculator
Updated Deployer tree to use Automatable instead of Utility, which reduced the size from 108 leaf nodes to 72.
Adjusted Deployer tree decisions based on stakeholder feedback
Adjusted Supplier tree decisions based on stakeholder feedback
Added section on Sharing Trees With Others including a discussion of decision point scope and decision tree scope.
Improved clarity of time-sensitivity of some decision points in Representing Information for Decisions About Vulnerabilities
Improved description of Mission Impact
Improved consistency of Public Safety Impact usage throughout the document and tooling
Improved consistency of Human Impact usage throughout the document
Clarified that known default passwords are an example of Exploitation:PoC
Clarified that unreachable code (as in unused library features) are System Exposure:small
Mention DoD MEF definition in Mission Impact
Updated references to EPSS to reflect recent publications
Refactored markdown files to better track chapter and section numbering, improving findability when editing
Automated HTML and PDF generation into a Github Workflow
Updated python tools to maintain sync with current SSVC decision models
Consolidated the SSVC document style guide into a single file in the repository
Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists)

What's Changed

Add SSVC v2 PDF to pdfs dir by @ahouseholder in #145
fixed typos by @brianadeloye in #146
All Schema v2.02 updates. Simplifying the code by @sei-vsarvepalli in #152
Somehow missed these schema files from last PR by @sei-vsarvepalli in #153
Examples of schema is missing. by @sei-vsarvepalli in #154
changed virulence to automatable by @j--- in #156
Removing hard-coded final keyword and final outcome by @sei-vsarvepalli in #157
recreated CSV files and added a folder for them with readme; updated generation scripts by @j--- in #161
Multiple updates 160,163 by @sei-vsarvepalli in #165
propagate change in markdown to deployer image; prepare CSVs for sub-trees by @j--- in #170
Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #172
Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #173
Tree updates and code update to fulfill request and recent issues by @sei-vsarvepalli in #174
add scripts for coordinator stakeholder. Fix typo in triage graphic by @j--- in #176
Update 060_decision-trees.md by @fruehaufm in #179
fixed a typo by @fruehaufm in #182
Pdf update by @j--- in #180
Fixed a typo by @fruehaufm in #193
decided on semver scheme for PDF generation script by @j--- in #194
Bugfix for Space in values of decision by @sei-vsarvepalli in #192
Typo (stray text) in bullet by @j--- in #196
Updated the Mission Impact values by @fruehaufm in #197
Fixed redundant option for Mission Impact by @fruehaufm in #187
Updates to Dryad SSVC Calcultor to use radio buttons in Analyst mode by @sei-vsarvepalli in #201
Fix bug in svgzoom by @fneur in #204
make the ssvc_v2.py file work with current CSV file names and columns by @ahouseholder in #207
fixed a typo by @2shiori17 in #205
add github workflow to generate html and pdf artifacts by @ahouseholder in #231
reasona-bly typo by @zmanion in #232
Updates to Abbreviated format GH Issue #177 by @sei-vsarvepalli in #233
Updating text to conform to Human Impact change by @jeroenh in #236
Address time-sensitivity of some decision points by @ahouseholder in #241
Add detail about customization, tree sharing, and decision point scope by @ahouseholder in #242
Replace Utility with Automatable in Deployer tree by @ahouseholder in #248
Two small typo fixes by @jeroenh in #253
Improve Mission Impact description by @j--- in #250
add subsubsection header for tree versioning by @ahouseholder in #256
Remove version strings from file names by @ahouseholder in #247
Adjust deployer tree decisions by @ahouseholder in #262
Rename markdown files to match current chapter and section names by @ahouseholder in #263
mention publicly known default passwords as example of Exploitation:PoC by @ahouseholder in #265
Replace κ with k to avoid pandoc font errors in build process by @ahouseholder in #264
Change default tree to Deployer.json by @ahouseholder in #258
Make Public Safety Impact values consistent throughout by @ahouseholder in #267
Update analyze_csv.py to reflect csv column name changes by @ahouseholder in #270
EPSS changes by @laurie-tyz in #271
Update README docs to make finding recent pdf easier by @ahouseholder in #277
Adjust Supplier Tree decisions by @ahouseholder in #276
Update style guide and acks by @ahouseholder in #279
Mention DoD 3020.26 MEF definition in Mission Impact by @cgyarbrough in #281
Unreachable code -> System Exposure: Small by @cgyarbrough in #282
Update Changelog for v2.1 by @ahouseholder in #269
update pdf and html drafts by @ahouseholder in #283