SSVC v2.1

[ahouseholder]

The Stakeholder-specific Vulnerability Categorization (SSVC) is a system for prioritizing actions during vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.

Version 2.1 makes the following improvements on SSVC version 2.0:

• Introduced a demo SSVC Calc App which became the basis for CISA's SSVC Calculator
• Updated Deployer tree to use Automatable instead of Utility, which reduced the size from 108 leaf nodes to 72.
• Adjusted Deployer tree decisions based on stakeholder feedback
• Adjusted Supplier tree decisions based on stakeholder feedback
• Added section on Sharing Trees With Others including a discussion of decision point scope and decision tree scope.
• Improved clarity of time-sensitivity of some decision points in Representing Information for Decisions About Vulnerabilities
• Improved description of Mission Impact
• Improved consistency of Public Safety Impact usage throughout the document and tooling
• Improved consistency of Human Impact usage throughout the document
• Clarified that known default passwords are an example of Exploitation:PoC
• Clarified that unreachable code (as in unused library features) are System Exposure:small
• Mention DoD MEF definition in Mission Impact
• Updated references to EPSS to reflect recent publications
• Refactored markdown files to better track chapter and section numbering, improving findability when editing
• Automated HTML and PDF generation into a Github Workflow
• Updated python tools to maintain sync with current SSVC decision models
• Consolidated the SSVC document style guide into a single file in the repository
• Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists)

What's Changed

• Add SSVC v2 PDF to pdfs dir by @ahouseholder in Add SSVC v2 PDF to pdfs dir #145
• fixed typos by @brianadeloye in fixed typos #146
• All Schema v2.02 updates. Simplifying the code by @sei-vsarvepalli in All Schema v2.02 updates. Simplifying the code #152
• Somehow missed these schema files from last PR by @sei-vsarvepalli in Somehow missed these schema files from last PR #153
• Examples of schema is missing. by @sei-vsarvepalli in Examples of schema is missing. #154
• changed virulence to automatable by @j--- in changed virulence to automatable #156
• Removing hard-coded final keyword and final outcome by @sei-vsarvepalli in Removing hard-coded final keyword and final outcome #157
• recreated CSV files and added a folder for them with readme; updated generation scripts by @j--- in recreated CSV files and added a folder for them with readme; updated generation scripts #161
• Multiple updates 160,163 by @sei-vsarvepalli in Multiple updates 160,163 #165
• propagate change in markdown to deployer image; prepare CSVs for sub-trees by @j--- in propagate change in markdown to deployer image; prepare CSVs for sub-trees #170
• Update CISA-Coordinator-v2.0.3.json by @fruehaufm in Update CISA-Coordinator-v2.0.3.json #172
• Update CISA-Coordinator-v2.0.3.json by @fruehaufm in Update CISA-Coordinator-v2.0.3.json #173
• Tree updates and code update to fulfill request and recent issues by @sei-vsarvepalli in Tree updates and code update to fulfill request and recent issues #174
• add scripts for coordinator stakeholder. Fix typo in triage graphic by @j--- in add scripts for coordinator stakeholder. Fix typo in triage graphic #176
• Update 060_decision-trees.md by @fruehaufm in Update 060_decision-trees.md #179
• fixed a typo by @fruehaufm in fixed a typo #182
• Pdf update by @j--- in Pdf update #180
• Fixed a typo by @fruehaufm in Fixed a typo #193
• decided on semver scheme for PDF generation script by @j--- in decided on semver scheme for PDF generation script #194
• Bugfix for Space in values of decision by @sei-vsarvepalli in Bugfix for Space in values of decision #192
• Typo (stray text) in bullet by @j--- in Typo (stray text) in bullet #196
• Updated the Mission Impact values by @fruehaufm in Updated the Mission Impact values #197
• Fixed redundant option for Mission Impact by @fruehaufm in Fixed redundant option for Mission Impact #187
• Updates to Dryad SSVC Calcultor to use radio buttons in Analyst mode by @sei-vsarvepalli in Updates to Dryad SSVC Calcultor to use radio buttons in Analyst mode #201
• Fix bug in svgzoom by @fneur in Fix bug in svgzoom #204
• make the ssvc_v2.py file work with current CSV file names and columns by @ahouseholder in make the ssvc_v2.py file work with current CSV file names and columns #207
• fixed a typo by @2shiori17 in fixed a typo #205
• add github workflow to generate html and pdf artifacts by @ahouseholder in add github workflow to generate html and pdf artifacts  #231
• reasona-bly typo by @zmanion in reasona-bly typo #232
• Updates to Abbreviated format GH Issue Abbreviated format may need an update #177 by @sei-vsarvepalli in Updates to Abbreviated format GH Issue #177 #233
• Updating text to conform to Human Impact change by @jeroenh in Updating text to conform to Human Impact change #236
• Address time-sensitivity of some decision points by @ahouseholder in Address time-sensitivity of some decision points #241
• Add detail about customization, tree sharing, and decision point scope by @ahouseholder in Add detail about customization, tree sharing, and decision point scope #242
• Replace Utility with Automatable in Deployer tree by @ahouseholder in Replace Utility with Automatable in Deployer tree #248
• Two small typo fixes by @jeroenh in Two small typo fixes #253
• Improve Mission Impact description by @j--- in Improve Mission Impact description #250
• add subsubsection header for tree versioning by @ahouseholder in add subsubsection header for tree versioning #256
• Remove version strings from file names by @ahouseholder in Remove version strings from file names #247
• Adjust deployer tree decisions by @ahouseholder in Adjust deployer tree decisions #262
• Rename markdown files to match current chapter and section names by @ahouseholder in Rename markdown files to match current chapter and section names #263
• mention publicly known default passwords as example of Exploitation:PoC by @ahouseholder in mention publicly known default passwords as example of Exploitation:PoC #265
• Replace κ with k to avoid pandoc font errors in build process by @ahouseholder in Replace κ with *k* to avoid pandoc font errors in build process #264
• Change default tree to Deployer.json by @ahouseholder in Change default tree to Deployer.json #258
• Make Public Safety Impact values consistent throughout by @ahouseholder in Make Public Safety Impact values consistent throughout #267
• Update analyze_csv.py to reflect csv column name changes by @ahouseholder in Update analyze_csv.py to reflect csv column name changes #270
• EPSS changes by @laurie-tyz in EPSS changes #271
• Update README docs to make finding recent pdf easier by @ahouseholder in Update README docs to make finding recent pdf easier #277
• Adjust Supplier Tree decisions by @ahouseholder in Adjust Supplier Tree decisions #276
• Update style guide and acks by @ahouseholder in Update style guide and acks #279
• Mention DoD 3020.26 MEF definition in Mission Impact by @cgyarbrough in Mention DoD 3020.26 MEF definition in Mission Impact #281
• Unreachable code -> System Exposure: Small by @cgyarbrough in Unreachable code -> System Exposure: Small #282
• Update Changelog for v2.1 by @ahouseholder in Update Changelog for v2.1 #269
• update pdf and html drafts by @ahouseholder in update pdf and html drafts #283

New Contributors

• @brianadeloye made their first contribution in fixed typos #146
• @fruehaufm made their first contribution in Update CISA-Coordinator-v2.0.3.json #172
• @fneur made their first contribution in Fix bug in svgzoom #204
• @2shiori17 made their first contribution in fixed a typo #205
• @zmanion made their first contribution in reasona-bly typo #232
• @jeroenh made their first contribution in Updating text to conform to Human Impact change #236
• @cgyarbrough made their first contribution in Mention DoD 3020.26 MEF definition in Mission Impact #281

Full Changelog: v2.0...v2.1

---

This discussion was created from the release SSVC v2.1.

[j---]

Excellent work everyone!
Big thanks to @ahouseholder for all your help and leadership here!