
Update description of Exploitation:PoC #353

Closed
ahouseholder opened this issue Oct 17, 2023 · 3 comments · Fixed by #442

ahouseholder (Contributor) commented Oct 17, 2023

Regarding the current definition of the PoC value of the Exploitation decision point:

```python
# Import as used elsewhere in the SSVC decision point modules
from ssvc.decision_points.base import SsvcDecisionPointValue

POC = SsvcDecisionPointValue(
    name="PoC",
    key="P",
    description="One of the following cases is true: (1) private evidence of exploitation is attested but not shared; "
    "(2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit"
    " or ExploitDB; or (4) the vulnerability has a well-known method of exploitation.",
)
```

@j--- wrote:

> Do we actually think (1) and (2) are operationalizable?
> CISA's SSVC version of State of Exploitation removes them: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf
> Maybe we should move for consistency between instances of the decision point?

Originally posted by @j--- in #328 (comment)

Quoting the CISA doc referenced above:

> (State of) Exploitation
> Evidence of Active Exploitation of a Vulnerability
>
> This measure determines the present state of exploitation of the vulnerability. It does not predict future exploitation or measure feasibility or ease of adversary development of future exploit code; rather, it acknowledges available information at time of analysis. As the current state of exploitation often changes over time, answers should be timestamped. Sources that can provide public reporting of active exploitation include the vendor's vulnerability notification, the National Vulnerability Database (NVD) and links therein, bulletins from relevant information sharing and analysis centers (ISACs), and reliable threat reports that list either the CVE-ID or common name of the vulnerability.
>
> Table 2: Exploitation Decision Values
>
> | Value | Definition |
> |---|---|
> | None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. |
> | Public PoC | One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation. Some examples of condition (2) are open-source web proxies that serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of Transport Layer Security (TLS) certificates, and Wireshark serving as a PoC for packet replay attacks on ethernet or Wi-Fi networks. |
> | Active | Shared, observable, and reliable evidence that cyber threat actors have used the exploit in the wild; the public reporting is from a credible source. |
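To make the difference between the two definitions concrete, here is an added example (not code from the SSVC project, and not using its `SsvcDecisionPointValue` class) that models the CISA three-value version of the decision point with plain dataclasses. The evidence fields, `assess_exploitation`, and `escalated` are assumed names for illustration. The classifier only lets the evidence kinds CISA's Table 2 counts (public PoC, well-known method, credible public reporting of in-the-wild use) raise the value; the "private attestation" and "hearsay" cases (1) and (2) of the current description are recorded but do not change the outcome, and every assessment carries the timestamp the CISA guide asks for.

```python
"""Model of the CISA-aligned Exploitation decision point (None / Public PoC / Active).

Added example, not SSVC project code; names and evidence fields are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Tuple


class Exploitation(str, Enum):
    """Decision-point values from CISA's Table 2, least to most severe."""
    NONE = "none"
    POC = "poc"
    ACTIVE = "active"


# Severity order, so assessments taken at different times can be compared.
RANK = {Exploitation.NONE: 0, Exploitation.POC: 1, Exploitation.ACTIVE: 2}


@dataclass(frozen=True)
class ExploitationEvidence:
    """What the analyst has observed at analysis time (assumed field names)."""
    public_poc_sources: Tuple[str, ...] = ()       # e.g. ("Metasploit", "ExploitDB")
    well_known_method: bool = False                 # condition (2) of "Public PoC"
    credible_active_reports: Tuple[str, ...] = ()  # credible public in-the-wild reports
    hearsay_of_exploitation: bool = False           # old case (2): not counted by CISA
    private_attestation_unshared: bool = False      # old case (1): not counted by CISA


@dataclass(frozen=True)
class ExploitationAssessment:
    value: Exploitation
    assessed_at: datetime   # CISA: "answers should be timestamped"
    rationale: str


def assess_exploitation(evidence: ExploitationEvidence,
                        now: Optional[datetime] = None) -> ExploitationAssessment:
    """Pick the highest value the *countable* evidence supports."""
    now = now or datetime.now(timezone.utc)
    if evidence.credible_active_reports:
        return ExploitationAssessment(
            Exploitation.ACTIVE, now,
            "credible public reporting of in-the-wild use: "
            + ", ".join(evidence.credible_active_reports))
    if evidence.public_poc_sources:
        return ExploitationAssessment(
            Exploitation.POC, now,
            "public PoC in " + ", ".join(evidence.public_poc_sources))
    if evidence.well_known_method:
        return ExploitationAssessment(
            Exploitation.POC, now, "well-known method of exploitation")
    # Hearsay and unshared private attestation fall through to None on purpose.
    return ExploitationAssessment(
        Exploitation.NONE, now,
        "no public PoC and no credible evidence of active exploitation")


def escalated(previous: ExploitationAssessment,
              current: ExploitationAssessment) -> bool:
    """True when a re-assessment moved the value up the severity order."""
    return RANK[current.value] > RANK[previous.value]


if __name__ == "__main__":
    # Constructed sample: first only rumours, later a public Metasploit module.
    first = assess_exploitation(ExploitationEvidence(hearsay_of_exploitation=True))
    later = assess_exploitation(ExploitationEvidence(public_poc_sources=("Metasploit",)))
    print(first.value.value, "->", later.value.value, "escalated:", escalated(first, later))
```

Re-running the assessment as new reports arrive and keeping each timestamped result is what lets a team show why a vulnerability's priority changed, which is the operational concern behind dropping evidence types that cannot be checked.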

ahouseholder (Contributor, Author) commented:

Note to future resolver (probably me, but you never know): If you're resolving this one and #352 remains unresolved, you should probably go ahead and pick that one up too.

@ahouseholder ahouseholder added documentation Improvements or additions to documentation enhancement New feature or request labels Oct 19, 2023

@ahouseholder ahouseholder added this to the SSVC 202403 milestone Jan 23, 2024
@ccullen-cert ccullen-cert self-assigned this Feb 6, 2024
ccullen-cert (Contributor) commented:

Here is the pull request for this issue: #442
