Technical Impact
Technical Impact (ssvc:TI:1.0.0)
The technical impact of the vulnerability.
| Value | Key | Definition |
|---|---|---|
| Partial | P | The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. |
| Total | T | The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. |
Technical Impact (ssvc:TI:1.0.0) JSON Example
```json
{
  "namespace": "ssvc",
  "key": "TI",
  "version": "1.0.0",
  "name": "Technical Impact",
  "definition": "The technical impact of the vulnerability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "P",
      "name": "Partial",
      "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
    },
    {
      "key": "T",
      "name": "Total",
      "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
    }
  ]
}
```
Gathering Information about Technical Impact
See this HowTo for advice on gathering information about the Technical Impact decision point.
When evaluating Technical Impact, recall the scope definition in the Scope Section. Total control is relative to the affected component where the vulnerability resides. If a vulnerability discloses authentication or authorization credentials to the system, this information disclosure should also be scored as “total” if those credentials give an adversary total control of the component.
As mentioned in Current State of Practice, the scope of SSVC is just those situations in which there is a vulnerability. Our definition of vulnerability is based on the determination that some security policy is violated. We consider a security policy violation to be a technical impact—or at least, a security policy violation must have some technical instantiation. Therefore, if there is a vulnerability then there must be some technical impact.
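
The scoring guidance above can be written as a small decision function. This is an added example, not code from the SSVC project: the `Finding` field names and the helper functions are hypothetical, and the embedded JSON is the decision point from this page with the `definition` strings omitted.

```python
import json
from dataclasses import dataclass

# The ssvc:TI:1.0.0 decision point from this page, definitions omitted for brevity.
TI_JSON = """
{"namespace": "ssvc", "key": "TI", "version": "1.0.0",
 "name": "Technical Impact", "schemaVersion": "2.0.0",
 "values": [{"key": "P", "name": "Partial"}, {"key": "T", "name": "Total"}]}
"""

@dataclass
class Finding:
    """Analyst observations about one vulnerability (hypothetical field names)."""
    total_control: bool = False                 # full control of the affected component
    total_disclosure: bool = False              # all information on the system disclosed
    limited_control_or_exposure: bool = False
    low_chance_of_total_control: bool = False   # the "low stochastic opportunity" case
    leaks_credentials: bool = False
    credentials_give_total_control: bool = False

def load_values(raw):
    """Return {key: name} for a decision point object, checking it is ssvc:TI."""
    dp = json.loads(raw)
    if (dp.get("namespace"), dp.get("key")) != ("ssvc", "TI"):
        raise ValueError("not the ssvc:TI decision point")
    return {v["key"]: v["name"] for v in dp["values"]}

def technical_impact(f, values):
    """Map a Finding to a TI key, scoped to the affected component."""
    if f.total_control or f.total_disclosure:
        key = "T"
    elif f.leaks_credentials and f.credentials_give_total_control:
        key = "T"   # credential disclosure that yields total control of the component
    elif (f.limited_control_or_exposure or f.low_chance_of_total_control
          or f.leaks_credentials):
        key = "P"
    else:
        # A vulnerability always has some technical impact, so this is not one.
        raise ValueError("no technical impact observed: outside SSVC scope")
    if key not in values:
        raise ValueError(f"{key} is not a value of this decision point")
    return key

VALUES = load_values(TI_JSON)
```
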