Prioritizing Patch Creation
Here we describe an example decision model for a Supplier deciding the priority of creating a patch for a vulnerability in their software.
Supplier Patch Creation Priority
As noted in Enumerating Decisions, the root of a decision model's identity is the combination of the stakeholder and the decision being modeled. In this case, the stakeholder is the Supplier and the decision is the priority of creating a patch.
Supplier Units of Work
On the input side of the Supplier process, Suppliers typically receive reports of vulnerabilities in one or more versions of their product. Part of the Supplier's task on initial report intake is to resolve the initial report into a set of products and versions that are affected by the reported vulnerability.
Supplier Unit of Work
For the purposes of SSVC, we consider the unit of work for a Supplier to be the combination of the vulnerability with each affected product.
Our working assumption is that for SSVC purposes, the supplier's unit of work is the combination of the vulnerability with each affected product. This implies the need for Suppliers to be able to resolve whatever they receive to that level of granularity in order to make best use of SSVC.
Products will often need to be addressed individually because they may have diverse development processes or usage scenarios. There are a variety of ways a Supplier might need to resolve the set of affected products. For example, they might
- recognize, on further investigation of the initial report, that additional versions of the product are affected
- discover that other products are affected due to code sharing or programmer error consistent across products
- receive reports of vulnerabilities in third party libraries they utilize in one or more of their products
- receive fix bundles for third party libraries used in one or more of their products (where a fix bundle might resolve multiple vulnerabilities or add new features)
Independently Fixable Vulnerabilities
Without belaboring the point, these methods are similar to how CVE Numbering Authorities discern “independently fixable vulnerabilities”.
We also note that Software Bill of Materials (SBOM) seems well-placed to aid in that resolution process for the third-party library scenarios.
In the end, Suppliers provide remediations and/or mitigations for affected products. A supplier-provided remediation is usually a software update which contains fixes for multiple vulnerabilities and, often, new or improved features. Supplier output is relevant because it will become input to Deployers. SSVC focuses only on the remediation in this case; a set of remediations for multiple vulnerabilities is a fix bundle. Suppliers may also produce mitigations, such as recommended configuration changes, to limit the impact of a vulnerability.
Supplier Decision Outcomes
At a basic level, the decision at a software development organization is whether to issue a work order and what resources to expend to remediate a vulnerability in the organization’s software. Prioritization is required because, at least in the current history of software engineering, the effort to patch all known vulnerabilities will exceed available resources. The organization considers several other factors to build the patch; refactoring a large portion of the code base may be necessary for some patches, while others require relatively small changes. We focus only on the priority of building the patch, and we consider four categories of priority, as outlined in the table below.
Defer, Scheduled, Out-of-Cycle, Immediate (ssvc:DSOI:1.0.0)
The original SSVC outcome group.
Value | Definition |
---|---|
Defer (D) | Defer |
Scheduled (S) | Scheduled |
Out-of-Cycle (O) | Out-of-Cycle |
Immediate (I) | Immediate |
Defer, Scheduled, Out-of-Cycle, Immediate (ssvc:DSOI:1.0.0) JSON Example
{
"namespace": "ssvc",
"key": "DSOI",
"version": "1.0.0",
"name": "Defer, Scheduled, Out-of-Cycle, Immediate",
"description": "The original SSVC outcome group.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "D",
"name": "Defer",
"description": "Defer"
},
{
"key": "S",
"name": "Scheduled",
"description": "Scheduled"
},
{
"key": "O",
"name": "Out-of-Cycle",
"description": "Out-of-Cycle"
},
{
"key": "I",
"name": "Immediate",
"description": "Immediate"
}
]
}
A more specific interpretation for the priority levels for suppliers is as follows:
Supplier Priority | Description |
---|---|
Defer | Do not work on the patch at present. |
Scheduled | Develop a fix within regularly scheduled maintenance using supplier resources as normal. |
Out-of-Cycle | Develop mitigation or remediation out-of-cycle, taking resources away from other projects and releasing the fix as a security patch when it is ready. |
Immediate | Develop and release a fix as quickly as possible, drawing on all available resources, potentially including drawing on or coordinating resources from other parts of the organization. |
Supplier Decision Points
The decision to create a patch is based on the following decision points:
- Exploitation - A vulnerability with known exploitation is more likely to be given a higher priority.
- Utility - The more useful a vulnerability is to an attacker, the more likely it is to be given a higher priority.
- Technical Impact - The more severe the technical impact of a vulnerability, the more likely it is to be given a higher priority.
- Public Safety Impact - The more severe the public safety impact of a vulnerability, the more likely it is to be given a higher priority.
More detail about each of these decision points is provided at the links above; here we provide a brief summary of each.
Exploitation (ssvc:E:1.1.0)
The present state of exploitation of the vulnerability.
Value | Definition |
---|---|
None (N) | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. |
Public PoC (P) | One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation. |
Active (A) | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. |
Exploitation (ssvc:E:1.1.0) JSON Example
{
"namespace": "ssvc",
"key": "E",
"version": "1.1.0",
"name": "Exploitation",
"description": "The present state of exploitation of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "N",
"name": "None",
"description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
},
{
"key": "P",
"name": "Public PoC",
"description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
},
{
"key": "A",
"name": "Active",
"description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
}
]
}
Utility (ssvc:U:1.0.1)
The Usefulness of the Exploit to the Adversary
Value | Definition |
---|---|
Laborious (L) | Automatable:No AND Value Density:Diffuse |
Efficient (E) | (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated) |
Super Effective (S) | Automatable:Yes AND Value Density:Concentrated |
Utility (ssvc:U:1.0.1) JSON Example
{
"namespace": "ssvc",
"key": "U",
"version": "1.0.1",
"name": "Utility",
"description": "The Usefulness of the Exploit to the Adversary",
"schemaVersion": "2.0.0",
"values": [
{
"key": "L",
"name": "Laborious",
"description": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
"description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
"description": "Automatable:Yes AND Value Density:Concentrated"
}
]
}
Technical Impact (ssvc:TI:1.0.0)
The technical impact of the vulnerability.
Value | Definition |
---|---|
Partial (P) | The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. |
Total (T) | The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. |
Technical Impact (ssvc:TI:1.0.0) JSON Example
{
"namespace": "ssvc",
"key": "TI",
"version": "1.0.0",
"name": "Technical Impact",
"description": "The technical impact of the vulnerability.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "P",
"name": "Partial",
"description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
},
{
"key": "T",
"name": "Total",
"description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
}
]
}
Public Safety Impact (ssvc:PSI:2.0.1)
A coarse-grained representation of impact to public safety.
Value | Definition |
---|---|
Minimal (M) | Safety Impact:Negligible |
Significant (S) | Safety Impact:(Marginal OR Critical OR Catastrophic) |
Public Safety Impact (ssvc:PSI:2.0.1) JSON Example
{
"namespace": "ssvc",
"key": "PSI",
"version": "2.0.1",
"name": "Public Safety Impact",
"description": "A coarse-grained representation of impact to public safety.",
"schemaVersion": "2.0.0",
"values": [
{
"key": "M",
"name": "Minimal",
"description": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
"description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
}
Public Safety Impact is a notational convenience
The Public Safety Impact decision point is a simplification of the more detailed Safety Impact decision point.
Supplier Decision Model
The example supplier decision model below shows a prioritization policy for the supplier. We display the decision model as a decision tree, which provides a compact representation of the policy, showing the relative priority of different situations.
---
title: Supplier Patch Development Priority Decision Table (ssvc:DT_SP:1.0.0)
---
graph LR
n1(( ))
subgraph s1["ssvc:E:1.1.0"]
N_L0([N])
P_L0([P])
A_L0([A])
end
subgraph s2["ssvc:U:1.0.1"]
N_L_L1([L])
N_E_L1([E])
N_S_L1([S])
P_L_L1([L])
P_E_L1([E])
P_S_L1([S])
A_L_L1([L])
A_E_L1([E])
A_S_L1([S])
end
subgraph s3["ssvc:TI:1.0.0"]
N_L_P_L2([P])
N_L_T_L2([T])
N_E_P_L2([P])
N_E_T_L2([T])
N_S_P_L2([P])
N_S_T_L2([T])
P_L_P_L2([P])
P_L_T_L2([T])
P_E_P_L2([P])
P_E_T_L2([T])
P_S_P_L2([P])
P_S_T_L2([T])
A_L_P_L2([P])
A_L_T_L2([T])
A_E_P_L2([P])
A_E_T_L2([T])
A_S_P_L2([P])
A_S_T_L2([T])
end
subgraph s4["ssvc:PSI:2.0.1"]
N_L_P_M_L3([M])
N_L_P_S_L3([S])
N_L_T_M_L3([M])
N_L_T_S_L3([S])
N_E_P_M_L3([M])
N_E_P_S_L3([S])
N_E_T_M_L3([M])
N_E_T_S_L3([S])
N_S_P_M_L3([M])
N_S_P_S_L3([S])
N_S_T_M_L3([M])
N_S_T_S_L3([S])
P_L_P_M_L3([M])
P_L_P_S_L3([S])
P_L_T_M_L3([M])
P_L_T_S_L3([S])
P_E_P_M_L3([M])
P_E_P_S_L3([S])
P_E_T_M_L3([M])
P_E_T_S_L3([S])
P_S_P_M_L3([M])
P_S_P_S_L3([S])
P_S_T_M_L3([M])
P_S_T_S_L3([S])
A_L_P_M_L3([M])
A_L_P_S_L3([S])
A_L_T_M_L3([M])
A_L_T_S_L3([S])
A_E_P_M_L3([M])
A_E_P_S_L3([S])
A_E_T_M_L3([M])
A_E_T_S_L3([S])
A_S_P_M_L3([M])
A_S_P_S_L3([S])
A_S_T_M_L3([M])
A_S_T_S_L3([S])
end
subgraph s5["ssvc:DSOI:1.0.0"]
N_L_P_M_D_L4([D])
N_L_P_S_S_L4([S])
N_L_T_M_S_L4([S])
N_L_T_S_O_L4([O])
N_E_P_M_S_L4([S])
N_E_P_S_O_L4([O])
N_E_T_M_S_L4([S])
N_E_T_S_O_L4([O])
N_S_P_M_S_L4([S])
N_S_P_S_O_L4([O])
N_S_T_M_O_L4([O])
N_S_T_S_O_L4([O])
P_L_P_M_S_L4([S])
P_L_P_S_O_L4([O])
P_L_T_M_S_L4([S])
P_L_T_S_I_L4([I])
P_E_P_M_S_L4([S])
P_E_P_S_I_L4([I])
P_E_T_M_O_L4([O])
P_E_T_S_I_L4([I])
P_S_P_M_O_L4([O])
P_S_P_S_I_L4([I])
P_S_T_M_O_L4([O])
P_S_T_S_I_L4([I])
A_L_P_M_O_L4([O])
A_L_P_S_I_L4([I])
A_L_T_M_O_L4([O])
A_L_T_S_I_L4([I])
A_E_P_M_O_L4([O])
A_E_P_S_I_L4([I])
A_E_T_M_O_L4([O])
A_E_T_S_I_L4([I])
A_S_P_M_I_L4([I])
A_S_P_S_I_L4([I])
A_S_T_M_I_L4([I])
A_S_T_S_I_L4([I])
end
n1 --- N_L0
n1 --- P_L0
n1 --- A_L0
N_L0 --- N_L_L1
N_L_L1 --- N_L_P_L2
N_L_P_L2 --- N_L_P_M_L3
N_L_P_M_L3 --- N_L_P_M_D_L4
N_L_P_L2 --- N_L_P_S_L3
N_L_P_S_L3 --- N_L_P_S_S_L4
N_L_L1 --- N_L_T_L2
N_L_T_L2 --- N_L_T_M_L3
N_L_T_M_L3 --- N_L_T_M_S_L4
N_L_T_L2 --- N_L_T_S_L3
N_L_T_S_L3 --- N_L_T_S_O_L4
N_L0 --- N_E_L1
N_E_L1 --- N_E_P_L2
N_E_P_L2 --- N_E_P_M_L3
N_E_P_M_L3 --- N_E_P_M_S_L4
N_E_P_L2 --- N_E_P_S_L3
N_E_P_S_L3 --- N_E_P_S_O_L4
N_E_L1 --- N_E_T_L2
N_E_T_L2 --- N_E_T_M_L3
N_E_T_M_L3 --- N_E_T_M_S_L4
N_E_T_L2 --- N_E_T_S_L3
N_E_T_S_L3 --- N_E_T_S_O_L4
N_L0 --- N_S_L1
N_S_L1 --- N_S_P_L2
N_S_P_L2 --- N_S_P_M_L3
N_S_P_M_L3 --- N_S_P_M_S_L4
N_S_P_L2 --- N_S_P_S_L3
N_S_P_S_L3 --- N_S_P_S_O_L4
N_S_L1 --- N_S_T_L2
N_S_T_L2 --- N_S_T_M_L3
N_S_T_M_L3 --- N_S_T_M_O_L4
N_S_T_L2 --- N_S_T_S_L3
N_S_T_S_L3 --- N_S_T_S_O_L4
P_L0 --- P_L_L1
P_L_L1 --- P_L_P_L2
P_L_P_L2 --- P_L_P_M_L3
P_L_P_M_L3 --- P_L_P_M_S_L4
P_L_P_L2 --- P_L_P_S_L3
P_L_P_S_L3 --- P_L_P_S_O_L4
P_L_L1 --- P_L_T_L2
P_L_T_L2 --- P_L_T_M_L3
P_L_T_M_L3 --- P_L_T_M_S_L4
P_L_T_L2 --- P_L_T_S_L3
P_L_T_S_L3 --- P_L_T_S_I_L4
P_L0 --- P_E_L1
P_E_L1 --- P_E_P_L2
P_E_P_L2 --- P_E_P_M_L3
P_E_P_M_L3 --- P_E_P_M_S_L4
P_E_P_L2 --- P_E_P_S_L3
P_E_P_S_L3 --- P_E_P_S_I_L4
P_E_L1 --- P_E_T_L2
P_E_T_L2 --- P_E_T_M_L3
P_E_T_M_L3 --- P_E_T_M_O_L4
P_E_T_L2 --- P_E_T_S_L3
P_E_T_S_L3 --- P_E_T_S_I_L4
P_L0 --- P_S_L1
P_S_L1 --- P_S_P_L2
P_S_P_L2 --- P_S_P_M_L3
P_S_P_M_L3 --- P_S_P_M_O_L4
P_S_P_L2 --- P_S_P_S_L3
P_S_P_S_L3 --- P_S_P_S_I_L4
P_S_L1 --- P_S_T_L2
P_S_T_L2 --- P_S_T_M_L3
P_S_T_M_L3 --- P_S_T_M_O_L4
P_S_T_L2 --- P_S_T_S_L3
P_S_T_S_L3 --- P_S_T_S_I_L4
A_L0 --- A_L_L1
A_L_L1 --- A_L_P_L2
A_L_P_L2 --- A_L_P_M_L3
A_L_P_M_L3 --- A_L_P_M_O_L4
A_L_P_L2 --- A_L_P_S_L3
A_L_P_S_L3 --- A_L_P_S_I_L4
A_L_L1 --- A_L_T_L2
A_L_T_L2 --- A_L_T_M_L3
A_L_T_M_L3 --- A_L_T_M_O_L4
A_L_T_L2 --- A_L_T_S_L3
A_L_T_S_L3 --- A_L_T_S_I_L4
A_L0 --- A_E_L1
A_E_L1 --- A_E_P_L2
A_E_P_L2 --- A_E_P_M_L3
A_E_P_M_L3 --- A_E_P_M_O_L4
A_E_P_L2 --- A_E_P_S_L3
A_E_P_S_L3 --- A_E_P_S_I_L4
A_E_L1 --- A_E_T_L2
A_E_T_L2 --- A_E_T_M_L3
A_E_T_M_L3 --- A_E_T_M_O_L4
A_E_T_L2 --- A_E_T_S_L3
A_E_T_S_L3 --- A_E_T_S_I_L4
A_L0 --- A_S_L1
A_S_L1 --- A_S_P_L2
A_S_P_L2 --- A_S_P_M_L3
A_S_P_M_L3 --- A_S_P_M_I_L4
A_S_P_L2 --- A_S_P_S_L3
A_S_P_S_L3 --- A_S_P_S_I_L4
A_S_L1 --- A_S_T_L2
A_S_T_L2 --- A_S_T_M_L3
A_S_T_M_L3 --- A_S_T_M_I_L4
A_S_T_L2 --- A_S_T_S_L3
A_S_T_S_L3 --- A_S_T_S_I_L4
Table of Values
The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.
Row | Exploitation v1.1.0 | Utility v1.0.1 | Technical Impact v1.0.0 | Public Safety Impact v2.0.1 | Defer, Scheduled, Out-of-Cycle, Immediate v1.0.0 |
---|---|---|---|---|---|
0 | none | laborious | partial | minimal | defer |
1 | none | laborious | partial | significant | scheduled |
2 | none | laborious | total | minimal | scheduled |
3 | none | laborious | total | significant | out-of-cycle |
4 | none | efficient | partial | minimal | scheduled |
5 | none | efficient | partial | significant | out-of-cycle |
6 | none | efficient | total | minimal | scheduled |
7 | none | efficient | total | significant | out-of-cycle |
8 | none | super effective | partial | minimal | scheduled |
9 | none | super effective | partial | significant | out-of-cycle |
10 | none | super effective | total | minimal | out-of-cycle |
11 | none | super effective | total | significant | out-of-cycle |
12 | public poc | laborious | partial | minimal | scheduled |
13 | public poc | laborious | partial | significant | out-of-cycle |
14 | public poc | laborious | total | minimal | scheduled |
15 | public poc | laborious | total | significant | immediate |
16 | public poc | efficient | partial | minimal | scheduled |
17 | public poc | efficient | partial | significant | immediate |
18 | public poc | efficient | total | minimal | out-of-cycle |
19 | public poc | efficient | total | significant | immediate |
20 | public poc | super effective | partial | minimal | out-of-cycle |
21 | public poc | super effective | partial | significant | immediate |
22 | public poc | super effective | total | minimal | out-of-cycle |
23 | public poc | super effective | total | significant | immediate |
24 | active | laborious | partial | minimal | out-of-cycle |
25 | active | laborious | partial | significant | immediate |
26 | active | laborious | total | minimal | out-of-cycle |
27 | active | laborious | total | significant | immediate |
28 | active | efficient | partial | minimal | out-of-cycle |
29 | active | efficient | partial | significant | immediate |
30 | active | efficient | total | minimal | out-of-cycle |
31 | active | efficient | total | significant | immediate |
32 | active | super effective | partial | minimal | immediate |
33 | active | super effective | partial | significant | immediate |
34 | active | super effective | total | minimal | immediate |
35 | active | super effective | total | significant | immediate |
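To make the policy above machine-checkable, here is an added Python encoding of the 36-row table (example code written for this page, not the SSVC project's own tooling). It also derives Utility and Public Safety Impact from their component decision points exactly as the tables define them, and checks that raising any single decision point by one step never lowers the outcome; the function names and the lower-case value spellings are assumptions of this example, while the decision point keys are those on the page.

```python
"""Encoding of the supplier patch priority policy (ssvc:DT_SP:1.0.0) from the table above."""
from itertools import product

# Value keys per decision point, ordered lowest to highest as in the tables above.
EXPLOITATION = "NPA"   # None, Public PoC, Active                    (ssvc:E:1.1.0)
UTILITY = "LES"        # Laborious, Efficient, Super Effective       (ssvc:U:1.0.1)
TECH_IMPACT = "PT"     # Partial, Total                              (ssvc:TI:1.0.0)
PUBLIC_SAFETY = "MS"   # Minimal, Significant                        (ssvc:PSI:2.0.1)
OUTCOME = "DSOI"       # Defer, Scheduled, Out-of-Cycle, Immediate   (ssvc:DSOI:1.0.0)

# Outcome for rows 0..35 in table order. product() varies PSI fastest, then TI, U, E,
# which is exactly the row order of the table above.
_ROW_OUTCOMES = ("DSSO" "SOSO" "SOOO"    # rows 0-11:  Exploitation = none
                 "SOSI" "SIOI" "OIOI"    # rows 12-23: Exploitation = public poc
                 "OIOI" "OIOI" "IIII")   # rows 24-35: Exploitation = active
POLICY = dict(zip(product(EXPLOITATION, UTILITY, TECH_IMPACT, PUBLIC_SAFETY), _ROW_OUTCOMES))

def utility(automatable: bool, value_density: str) -> str:
    """Utility key from its component decision points, per the Utility table above."""
    concentrated = {"diffuse": False, "concentrated": True}[value_density]
    return UTILITY[int(automatable) + int(concentrated)]   # L: neither, E: one, S: both

def public_safety_impact(safety_impact: str) -> str:
    """Public Safety Impact key from a Safety Impact value, per the PSI table above."""
    if safety_impact == "negligible":
        return "M"
    if safety_impact in ("marginal", "critical", "catastrophic"):
        return "S"
    raise ValueError(f"unknown Safety Impact value: {safety_impact}")

def supplier_priority(exploitation: str, utility_key: str,
                      technical_impact: str, public_safety: str) -> str:
    """Outcome key for one unit of work (one vulnerability in one affected product)."""
    key = (exploitation, utility_key, technical_impact, public_safety)
    if key not in POLICY:
        raise ValueError(f"not a valid decision point combination: {key}")
    return POLICY[key]

def monotonicity_violations() -> list:
    """Pairs (lower, higher) where raising exactly one decision point by one step lowers
    the outcome; an empty list means no worse situation ever gets a lower priority."""
    axes = (EXPLOITATION, UTILITY, TECH_IMPACT, PUBLIC_SAFETY)
    bad = []
    for key, out in POLICY.items():
        for i, axis in enumerate(axes):
            pos = axis.index(key[i])
            if pos + 1 < len(axis):
                higher = key[:i] + (axis[pos + 1],) + key[i + 1:]
                if OUTCOME.index(POLICY[higher]) < OUTCOME.index(out):
                    bad.append((key, higher))
    return bad

if __name__ == "__main__":   # constructed scenario matching table row 34
    print(supplier_priority("A", utility(True, "concentrated"), "T", public_safety_impact("negligible")))  # I
```

The monotonicity check is the sanity test to rerun whenever a supplier customizes the outcome column for its own policy.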