Skip to content

Prioritizing Patch Creation

Here we describe an example decision model for a Supplier deciding the priority of creating a patch for a vulnerability in their software.

Supplier Patch Creation Priority

As noted in Enumerating Decisions, the root of a decision model's identity is the combination of the stakeholder and the decision being modeled. In this case, the stakeholder is the Supplier and the decision is the priority of creating a patch.

Supplier Units of Work

On the input side of the Supplier process, Suppliers typically receive reports of vulnerabilities in one or more versions of their product. Part of the Supplier's task on initial report intake is to resolve the initial report into a set of products and versions that are affected by the reported vulnerability.

Supplier Unit of Work

For the purposes of SSVC, we consider the unit of work for a Supplier to be combination of the vulnerability with each affected product.

Our working assumption is that for SSVC purposes, the supplier's unit of work is the combination of the vulnerability with each affected product. This implies the need for Suppliers to be able to resolve whatever they receive to that level of granularity in order to make best use of SSVC.

Products will often need to be addressed individually because they may have diverse development processes or usage scenarios. There are a variety of ways a Supplier might need to resolve the set of affected products. For example, they might

Independently Fixable Vulnerabilities

Without belaboring the point, these methods are similar to how CVE Numbering Authorities discern “independently fixable vulnerabilities”.

We also note that Software Bill of Materials (SBOM) seems well-placed to aid in that resolution process for the third-party library scenarios.

  • recognize, on further investigation of the initial report, that additional versions of the product are affected
  • discover that other products are affected due to code sharing or programmer error consistent across products
  • receive reports of vulnerabilities in third party libraries they utilize in one or more of their products
  • receive fix bundles for third party libraries used in one or more of their products (where a fix bundle might resolve multiple vulnerabilities or add new features)

In the end, Suppliers provide remediations and/or mitigations for affected products. A supplier-provided remediation is usually a software update which contains fixes for multiple vulnerabilities and, often, new or improved features. Supplier output is relevant because it will become input to Deployers. SSVC focuses only on the remediation in this case; a set of remediations for multiple vulnerabilities is a fix bundle. Suppliers may also produce mitigations, such as recommended configuration changes, to limit the impact of a vulnerability.

Supplier Decision Outcomes

At a basic level, the decision at a software development organization is whether to issue a work order and what resources to expend to remediate a vulnerability in the organization’s software. Prioritization is required because, at least in the current history of software engineering, the effort to patch all known vulnerabilities will exceed available resources. The organization considers several other factors to build the patch; refactoring a large portion of the code base may be necessary for some patches, while others require relatively small changes. We focus only on the priority of building the patch, and we consider four categories of priority, as outlined in the table below.

Defer, Scheduled, Out-of-Cycle, Immediate (ssvc:DSOI:1.0.0)

The original SSVC outcome group.

Value Definition
Defer (D) Defer
Scheduled (S) Scheduled
Out-of-Cycle (O) Out-of-Cycle
Immediate (I) Immediate
Defer, Scheduled, Out-of-Cycle, Immediate (ssvc:DSOI:1.0.0) JSON Example 
{
  "namespace": "ssvc",
  "key": "DSOI",
  "version": "1.0.0",
  "name": "Defer, Scheduled, Out-of-Cycle, Immediate",
  "description": "The original SSVC outcome group.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "D",
      "name": "Defer",
      "description": "Defer"
    },
    {
      "key": "S",
      "name": "Scheduled",
      "description": "Scheduled"
    },
    {
      "key": "O",
      "name": "Out-of-Cycle",
      "description": "Out-of-Cycle"
    },
    {
      "key": "I",
      "name": "Immediate",
      "description": "Immediate"
    }
  ]
}

A more specific interpretation for the priority levels for suppliers is as follows:

Supplier Priority Description
Defer Do not work on the patch at present.
Scheduled Develop a fix within regularly scheduled maintenance using supplier resources as normal.
Out-of-Cycle Develop mitigation or remediation out-of-cycle, taking resources away from other projects and releasing the fix as a security patch when it is ready.
Immediate Develop and release a fix as quickly as possible, drawing on all available resources, potentially including drawing on or coordinating resources from other parts of the organization.

Supplier Decision Points

The decision to create a patch is based on the following decision points:

  • Exploitation - A vulnerabilty with known exploitation is more likely to be given a higher priority.
  • Utility - The more useful a vulnerability is to an attacker, the more likely it is to be given a higher priority.
  • Technical Impact - The more severe the technical impact of a vulnerability, the more likely it is to be given a higher priority.
  • Public Safety Impact - The more severe the public safety impact of a vulnerability, the more likely it is to be given a higher priority.

More detail about each of these decision points is provided at the links above, here we provide a brief summary of each.

Exploitation (ssvc:E:1.1.0)

The present state of exploitation of the vulnerability.

Value Definition
None (N) There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.
Public PoC (P) One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation.
Active (A) Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting.
Exploitation (ssvc:E:1.1.0) JSON Example 
{
  "namespace": "ssvc",
  "key": "E",
  "version": "1.1.0",
  "name": "Exploitation",
  "description": "The present state of exploitation of the vulnerability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "N",
      "name": "None",
      "description": "There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability."
    },
    {
      "key": "P",
      "name": "Public PoC",
      "description": "One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation."
    },
    {
      "key": "A",
      "name": "Active",
      "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting."
    }
  ]
}

Utility (ssvc:U:1.0.1)

The Usefulness of the Exploit to the Adversary

Value Definition
Laborious (L) Automatable:No AND Value Density:Diffuse
Efficient (E) (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)
Super Effective (S) Automatable:Yes AND Value Density:Concentrated
Utility (ssvc:U:1.0.1) JSON Example 
{
  "namespace": "ssvc",
  "key": "U",
  "version": "1.0.1",
  "name": "Utility",
  "description": "The Usefulness of the Exploit to the Adversary",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "L",
      "name": "Laborious",
      "description": "Automatable:No AND Value Density:Diffuse"
    },
    {
      "key": "E",
      "name": "Efficient",
      "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
    },
    {
      "key": "S",
      "name": "Super Effective",
      "description": "Automatable:Yes AND Value Density:Concentrated"
    }
  ]
}

Technical Impact (ssvc:TI:1.0.0)

The technical impact of the vulnerability.

Value Definition
Partial (P) The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control.
Total (T) The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.
Technical Impact (ssvc:TI:1.0.0) JSON Example 
{
  "namespace": "ssvc",
  "key": "TI",
  "version": "1.0.0",
  "name": "Technical Impact",
  "description": "The technical impact of the vulnerability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "P",
      "name": "Partial",
      "description": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
    },
    {
      "key": "T",
      "name": "Total",
      "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
    }
  ]
}

Public Safety Impact (ssvc:PSI:2.0.1)

A coarse-grained representation of impact to public safety.

Value Definition
Minimal (M) Safety Impact:Negligible
Significant (S) Safety Impact:(Marginal OR Critical OR Catastrophic)
Public Safety Impact (ssvc:PSI:2.0.1) JSON Example 
{
  "namespace": "ssvc",
  "key": "PSI",
  "version": "2.0.1",
  "name": "Public Safety Impact",
  "description": "A coarse-grained representation of impact to public safety.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "M",
      "name": "Minimal",
      "description": "Safety Impact:Negligible"
    },
    {
      "key": "S",
      "name": "Significant",
      "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
    }
  ]
}

Public Safety Impact is a notational convenience

The Public Safety Impact decision point is a simplification of the more detailed Safety Impact decision point.

Supplier Decision Model

The example supplier decision model below shows a prioritization policy for the supplier. We display the decision model as a decision tree, which provides a compact representation of the policy, showing the relative priority of different situations.

---
title: Supplier Patch Development Priority Decision Table (ssvc:DT_SP:1.0.0)
---
graph LR
n1(( ))
subgraph s1["ssvc:E:1.1.0"]
N_L0([N])
P_L0([P])
A_L0([A])
end
subgraph s2["ssvc:U:1.0.1"]
N_L_L1([L])
N_E_L1([E])
N_S_L1([S])
P_L_L1([L])
P_E_L1([E])
P_S_L1([S])
A_L_L1([L])
A_E_L1([E])
A_S_L1([S])
end
subgraph s3["ssvc:TI:1.0.0"]
N_L_P_L2([P])
N_L_T_L2([T])
N_E_P_L2([P])
N_E_T_L2([T])
N_S_P_L2([P])
N_S_T_L2([T])
P_L_P_L2([P])
P_L_T_L2([T])
P_E_P_L2([P])
P_E_T_L2([T])
P_S_P_L2([P])
P_S_T_L2([T])
A_L_P_L2([P])
A_L_T_L2([T])
A_E_P_L2([P])
A_E_T_L2([T])
A_S_P_L2([P])
A_S_T_L2([T])
end
subgraph s4["ssvc:PSI:2.0.1"]
N_L_P_M_L3([M])
N_L_P_S_L3([S])
N_L_T_M_L3([M])
N_L_T_S_L3([S])
N_E_P_M_L3([M])
N_E_P_S_L3([S])
N_E_T_M_L3([M])
N_E_T_S_L3([S])
N_S_P_M_L3([M])
N_S_P_S_L3([S])
N_S_T_M_L3([M])
N_S_T_S_L3([S])
P_L_P_M_L3([M])
P_L_P_S_L3([S])
P_L_T_M_L3([M])
P_L_T_S_L3([S])
P_E_P_M_L3([M])
P_E_P_S_L3([S])
P_E_T_M_L3([M])
P_E_T_S_L3([S])
P_S_P_M_L3([M])
P_S_P_S_L3([S])
P_S_T_M_L3([M])
P_S_T_S_L3([S])
A_L_P_M_L3([M])
A_L_P_S_L3([S])
A_L_T_M_L3([M])
A_L_T_S_L3([S])
A_E_P_M_L3([M])
A_E_P_S_L3([S])
A_E_T_M_L3([M])
A_E_T_S_L3([S])
A_S_P_M_L3([M])
A_S_P_S_L3([S])
A_S_T_M_L3([M])
A_S_T_S_L3([S])
end
subgraph s5["ssvc:DSOI:1.0.0"]
N_L_P_M_D_L4([D])
N_L_P_S_S_L4([S])
N_L_T_M_S_L4([S])
N_L_T_S_O_L4([O])
N_E_P_M_S_L4([S])
N_E_P_S_O_L4([O])
N_E_T_M_S_L4([S])
N_E_T_S_O_L4([O])
N_S_P_M_S_L4([S])
N_S_P_S_O_L4([O])
N_S_T_M_O_L4([O])
N_S_T_S_O_L4([O])
P_L_P_M_S_L4([S])
P_L_P_S_O_L4([O])
P_L_T_M_S_L4([S])
P_L_T_S_I_L4([I])
P_E_P_M_S_L4([S])
P_E_P_S_I_L4([I])
P_E_T_M_O_L4([O])
P_E_T_S_I_L4([I])
P_S_P_M_O_L4([O])
P_S_P_S_I_L4([I])
P_S_T_M_O_L4([O])
P_S_T_S_I_L4([I])
A_L_P_M_O_L4([O])
A_L_P_S_I_L4([I])
A_L_T_M_O_L4([O])
A_L_T_S_I_L4([I])
A_E_P_M_O_L4([O])
A_E_P_S_I_L4([I])
A_E_T_M_O_L4([O])
A_E_T_S_I_L4([I])
A_S_P_M_I_L4([I])
A_S_P_S_I_L4([I])
A_S_T_M_I_L4([I])
A_S_T_S_I_L4([I])
end
n1 --- N_L0
n1 --- P_L0
n1 --- A_L0
N_L0 --- N_L_L1
N_L_L1 --- N_L_P_L2
N_L_P_L2 --- N_L_P_M_L3
N_L_P_M_L3 --- N_L_P_M_D_L4
N_L_P_L2 --- N_L_P_S_L3
N_L_P_S_L3 --- N_L_P_S_S_L4
N_L_L1 --- N_L_T_L2
N_L_T_L2 --- N_L_T_M_L3
N_L_T_M_L3 --- N_L_T_M_S_L4
N_L_T_L2 --- N_L_T_S_L3
N_L_T_S_L3 --- N_L_T_S_O_L4
N_L0 --- N_E_L1
N_E_L1 --- N_E_P_L2
N_E_P_L2 --- N_E_P_M_L3
N_E_P_M_L3 --- N_E_P_M_S_L4
N_E_P_L2 --- N_E_P_S_L3
N_E_P_S_L3 --- N_E_P_S_O_L4
N_E_L1 --- N_E_T_L2
N_E_T_L2 --- N_E_T_M_L3
N_E_T_M_L3 --- N_E_T_M_S_L4
N_E_T_L2 --- N_E_T_S_L3
N_E_T_S_L3 --- N_E_T_S_O_L4
N_L0 --- N_S_L1
N_S_L1 --- N_S_P_L2
N_S_P_L2 --- N_S_P_M_L3
N_S_P_M_L3 --- N_S_P_M_S_L4
N_S_P_L2 --- N_S_P_S_L3
N_S_P_S_L3 --- N_S_P_S_O_L4
N_S_L1 --- N_S_T_L2
N_S_T_L2 --- N_S_T_M_L3
N_S_T_M_L3 --- N_S_T_M_O_L4
N_S_T_L2 --- N_S_T_S_L3
N_S_T_S_L3 --- N_S_T_S_O_L4
P_L0 --- P_L_L1
P_L_L1 --- P_L_P_L2
P_L_P_L2 --- P_L_P_M_L3
P_L_P_M_L3 --- P_L_P_M_S_L4
P_L_P_L2 --- P_L_P_S_L3
P_L_P_S_L3 --- P_L_P_S_O_L4
P_L_L1 --- P_L_T_L2
P_L_T_L2 --- P_L_T_M_L3
P_L_T_M_L3 --- P_L_T_M_S_L4
P_L_T_L2 --- P_L_T_S_L3
P_L_T_S_L3 --- P_L_T_S_I_L4
P_L0 --- P_E_L1
P_E_L1 --- P_E_P_L2
P_E_P_L2 --- P_E_P_M_L3
P_E_P_M_L3 --- P_E_P_M_S_L4
P_E_P_L2 --- P_E_P_S_L3
P_E_P_S_L3 --- P_E_P_S_I_L4
P_E_L1 --- P_E_T_L2
P_E_T_L2 --- P_E_T_M_L3
P_E_T_M_L3 --- P_E_T_M_O_L4
P_E_T_L2 --- P_E_T_S_L3
P_E_T_S_L3 --- P_E_T_S_I_L4
P_L0 --- P_S_L1
P_S_L1 --- P_S_P_L2
P_S_P_L2 --- P_S_P_M_L3
P_S_P_M_L3 --- P_S_P_M_O_L4
P_S_P_L2 --- P_S_P_S_L3
P_S_P_S_L3 --- P_S_P_S_I_L4
P_S_L1 --- P_S_T_L2
P_S_T_L2 --- P_S_T_M_L3
P_S_T_M_L3 --- P_S_T_M_O_L4
P_S_T_L2 --- P_S_T_S_L3
P_S_T_S_L3 --- P_S_T_S_I_L4
A_L0 --- A_L_L1
A_L_L1 --- A_L_P_L2
A_L_P_L2 --- A_L_P_M_L3
A_L_P_M_L3 --- A_L_P_M_O_L4
A_L_P_L2 --- A_L_P_S_L3
A_L_P_S_L3 --- A_L_P_S_I_L4
A_L_L1 --- A_L_T_L2
A_L_T_L2 --- A_L_T_M_L3
A_L_T_M_L3 --- A_L_T_M_O_L4
A_L_T_L2 --- A_L_T_S_L3
A_L_T_S_L3 --- A_L_T_S_I_L4
A_L0 --- A_E_L1
A_E_L1 --- A_E_P_L2
A_E_P_L2 --- A_E_P_M_L3
A_E_P_M_L3 --- A_E_P_M_O_L4
A_E_P_L2 --- A_E_P_S_L3
A_E_P_S_L3 --- A_E_P_S_I_L4
A_E_L1 --- A_E_T_L2
A_E_T_L2 --- A_E_T_M_L3
A_E_T_M_L3 --- A_E_T_M_O_L4
A_E_T_L2 --- A_E_T_S_L3
A_E_T_S_L3 --- A_E_T_S_I_L4
A_L0 --- A_S_L1
A_S_L1 --- A_S_P_L2
A_S_P_L2 --- A_S_P_M_L3
A_S_P_M_L3 --- A_S_P_M_I_L4
A_S_P_L2 --- A_S_P_S_L3
A_S_P_S_L3 --- A_S_P_S_I_L4
A_S_L1 --- A_S_T_L2
A_S_T_L2 --- A_S_T_M_L3
A_S_T_M_L3 --- A_S_T_M_I_L4
A_S_T_L2 --- A_S_T_S_L3
A_S_T_S_L3 --- A_S_T_S_I_L4

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.

% include-markdown "../_includes/_scrollable_table.md" heading-offset=1 %}

Row Exploitation v1.1.0 Utility v1.0.1 Technical Impact v1.0.0 Public Safety Impact v2.0.1 Defer, Scheduled, Out-of-Cycle, Immediate v1.0.0
0 none laborious partial minimal defer
1 none laborious partial significant scheduled
2 none laborious total minimal scheduled
3 none laborious total significant out-of-cycle
4 none efficient partial minimal scheduled
5 none efficient partial significant out-of-cycle
6 none efficient total minimal scheduled
7 none efficient total significant out-of-cycle
8 none super effective partial minimal scheduled
9 none super effective partial significant out-of-cycle
10 none super effective total minimal out-of-cycle
11 none super effective total significant out-of-cycle
12 public poc laborious partial minimal scheduled
13 public poc laborious partial significant out-of-cycle
14 public poc laborious total minimal scheduled
15 public poc laborious total significant immediate
16 public poc efficient partial minimal scheduled
17 public poc efficient partial significant immediate
18 public poc efficient total minimal out-of-cycle
19 public poc efficient total significant immediate
20 public poc super effective partial minimal out-of-cycle
21 public poc super effective partial significant immediate
22 public poc super effective total minimal out-of-cycle
23 public poc super effective total significant immediate
24 active laborious partial minimal out-of-cycle
25 active laborious partial significant immediate
26 active laborious total minimal out-of-cycle
27 active laborious total significant immediate
28 active efficient partial minimal out-of-cycle
29 active efficient partial significant immediate
30 active efficient total minimal out-of-cycle
31 active efficient total significant immediate
32 active super effective partial minimal immediate
33 active super effective partial significant immediate
34 active super effective total minimal immediate
35 active super effective total significant immediate