diff --git a/docs/ssvc-calc/CVSS_v4_as_Tree_json.txt b/docs/ssvc-calc/CVSS_v4_as_Tree_json.txt
new file mode 100644
index 00000000..b4084007
--- /dev/null
+++ b/docs/ssvc-calc/CVSS_v4_as_Tree_json.txt
@@ -0,0 +1,2556 @@ +{ + "decision_points": [ + { + "decision_type": "simple", + "options": [ + { + "label": "High", + "description": "High" + }, + { + "label": "Medium", + "description": "Medium" + }, + { + "label": "Low", + "description": "Low" + } + ], + "label": "Exploitability" + }, + { + "decision_type": "simple", + "options": [ + { + "label": "High", + "description": "High" + }, + { + "label": "Low", + "description": "Low" + } + ], + "label": "Complexity" + }, + { + "decision_type": "simple", + "options": [ + { + "label": "High", + "description": "High" + }, + { + "label": "Medium", + "description": "Medium" + }, + { + "label": "Low", + "description": "Low" + } + ], + "label": "Vulnerable System" + }, + { + "decision_type": "simple", + "options": [ + { + "label": "High", + "description": "High" + }, + { + "label": "Medium", + "description": "Medium" + }, + { + "label": "Low", + "description": "Low" + } + ], + "label": "Subsequent System" + }, + { + "decision_type": "simple", + "options": [ + { + "label": "High", + "description": "High" + }, + { + "label": "Medium", + "description": "Medium" + }, + { + "label": "Low", + "description": "Low" + } + ], + "label": "Exploitation" + }, + { + "decision_type": "simple", + "options": [ + { + "label": "High", + "description": "High" + }, + { + "label": "Low", + "description": "Low" + } + ], + "label": "Security Requirements" + }, + { + "decision_type": "final", + "options": [ + { + "label": "Critical", + "description": "Critical", + "color": "#e85600" + }, + { + "label": "High", + "description": "High", + "color": "#e85600" + }, + { + "label": "Medium", + "description": "Medium", + "color": "#ffb700" + }, + { + "label": "Low", + "description": "Low", + "color": "#32b643" + } + ], + "label": "Category" + } + ], + "decisions_table": [ + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + 
"Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", 
+ "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + 
"Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": 
"Low", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + 
"Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Critical" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Critical" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + 
"Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": 
"Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security 
Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent 
System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": 
"Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "High", + "Security 
Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": 
"Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + 
"Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security 
Requirements": "High", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "High" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": 
"High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + 
"Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + 
"Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": 
"Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": 
"High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable 
System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + 
}, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + 
"Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": 
"High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Medium" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + 
"Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "High", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": 
"High", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Medium", + "Exploitation": "Low", 
+ "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "High", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "High", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent 
System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "High", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "High", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "High", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": 
"Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "High", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Medium", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Medium", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "High", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Low", + "Subsequent System": "Low", + "Exploitation": "Medium", + "Security Requirements": "Low", + "Category": "Low" + }, + { + "Exploitability": "Low", + "Complexity": "Low", + "Vulnerable System": "Medium", + "Subsequent System": "Low", + "Exploitation": "Low", + "Security Requirements": "Low", + "Category": "Low" + } + ], + "lang": "en", + "version": "4.0", + "title": "CVSSv4 as Decision Tree" +} diff --git a/docs/ssvc-calc/cisa-coordinator-options.csv b/docs/ssvc-calc/cisa-coordinator-options.csv new file mode 100644 index 00000000..e4cf18d9 --- /dev/null +++ b/docs/ssvc-calc/cisa-coordinator-options.csv 
@@ -0,0 +1,37 @@
+Exploitation,Automatable,Technical Impact,Mission & Well-being,Decision
+none,no,partial,low,Track
+none,no,partial,medium,Track
+none,no,partial,high,Track
+none,no,total,low,Track
+none,no,total,medium,Track
+none,no,total,high,Watch
+none,yes,partial,low,Track
+none,yes,partial,medium,Track
+none,yes,partial,high,Attend
+none,yes,total,low,Track
+none,yes,total,medium,Track
+none,yes,total,high,Attend
+poc,no,partial,low,Track
+poc,no,partial,medium,Track
+poc,no,partial,high,Watch
+poc,no,total,low,Track
+poc,no,total,medium,Watch
+poc,no,total,high,Attend
+poc,yes,partial,low,Track
+poc,yes,partial,medium,Track
+poc,yes,partial,high,Attend
+poc,yes,total,low,Track
+poc,yes,total,medium,Watch
+poc,yes,total,high,Attend
+active,no,partial,low,Track
+active,no,partial,medium,Track
+active,no,partial,high,Attend
+active,no,total,low,Track
+active,no,total,medium,Attend
+active,no,total,high,Act
+active,yes,partial,low,Attend
+active,yes,partial,medium,Attend
+active,yes,partial,high,Act
+active,yes,total,low,Attend
+active,yes,total,medium,Act
+active,yes,total,high,Act
diff --git a/docs/ssvc-calc/coord-publish-options.csv b/docs/ssvc-calc/coord-publish-options.csv
new file mode 100644
index 00000000..10da468e
--- /dev/null
+++ b/docs/ssvc-calc/coord-publish-options.csv
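Review bot: The Exploitation value is spelled `poc` in every row of this table, while coord-publish-options.csv, added in the same commit, spells it `PoC` (for example `4,fix ready,PoC,precedence,publish`). If any consumer compares or merges Exploitation values across tables case-sensitively (the loader is not visible here), the two spellings will not match, so one spelling should be used in both files, e.g. `poc,no,partial,low,Track` alongside `4,fix ready,poc,precedence,publish`. This table also has no `row` column although both coord-*.csv tables start with one; aligning the three layouts would let one parser handle them.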
@@ -0,0 +1,28 @@
+row,Supplier involvement,Exploitation,Value added,Priority
+1,fix ready,none,precedence,publish
+2,fix ready,none,ampliative,don't publish
+3,fix ready,none,limited,don't publish
+4,fix ready,PoC,precedence,publish
+5,fix ready,PoC,ampliative,don't publish
+6,fix ready,PoC,limited,don't publish
+7,fix ready,active,precedence,publish
+8,fix ready,active,ampliative,publish
+9,fix ready,active,limited,don't publish
+10,cooperative,none,precedence,publish
+11,cooperative,none,ampliative,don't publish
+12,cooperative,none,limited,don't publish
+13,cooperative,PoC,precedence,publish
+14,cooperative,PoC,ampliative,don't publish
+15,cooperative,PoC,limited,don't publish
+16,cooperative,active,precedence,publish
+17,cooperative,active,ampliative,publish
+18,cooperative,active,limited,don't publish
+19,uncoop/unresponsive,none,precedence,publish
+20,uncoop/unresponsive,none,ampliative,don't publish
+21,uncoop/unresponsive,none,limited,don't publish
+22,uncoop/unresponsive,PoC,precedence,publish
+23,uncoop/unresponsive,PoC,ampliative,publish
+24,uncoop/unresponsive,PoC,limited,don't publish
+25,uncoop/unresponsive,active,precedence,publish
+26,uncoop/unresponsive,active,ampliative,publish
+27,uncoop/unresponsive,active,limited,publish
diff --git a/docs/ssvc-calc/coord-triage-options.csv b/docs/ssvc-calc/coord-triage-options.csv
new file mode 100644
index 00000000..4f40e1d1
--- /dev/null
+++ b/docs/ssvc-calc/coord-triage-options.csv
@@ -0,0 +1,85 @@
+row,Public,Contacted,Report_Credibility,Cardinality,Engagement,Utility,Public_Safety_Impact,Priority
+1,no,yes,no,one,active,laborious,minimal,decline
+2,no,yes,no,one,active,laborious,significant,decline
+3,no,yes,no,one,active,efficient,minimal,decline
+4,no,yes,no,one,active,efficient,significant,track
+5,no,yes,no,one,active,super effective,minimal,decline
+6,no,yes,no,one,active,super effective,significant,track
+7,no,yes,no,one,unresponsive,laborious,minimal,decline
+8,no,yes,no,one,unresponsive,laborious,significant,decline
+9,no,yes,no,one,unresponsive,efficient,minimal,decline
+10,no,yes,no,one,unresponsive,efficient,significant,track
+11,no,yes,no,one,unresponsive,super effective,minimal,decline
+12,no,yes,no,one,unresponsive,super effective,significant,track
+13,no,yes,no,multiple,active,laborious,minimal,decline
+14,no,yes,no,multiple,active,laborious,significant,track
+15,no,yes,no,multiple,active,efficient,minimal,decline
+16,no,yes,no,multiple,active,efficient,significant,track
+17,no,yes,no,multiple,active,super effective,minimal,track
+18,no,yes,no,multiple,active,super effective,significant,coordinate
+19,no,yes,no,multiple,unresponsive,laborious,minimal,decline
+20,no,yes,no,multiple,unresponsive,laborious,significant,track
+21,no,yes,no,multiple,unresponsive,efficient,minimal,decline
+22,no,yes,no,multiple,unresponsive,efficient,significant,track
+23,no,yes,no,multiple,unresponsive,super effective,minimal,track
+24,no,yes,no,multiple,unresponsive,super effective,significant,coordinate
+25,no,yes,yes,one,active,laborious,minimal,decline
+26,no,yes,yes,one,active,laborious,significant,decline
+27,no,yes,yes,one,active,efficient,minimal,decline
+28,no,yes,yes,one,active,efficient,significant,track
+29,no,yes,yes,one,active,super effective,minimal,decline
+30,no,yes,yes,one,active,super effective,significant,track
+31,no,yes,yes,one,unresponsive,laborious,minimal,track
+32,no,yes,yes,one,unresponsive,laborious,significant,coordinate
+33,no,yes,yes,one,unresponsive,efficient,minimal,coordinate
+34,no,yes,yes,one,unresponsive,efficient,significant,coordinate
+35,no,yes,yes,one,unresponsive,super effective,minimal,coordinate
+36,no,yes,yes,one,unresponsive,super effective,significant,coordinate
+37,no,yes,yes,multiple,active,laborious,minimal,decline
+38,no,yes,yes,multiple,active,laborious,significant,track
+39,no,yes,yes,multiple,active,efficient,minimal,decline
+40,no,yes,yes,multiple,active,efficient,significant,track
+41,no,yes,yes,multiple,active,super effective,minimal,coordinate
+42,no,yes,yes,multiple,active,super effective,significant,coordinate
+43,no,yes,yes,multiple,unresponsive,laborious,minimal,coordinate
+44,no,yes,yes,multiple,unresponsive,laborious,significant,coordinate
+45,no,yes,yes,multiple,unresponsive,efficient,minimal,coordinate
+46,no,yes,yes,multiple,unresponsive,efficient,significant,coordinate
+47,no,yes,yes,multiple,unresponsive,super effective,minimal,coordinate
+48,no,yes,yes,multiple,unresponsive,super effective,significant,coordinate
+49,yes,yes,no,multiple,active,super effective,significant,coordinate
+50,yes,yes,no,multiple,unresponsive,super effective,significant,coordinate
+51,yes,yes,yes,multiple,active,super effective,significant,coordinate
+52,yes,yes,yes,multiple,unresponsive,super effective,significant,coordinate
+53,yes,no,no,multiple,active,super effective,significant,coordinate
+54,yes,no,no,multiple,unresponsive,super effective,significant,coordinate
+55,yes,no,yes,multiple,active,super effective,significant,coordinate
+56,yes,no,yes,multiple,unresponsive,super effective,significant,coordinate
+57,yes,yes,no,one,active,laborious,minimal,decline
+58,yes,yes,no,one,active,efficient,minimal,decline
+59,yes,yes,no,one,unresponsive,laborious,minimal,decline
+60,yes,yes,no,one,unresponsive,efficient,minimal,decline
+61,yes,yes,yes,one,active,laborious,minimal,decline
+62,yes,yes,yes,one,active,efficient,minimal,decline
+63,yes,yes,yes,one,unresponsive,laborious,minimal,decline
+64,yes,yes,yes,one,unresponsive,efficient,minimal,decline
+65,yes,no,no,one,active,laborious,minimal,decline
+66,yes,no,no,one,active,efficient,minimal,decline
+67,yes,no,no,one,unresponsive,laborious,minimal,decline
+68,yes,no,no,one,unresponsive,efficient,minimal,decline
+69,yes,no,yes,one,active,laborious,minimal,decline
+70,yes,no,yes,one,active,efficient,minimal,decline
+71,yes,no,yes,one,unresponsive,laborious,minimal,decline
+72,yes,no,yes,one,unresponsive,efficient,minimal,decline
+73,no,no,no,multiple,active,super effective,significant,coordinate
+74,no,no,no,multiple,unresponsive,super effective,significant,coordinate
+75,no,no,yes,multiple,active,super effective,significant,coordinate
+76,no,no,yes,multiple,unresponsive,super effective,significant,coordinate
+77,no,no,no,one,active,laborious,minimal,decline
+78,no,no,no,one,active,efficient,minimal,decline
+79,no,no,no,one,unresponsive,laborious,minimal,decline
+80,no,no,no,one,unresponsive,efficient,minimal,decline
+81,no,no,yes,one,active,laborious,minimal,decline
+82,no,no,yes,one,active,efficient,minimal,decline
+83,no,no,yes,one,unresponsive,laborious,minimal,decline
+84,no,no,yes,one,unresponsive,efficient,minimal,decline
diff --git a/docs/ssvc-calc/cvss_v4_macrovectors.csv b/docs/ssvc-calc/cvss_v4_macrovectors.csv
new file mode 100644
index 00000000..7f6bbde1
--- /dev/null
+++ b/docs/ssvc-calc/cvss_v4_macrovectors.csv
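Review bot: Only the `Public=no, Contacted=yes` branch (rows 1–48) is enumerated in full; for each of the other three Public/Contacted pairs the table lists just the `multiple,…,super effective,significant` rows and the `one,…,laborious|efficient,minimal` rows, so 84 of the 192 combinations the listed values allow have an outcome. A combination such as `yes,yes,yes,one,active,super effective,significant` has no row, and what a lookup returns for it is not defined by this file. Either add the missing rows or state the intended default for unlisted combinations in the accompanying documentation, so a triage lookup cannot silently come back empty. The headers here also use underscores (`Report_Credibility`, `Public_Safety_Impact`) where the other tables in this commit use spaces.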
@@ -0,0 +1,270 @@
+Exploitability (EQ1),Complexity (EQ2),Vulnerable System (EQ3),Subsequent System (EQ4),Exploitation (EQ5),Security Requirements (EQ6),Category
+High,High,High,High,High,High,Critical
+High,High,High,Medium,High,High,Critical
+High,Low,High,High,High,High,Critical
+High,High,High,High,High,Low,Critical
+High,High,High,High,Medium,High,Critical
+High,High,Medium,High,High,High,Critical
+Medium,High,High,High,High,High,Critical
+High,Low,High,High,High,Low,Critical
+High,High,High,Medium,High,Low,Critical
+High,High,High,High,Low,High,Critical
+High,Low,High,High,Medium,High,Critical
+High,High,High,High,Medium,Low,Critical
+High,High,Medium,High,Medium,High,Critical
+High,Low,Medium,High,High,High,Critical
+High,High,Medium,High,High,Low,Critical
+High,Low,High,Medium,High,High,Critical
+Medium,Low,High,High,High,High,Critical
+Medium,High,High,High,High,Low,Critical
+Medium,High,High,High,Medium,High,Critical
+Medium,High,Medium,High,High,High,Critical
+Medium,High,High,Medium,High,High,Critical
+High,Low,Medium,High,High,Low,Critical
+High,High,High,Low,High,High,Critical
+High,High,High,Medium,Medium,High,Critical
+High,High,Medium,Medium,High,High,Critical
+Low,High,High,High,High,High,Critical
+High,Low,High,High,Low,High,Critical
+High,High,High,High,Low,Low,Critical
+High,Low,High,High,Medium,Low,Critical
+High,High,Low,High,High,Low,Critical
+High,Low,Medium,High,Medium,High,Critical
+High,High,Medium,High,Medium,Low,Critical
+High,Low,High,Low,High,High,Critical
+High,Low,Medium,Medium,High,High,Critical
+High,High,Medium,Medium,High,Low,Critical
+High,High,High,Medium,Low,High,Critical
+High,Low,High,Medium,High,Low,Critical
+Medium,High,High,High,Low,High,Critical
+High,High,Medium,High,Low,High,Critical
+High,High,High,Low,High,Low,Critical
+High,Low,High,Medium,Medium,High,Critical
+Medium,Low,High,High,High,Low,Critical
+Medium,Low,High,Medium,High,High,Critical
+High,High,High,Low,Medium,High,High
+High,High,Medium,Medium,Medium,High,High
+Medium,Low,Medium,High,High,High,High
+Medium,High,Medium,High,High,Low,High
+Medium,High,High,Medium,High,Low,High
+High,High,Medium,Low,High,High,High
+Low,Low,High,High,High,High,High
+Medium,Low,High,High,Medium,High,High
+Medium,High,Medium,High,Medium,High,High
+High,High,High,Medium,Medium,Low,High
+Low,High,High,High,High,Low,High
+Medium,High,High,High,Medium,Low,High
+Medium,High,High,Low,High,High,High
+High,Low,Low,High,High,Low,High
+Low,High,High,High,Medium,High,High
+Low,High,High,Medium,High,High,High
+Medium,High,High,Medium,Medium,High,High
+Medium,High,Medium,Medium,High,High,High
+High,Low,High,High,Low,Low,High
+High,Low,Medium,High,Low,High,High
+High,Low,Medium,High,Medium,Low,High
+Low,High,Medium,High,High,High,High
+High,High,Medium,High,Low,Low,High
+High,Low,Medium,Low,High,High,High
+High,Low,High,Medium,Low,High,High
+High,Low,High,Medium,Medium,Low,High
+Medium,High,Low,High,High,Low,High
+High,High,Low,High,Medium,Low,High
+High,Low,High,Low,Medium,High,High
+High,Low,Medium,Medium,High,Low,High
+High,High,High,Low,Low,High,High
+High,Low,High,Low,High,Low,High
+High,High,High,Medium,Low,Low,High
+High,High,Medium,Medium,Low,High,High
+High,High,Medium,Medium,Medium,Low,High
+Medium,High,High,High,Low,Low,High
+High,High,High,Low,Medium,Low,High
+High,High,Medium,Low,High,Low,High
+High,Low,Medium,Medium,Medium,High,High
+High,High,Low,Medium,High,Low,High
+High,High,Medium,Low,Medium,High,High
+Medium,Low,Medium,High,High,Low,High
+Medium,High,Medium,High,Medium,Low,High
+Medium,Low,High,Low,High,High,High
+Medium,High,High,Medium,Low,High,High
+Medium,Low,High,Medium,High,Low,High
+Medium,Low,High,High,Low,High,High
+Medium,Low,High,High,Medium,Low,High
+Medium,High,Medium,High,Low,High,High
+Medium,Low,Medium,High,Medium,High,High
+Medium,High,Medium,Medium,High,Low,High
+High,Low,Low,High,Medium,Low,High
+Low,High,High,High,Low,High,High
+Low,Low,High,High,High,Low,High
+Low,Low,Medium,High,High,High,High
+Low,High,Medium,High,High,Low,High
+Medium,High,High,Low,High,Low,High
+Medium,Low,High,Medium,Medium,High,High
+Low,High,Medium,High,Medium,High,High
+Low,High,High,Medium,Medium,High,High
+Low,High,High,Medium,High,Low,High
+Medium,High,High,Low,Medium,High,High
+Medium,High,High,Medium,Medium,Low,High
+Medium,High,Medium,Medium,Medium,High,High
+Medium,Low,Medium,Medium,High,High,High
+High,Low,Medium,High,Low,Low,High
+Low,Low,High,High,Medium,High,High
+Low,Low,High,Medium,High,High,High
+High,High,Low,High,Low,Low,High
+High,Low,High,Low,Low,High,High
+High,Low,Medium,Medium,Medium,Low,High
+Low,High,High,High,Medium,Low,High
+Low,High,Medium,Medium,High,High,High
+Medium,High,Medium,Low,High,High,High
+High,Low,High,Low,Medium,Low,High
+High,Low,Medium,Low,Medium,High,High
+High,Low,High,Medium,Low,Low,High
+High,Low,Low,Medium,High,Low,High
+Medium,Low,Low,High,High,Low,High
+High,High,Medium,Low,Medium,Low,High
+High,Low,Medium,Low,High,Low,High
+High,Low,Medium,Medium,Low,High,High
+Low,High,High,Low,High,High,High
+Medium,Low,High,High,Low,Low,High
+Medium,High,Low,High,Medium,Low,High
+High,High,Low,Low,High,Low,Medium
+High,High,Medium,Low,Low,High,Medium
+High,High,Low,Medium,Medium,Low,Medium
+High,High,High,Low,Low,Low,Medium
+Medium,Low,High,Low,Medium,High,Medium
+Medium,High,Medium,High,Low,Low,Medium
+Medium,Low,Medium,High,Medium,Low,Medium
+Medium,Low,High,Low,High,Low,Medium
+High,High,Medium,Medium,Low,Low,Medium
+Medium,High,Low,Medium,High,Low,Medium
+Low,High,Low,High,High,Low,Medium
+Medium,High,High,Medium,Low,Low,Medium
+High,Low,Low,Low,High,Low,Medium
+Medium,High,High,Low,Low,High,Medium
+Medium,High,High,Low,Medium,Low,Medium
+Low,High,Medium,High,Low,High,Medium
+Medium,Low,Medium,High,Low,High,Medium
+Medium,Low,High,Medium,Medium,Low,Medium
+Low,High,High,Medium,Medium,Low,Medium
+Low,Low,Medium,Medium,High,High,Medium
+Medium,Low,Medium,Low,High,High,Medium
+Medium,Low,High,Medium,Low,High,Medium
+Low,Low,High,High,Low,High,Medium
+High,Low,Medium,Medium,Low,Low,Medium
+Low,Low,High,Medium,Medium,High,Medium
+Medium,Low,Low,High,Medium,Low,Medium
+Medium,Low,High,Low,Medium,Low,Medium
+Medium,High,Medium,Medium,Low,High,Medium
+Medium,Low,Medium,Medium,High,Low,Medium
+Low,High,High,High,Low,Low,Medium
+Low,Low,Medium,High,Medium,High,Medium
+Medium,Low,Medium,High,Low,Low,Medium
+Medium,High,Low,Medium,Medium,Low,Medium
+Medium,Low,Low,Medium,High,Low,Medium
+Medium,High,Medium,Medium,Medium,Low,Medium
+Low,High,Medium,Medium,High,Low,Medium
+Medium,High,Medium,Low,Medium,High,Medium
+Medium,Low,Medium,Low,Medium,High,Medium
+Medium,High,Medium,Low,High,Low,Medium
+Medium,Low,Medium,Medium,Medium,High,Medium
+Medium,Low,Medium,Medium,Medium,Low,Medium
+Low,High,High,Medium,Low,High,Medium
+High,High,Low,Low,Medium,Low,Medium
+Low,High,Medium,High,Medium,Low,Medium
+Low,Low,Medium,High,High,Low,Medium
+Low,Low,High,Medium,High,Low,Medium
+Low,High,Medium,Medium,Medium,High,Medium
+Low,Low,High,Low,High,High,Medium
+Low,High,High,Low,High,Low,Medium
+Medium,High,Low,High,Low,Low,Medium
+High,Low,High,Low,Low,Low,Medium
+Low,Low,High,High,Medium,Low,Medium
+Low,Low,Low,High,High,Low,Medium
+Low,High,Medium,Low,High,High,Medium
+Medium,High,Low,Low,High,Low,Medium
+Medium,Low,High,Medium,Low,Low,Medium
+High,Low,Low,High,Low,Low,Medium
+High,Low,Medium,Low,Medium,Low,Medium
+High,Low,Low,Medium,Medium,Low,Medium
+Low,High,High,Low,Medium,High,Medium
+Medium,Low,High,Low,Low,High,Medium
+Medium,High,Medium,Low,Low,High,Medium
+Medium,High,Medium,Low,Medium,Low,Medium
+Medium,Low,Medium,Low,High,Low,Medium
+Low,High,Low,High,Medium,Low,Medium
+Low,High,Medium,High,Low,Low,Medium
+Low,Low,Medium,Medium,High,Low,Medium
+High,Low,Medium,Low,Low,High,Medium
+High,High,Low,Medium,Low,Low,Medium
+Low,Low,High,High,Low,Low,Medium
+Medium,High,Medium,Medium,Low,Low,Medium
+Medium,High,High,Low,Low,Low,Medium
+High,High,Medium,Low,Low,Low,Medium
+Low,Low,Medium,Medium,Medium,High,Medium
+Low,High,Low,Medium,High,Low,Medium
+Medium,Low,Medium,Medium,Low,High,Medium
+Low,Low,Medium,Low,High,High,Medium
+Low,High,Medium,Medium,Low,High,Medium
+Low,Low,Medium,High,Medium,Low,Medium
+Low,Low,High,Low,Medium,High,Medium
+Low,Low,High,Low,High,Low,Medium
+Low,Low,High,Medium,Low,High,Medium
+Low,High,Medium,Medium,Medium,Low,Medium
+Low,Low,Medium,High,Low,High,Medium
+Low,High,High,Low,Low,High,Medium
+Low,High,High,Low,Medium,Low,Medium
+Low,Low,High,Medium,Medium,Low,Medium
+Low,High,Medium,Low,High,Low,Low
+Low,High,Medium,Low,Medium,High,Low
+Low,High,High,Medium,Low,Low,Low
+High,Low,Medium,Low,Low,Low,Low
+Medium,Low,Low,High,Low,Low,Low
+Medium,Low,High,Low,Low,Low,Low
+High,Low,Low,Low,Medium,Low,Low
+High,Low,Low,Medium,Low,Low,Low
+Medium,Low,Medium,Low,Medium,Low,Low
+High,High,Low,Low,Low,Low,Low
+Medium,High,Low,Medium,Low,Low,Low
+Medium,Low,Low,Medium,Medium,Low,Low
+Medium,High,Medium,Low,Low,Low,Low
+Low,Low,Low,High,Medium,Low,Low
+Low,High,Low,Low,High,Low,Low
+Low,Low,Low,Medium,High,Low,Low
+Medium,Low,Medium,Low,Low,High,Low
+Medium,Low,Low,Low,High,Low,Low
+Medium,Low,Medium,Medium,Low,Low,Low
+Low,High,High,Low,Low,Low,Low
+Low,Low,High,Low,Medium,Low,Low
+Low,Low,Medium,High,Low,Low,Low
+Low,High,Low,Medium,Medium,Low,Low
+Medium,High,Low,Low,Medium,Low,Low
+Low,High,Low,High,Low,Low,Low
+Low,Low,High,Low,Low,High,Low
+Low,Low,High,Medium,Low,Low,Low
+Low,Low,Medium,Medium,Low,High,Low
+Low,High,Medium,Low,Low,High,Low
+Low,High,Medium,Low,Medium,Low,Low
+Low,High,Medium,Medium,Low,Low,Low
+Low,Low,Medium,Low,High,Low,Low
+Low,Low,Medium,Medium,Medium,Low,Low
+High,Low,Low,Low,Low,Low,Low
+Low,Low,Medium,Low,Medium,High,Low
+Medium,Low,Medium,Low,Low,Low,Low
+Medium,Low,Low,Medium,Low,Low,Low
+Low,Low,Low,High,Low,Low,Low
+Medium,High,Low,Low,Low,Low,Low
+Medium,Low,Low,Low,Medium,Low,Low
+Low,Low,Low,Medium,Medium,Low,Low
+Low,Low,High,Low,Low,Low,Low
+Low,High,Low,Medium,Low,Low,Low
+Low,Low,Low,Low,High,Low,Low
+Low,High,Low,Low,Medium,Low,Low
+Low,Low,Medium,Medium,Low,Low,Low
+Low,Low,Medium,Low,Low,High,Low
+Low,High,Medium,Low,Low,Low,Low
+Low,Low,Medium,Low,Medium,Low,Low
+Medium,Low,Low,Low,Low,Low,Low
+Low,Low,Low,Medium,Low,Low,Low
+Low,High,Low,Low,Low,Low,Low
+Low,Low,Low,Low,Medium,Low,Low
+Low,Low,Medium,Low,Low,Low,Low
diff --git a/docs/ssvc-calc/decision_points/EQ1.json b/docs/ssvc-calc/decision_points/EQ1.json
new file mode 100644
index 00000000..9def2213
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/EQ1.json
@@ -0,0 +1 @@
+{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ1", "name": "Exploitability (EQ1)", "description": "AV/PR/UI with 3 levels specified in Table 24", "values": [{"key": "L", "name": "Low", "description": "2: AV:P or not(AV:N or PR:N or UI:N)"}, {"key": "M", "name": "Medium", "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"}, {"key": "H", "name": "High", "description": "0: AV:N and PR:N and UI:N"}]}
diff --git a/docs/ssvc-calc/decision_points/EQ2.json b/docs/ssvc-calc/decision_points/EQ2.json
new file mode 100644
index 00000000..da8841c9
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/EQ2.json
@@ -0,0 +1 @@
+{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ2", "name": "Complexity (EQ2)", "description": "AC/AT with 2 levels specified in Table 25", "values": [{"key": "L", "name": "Low", "description": "1: not (AC:L and AT:N)"}, {"key": "H", "name": "High", "description": "0: AC:L and AT:N"}]}
diff --git a/docs/ssvc-calc/decision_points/EQ3.json b/docs/ssvc-calc/decision_points/EQ3.json
new file mode 100644
index 00000000..5b0eb552
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/EQ3.json
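Review bot: The macrovector table has no row for `Low,Low,Low,Low,Low,Low`: the hunk header gives 270 lines, which leaves 269 data rows after the column header, while the six columns allow 270 combinations once Vulnerable System Low with Security Requirements High is excluded (the EQ3 and EQ6 definitions added in this commit make that pair impossible). A vector that lands in the least-severe macrovector would then find no category in any lookup built from this file. Add the missing row, presumably `Low,Low,Low,Low,Low,Low,Low`, after checking the category against the CVSS v4 lookup table, and consider a test that asserts the row count and that no combination is repeated.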
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ3", "name": "Vulnerable System (EQ3)", "description": "VC/VI/VA with 3 levels specified in Table 26", "values": [{"key": "L", "name": "Low", "description": "2: not (VC:H or VI:H or VA:H)"}, {"key": "M", "name": "Medium", "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"}, {"key": "H", "name": "High", "description": "0: VC:H and VI:H"}]} diff --git a/docs/ssvc-calc/decision_points/EQ4.json b/docs/ssvc-calc/decision_points/EQ4.json new file mode 100644 index 00000000..f605a12d --- /dev/null +++ b/docs/ssvc-calc/decision_points/EQ4.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ4", "name": "Subsequent System (EQ4)", "description": "SC/SI/SA with 3 levels specified in Table 27", "values": [{"key": "L", "name": "Low", "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"}, {"key": "M", "name": "Medium", "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"}, {"key": "H", "name": "High", "description": "0: MSI:S or MSA:S"}]} diff --git a/docs/ssvc-calc/decision_points/EQ5.json b/docs/ssvc-calc/decision_points/EQ5.json new file mode 100644 index 00000000..2258de0f --- /dev/null +++ b/docs/ssvc-calc/decision_points/EQ5.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ5", "name": "Exploitation (EQ5)", "description": "E with 3 levels specified in Table 28", "values": [{"key": "L", "name": "Low", "description": "2: E:U"}, {"key": "M", "name": "Medium", "description": "1: E:P"}, {"key": "H", "name": "High", "description": "0: E:A"}]} diff --git a/docs/ssvc-calc/decision_points/EQ6.json b/docs/ssvc-calc/decision_points/EQ6.json new file mode 100644 index 00000000..7bacc64b --- /dev/null +++ b/docs/ssvc-calc/decision_points/EQ6.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "EQ6", "name": "Security Requirements (EQ6)", "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", "values": [{"key": "L", "name": "Low", "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"}, {"key": "H", "name": "High", "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"}]} diff --git a/docs/ssvc-calc/decision_points/attack_complexity_3.json b/docs/ssvc-calc/decision_points/attack_complexity_3.json new file mode 100644 index 00000000..f71772ce --- /dev/null +++ b/docs/ssvc-calc/decision_points/attack_complexity_3.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."}, {"key": "H", "name": "High", "description": "A successful attack depends on conditions beyond the attacker's control."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/attack_complexity_3_0_1.json b/docs/ssvc-calc/decision_points/attack_complexity_3_0_1.json new file mode 100644 index 00000000..bfece6aa --- /dev/null +++ b/docs/ssvc-calc/decision_points/attack_complexity_3_0_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [{"key": "L", "name": "Low", "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "}, {"key": "H", "name": "High", "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/attack_requirements_1.json b/docs/ssvc-calc/decision_points/attack_requirements_1.json new file mode 100644 index 00000000..77b1e496 --- /dev/null +++ b/docs/ssvc-calc/decision_points/attack_requirements_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AT", "name": "Attack Requirements", "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [{"key": "N", "name": "None", "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."}, {"key": "P", "name": "Present", "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/attack_vector_3.json b/docs/ssvc-calc/decision_points/attack_vector_3.json new file mode 100644 index 00000000..4138eb79 --- /dev/null +++ b/docs/ssvc-calc/decision_points/attack_vector_3.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [{"key": "P", "name": "Physical", "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."}, {"key": "L", "name": "Local", "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."}, {"key": "A", "name": "Adjacent", "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."}, {"key": "N", "name": "Network", "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/attack_vector_3_0_1.json b/docs/ssvc-calc/decision_points/attack_vector_3_0_1.json new file mode 100644 index 00000000..e8f2fb92 --- /dev/null +++ b/docs/ssvc-calc/decision_points/attack_vector_3_0_1.json 
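Review bot: The Physical description carries a citation marker with no footnote behind it, `evil maid attack [1]`, so the reference dangles wherever this text is displayed. The same kind of leftover appears as `evil maid attack1` in attack_vector_3_0_1.json and as `listed in Table 3` in authentication_2.json. Drop the markers or replace them with a self-contained phrase, for example `(e.g. evil maid attack)`.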
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [{"key": "P", "name": "Physical", "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."}, {"key": "L", "name": "Local", "description": "The vulnerable system is not bound to the network stack and the attacker\u2019s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."}, {"key": "A", "name": "Adjacent", "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. 
This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."}, {"key": "N", "name": "Network", "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed \u201cremotely exploitable\u201d and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/authentication_1.json b/docs/ssvc-calc/decision_points/authentication_1.json new file mode 100644 index 00000000..e125e865 --- /dev/null +++ b/docs/ssvc-calc/decision_points/authentication_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "values": [{"key": "N", "name": "Not Required", "description": "Authentication is not required to access or exploit the vulnerability."}, {"key": "R", "name": "Required", "description": "Authentication is required to access and exploit the vulnerability."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/authentication_2.json b/docs/ssvc-calc/decision_points/authentication_2.json new file mode 100644 index 00000000..325df4fb --- /dev/null +++ b/docs/ssvc-calc/decision_points/authentication_2.json 
@@ -0,0 +1 @@
+{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "values": [{"key": "M", "name": "Multiple", "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."}, {"key": "S", "name": "Single", "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."}, {"key": "N", "name": "None", "description": "Authentication is not required to exploit the vulnerability."}]}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/automatable_2_0_0.json b/docs/ssvc-calc/decision_points/automatable_2_0_0.json
new file mode 100644
index 00000000..9a0369b2
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/automatable_2_0_0.json
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "2.0.0",
+ "key": "A",
+ "name": "Automatable",
+ "description": "Can an attacker reliably automate creating exploitation events for this vulnerability?",
+ "values": [
+ {
+ "key": "N",
+ "name": "No",
+ "description": "Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation."
+ },
+ {
+ "key": "Y",
+ "name": "Yes",
+ "description": "Attackers can reliably automate steps 1-4 of the kill chain."
+ }
+ ]
+}
\ No newline at end of file
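Review bot: automatable_2_0_0.json has no `schemaVersion` field, while every `cvss` decision point added alongside it declares `"schemaVersion": "1-0-1"`. If the calculator or a schema validator keys on that field, this SSVC file will be handled differently from the rest. Either add the field here or document that it is optional for the `ssvc` namespace.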
diff --git a/docs/ssvc-calc/decision_points/availability_impact_1.json b/docs/ssvc-calc/decision_points/availability_impact_1.json new file mode 100644 index 00000000..0666e517 --- /dev/null +++ b/docs/ssvc-calc/decision_points/availability_impact_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on availability."}, {"key": "P", "name": "Partial", "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."}, {"key": "C", "name": "Complete", "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/availability_impact_2.json b/docs/ssvc-calc/decision_points/availability_impact_2.json new file mode 100644 index 00000000..b582e82d --- /dev/null +++ b/docs/ssvc-calc/decision_points/availability_impact_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the availability of the system."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/availability_impact_2_0_1.json b/docs/ssvc-calc/decision_points/availability_impact_2_0_1.json new file mode 100644 index 00000000..7c43bca6 --- /dev/null +++ b/docs/ssvc-calc/decision_points/availability_impact_2_0_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/availability_requirement_1.json b/docs/ssvc-calc/decision_points/availability_requirement_1.json new file mode 100644 index 00000000..bf9732ba --- /dev/null +++ b/docs/ssvc-calc/decision_points/availability_requirement_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/availability_requirement_1_1.json b/docs/ssvc-calc/decision_points/availability_requirement_1_1.json new file mode 100644 index 00000000..73b25c1a --- /dev/null +++ b/docs/ssvc-calc/decision_points/availability_requirement_1_1.json 
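Review bot: The `description` of Availability Requirement repeats the Availability Impact wording, `This metric measures the impact to the availability of a successfully exploited vulnerability.`, which describes the effect of an exploit rather than how much the organization depends on the asset being available. availability_requirement_1_1.json carries the same text; only availability_requirement_1_1_1.json describes the requirement itself. Reword both along the lines of `This metric measures the importance of the affected asset's availability to the organization.`; if these files are generated, the fix belongs in the generator's source.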
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/availability_requirement_1_1_1.json b/docs/ssvc-calc/decision_points/availability_requirement_1_1_1.json new file mode 100644 index 00000000..f808db1c --- /dev/null +++ b/docs/ssvc-calc/decision_points/availability_requirement_1_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Availability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/collateral_damage_potential_1.json b/docs/ssvc-calc/decision_points/collateral_damage_potential_1.json new file mode 100644 index 00000000..0b24042d --- /dev/null +++ b/docs/ssvc-calc/decision_points/collateral_damage_potential_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "values": [{"key": "N", "name": "None", "description": "There is no potential for physical or property damage."}, {"key": "L", "name": "Low", "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."}, {"key": "M", "name": "Medium", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/collateral_damage_potential_2.json b/docs/ssvc-calc/decision_points/collateral_damage_potential_2.json new file mode 100644 index 00000000..cc97cc2c --- /dev/null +++ b/docs/ssvc-calc/decision_points/collateral_damage_potential_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for loss of life or physical assets.", "values": [{"key": "N", "name": "None", "description": "There is no potential for loss of life, physical assets, productivity or revenue."}, {"key": "LM", "name": "Low-Medium", "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."}, {"key": "MH", "name": "Medium-High", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/confidentiality_impact_1.json b/docs/ssvc-calc/decision_points/confidentiality_impact_1.json new file mode 100644 index 00000000..67e90005 --- /dev/null +++ b/docs/ssvc-calc/decision_points/confidentiality_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on confidentiality."}, {"key": "P", "name": "Partial", "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."}, {"key": "C", "name": "Complete", "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/confidentiality_impact_2.json b/docs/ssvc-calc/decision_points/confidentiality_impact_2.json new file mode 100644 index 00000000..13029660 --- /dev/null +++ b/docs/ssvc-calc/decision_points/confidentiality_impact_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/confidentiality_impact_2_0_1.json b/docs/ssvc-calc/decision_points/confidentiality_impact_2_0_1.json new file mode 100644 index 00000000..683a7830 --- /dev/null +++ b/docs/ssvc-calc/decision_points/confidentiality_impact_2_0_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/confidentiality_requirement_1.json b/docs/ssvc-calc/decision_points/confidentiality_requirement_1.json new file mode 100644 index 00000000..4470ee41 --- /dev/null +++ b/docs/ssvc-calc/decision_points/confidentiality_requirement_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/confidentiality_requirement_1_1.json b/docs/ssvc-calc/decision_points/confidentiality_requirement_1_1.json new file mode 100644 index 00000000..7b909bc1 --- /dev/null +++ b/docs/ssvc-calc/decision_points/confidentiality_requirement_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/confidentiality_requirement_1_1_1.json b/docs/ssvc-calc/decision_points/confidentiality_requirement_1_1_1.json new file mode 100644 index 00000000..016d932b --- /dev/null +++ b/docs/ssvc-calc/decision_points/confidentiality_requirement_1_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/exploitability_1.json b/docs/ssvc-calc/decision_points/exploitability_1.json new file mode 100644 index 00000000..fdeac3d9 --- /dev/null +++ b/docs/ssvc-calc/decision_points/exploitability_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/exploitability_1_1.json b/docs/ssvc-calc/decision_points/exploitability_1_1.json new file mode 100644 index 00000000..65792b8c --- /dev/null +++ b/docs/ssvc-calc/decision_points/exploitability_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/exploitation_1_0_0.json b/docs/ssvc-calc/decision_points/exploitation_1_0_0.json new file mode 100644 index 00000000..9f287310 --- /dev/null +++ b/docs/ssvc-calc/decision_points/exploitation_1_0_0.json 
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "E",
+ "name": "Exploitation",
+ "description": "The present state of exploitation of the vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ },
+ {
+ "key": "P",
+ "name": "PoC",
+ "description": "One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation."
+ },
+ {
+ "key": "A",
+ "name": "Active",
+ "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/exploitation_1_1_0.json b/docs/ssvc-calc/decision_points/exploitation_1_1_0.json
new file mode 100644
index 00000000..bebf78a3
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/exploitation_1_1_0.json
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.1.0",
+ "key": "E",
+ "name": "Exploitation",
+ "description": "The present state of exploitation of the vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
+ },
+ {
+ "key": "P",
+ "name": "Public PoC",
+ "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
+ },
+ {
+ "key": "A",
+ "name": "Active",
+ "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/human_impact_1_0_0.json b/docs/ssvc-calc/decision_points/human_impact_1_0_0.json
new file mode 100644
index 00000000..9d056efa
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/human_impact_1_0_0.json
@@ -0,0 +1,29 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "HI",
+ "name": "Human Impact",
+ "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/human_impact_2_0_0.json b/docs/ssvc-calc/decision_points/human_impact_2_0_0.json
new file mode 100644
index 00000000..b2e5ab7a
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/human_impact_2_0_0.json
@@ -0,0 +1,29 @@
+{
+ "namespace": "ssvc",
+ "version": "2.0.0",
+ "key": "HI",
+ "name": "Human Impact",
+ "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "(Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled))"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "(Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure)"
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/human_impact_2_0_1.json b/docs/ssvc-calc/decision_points/human_impact_2_0_1.json
new file mode 100644
index 00000000..6c83e47e
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/human_impact_2_0_1.json
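Review bot: The value descriptions in human_impact_2_0_0.json still refer to `Mission Impact:(None OR Degraded OR Crippled)`, but mission_impact_2_0_0.json, added later in this diff, has no `None` value (its values are Degraded, MEF Support Crippled, MEF Failure and Mission Failure); human_impact_2_0_1.json repeats the same wording. Which Mission Impact version Human Impact 2.x is meant to combine is not visible here, so this needs confirming. If it is 2.0.0, the Low description would read `Safety Impact:(None OR Minor) AND Mission Impact:(Degraded OR Crippled)`, with the Medium and High entries adjusted the same way. As far as the visible lines show, this file differs from human_impact_1_0_0.json only in `version`, which may be how the old value name carried over.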
@@ -0,0 +1,29 @@
+{
+ "namespace": "ssvc",
+ "version": "2.0.1",
+ "key": "HI",
+ "name": "Human Impact",
+ "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/impact_bias_1.json b/docs/ssvc-calc/decision_points/impact_bias_1.json
new file mode 100644
index 00000000..2d6b4f51
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/impact_bias_1.json
@@ -0,0 +1 @@
+{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IB", "name": "Impact Bias", "description": "This metric measures the impact bias of the vulnerability.", "values": [{"key": "N", "name": "Normal", "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."}, {"key": "C", "name": "Confidentiality", "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."}, {"key": "I", "name": "Integrity", "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."}, {"key": "A", "name": "Availability", "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."}]}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/integrity_impact_1.json b/docs/ssvc-calc/decision_points/integrity_impact_1.json new file mode 100644 index 00000000..daf6d35c --- /dev/null +++ b/docs/ssvc-calc/decision_points/integrity_impact_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on integrity."}, {"key": "P", "name": "Partial", "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."}, {"key": "C", "name": "Complete", "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/integrity_impact_2.json b/docs/ssvc-calc/decision_points/integrity_impact_2.json new file mode 100644 index 00000000..58da5c1b --- /dev/null +++ b/docs/ssvc-calc/decision_points/integrity_impact_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the integrity of the system."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/integrity_impact_2_0_1.json b/docs/ssvc-calc/decision_points/integrity_impact_2_0_1.json new file mode 100644 index 00000000..d689989e --- /dev/null +++ b/docs/ssvc-calc/decision_points/integrity_impact_2_0_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]} \ No newline at end of file 
diff --git a/docs/ssvc-calc/decision_points/integrity_requirement_1.json b/docs/ssvc-calc/decision_points/integrity_requirement_1.json new file mode 100644 index 00000000..8d24a7e1 --- /dev/null +++ b/docs/ssvc-calc/decision_points/integrity_requirement_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/integrity_requirement_1_1.json b/docs/ssvc-calc/decision_points/integrity_requirement_1_1.json new file mode 100644 index 00000000..25dad33b --- /dev/null +++ b/docs/ssvc-calc/decision_points/integrity_requirement_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/integrity_requirement_1_1_1.json b/docs/ssvc-calc/decision_points/integrity_requirement_1_1_1.json new file mode 100644 index 00000000..9e83e2c2 --- /dev/null +++ b/docs/ssvc-calc/decision_points/integrity_requirement_1_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/mission_and_well-being_impact_1_0_0.json b/docs/ssvc-calc/decision_points/mission_and_well-being_impact_1_0_0.json new file mode 100644 index 00000000..9751bded --- /dev/null +++ b/docs/ssvc-calc/decision_points/mission_and_well-being_impact_1_0_0.json 
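Review bot: The `version` field in integrity_requirement_1_1_1.json is `"1.0.1"`, which disagrees with the file name and with the sibling availability_requirement_1_1_1.json and confidentiality_requirement_1_1_1.json, both of which carry `"1.1.1"`; it should presumably read `"version": "1.1.1"`. The description also ends with `measured in terms of Confidentiality`, which looks copied from the Confidentiality Requirement entry and should say `measured in terms of Integrity`. If consumers resolve decision points by namespace, key and version (the lookup code is not shown here), the wrong version string would leave this entry unreachable as IR 1.1.1 or let it collide with another IR entry. An analyst could then be scoring against the wrong definition.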
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "MWI",
+ "name": "Mission and Well-Being Impact",
+ "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/mission_impact_1_0_0.json b/docs/ssvc-calc/decision_points/mission_impact_1_0_0.json
new file mode 100644
index 00000000..456db1bd
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/mission_impact_1_0_0.json
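Review bot: The three value descriptions in mission_and_well-being_impact_1_0_0.json do not cover every combination of the inputs they name. Mission Prevalence:Minimal with Public Well-Being Impact:Material matches neither Low (which needs Minimal and Minimal), nor Medium (which needs Support), nor High (which needs Essential or Irreversible). Anyone deriving this value from the descriptions has no defined outcome for that pair. The two input decision points are not defined in this part of the diff, so the intended result should be confirmed against the SSVC documentation. If that pair is meant to be Medium, the Medium description would become `(Mission Prevalence:Minimal AND Public Well-Being Impact:Material) OR (Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material))`.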
@@ -0,0 +1,34 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "MI",
+ "name": "Mission Impact",
+ "description": "Impact on Mission Essential Functions of the Organization",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "Little to no impact"
+ },
+ {
+ "key": "NED",
+ "name": "Non-Essential Degraded",
+ "description": "Degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ },
+ {
+ "key": "MSC",
+ "name": "MEF Support Crippled",
+ "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ },
+ {
+ "key": "MEF",
+ "name": "MEF Failure",
+ "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ },
+ {
+ "key": "MF",
+ "name": "Mission Failure",
+ "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/mission_impact_2_0_0.json b/docs/ssvc-calc/decision_points/mission_impact_2_0_0.json
new file mode 100644
index 00000000..9d096ce0
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/mission_impact_2_0_0.json
@@ -0,0 +1,29 @@
+{
+ "namespace": "ssvc",
+ "version": "2.0.0",
+ "key": "MI",
+ "name": "Mission Impact",
+ "description": "Impact on Mission Essential Functions of the Organization",
+ "values": [
+ {
+ "key": "D",
+ "name": "Degraded",
+ "description": "Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions"
+ },
+ {
+ "key": "MSC",
+ "name": "MEF Support Crippled",
+ "description": "Activities that directly support essential functions are crippled; essential functions continue for a time"
+ },
+ {
+ "key": "MEF",
+ "name": "MEF Failure",
+ "description": "Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time"
+ },
+ {
+ "key": "MF",
+ "name": "Mission Failure",
+ "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/privileges_required_1.json b/docs/ssvc-calc/decision_points/privileges_required_1.json
new file mode 100644
index 00000000..cc4dc58e
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/privileges_required_1.json
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/privileges_required_1_0_1.json b/docs/ssvc-calc/decision_points/privileges_required_1_0_1.json new file mode 100644 index 00000000..8fcdde86 --- /dev/null +++ b/docs/ssvc-calc/decision_points/privileges_required_1_0_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system\u2019s settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/public_safety_impact_1_0_0.json b/docs/ssvc-calc/decision_points/public_safety_impact_1_0_0.json new file mode 100644 index 00000000..bc8ec442 --- /dev/null +++ b/docs/ssvc-calc/decision_points/public_safety_impact_1_0_0.json 
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "PSI",
+ "name": "Public Safety Impact",
+ "description": "A coarse-grained representation of impact to public safety.",
+ "values": [
+ {
+ "key": "M",
+ "name": "Minimal",
+ "description": "Safety Impact:(None OR Minor)"
+ },
+ {
+ "key": "S",
+ "name": "Significant",
+ "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/public_safety_impact_2_0_0.json b/docs/ssvc-calc/decision_points/public_safety_impact_2_0_0.json
new file mode 100644
index 00000000..81f414d8
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/public_safety_impact_2_0_0.json
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "2.0.0",
+ "key": "PSI",
+ "name": "Public Safety Impact",
+ "description": "A coarse-grained representation of impact to public safety.",
+ "values": [
+ {
+ "key": "M",
+ "name": "Minimal",
+ "description": "Safety Impact:(None OR Minor)"
+ },
+ {
+ "key": "S",
+ "name": "Significant",
+ "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/public_safety_impact_2_0_1.json b/docs/ssvc-calc/decision_points/public_safety_impact_2_0_1.json
new file mode 100644
index 00000000..b993b033
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/public_safety_impact_2_0_1.json
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "2.0.1",
+ "key": "PSI",
+ "name": "Public Safety Impact",
+ "description": "A coarse-grained representation of impact to public safety.",
+ "values": [
+ {
+ "key": "M",
+ "name": "Minimal",
+ "description": "Safety Impact:Negligible"
+ },
+ {
+ "key": "S",
+ "name": "Significant",
+ "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/public_value_added_1_0_0.json b/docs/ssvc-calc/decision_points/public_value_added_1_0_0.json
new file mode 100644
index 00000000..566b80c4
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/public_value_added_1_0_0.json
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "PVA",
+ "name": "Public Value Added",
+ "description": "How much value would a publication from the coordinator benefit the broader community?",
+ "values": [
+ {
+ "key": "L",
+ "name": "Limited",
+ "description": "Minimal value added to the existing public information because existing information is already high quality and in multiple outlets."
+ },
+ {
+ "key": "A",
+ "name": "Ampliative",
+ "description": "Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc."
+ },
+ {
+ "key": "P",
+ "name": "Precedence",
+ "description": "The publication would be the first publicly available, or be coincident with the first publicly available."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/public_well-being_impact_1_0_0.json b/docs/ssvc-calc/decision_points/public_well-being_impact_1_0_0.json
new file mode 100644
index 00000000..7e6556f4
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/public_well-being_impact_1_0_0.json
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "PWI",
+ "name": "Public Well-Being Impact",
+ "description": "A coarse-grained representation of impact to public well-being.",
+ "values": [
+ {
+ "key": "M",
+ "name": "Minimal",
+ "description": "The effect is below the threshold for all aspects described in material. "
+ },
+ {
+ "key": "M",
+ "name": "Material",
+ "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
+ },
+ {
+ "key": "I",
+ "name": "Irreversible",
+ "description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A "
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/remediation_level_1.json b/docs/ssvc-calc/decision_points/remediation_level_1.json
new file mode 100644
index 00000000..78c08b16
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/remediation_level_1.json
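Review bot: Two entries in `values` share `"key": "M"` (Minimal and Material), so a recorded `PWI:M` cannot be resolved to a single value, and any key-indexed lookup will silently keep only one of them. The two options are adjacent but distinct severity levels, so the ambiguity can under- or over-state impact in the resulting prioritisation. Give Material a distinct key, for instance `"key": "MA"` (a constructed example; use whatever the SSVC definition specifies), and have the loader reject duplicate keys within one decision point. The Irreversible description also contains the typo `componen`, which should read `component`.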
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/remediation_level_1_1.json b/docs/ssvc-calc/decision_points/remediation_level_1_1.json new file mode 100644 index 00000000..3354c3a5 --- /dev/null +++ b/docs/ssvc-calc/decision_points/remediation_level_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/report_confidence_1.json b/docs/ssvc-calc/decision_points/report_confidence_1.json new file mode 100644 index 00000000..2383385c --- /dev/null +++ b/docs/ssvc-calc/decision_points/report_confidence_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/report_confidence_1_1.json b/docs/ssvc-calc/decision_points/report_confidence_1_1.json new file mode 100644 index 00000000..859ae0ae --- /dev/null +++ b/docs/ssvc-calc/decision_points/report_confidence_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/report_confidence_2.json b/docs/ssvc-calc/decision_points/report_confidence_2.json new file mode 100644 index 00000000..f35f1bc9 --- /dev/null +++ b/docs/ssvc-calc/decision_points/report_confidence_2.json 
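Review bot: The "Not Defined" value is keyed `ND` in this file, while `remediation_level_1_1.json` (same `1.1.0` version line) and `report_confidence_2.json` key it `X`. If that difference deliberately mirrors the abbreviations of different CVSS versions, a short note in the repository documentation would help. Otherwise the keys should be aligned, so that code treating "Not Defined" as a wildcard does not have to special-case one metric. The Uncorroborated description in both `report_confidence_1.json` and this file also has the typo `possibily`, which should read `possibly`.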
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "U", "name": "Unknown", "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."}, {"key": "R", "name": "Reasonable", "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."}, {"key": "C", "name": "Confirmed", "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/report_credibility_1_0_0.json b/docs/ssvc-calc/decision_points/report_credibility_1_0_0.json new file mode 100644 index 00000000..0b1c910a --- /dev/null +++ b/docs/ssvc-calc/decision_points/report_credibility_1_0_0.json 
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "RC",
+ "name": "Report Credibility",
+ "description": "Is the report credible?",
+ "values": [
+ {
+ "key": "NC",
+ "name": "Not Credible",
+ "description": "The report is not credible."
+ },
+ {
+ "key": "C",
+ "name": "Credible",
+ "description": "The report is credible."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/report_public_1_0_0.json b/docs/ssvc-calc/decision_points/report_public_1_0_0.json
new file mode 100644
index 00000000..195b8c33
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/report_public_1_0_0.json
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "RP",
+ "name": "Report Public",
+ "description": "Is a viable report of the details of the vulnerability already publicly available?",
+ "values": [
+ {
+ "key": "Y",
+ "name": "Yes",
+ "description": "A public report of the vulnerability exists."
+ },
+ {
+ "key": "N",
+ "name": "No",
+ "description": "No public report of the vulnerability exists."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/safety_impact_1_0_0.json b/docs/ssvc-calc/decision_points/safety_impact_1_0_0.json
new file mode 100644
index 00000000..f76474e1
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/safety_impact_1_0_0.json
@@ -0,0 +1,34 @@ +{ + "namespace": "ssvc", + "version": "1.0.0", + "key": "SI", + "name": "Safety Impact", + "description": "The safety impact of the vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "The effect is below the threshold for all aspects described in Minor." + }, + { + "key": "M", + "name": "Minor", + "description": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + }, + { + "key": "J", + "name": "Major", + "description": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) 
imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + }, + { + "key": "H", + "name": "Hazardous", + "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + }, + { + "key": "C", + "name": "Catastrophic", + "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." + } + ] +} \ No newline at end of file 
diff --git a/docs/ssvc-calc/decision_points/safety_impact_2_0_0.json b/docs/ssvc-calc/decision_points/safety_impact_2_0_0.json new file mode 100644 index 00000000..795813bb --- /dev/null +++ b/docs/ssvc-calc/decision_points/safety_impact_2_0_0.json @@ -0,0 +1,29 @@ +{ + "namespace": "ssvc", + "version": "2.0.0", + "key": "SI", + "name": "Safety Impact", + "description": "The safety impact of the vulnerability. (based on IEC 61508)", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + }, + { + "key": "M", + "name": "Marginal", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + }, + { + "key": "R", + "name": "Critical", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." + }, + { + "key": "C", + "name": "Catastrophic", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." + } + ] +} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/scope_1.json b/docs/ssvc-calc/decision_points/scope_1.json new file mode 100644 index 00000000..640ae6da --- /dev/null +++ b/docs/ssvc-calc/decision_points/scope_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "S", "name": "Scope", "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "values": [{"key": "U", "name": "Unchanged", "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."}, {"key": "C", "name": "Changed", "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/subsequent_availability_impact_1.json b/docs/ssvc-calc/decision_points/subsequent_availability_impact_1.json new file mode 100644 index 00000000..88822ee1 --- /dev/null +++ b/docs/ssvc-calc/decision_points/subsequent_availability_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SA", "name": "Subsequent Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."}, {"key": "H", "name": "High", "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/subsequent_confidentiality_impact_1.json b/docs/ssvc-calc/decision_points/subsequent_confidentiality_impact_1.json new file mode 100644 index 00000000..4e08a1a0 --- /dev/null +++ b/docs/ssvc-calc/decision_points/subsequent_confidentiality_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SC", "name": "Confidentiality Impact to the Subsequent System", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "values": [{"key": "N", "name": "Negligible", "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/subsequent_integrity_impact_1.json b/docs/ssvc-calc/decision_points/subsequent_integrity_impact_1.json new file mode 100644 index 00000000..59181634 --- /dev/null +++ b/docs/ssvc-calc/decision_points/subsequent_integrity_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SI", "name": "Integrity Impact to the Subsequent System", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/supplier_cardinality_1_0_0.json b/docs/ssvc-calc/decision_points/supplier_cardinality_1_0_0.json new file mode 100644 index 00000000..36088dcc --- /dev/null +++ b/docs/ssvc-calc/decision_points/supplier_cardinality_1_0_0.json 
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "SC",
+ "name": "Supplier Cardinality",
+ "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
+ "values": [
+ {
+ "key": "O",
+ "name": "One",
+ "description": "There is only one supplier of the vulnerable component."
+ },
+ {
+ "key": "M",
+ "name": "Multiple",
+ "description": "There are multiple suppliers of the vulnerable component."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/supplier_contacted_1_0_0.json b/docs/ssvc-calc/decision_points/supplier_contacted_1_0_0.json
new file mode 100644
index 00000000..526ef3e0
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/supplier_contacted_1_0_0.json
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "SC",
+ "name": "Supplier Contacted",
+ "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
+ "values": [
+ {
+ "key": "N",
+ "name": "No",
+ "description": "The supplier has not been contacted."
+ },
+ {
+ "key": "Y",
+ "name": "Yes",
+ "description": "The supplier has been contacted."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/supplier_engagement_1_0_0.json b/docs/ssvc-calc/decision_points/supplier_engagement_1_0_0.json
new file mode 100644
index 00000000..cce9d92a
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/supplier_engagement_1_0_0.json
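Review bot: `supplier_cardinality_1_0_0.json` and `supplier_contacted_1_0_0.json` both declare namespace `ssvc`, key `SC` and version `1.0.0`, so that triple does not identify a single decision point. The same collision exists for `SI` at `1.0.0` between `safety_impact_1_0_0.json` and `supplier_involvement_1_0_0.json`. If the calculator indexes decision points or parses stored selections by key, one definition can shadow the other and a recorded choice could be evaluated against the wrong option set. The consumer is not part of this diff, so how it resolves them needs confirming. Either assign distinct keys, or document that keys are unique only within a given tree and have the loader enforce that.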
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "SE",
+ "name": "Supplier Engagement",
+ "description": "Is the supplier responding to the reporter\u2019s contact effort and actively participating in the coordination effort?",
+ "values": [
+ {
+ "key": "A",
+ "name": "Active",
+ "description": "The supplier is responding to the reporter\u2019s contact effort and actively participating in the coordination effort."
+ },
+ {
+ "key": "U",
+ "name": "Unresponsive",
+ "description": "The supplier is not responding to the reporter\u2019s contact effort and not actively participating in the coordination effort."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/supplier_involvement_1_0_0.json b/docs/ssvc-calc/decision_points/supplier_involvement_1_0_0.json
new file mode 100644
index 00000000..0adcf48d
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/supplier_involvement_1_0_0.json
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "SI",
+ "name": "Supplier Involvement",
+ "description": "What is the state of the supplier\u2019s work on addressing the vulnerability?",
+ "values": [
+ {
+ "key": "FR",
+ "name": "Fix Ready",
+ "description": "The supplier has provided a patch or fix."
+ },
+ {
+ "key": "C",
+ "name": "Cooperative",
+ "description": "The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time."
+ },
+ {
+ "key": "UU",
+ "name": "Uncooperative/Unresponsive",
+ "description": "The supplier has not responded, declined to generate a remediation, or no longer exists."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/system_exposure_1_0_0.json b/docs/ssvc-calc/decision_points/system_exposure_1_0_0.json
new file mode 100644
index 00000000..60b5dc75
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/system_exposure_1_0_0.json
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "EXP",
+ "name": "System Exposure",
+ "description": "The Accessible Attack Surface of the Affected System or Service",
+ "values": [
+ {
+ "key": "S",
+ "name": "Small",
+ "description": "Local service or program; highly controlled network"
+ },
+ {
+ "key": "C",
+ "name": "Controlled",
+ "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ },
+ {
+ "key": "U",
+ "name": "Unavoidable",
+ "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/system_exposure_1_0_1.json b/docs/ssvc-calc/decision_points/system_exposure_1_0_1.json
new file mode 100644
index 00000000..f287944d
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/system_exposure_1_0_1.json
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.1",
+ "key": "EXP",
+ "name": "System Exposure",
+ "description": "The Accessible Attack Surface of the Affected System or Service",
+ "values": [
+ {
+ "key": "S",
+ "name": "Small",
+ "description": "Local service or program; highly controlled network"
+ },
+ {
+ "key": "C",
+ "name": "Controlled",
+ "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small."
+ },
+ {
+ "key": "O",
+ "name": "Open",
+ "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/target_distribution_1.json b/docs/ssvc-calc/decision_points/target_distribution_1.json
new file mode 100644
index 00000000..40f0b191
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/target_distribution_1.json
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/target_distribution_1_1.json b/docs/ssvc-calc/decision_points/target_distribution_1_1.json new file mode 100644 index 00000000..c61af269 --- /dev/null +++ b/docs/ssvc-calc/decision_points/target_distribution_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/technical_impact_1_0_0.json b/docs/ssvc-calc/decision_points/technical_impact_1_0_0.json new file mode 100644 index 00000000..a844a82b --- /dev/null +++ b/docs/ssvc-calc/decision_points/technical_impact_1_0_0.json 
@@ -0,0 +1,19 @@ +{ + "namespace": "ssvc", + "version": "1.0.0", + "key": "TI", + "name": "Technical Impact", + "description": "The technical impact of the vulnerability.", + "values": [ + { + "key": "P", + "name": "Partial", + "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control." + }, + { + "key": "T", + "name": "Total", + "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." + } + ] +} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/user_interaction_1.json b/docs/ssvc-calc/decision_points/user_interaction_1.json new file mode 100644 index 00000000..afc55331 --- /dev/null +++ b/docs/ssvc-calc/decision_points/user_interaction_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "values": [{"key": "R", "name": "Required", "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any user."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/user_interaction_2.json b/docs/ssvc-calc/decision_points/user_interaction_2.json new file mode 100644 index 00000000..0f2f1640 --- /dev/null +++ b/docs/ssvc-calc/decision_points/user_interaction_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "values": [{"key": "A", "name": "Active", "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker\u2019s payload, or the user\u2019s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."}, {"key": "P", "name": "Passive", "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker\u2019s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."}]} \ No newline at end of file diff --git a/docs/ssvc-calc/decision_points/utility_1_0_0.json b/docs/ssvc-calc/decision_points/utility_1_0_0.json new file mode 100644 index 00000000..c71273ce --- /dev/null +++ b/docs/ssvc-calc/decision_points/utility_1_0_0.json 
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "U",
+ "name": "Utility",
+ "description": "The Usefulness of the Exploit to the Adversary",
+ "values": [
+ {
+ "key": "L",
+ "name": "Laborious",
+ "description": "Virulence:Slow and Value Density:Diffuse"
+ },
+ {
+ "key": "E",
+ "name": "Efficient",
+ "description": "Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated"
+ },
+ {
+ "key": "S",
+ "name": "Super Effective",
+ "description": "Virulence:Rapid and Value Density:Concentrated"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/utility_1_0_1.json b/docs/ssvc-calc/decision_points/utility_1_0_1.json
new file mode 100644
index 00000000..a1b72bce
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/utility_1_0_1.json
@@ -0,0 +1,24 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.1",
+ "key": "U",
+ "name": "Utility",
+ "description": "The Usefulness of the Exploit to the Adversary",
+ "values": [
+ {
+ "key": "L",
+ "name": "Laborious",
+ "description": "Automatable:No AND Value Density:Diffuse"
+ },
+ {
+ "key": "E",
+ "name": "Efficient",
+ "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
+ },
+ {
+ "key": "S",
+ "name": "Super Effective",
+ "description": "Automatable:Yes AND Value Density:Concentrated"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/value_density_1_0_0.json b/docs/ssvc-calc/decision_points/value_density_1_0_0.json
new file mode 100644
index 00000000..2c2db1a4
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/value_density_1_0_0.json
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "VD",
+ "name": "Value Density",
+ "description": "The concentration of value in the target",
+ "values": [
+ {
+ "key": "D",
+ "name": "Diffuse",
+ "description": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
+ },
+ {
+ "key": "C",
+ "name": "Concentrated",
+ "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of \u201csystem operators\u201d rather than users."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/decision_points/virulence_1_0_0.json b/docs/ssvc-calc/decision_points/virulence_1_0_0.json
new file mode 100644
index 00000000..dfa91097
--- /dev/null
+++ b/docs/ssvc-calc/decision_points/virulence_1_0_0.json
@@ -0,0 +1,19 @@
+{
+ "namespace": "ssvc",
+ "version": "1.0.0",
+ "key": "V",
+ "name": "Virulence",
+ "description": "The speed at which the vulnerability can be exploited.",
+ "values": [
+ {
+ "key": "S",
+ "name": "Slow",
+ "description": "Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ },
+ {
+ "key": "R",
+ "name": "Rapid",
+ "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/docs/ssvc-calc/deployer-options-nr.csv b/docs/ssvc-calc/deployer-options-nr.csv
new file mode 100644
index 00000000..b6b63311
--- /dev/null
+++ b/docs/ssvc-calc/deployer-options-nr.csv
@@ -0,0 +1,73 @@
+Exploitation,Exposure,Automatable,Human Impact,Priority
+none,small,no,low,defer
+none,small,no,medium,defer
+none,small,no,high,scheduled
+none,small,no,very high,scheduled
+none,small,yes,low,defer
+none,small,yes,medium,scheduled
+none,small,yes,high,scheduled
+none,small,yes,very high,scheduled
+none,controlled,no,low,defer
+none,controlled,no,medium,scheduled
+none,controlled,no,high,scheduled
+none,controlled,no,very high,scheduled
+none,controlled,yes,low,scheduled
+none,controlled,yes,medium,scheduled
+none,controlled,yes,high,scheduled
+none,controlled,yes,very high,scheduled
+none,open,no,low,defer
+none,open,no,medium,scheduled
+none,open,no,high,scheduled
+none,open,no,very high,scheduled
+none,open,yes,low,scheduled
+none,open,yes,medium,scheduled
+none,open,yes,high,scheduled
+none,open,yes,very high,out-of-cycle
+PoC,small,no,low,defer
+PoC,small,no,medium,scheduled
+PoC,small,no,high,scheduled
+PoC,small,no,very high,scheduled
+PoC,small,yes,low,scheduled
+PoC,small,yes,medium,scheduled
+PoC,small,yes,high,scheduled
+PoC,small,yes,very high,scheduled
+PoC,controlled,no,low,defer
+PoC,controlled,no,medium,scheduled
+PoC,controlled,no,high,scheduled
+PoC,controlled,no,very high,scheduled
+PoC,controlled,yes,low,scheduled
+PoC,controlled,yes,medium,scheduled
+PoC,controlled,yes,high,scheduled
+PoC,controlled,yes,very high,out-of-cycle
+PoC,open,no,low,scheduled
+PoC,open,no,medium,scheduled
+PoC,open,no,high,scheduled
+PoC,open,no,very high,out-of-cycle
+PoC,open,yes,low,scheduled
+PoC,open,yes,medium,scheduled
+PoC,open,yes,high,out-of-cycle
+PoC,open,yes,very high,out-of-cycle
+active,small,no,low,scheduled
+active,small,no,medium,scheduled
+active,small,no,high,out-of-cycle
+active,small,no,very high,out-of-cycle
+active,small,yes,low,scheduled
+active,small,yes,medium,out-of-cycle
+active,small,yes,high,out-of-cycle
+active,small,yes,very high,out-of-cycle
+active,controlled,no,low,scheduled
+active,controlled,no,medium,scheduled
+active,controlled,no,high,out-of-cycle
+active,controlled,no,very high,out-of-cycle
+active,controlled,yes,low,out-of-cycle
+active,controlled,yes,medium,out-of-cycle
+active,controlled,yes,high,out-of-cycle
+active,controlled,yes,very high,out-of-cycle
+active,open,no,low,scheduled
+active,open,no,medium,out-of-cycle
+active,open,no,high,out-of-cycle
+active,open,no,very high,immediate
+active,open,yes,low,out-of-cycle
+active,open,yes,medium,out-of-cycle
+active,open,yes,high,immediate
+active,open,yes,very high,immediate
diff --git a/docs/ssvc-calc/deployer-options.csv b/docs/ssvc-calc/deployer-options.csv
new file mode 100644
index 00000000..6b9a8791
--- /dev/null
+++ b/docs/ssvc-calc/deployer-options.csv
@@ -0,0 +1,73 @@
+row,Exploitation,Exposure,Automatable,Human Impact,Priority
+1,none,small,no,low,defer
+2,none,small,no,medium,defer
+3,none,small,no,high,scheduled
+4,none,small,no,very high,scheduled
+5,none,small,yes,low,defer
+6,none,small,yes,medium,scheduled
+7,none,small,yes,high,scheduled
+8,none,small,yes,very high,scheduled
+9,none,controlled,no,low,defer
+10,none,controlled,no,medium,scheduled
+11,none,controlled,no,high,scheduled
+12,none,controlled,no,very high,scheduled
+13,none,controlled,yes,low,scheduled
+14,none,controlled,yes,medium,scheduled
+15,none,controlled,yes,high,scheduled
+16,none,controlled,yes,very high,scheduled
+17,none,open,no,low,defer
+18,none,open,no,medium,scheduled
+19,none,open,no,high,scheduled
+20,none,open,no,very high,scheduled
+21,none,open,yes,low,scheduled
+22,none,open,yes,medium,scheduled
+23,none,open,yes,high,scheduled
+24,none,open,yes,very high,out-of-cycle
+25,PoC,small,no,low,defer
+26,PoC,small,no,medium,scheduled
+27,PoC,small,no,high,scheduled
+28,PoC,small,no,very high,scheduled
+29,PoC,small,yes,low,scheduled
+30,PoC,small,yes,medium,scheduled
+31,PoC,small,yes,high,scheduled
+32,PoC,small,yes,very high,scheduled
+33,PoC,controlled,no,low,defer
+34,PoC,controlled,no,medium,scheduled
+35,PoC,controlled,no,high,scheduled
+36,PoC,controlled,no,very high,scheduled
+37,PoC,controlled,yes,low,scheduled
+38,PoC,controlled,yes,medium,scheduled
+39,PoC,controlled,yes,high,scheduled
+40,PoC,controlled,yes,very high,out-of-cycle
+41,PoC,open,no,low,scheduled
+42,PoC,open,no,medium,scheduled
+43,PoC,open,no,high,scheduled
+44,PoC,open,no,very high,out-of-cycle
+45,PoC,open,yes,low,scheduled
+46,PoC,open,yes,medium,scheduled
+47,PoC,open,yes,high,out-of-cycle
+48,PoC,open,yes,very high,out-of-cycle
+49,active,small,no,low,scheduled
+50,active,small,no,medium,scheduled
+51,active,small,no,high,out-of-cycle
+52,active,small,no,very high,out-of-cycle
+53,active,small,yes,low,scheduled
+54,active,small,yes,medium,out-of-cycle
+55,active,small,yes,high,out-of-cycle
+56,active,small,yes,very high,out-of-cycle
+57,active,controlled,no,low,scheduled
+58,active,controlled,no,medium,scheduled
+59,active,controlled,no,high,out-of-cycle
+60,active,controlled,no,very high,out-of-cycle
+61,active,controlled,yes,low,out-of-cycle
+62,active,controlled,yes,medium,out-of-cycle
+63,active,controlled,yes,high,out-of-cycle
+64,active,controlled,yes,very high,out-of-cycle
+65,active,open,no,low,scheduled
+66,active,open,no,medium,out-of-cycle
+67,active,open,no,high,out-of-cycle
+68,active,open,no,very high,immediate
+69,active,open,yes,low,out-of-cycle
+70,active,open,yes,medium,out-of-cycle
+71,active,open,yes,high,immediate
+72,active,open,yes,very high,immediate
diff --git a/docs/ssvc-calc/feature_gain.html b/docs/ssvc-calc/feature_gain.html
new file mode 100644
index 00000000..dd31c7b8
--- /dev/null
+++ b/docs/ssvc-calc/feature_gain.html
@@ -0,0 +1,99 @@ + + + + + Hello +
diff --git a/docs/ssvc-calc/index.md b/docs/ssvc-calc/index.md
index b7e98144..75eba96a 100644
--- a/docs/ssvc-calc/index.md
+++ b/docs/ssvc-calc/index.md
@@ -1,170 +1,71 @@ - -

SSVC Lookup Table

-
-
+
+
+

SSVC Policy Explorer (demo)

+
+ SSVC Sample Trees + + + +     + +
+

+

+
+

+
+ +
diff --git a/docs/ssvc-calc/simple.js b/docs/ssvc-calc/simple.js
new file mode 100644
index 00000000..7b8ecb19
--- /dev/null
+++ b/docs/ssvc-calc/simple.js
@@ -0,0 +1,895 @@ +const SSVC = { + "outcomes": {}, + "decision_points": [], + "decision_trees" : [ + {"filename": "deployer-options.csv", "displayname" : "Deployer", "default": true}, + {"filename": "supplier-options.csv", "displayname" : "Supplier"}, + {"filename": "coord-triage-options.csv", "displayname" : "Coordinator (Triage)"}, + {"filename": "coord-publish-options.csv", "displayname" : "Coordinator (Publish)"}, + {"filename": "cisa-coordinator-options.csv", "displayname" : "CISA Coordinator (2.0.3)"}, + {"filename": "cvss_v4_macrovectors.csv", "displayname" : "CVSSv4 macro vectors (4.0.0)"} + ], + "form": null +}; +function compareObj(o1,o2) { + const keys = Object.keys(o1); + if(keys.length != Object.keys(o2).length) + return false; + for(let i=0; i < keys.length; i++) { + const key = keys[i]; + if(o1[key] != o2[key]) { + return false; + } + } + return true; +} +function h5button(text, current, type) { + const h5 = document.createElement("h5"); + h5.innerText = text; + h5.style.display = "inline-block"; + if(current) + h5.style.backgroundColor = "#007bff"; + else + h5.style.backgroundColor = "#555555"; + h5.style.padding = "2px"; + h5.style.color = "white"; + h5.style.borderRadius = "4px"; + h5.setAttribute("data-tabs", type); + h5.addEventListener("click", function() { + const btn = this; + const current = btn.getAttribute("data-tabs"); + btn.parentElement.querySelectorAll("[data-tabs]").forEach(function(el) { + el.style.backgroundColor = "#555555"; + }); + btn.style.backgroundColor = "#007bff"; + btn.parentElement.querySelectorAll("[data-tab]").forEach(function(el) { + if(el.getAttribute("data-tab") == current) + el.style.display = "block"; + else + el.style.display = "none"; + }); + }); + return h5; +} +function clear() { + if(SSVC.form.querySelectorAll("input:checked").length) { + SSVC.form.innerHTML = ""; + createSSVC(this.getAttribute("data-csv")); + } +} +function toNumberTable(table, headers) { + const encoders = {}; + const numberTable = 
table.map(function(row) { + return headers.reduce(function(r,head) { + const col = row[head]; + if(head in encoders) { + if (!(col in encoders[head])) { + const max = Math.max.apply(this,Object.values(encoders[head])); + encoders[head][col] = max + 1; + } + } else { + encoders[head] = {}; + encoders[head][col] = 0; + } + r.push(encoders[head][row[head]]); + return r; + }, []); + }); + return numberTable; +} +function get_decision_point(name, version) { + if(!version) + version = "1.0.0"; + /* version 1.0.0 name mapping in CSV files */ + const nameMap = {"Exposure": "System Exposure", + "Public_Safety_Impact": "Public Safety Impact", + "Public-Safety Impact": "Public Safety Impact"}; + const versionMap = {"Automatable": "2.0.0", "Exposure": "1.0.1"}; + for(let i = 0; i < SSVC.decision_points.length; i++) { + if(name in versionMap) + version = versionMap[name] + if(name in nameMap) + name = nameMap[name]; + if(SSVC.decision_points[i].data.name == name && + SSVC.decision_points[i].data.version == version) { + return SSVC.decision_points[i].data; + } + } + return {}; +} + +function createSSVC(csv) { + const exporter = { "ssvcV1_0_1": { + "id": "CVE-1999-1234", + "selections": [], + "timestamp": (new Date()).toISOString(), + "schemaVersion": "1-0-1" + }}; + const ssvcTable = []; + let outcomeTitle; + const lines = csv.split('\n'); + const headers = lines.shift().split(','); + if(headers[0] == "row") { + /* CSV with row numbering setup so remove the first element*/ + headers.shift(); + } + const form = SSVC.form; + const main = document.createElement("main"); + function destroytip() { + let div = SSVC.form.querySelector("[data-temp]"); + if(div) + div.remove(); + } + function tooltip(event, info) { + let div = SSVC.form.querySelector("[data-temp]"); + if(!div) { + div = document.createElement("div"); + div.setAttribute("data-temp",1); + } + div.innerText = info; + const style = { + "display": "block", + "backgroundColor": "#333", + "opacity": "0.9", + "maxWidth": 
"300px", + "color": "white", + "borderRadius": "8px", + "position": "absolute", + "left": String(event.pageX + 10) + "px", + "top": String(event.pageY + 10) + "px", + "padding": "4px", + "border": "2px solid aqua" + }; + Object.assign(div.style,style); + SSVC.form.appendChild(div); + } + function helptip(event) { + let dp = {}; + if(event.target.hasAttribute("data-dp")) { + /* A Decision Point help tip */ + dp = get_decision_point(event.target.getAttribute("data-dp")); + if(dp.description) + return tooltip(event, dp.description); + } + /* A Decision Point value helptip */ + const dpInput = event.target.querySelector("input"); + if(dpInput) { + if(dpInput.parentElement.parentElement.getAttribute("data-help")) { + dp = JSON.parse(dpInput.parentElement.parentElement.getAttribute("data-help")); + } else { + dp = get_decision_point(dpInput.name); + if(dp.description) + dpInput.parentElement.parentElement.setAttribute("data-help",JSON.stringify(dp)); + } + } + if(dp.values) { + for(let i=0; i row.slice(0,-1)); + const results = numberTable.map(row => row.pop()); + try { + const featureImportance = computeFeatureImportance(features,results,features[0].length + 1); + const pfdiv = document.createElement("div"); + pfdiv.style.display = "table-row"; + for(let i=0; i < features[0].length; i++) { + const fdiv = document.createElement("div"); + fdiv.innerText = featureImportance[i].toFixed(4); + fdiv.style.display = "table-cell"; + fdiv.style.border = "1px solid cyan"; + pfdiv.appendChild(fdiv); + } + const fdiv = document.createElement("div"); + fdiv.innerText = "<= Feature Importance"; + pfdiv.appendChild(fdiv); + allrows.prepend(pfdiv); + } catch (error) { + console.error(error, features); + } + allrows.prepend(rowDiv); + allrows.style.display = "table"; + allrows.setAttribute("data-tab","table"); + form.appendChild(main); + form.appendChild(h5button("SSVC Table", "current", "table")); + form.appendChild (document.createTextNode (" ")); + form.appendChild(h5button("JSON", 
null, "JSON")); + const btn = document.createElement("button"); + btn.style.backgroundColor = "#dc3545"; + btn.style.color = "white"; + btn.innerText = " CLEAR "; + btn.type = "button"; + btn.setAttribute("data-csv",csv); + btn.addEventListener("click",clear); + form.appendChild (document.createTextNode (" ")); + form.appendChild(btn); + form.appendChild(allrows); + const code = document.createElement("code"); + code.setAttribute("data-tab","JSON"); + code.innerHTML = JSON.stringify(exporter, null, 4); + code.style.whiteSpace = "pre"; + form.appendChild(code); + code.style.display = "none"; + code.style.border = "1px solid gray"; + code.style.width = "fit-content" + code.style.backgroundColor = "#eee"; + code.style.padding = "6px"; + function update_stats() { + SSVC.outcomes = {}; + SSVC.form.querySelectorAll("[data-outcome]").forEach(function(el) { + const outcome = el.innerText; + if(outcome in SSVC.outcomes ) { + if(el.checkVisibility()) + SSVC.outcomes[outcome] += 1; + + } else { + if(el.checkVisibility()) + SSVC.outcomes[outcome] = 1; + else + SSVC.outcomes[outcome] = 0; + } + }); + let outcomeMax = Math.max.apply(this, Object.values(SSVC.outcomes)); + Object.keys(SSVC.outcomes).forEach( function(outcome) { + outcome = outcome.replaceAll('"','\\"'); + let rlabel = SSVC.form.querySelector('[data-result="'+outcome+'"] > label > span'); + rlabel.innerText = " (" + String(SSVC.outcomes[outcome]) + ")"; + let dbar = document.createElement("span"); + dbar.innerHTML = " "; + dbar.style.marginLeft = "6px"; + dbar.style.display = "inline-block"; + dbar.style.width = String(parseInt(70 * SSVC.outcomes[outcome]/outcomeMax)) + "px"; + dbar.style.backgroundColor = "#5480de"; + /* dbar.style.position = "fixed"; */ + rlabel.appendChild(dbar); + + }); + } + function filterData() { + exporter.ssvcV1_0_1.selections = []; + main.querySelectorAll("[data-result]").forEach(function(result) { + result.style.fontWeight = "normal"; + result.style.opacity = "0.6"; + }); + const 
selections = {}; + if(main.querySelectorAll("input:checked").length == 0) { + SSVC.form.querySelectorAll('[data-row]').forEach(function(row) { + row.style.display="none"; + }); + return update_stats(); + } + main.querySelectorAll("input:checked").forEach(function(input) { + if(input.name in selections) + selections[input.name].push(input.value); + else + selections[input.name] = [input.value]; + }); + let rows = ssvcTable; + Object.keys(selections).forEach(function(decision_point) { + exporter.ssvcV1_0_1.selections.push({"namespace": "ssvc", "version": "1.0.0", + "values": selections[decision_point], + "name": decision_point}); + let chosen = selections[decision_point]; + rows = rows.filter(function(row) { + if(chosen.includes(row[decision_point])){ + if(outcomeTitle in row) { + return row; + } + } + }); + }); + form.querySelectorAll("[data-row]").forEach(function(trow) { + trow.style.display = "none"; + }); + rows.forEach(function(row) { + form.querySelectorAll("[data-row]").forEach(function(trow) { + let crow = JSON.parse(trow.getAttribute("data-row")); + if(compareObj(crow,row)) + trow.style.display = "table-row"; + }); + const rowTitle = row[outcomeTitle].replaceAll('"','\\"'); + main.querySelectorAll('[data-result="'+rowTitle+'"]').forEach(function(result) { + result.style.fontWeight = "bolder"; + result.style.opacity = "1.0"; + }); + }); + const h5 = form.querySelector("h5"); + let text = String(rows.length) + " of " + String(ssvcTable.length) + h5.innerText = "-- SSVC Table (selected " + text + ") -- "; + exporter.ssvcV1_0_1.timestamp = (new Date()).toISOString(); + code.innerHTML = JSON.stringify(exporter, null, 4); + update_stats(); + } + + main.addEventListener('change', filterData); + update_stats(); +} +function loadSSVC(fileurl) { + SSVC.form.innerHTML = ""; + fetch(fileurl).then(function(d) { + d.text().then(function(csv) { + createSSVC(csv); + }); + }); +} +function get_decision_points() { + fetch("decision_points/").then(function(d) { + 
d.text().then(function(html) { + + new Set(html.match(/[^">]+\.json/g)).forEach(async function(filename) { + const response = await fetch("decision_points/" + filename); + const data = await response.json() + SSVC.decision_points.push({"filename": filename, "data": data}); + }); + }); + }) +} + +function closePopup() { + const popUp = SSVC.form.parentElement.parentElement.querySelector("[id='popup']"); + popUp.style.display = "none"; + popUp.previousElementSibling.style.opacity = "1.0"; + popUp.previousElementSibling.style.pointerEvents = "all"; +} +function deepSet(form, obj, path) { + if(!path) + path = ""; + for (const key in obj) { + if (typeof obj[key] === "object") { + deepSet(form, obj[key], path ? path + "-" + key : key); + } else { + const fullpath = path ? path + "-" + key : key; + const input = form.elements.namedItem("dp-" + fullpath); + if(input) { + input.value = obj[key]; + input.defaultValue = obj[key]; + if(input.onchange) + input.onchange(input); + } else { + console.log("Unassigned value ", key, fullpath, obj[key]); + } + } + } +} +function match_dp(dp,selectdp) { + const qs = ["name", "namespace", "version"]; + for(let i=0; i < qs.length; i++) { + if(dp.data.hasOwnProperty(qs[i]) && + selectdp.hasOwnProperty(qs[i]) && + (dp.data[qs[i]] == selectdp[qs[i]])) { + continue; + } else { + return false; + } + } + return true; +} +function prepare_form(dpForm, dpSelect, selectdp) { + dpSelect.addEventListener("change",function(ev) { + const el = ev.target; + const dp = JSON.parse(el.value); + Object.keys(dp).forEach(function(key) { + dpForm.querySelectorAll("[data-temp]").forEach(function(div) { + div.remove(); + }); + const drows = dp.values.length * 2; + const crows = dpForm.querySelectorAll("[data-clone]").length; + const diff = (drows - crows)/2; + for(let i=0; i < diff; i++) + dpForm.querySelector("button").click(); + deepSet(dpForm, dp); + }); + }); + SSVC.decision_points.forEach(function(dp) { + const info = dp.data.namespace + "/" + dp.data.name 
+ " (" + + dp.data.version + ")"; + const opt = new Option(info, JSON.stringify(dp.data)); + if(selectdp.name && match_dp(dp,selectdp)) { + opt.selected = true; + selectdp['dp'] = true; + } + dpSelect.appendChild(opt); + }); + if(selectdp.dp) { + dpSelect.dispatchEvent(new Event("change")); + } +} + +function popupEdit(w) { + const popUp = SSVC.form.parentElement.parentElement.querySelector("[id='popup']"); + popUp.previousElementSibling.style.opacity = "0.3"; + popUp.previousElementSibling.style.pointerEvents = "none"; + popup.style.display = "block"; + const dpForm = popUp.querySelector("form"); + const dpSelect = dpForm.querySelector("select"); + const options = dpSelect.querySelectorAll("option"); + dpForm.setAttribute("data-dpIndex",w.parentElement.getAttribute("data-dpIndex")); + dpForm.setAttribute("data-dp",w.parentElement.getAttribute("data-dp")); + const selectdp = get_decision_point(w.parentElement.getAttribute("data-dp")) + if(selectdp.name) { + dpSelect.setAttribute("data-selectdp", JSON.stringify(selectdp)); + if(options.length < 2) { + /*First time popup is running */ + prepare_form(dpForm, dpSelect, selectdp); + } else if(selectdp.name) { + const i = SSVC.decision_points.findIndex(function(dp) { + return match_dp(dp,selectdp); + }); + if (i > -1) { + dpSelect.options.selectedIndex = i + 1; + dpSelect.dispatchEvent(new Event("change")); + } + } + } else { + /* This decision point is unknown to us */ + dpSelect.removeAttribute("data-selectdp"); + } + +} +function toggleAll(doselect) { + const main = SSVC.form.querySelector('main'); + if (arguments.length < 1) { + const selected = main.querySelectorAll('input[type="checkbox"]:not(:checked)').length; + if (selected) + doselect = true; + else + doselect = false; + } + main.querySelectorAll("input[type='checkbox']").forEach(function(el) { + el.checked = doselect; + }); + main.dispatchEvent(new Event('change')); +} +function customize(w) { + if(w.innerHTML == "Customize") { + toggleAll(true); + w.innerHTML 
= "Save Changes" + SSVC.form.querySelectorAll("[data-dp]").forEach(function(el) { + if(el.querySelector("span")) + return; + const span = document.createElement("span"); + span.innerHTML = "✎"; + span.style.color = "#007bff"; + span.addEventListener("click",function() { + popupEdit(this); + }); + el.appendChild(span); + + }); + SSVC.form.querySelectorAll("[data-outcome]").forEach(function(el) { + const inp = document.createElement("input"); + inp.value = el.innerText; + el.innerText = ""; + el.appendChild(inp); + }); + } + else { + w.innerHTML = "Customize" + SSVC.form.querySelectorAll("[data-dp]").forEach(function(el) { + el.querySelector("span").remove(); + }); + let clbutton = SSVC.form.querySelector("[data-csv]"); + let datacsv = clbutton.getAttribute("data-csv").split("\n").shift()+"\n"; + + document.querySelectorAll("[data-row]").forEach(function(div,i) { + datacsv += String(i+1) + ","; + div.childNodes.forEach(function(el) { + if(el.children.length) + datacsv += el.childNodes[0].value + "\n"; + else + datacsv += el.innerText + ","; + }); + }); + SSVC.form.innerHTML = ""; + createSSVC(datacsv); + clbutton.setAttribute("data-csv",datacsv); + const sample = document.getElementById("sampletrees"); + const custom = sample.options[sample.selectedIndex].innerText + " (Custom)"; + if(sample.querySelector("[selected]")) + sample.querySelector("[selected]").removeAttribute("selected"); + const opt = new Option(custom,datacsv, false, true); + sample.appendChild(opt); + toggleAll(true); + } +} +function splitData(X, y, featureIndex, threshold) { + const leftX = [], rightX = []; + const leftY = [], rightY = []; + X.forEach((row, idx) => { + if (row[featureIndex] <= threshold) { + leftX.push(row); + leftY.push(y[idx]); + } else { + rightX.push(row); + rightY.push(y[idx]); + } + }); + return { leftX, rightX, leftY, rightY }; +} +function buildTree(X, y, maxDepth, depth , featureImportance) { + if (depth >= maxDepth || new Set(y).size === 1) { + return { value: y[0] }; + } 
+
+ const { feature, threshold, giniReduction } = bestSplit(X, y);
+ if (feature === null) return { value: y[0] };
+
+
+ const weightedGiniReduction = giniReduction * y.length;
+ featureImportance[feature] = (featureImportance[feature] || 0) + weightedGiniReduction;
+
+ const { leftX, rightX, leftY, rightY } = splitData(X, y, feature, threshold);
+ return {
+ feature,
+ threshold,
+ left: buildTree(leftX, leftY, maxDepth, depth + 1, featureImportance),
+ right: buildTree(rightX, rightY, maxDepth, depth + 1, featureImportance),
+ featureImportance
+ };
+}
+
+
+function giniImpurity(y) {
+ const counts = {};
+ y.forEach(value => counts[value] = (counts[value] || 0) + 1);
+ let impurity = 1;
+ for (const count of Object.values(counts)) {
+ const prob = count / y.length;
+ impurity -= prob * prob;
+ }
+ return impurity;
+}
+
+
+function splitData(X, y, featureIndex, threshold) {
+ const leftX = [], rightX = [];
+ const leftY = [], rightY = [];
+ X.forEach((row, idx) => {
+ if (row[featureIndex] <= threshold) {
+ leftX.push(row);
+ leftY.push(y[idx]);
+ } else {
+ rightX.push(row);
+ rightY.push(y[idx]);
+ }
+ });
+ return { leftX, rightX, leftY, rightY };
+}
+
+function bestSplit(X, y) {
+ const numFeatures = X[0].length;
+ let bestFeature = null;
+ let bestThreshold = null;
+ let bestGiniReduction = 0;
+
+ for (let featureIndex = 0; featureIndex < numFeatures; featureIndex++) {
+ const values = [...new Set(X.map(row => row[featureIndex]))];
+
+ for (const threshold of values) {
+ const { leftY, rightY } = splitData(X, y, featureIndex, threshold);
+ const giniParent = giniImpurity(y);
+ const giniLeft = giniImpurity(leftY);
+ const giniRight = giniImpurity(rightY);
+
+ const weightedGini = (leftY.length / y.length) * giniLeft + (rightY.length / y.length) * giniRight;
+ const giniReduction = giniParent - weightedGini;
+
+ if (giniReduction > bestGiniReduction) {
+ bestGiniReduction = giniReduction;
+ bestFeature = featureIndex;
+ bestThreshold = threshold;
+ }
+ }
+ }
+
+ return { feature: bestFeature, threshold: bestThreshold, giniReduction: bestGiniReduction };
+}
+
+function computeFeatureImportance(X, y, maxDepth) {
+ const tree = buildTree(X, y, maxDepth, 0, {});
+ const featureImportance = tree.featureImportance;
+
+ const totalImportance = Object.values(featureImportance).reduce((a, b) => a + b, 0);
+ for (const feature in featureImportance) {
+ featureImportance[feature] /= totalImportance;
+ }
+
+ return featureImportance;
+}
+class DecisionTreeClassifier {
+ constructor(maxDepth ) {
+ this.maxDepth = maxDepth;
+ this.tree = null;
+ }
+
+ train(X, y) {
+ this.tree = buildTree(X, y, 0, this.maxDepth, {});
+ }
+
+ predict(X) {
+ return X.map(row => this.traverseTree(this.tree, row));
+ }
+
+ traverseTree(node, row) {
+ if (node.type === 'leaf') return node.class;
+ if (row[node.feature] <= node.threshold) return this.traverseTree(node.left, row);
+ return this.traverseTree(node.right, row);
+ }
+}
+
+document.addEventListener('DOMContentLoaded', function () {
+ SSVC.form = document.getElementById('ssvcForm');
+ const sampletrees = document.getElementById("sampletrees");
+ SSVC.decision_trees.forEach(function(decision_tree) {
+ sampletrees.appendChild(new Option(decision_tree.displayname, decision_tree.filename, decision_tree.default, decision_tree.default));
+ if(decision_tree.default)
+ loadSSVC(decision_tree.filename);
+ });
+ get_decision_points();
+});
+
+
+function dpValueClone(el) {
+ const pDiv = el.parentElement.parentElement;
+ pDiv.querySelectorAll("span").forEach(function(x) { x.remove(); });
+ const count = pDiv.querySelectorAll("[data-clone]").length/2 - 1;
+ const delspan = document.createElement("span");
+ delspan.innerHTML = "⊖";
+ delspan.addEventListener("click", function(ev) {
+ const el = this;
+ el.parentElement.parentElement.nextSibling.remove();
+ el.parentElement.parentElement.remove();
+ });
+ delspan.style.color = "red";
+ [el.parentElement.nextElementSibling,
+ el.parentElement.nextElementSibling.nextElementSibling].forEach(function(row,i) {
+ const nrow = row.cloneNode(true);
+ const nel = nrow.querySelector("input,textarea");
+ nel.value = "";
+ if(nel.onchange)
+ nel.onchange(nel);
+ nel.name = nel.name.replace(/(\d+)([^\d]*)$/, function(_,n,g) {
+ return String(count + 1)+g
+ });
+ nrow.setAttribute("data-temp","1");
+ if (i == 0)
+ nrow.children[0].prepend(delspan);
+ pDiv.appendChild(nrow);
+ });
+}
+
+function textAreaAutoSize(element) {
+ element.style.height = "1px";
+ element.style.height = String(4 + element.scrollHeight) + "px";
+}
+function set_deep(obj,prop,val) {
+ /* For the Object obj set the property of a prop to val
+ recursively. example set_deep({a:{b:{c:{"good"}}}},"a-b-c","bad")
+ will return {a:{b:{c:{"bad"}}}} */
+ if(typeof(obj) != "object")
+ return undefined;
+ let fobj = JSON.parse(JSON.stringify(obj));
+ var x = fobj;
+ let props = prop.split("-");
+ let fprop = props.pop();
+ for(var i=0; i