Split safety impact into supplier / deployer safety impacts #1

Closed
ahouseholder opened this issue Sep 9, 2020 · 2 comments · Fixed by #51
Labels: enhancement (New feature or request)


ahouseholder commented Sep 9, 2020

(This was actually from @j--- I think, I just copied & pasted the text into the issue, so be careful when dereferencing the pronoun "I" in the below)
"Safety Impact" probably needs to be split up into one for the vendor and one for the applier. I think the vendor one could be re-used by a coordinator. I'd call it "public safety impact" or some such. The Applier one would be "situated safety impact" or some such.


j--- commented Oct 8, 2020

This is also related to feedback from https://blog.secursive.com/posts/critical-look-stakeholder-specific-vulnerability-categorization-ssvc/
Basically that "safety impact" as written in v1 is too complicated / fine grained for the supplier to provide accurately.

ahouseholder changed the title from "Split safety impact into vendor / applier safety impacts" to "Split safety impact into supplier / deployer safety impacts" Oct 16, 2020

ahouseholder commented Oct 16, 2020

Updated plan based on recent discussions:

  • Combine none/minor categories into one, leaving 4 levels
  • Split safety into separate decisions for supplier / deployer
  • Supplier is focused on public_safety
  • Supplier maps those 4 levels to 2 (maybe 3) public_safety_impact categories (L/H or L/M/H)
  • Deployer is focused on situated_safety
  • Deployer version integrated with Mission Impact (Merge situated safety impact and mission impact into a unified factor #7) in a ~4x4 table that maps both dimensions impact into a combined 3 safety&mission_impact categories (L/M/H)

End result for Deployers will be that safety & mission will go from 5x5=25 possibilities to 4x4 -> 3 categories which should reduce the complexity of the deployer tree considerably.

ahouseholder referenced this issue in ahouseholder/SSVC Oct 26, 2020
Squashed commits:
[07497bd] compress SafetyImpact into PublicSafetyImpact
[6b9c932] ignore a helper xlsx file
[576f968] reset inadvertent change
[419349d] remove index on supplier csv (+1 squashed commit)
Squashed commits:
[6486a57] add full supplier csv
[6918107] remove index on simplified csv (+1 squashed commit)
Squashed commits:
[1845f90] add simplified csv
[7d07685] add combined safety/mission impact column
[52dd62a] remove duplicates after collapsing from 5-4. Keep highest outcome
[898a082] collapse two lowest mission and safety impacts into one level each and remove duplicates
[b344dea] remove row indices (make future diffs cleaner)
[420559c] copy csv files for version 2
[d07e953] fix some straggling Applier / Developers (+2 squashed commits)
Squashed commits:
[878a91d] wip commit (+1 squashed commit)
Squashed commits:
[59637d6] fix applier/deployer sub

wip commit
[80dd092] revert unintended change
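
The collapse that the plan and the commit messages above describe (merge the two lowest safety and mission levels, then drop duplicate rows and keep the highest outcome), as an added example that is not code from the SSVC repository. The level names, outcome names and sample rows are constructed assumptions; the function also reports which original rows had their outcome raised by the merge.

```python
"""Collapse the two lowest impact levels and de-duplicate a decision table."""

FIELDS = ("exploitation", "safety", "mission")

# Outcomes ordered lowest to highest priority (names assumed for this example).
OUTCOMES = ["defer", "scheduled", "out-of-cycle", "immediate"]

# Lowest level folded into the next one up, per column (labels assumed).
COLLAPSE = {"safety": {"none": "minor"}, "mission": {"none": "degraded"}}

# Constructed sample rows, not the project's CSV data.
ROWS = [dict(zip(FIELDS + ("outcome",), r)) for r in [
    ("poc", "none", "none", "defer"),
    ("poc", "minor", "none", "scheduled"),
    ("poc", "none", "degraded", "defer"),
    ("poc", "minor", "degraded", "scheduled"),
    ("poc", "major", "none", "scheduled"),
    ("poc", "major", "degraded", "out-of-cycle"),
    ("active", "none", "none", "scheduled"),
    ("active", "minor", "none", "out-of-cycle"),
]]


def collapsed_key(row):
    """Decision-point values of a row after the level merge."""
    return tuple(COLLAPSE.get(f, {}).get(row[f], row[f]) for f in FIELDS)


def collapse_table(rows):
    """Return (table, raised).

    table:  one row per collapsed key, carrying the highest outcome seen.
    raised: original rows whose outcome is now higher than before, i.e. the
            cases where the merge changes what a deployer is told to do.
    """
    rows = list(rows)
    best = {}
    for row in rows:
        key = collapsed_key(row)
        rank = OUTCOMES.index(row["outcome"])  # ValueError on unknown outcome
        best[key] = max(rank, best.get(key, rank))
    table = [dict(zip(FIELDS, key), outcome=OUTCOMES[rank])
             for key, rank in best.items()]
    raised = [r for r in rows
              if OUTCOMES.index(r["outcome"]) < best[collapsed_key(r)]]
    return table, raised


if __name__ == "__main__":
    table, raised = collapse_table(ROWS)
    print(len(ROWS), "rows ->", len(table), "rows;", len(raised), "raised")
```

The `raised` list is the part to review by hand: each entry is an input combination whose recommended priority went up only because it was merged with a neighbouring level.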
zmanion added a commit that referenced this issue Oct 29, 2020
Compress safety and mission impacts fix for #1 (+11 squashed commits)
laurie-tyz added a commit that referenced this issue Oct 30, 2020
getting a fresh copy of the repository
j--- pushed a commit that referenced this issue Nov 24, 2020