SSVC v2024.3.2

• Make json schemas available from /data/schema/ folder on site
• Update Mission Impact in .json and .csv representations
• Minor i18n improvements
• Update links to CERT Guide to CVD to new site
• Other link fixes
• Project infrastructure improvements
• Update Dependencies

What's Changed

• Publish certcc.github.io/SSVC by @ahouseholder in #534
• Updates dependencies & adds changelog by @ahouseholder in #554
• Bump pandas from 2.2.1 to 2.2.2 by @dependabot in #557
• Bump scikit-learn from 1.4.1.post1 to 1.4.2 by @dependabot in #556
• Bump mkdocs-print-site-plugin from 2.3.6 to 2.4.0 in the mkdocs group by @dependabot in #555
• Updated Mission-Impact in Deployer.json and in csvs/child_trees to ma… by @sei-vsarvepalli in #559
• i18n improvement to Deployer.json by @sei-vsarvepalli in #560
• Bump the mkdocs group with 3 updates by @dependabot in #563
• Replace vuls.cert.org CVD guide links with certcc.github.io links by @ahouseholder in #562
• Bump dataclasses-json from 0.6.4 to 0.6.5 by @dependabot in #566
• Bump the mkdocs group across 1 directory with 5 updates by @dependabot in #567
• Bump jsonschema from 4.21.1 to 4.22.0 by @dependabot in #568
• Bump dataclasses-json from 0.6.5 to 0.6.6 by @dependabot in #572
• Bump the mkdocs group with 3 updates by @dependabot in #571
• Add requirements.txt trigger to link_checker.yml by @ahouseholder in #569
• Bump the mkdocs group with 3 updates by @dependabot in #573
• Bump scikit-learn from 1.4.2 to 1.5.0 by @dependabot in #575
• Bump the mkdocs group with 2 updates by @dependabot in #574
• Bump the mkdocs group with 3 updates by @dependabot in #577
• Fixed URL in README.md by @patrickmgarrity in #578
• Bump dataclasses-json from 0.6.6 to 0.6.7 by @dependabot in #580
• Bump the mkdocs group with 2 updates by @dependabot in #579
• Bump mkdocs-material from 9.5.26 to 9.5.27 in the mkdocs group by @dependabot in #583
• Bump the mkdocs group with 2 updates by @dependabot in #585
• Make schema available via data/ folder for certcc.github.io by @sei-vsarvepalli in #586
• Dockerize unit tests by @ahouseholder in #581

New Contributors

• @patrickmgarrity made their first contribution in #578

Full Changelog: v2024.3.1...v2024.3.2

SSVC v2024.3.1

• Update dependencies
• Add 2024.3 release notes
• Integrate site navigation with certcc.github.io home page

What's Changed

• Bump the mkdocs group with 1 update by @dependabot in #541
• Configure sitemap.xml to be populated by @ahouseholder in #543
• Bump the mkdocs group with 2 updates by @dependabot in #544
• Bump the mkdocs group with 3 updates by @dependabot in #545
• Bump actions/configure-pages from 4 to 5 by @dependabot in #548
• Bump the mkdocs group with 2 updates by @dependabot in #547
• Bump the mkdocs group with 4 updates by @dependabot in #551
• Bump networkx from 3.2.1 to 3.3 by @dependabot in #552
• Add link to certcc.github.io home page by @ahouseholder in #553
• Update changelog by @ahouseholder in #549

Full Changelog: v2024.3...v2024.3.1

SSVC v2024.3

The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.
In the 2024.3 release of the Stakeholder-Specific Vulnerability Classification (SSVC) system, we've made a number of significant changes:

New Web Site

This release debuts the certcc.github.io/SSVC web site to serve as the front-door for all things SSVC.

• Diátaxis Framework - We adopted the Diátaxis Framework as a document organization framework for SSVC documentation. High level content categories are: tutorials, how-to, topics, and reference. What used to be a linear paper format is now sectioned off into more digestible pieces.
• More call-outs and examples - With our adoption of Material for MkDocs as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site.

New and Revised Content

• Expanded Content - We've included more examples of Decision Points and the like directly inline where they're mentioned so readers don't need to keep flipping back and forth to their definitions for reference.
• Bootstrapping advice - Added a Getting Started with SSVC process to help organizations go from being potential SSVC users to being actual SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community.
• Putting the Pieces Together - Added a Putting the Pieces Together page explaining some of our philosophy regarding how to use SSVC to model decisions. SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like.
• Acuity Ramp - Added an Acuity Ramp explainer to show how an organization can grow into a decision model over time.
• Community Engagement - Included in the new web site are a number of suggested ways for the community to interact with and contribute to the SSVC project on Github.

Versioned Objects

• Semantic Versioning for Decision Points and Decision Point Groups - Introduced Semantic Versioning (SemVer) for Decision Points and Decision Point Groups to improve communication around decision points and decision models
• Calendar Versioning for SSVC as a whole - With the introduction of SemVer for Decision Points and Decision Point Groups, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer.

Experimental & Emerging Features

There are a few improvements we've begun but have not yet fully finished, and that are largely undocumented. Most of these in the current release are python-centric. Here's a brief overview for those who want to poke around at code.

• SSVC Python module - This release introduces the ssvc python module to allow us to more easily work with Decision Points, Decision Point Groups, Outcomes, and Policies that map from Decision Points to Outcomes. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation.
• Policy Generator - We're prototyping a Python tool that can generate a starting policy given any combination of a Decision Point Group and Outcomes. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out.
• More Decision Points and Outcomes - In the process of exercising our Semantic Versioning rules for decision points and groups, we needed some examples of versioning events for discussion purposes. As a result, the ssvc.decision_points.cvss and ssvc.dp_groups.cvss modules contain python implementations of CVSS vector elements from CVSS v1, v2, v3, v3.1, and v4. We anticipate some of these coming in handy in the future as we look toward modeling other decisions potentially based on CVSS vector elements as well as other decision points from SSVC and elsewhere. We also included decision points and groups from CISA's customized SSVC implementation.

Other project infrastructure improvements

• Shifted from PDF-oriented to web-oriented workflow
• Adopted MkDocs and Material for MkDocs for static site production
• Adopted Markdown Any Decision Records to preserve rationale and record decisions that are of significant impact to the project
• Added documentation to the SSVC project wiki with tips for current and future contributors.
• Began using Github's Dependabot to help maintain dependency versions.

What's Changed

• Convert docs to mkdocs, material, mermaid by @ahouseholder in #301
• Create CODEOWNERS by @ahouseholder in #305
• Fix video links by @ahouseholder in #312
• Fix links by @ahouseholder in #310
• Feature/bootstrapping docs by @ahouseholder in #308
• Move project meta-docs from main repo into Github wiki by @ahouseholder in #320
• add drop column importance by @ahouseholder in #327
• Add print-site plugin to restore all-in-one page feature by @ahouseholder in #338
• Add new json schemas for decision points and dp groups by @ahouseholder in #340
• Add SSVC python module by @ahouseholder in #342
• Begin recording architecture decisions by @ahouseholder in #341
• Add python decision points for critical software and high value assets by @ahouseholder in #346
• add ADR proposals for decision point versioning. by @ahouseholder in #350
• Add Decision Point Group Versioning ADRs by @ahouseholder in #368
• Add build steps to python-app.yml by @ahouseholder in #371
• Add CVSS-based (v1, v2, v3) decision points as python classes by @ahouseholder in #343
• Add CWE-PoC list file by @koscinv in #376
• Policy Generator tool, first pass by @ahouseholder in #365
• Reorganize HowTo section by @ahouseholder in #379
• Tool to auto populate documentation examples for decision point objects by @ahouseholder in #370
• Add sanity checks to policy generator by @ahouseholder in #387
• Add CVSSv4 Decision Points by @ahouseholder in #377
• Add ADR excluding examples from object descriptions by @ahouseholder in #391
• Fix policygenerator slowness by @ahouseholder in #397
• Two small typofixes by @ahouseholder in #396
• Add grid to homepage by @ahouseholder in #399
• Pin versions in requirements.txt by @ahouseholder in #400
• Create dependabot.yml by @ahouseholder in #402
• Bump mkdocs-material from 9.5.4 to 9.5.6 by @dependabot in #410
• Bump jsonschema from 4.19.2 to 4.21.1 by @dependabot in #408
• Bump pandas from 2.1.2 to 2.2.0 by @dependabot in #406
• Bump mkdocs-include-markdown-plugin from 6.0.3 to 6.0.4 by @dependabot in #407
• Bump networkx from 3.1 to 3.2.1 by @dependabot in #409
• Add GH actions to dependabot config by @ahouseholder in #411
• Bump mkdocs-table-reader-plugin from 2.0.3 to 2.1.0 by @dependabot in #413
• Bump thefuzz from 0.20.0 to 0.22.1 by @dependabot in #414
• Bump actions/upload-pages-artifact from 2 to 3 by @dependabot in #421
• Bump actions/deploy-pages from 2 to 4 by @dependabot in #422
• Bump dataclasses-json from 0.6.1 to 0.6.3 by @dependabot in #415
• Bump actions/configure-pages from 3 to 4 by @dependabot in #419
• Bump actions/checkout from 3 to 4 by @dependabot in #420
• Bump actions/setup-python from 3 to 5 by @dependabot in #418
• Bump scikit-learn from 1.3.2 to 1.4.0 by @dependabot in https://github.com/CERTCC/SSVC/...

SSVC v2.1.1 (v2023.9)

What's Changed

• fix typos in json schema descriptions by @aamedina in #286
• consistency fixes by @jeroenh in #293
• update authors, ack previous authors by @ahouseholder in #298
• update draft docs to reflect author updates by @ahouseholder in #300

New Contributors

• @aamedina made their first contribution in #286

Full Changelog: v2.1...v2.1.1

SSVC v2.1 (v2023.7)

The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.

Version 2.1 makes the following improvements on SSVC version 2.0:

• Introduced a demo SSVC Calc App which became the basis for CISA's SSVC Calculator
• Updated Deployer tree to use Automatable instead of Utility, which reduced the size from 108 leaf nodes to 72.
• Adjusted Deployer tree decisions based on stakeholder feedback
• Adjusted Supplier tree decisions based on stakeholder feedback
• Added section on Sharing Trees With Others including a discussion of decision point scope and decision tree scope.
• Improved clarity of time-sensitivity of some decision points in Representing Information for Decisions About Vulnerabilities
• Improved description of Mission Impact
• Improved consistency of Public Safety Impact usage throughout the document and tooling
• Improved consistency of Human Impact usage throughout the document
• Clarified that known default passwords are an example of Exploitation:PoC
• Clarified that unreachable code (as in unused library features) are System Exposure:small
• Mention DoD MEF definition in Mission Impact
• Updated references to EPSS to reflect recent publications
• Refactored markdown files to better track chapter and section numbering, improving findability when editing
• Automated HTML and PDF generation into a Github Workflow
• Updated python tools to maintain sync with current SSVC decision models
• Consolidated the SSVC document style guide into a single file in the repository
• Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists)

What's Changed

• Add SSVC v2 PDF to pdfs dir by @ahouseholder in #145
• fixed typos by @brianadeloye in #146
• All Schema v2.02 updates. Simplifying the code by @sei-vsarvepalli in #152
• Somehow missed these schema files from last PR by @sei-vsarvepalli in #153
• Examples of schema is missing. by @sei-vsarvepalli in #154
• changed virulence to automatable by @j--- in #156
• Removing hard-coded final keyword and final outcome by @sei-vsarvepalli in #157
• recreated CSV files and added a folder for them with readme; updated generation scripts by @j--- in #161
• Multiple updates 160,163 by @sei-vsarvepalli in #165
• propagate change in markdown to deployer image; prepare CSVs for sub-trees by @j--- in #170
• Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #172
• Update CISA-Coordinator-v2.0.3.json by @fruehaufm in #173
• Tree updates and code update to fulfill request and recent issues by @sei-vsarvepalli in #174
• add scripts for coordinator stakeholder. Fix typo in triage graphic by @j--- in #176
• Update 060_decision-trees.md by @fruehaufm in #179
• fixed a typo by @fruehaufm in #182
• Pdf update by @j--- in #180
• Fixed a typo by @fruehaufm in #193
• decided on semver scheme for PDF generation script by @j--- in #194
• Bugfix for Space in values of decision by @sei-vsarvepalli in #192
• Typo (stray text) in bullet by @j--- in #196
• Updated the Mission Impact values by @fruehaufm in #197
• Fixed redundant option for Mission Impact by @fruehaufm in #187
• Updates to Dryad SSVC Calcultor to use radio buttons in Analyst mode by @sei-vsarvepalli in #201
• Fix bug in svgzoom by @fneur in #204
• make the ssvc_v2.py file work with current CSV file names and columns by @ahouseholder in #207
• fixed a typo by @2shiori17 in #205
• add github workflow to generate html and pdf artifacts by @ahouseholder in #231
• reasona-bly typo by @zmanion in #232
• Updates to Abbreviated format GH Issue #177 by @sei-vsarvepalli in #233
• Updating text to conform to Human Impact change by @jeroenh in #236
• Address time-sensitivity of some decision points by @ahouseholder in #241
• Add detail about customization, tree sharing, and decision point scope by @ahouseholder in #242
• Replace Utility with Automatable in Deployer tree by @ahouseholder in #248
• Two small typo fixes by @jeroenh in #253
• Improve Mission Impact description by @j--- in #250
• add subsubsection header for tree versioning by @ahouseholder in #256
• Remove version strings from file names by @ahouseholder in #247
• Adjust deployer tree decisions by @ahouseholder in #262
• Rename markdown files to match current chapter and section names by @ahouseholder in #263
• mention publicly known default passwords as example of Exploitation:PoC by @ahouseholder in #265
• Replace κ with k to avoid pandoc font errors in build process by @ahouseholder in #264
• Change default tree to Deployer.json by @ahouseholder in #258
• Make Public Safety Impact values consistent throughout by @ahouseholder in #267
• Update analyze_csv.py to reflect csv column name changes by @ahouseholder in #270
• EPSS changes by @laurie-tyz in #271
• Update README docs to make finding recent pdf easier by @ahouseholder in #277
• Adjust Supplier Tree decisions by @ahouseholder in #276
• Update style guide and acks by @ahouseholder in #279
• Mention DoD 3020.26 MEF definition in Mission Impact by @cgyarbrough in #281
• Unreachable code -> System Exposure: Small by @cgyarbrough in #282
• Update Changelog for v2.1 by @ahouseholder in #269
• update pdf and html drafts by @ahouseholder in #283

New Contributors

• @brianadeloye made their first contribution in #146
• @fruehaufm made their first contribution in #172
• @fneur made their first contribution in #204
• @2shiori17 made their first contribution in #205
• @zmanion made their first contribution in #232
• @jeroenh made their first contribution in #236
• @cgyarbrough made their first contribution in #281

Full Changelog: v2.0...v2.1

SSVC v2.0 (v2021.5)

The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.

Version 2 improves on Version 1.1 with the addition of the coordinator stakeholder perspective, improvements to terminology, integration of feedback on decision point definitions, and tools to support practical use.

SSVC v1.1 (v2020.9)

SSVC Version 1.1 includes changes made for the publication at WEIS 2020.

SSVC v1.0 (v2019.12)

Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This paper—the second part of a research agenda about prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with the CVSS. SSVC takes the form of decision trees for different vulnerability management communities.