Update Changelog for v2.1 (CERTCC#269)
* add 2.1 section to 09_changelog.md

* link typo fix

* links to headers use - not _

* fix phone number delimiter typo in 17_contact_us.md

* Update 09_changelog.md

* Add recent changes to 09_changelog.md
ahouseholder authored and jeroenh committed Oct 16, 2023
1 parent 3fd2d58 commit 8a1ad6e
Showing 2 changed files with 31 additions and 6 deletions.
35 changes: 30 additions & 5 deletions doc/md_src_files/09_changelog.md
@@ -1,5 +1,30 @@
# Changelog

# Version 2 Changelog
## Version 2.1 Changelog
This section summarizes the changes between SSVC 2.1 and [SSVC version 2.0](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459).
The details of what changes were made can be viewed on the SSVC Github under the [SSVC v2.1](https://github.com/CERTCC/SSVC/milestone/2) milestone.

- Introduced a demo [SSVC Calc App](https://certcc.github.io/SSVC/ssvc-calc/) which became the basis for CISA's [SSVC Calculator](https://www.cisa.gov/ssvc-calculator)
- Updated Deployer tree to use [*Automatable*](#automatable) instead of [*Utility*](#utility), which reduced the size from 108 leaf nodes to 72.
- Adjusted Deployer tree decisions based on stakeholder feedback
- Adjusted Supplier tree decisions based on stakeholder feedback
- Added section on [Sharing Trees With Others](#sharing-trees-with-others) including a discussion of decision point scope and decision tree scope.
- Improved clarity of time-sensitivity of some decision points in [Representing Information for Decisions About Vulnerabilities](#representing-information-for-decisions-about-vulnerabilities)
- Improved description of [*Mission Impact*](#mission-impact)
- Improved consistency of [*Public Safety Impact*](#public-safety-impact) usage throughout the document and tooling
- Improved consistency of [*Human Impact*](#human-impact) usage throughout the document
- Clarified that known default passwords are an example of [*Exploitation*](#exploitation):PoC
- Clarified that unreachable code (as in unused library features) are [_System Exposure_](#system-exposure):small
- Mention DoD MEF definition in [_Mission Impact_](#mission-impact)
- Updated references to [EPSS](https://www.first.org/epss/) to reflect recent publications
- Refactored markdown files to better track chapter and section numbering, improving findability when editing
- Automated HTML and PDF generation into a [Github Workflow](https://github.com/CERTCC/SSVC/actions/workflows/pandoc_html_pdf.yaml)
- Updated python tools to maintain sync with current SSVC decision models
- Consolidated the SSVC document style guide into a single file in the repository
- Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists)


## Version 2 Changelog

This section summarizes the changes between SSVC version 2 and [SSVC version 1.1](https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final6.pdf) as published at the Workshop on the Ecnomics of Information Security (WEIS 2020).
The details of what changes were made can be viewed on the SSVC GitHub [issues](https://github.com/CERTCC/SSVC/issues?q=is%3Aissue+is%3Aclosed+project%3ACERTCC%2FSSVC%2F1) closed under the `SSVC v2 Development` project.
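Review bot: the new 2.1 bullet list mixes conventions that the surrounding items do not: `[*Exploitation*](#exploitation):PoC` uses asterisk emphasis while `[_System Exposure_](#system-exposure):small` and `[_Mission Impact_](#mission-impact)` use underscores, `- Mention DoD MEF definition in ...` is imperative where its neighbours are past tense ("Clarified", "Updated"), and "unreachable code (as in unused library features) are" should read "is". Suggest `- Mentioned the DoD MEF definition in [*Mission Impact*](#mission-impact)` and asterisks throughout; the items also alternate between ending with a period and not. The unchanged context line below the list still reads "Ecnomics of Information Security" (Economics), and since the commit message lists miscellaneous typo fixes this is a cheap one to fold in.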
Expand All @@ -9,14 +34,14 @@ About 20 issues improved documentation of tools or improved the clarity of docum
The remaining 30 issues were focused on enhancing SSVC based on feedback received on version 1, though several of the bug fixes and documentation improvements also provided improvements.
This section focuses on changes that provided enhancements.

## Coordinator stakeholder
### Coordinator stakeholder

Version 1 only considered two stakeholders: those who make software, and those who use information systems.
Version 2 introduces a coordinator stakeholder and two distinct decisions for that stakeholder group: vulnerability intake triage and publication about a vulnerability.
These decisions use some existing decision points, but also introduce six new decision points to support coordinators in making these decisions.
The coordinator stakeholder is based on CERT/CC's experience coordinating vulnerabilities.

## Terminology changes
### Terminology changes

Some terms have been adjusted to better align with other usage in the field or based on feedback.
Therefore, “patch developer” became **supplier** and “patch applier” became **deployer**.
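Review bot: demoting "Coordinator stakeholder" and "Terminology changes" from `##` to `###` is the right follow-up to nesting the Version 2 material under the new `## Version 2 Changelog` heading, but check the table-of-contents depth in the HTML/PDF generation workflow so these now third-level sections still appear in the generated navigation.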
Expand All @@ -34,7 +59,7 @@ We also differentiated between vulnerability risk, or that risk arising from an
SSVC version 2 focuses on assessing and managing vulnerability risk, not change risk.
This stance was not explicit in SSVC version 1.

## Improvements to decision points
### Improvements to decision points

Version 1 had a decision point for well-being impact that was shared between **supplier** and **deployer** stakeholders.
Since these types of stakeholder have access to different information about safety and well-being, Version 2 splits this concept into [*Public Safety Impact*](#public-safety-impact) and [*Situated Safety Impact*](#situated-safety-impact).
Expand All @@ -48,7 +73,7 @@ On the other hand, a low [*Utility*](#utility) or [*System Exposure*](#system-ex
So the Version 2 recommended tree is more usable than the Version 1 tree, thanks to these changes.


## Tree management and communication tools
### Tree management and communication tools

The section [Tree Construction and Customization Guidance](#tree-construction-and-customization-guidance) is largely new or revised.
We produced new [software tools](https://github.com/CERTCC/SSVC/tree/main/src) for interacting with SSVC, which are documented in that section.
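Review bot: the diff is cut off at "Expand Down" after "Tree management and communication tools", so any further `##` headings in this file are not visible here; confirm they were demoted to `###` as well, otherwise they will render as siblings of "Version 2 Changelog" rather than as its subsections.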
Expand Down
2 changes: 1 addition & 1 deletion doc/md_src_files/17_contact_us.md
Expand Up @@ -4,6 +4,6 @@
Software Engineering Institute
4500 Fifth Avenue, Pittsburgh, PA 15213-2612

**Phone**: 412/268.5800 | 888.201.4479
**Phone**: 412.268.5800 | 888.201.4479
**Web**: [www.sei.cmu.edu](http://www.sei.cmu.edu)
**Email**: [email protected]
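Review bot: the delimiter fix (`412.268.5800`) makes the two numbers consistent with each other; while touching this block, note that `**Phone**`, `**Web**` and `**Email**` sit on consecutive lines, which Markdown renders as one paragraph unless each line ends with two trailing spaces or a backslash, so verify the generated HTML/PDF shows them as separate lines.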
