Using SSVC

Prerequisites

The Using SSVC section assumes that you have

• An interest in using SSVC in a vulnerability management process
• Basic familiarity with SSVC

If you are unfamiliar with SSVC, we suggest you start with the Learning SSVC section. Understanding SSVC provides necessary background detail. For technical reference, see Reference.

SSVC is a methodology for prioritizing vulnerability response based on the needs of various stakeholders. At its core are the concepts of:

• Stakeholder Roles: Different participants in the vulnerability response process have different needs and priorities. Roles can include patch suppliers, deployers, coordinators, and others.
• Decisions: Each stakeholder role has a set of decisions to make about how to respond to vulnerabilities. For a supplier, the decision might be about how to prioritize the creation of patches. For a deployer, the decision might be about how to prioritize the deployment of patches. Coordinators usually need to decide whether to coordinate a response, and whether to publish information about a vulnerability they've coordinated.
• Decision Points: Each decision is made based on a set of inputs, or decision points. These are the factors that influence the decision. For example, a decision about whether to deploy a patch might be influenced by the severity of the vulnerability, the availability of an exploit, and the impact of the vulnerability on the system.
• Outcomes: Each decision has a set of possible outcomes. These are the possible results of the decision. For example, a decision about whether to deploy a patch might have outcomes like "immediate", "scheduled", "deferred", and "out-of-cycle".

Given these concepts, we can combine them into decision models to help stakeholders make decisions about the priority with which to act. The definition of choices can take a logical form, such as:

• IF

  • (Exploitation IS Public PoC) AND
  • (System Exposure IS controlled) AND
  • (Automatable IS no) AND
  • (Human Impact IS medium)

• THEN priority is scheduled.

This example logical statement is captured in row 34 of the deployer .csv file.

There are different formats for capturing these prioritization decisions depending on how and where they are going to be used. In this documentation, we primarily represent a full set of guidance on how one stakeholder will make a decision as a decision tree.

This section presents example decision models for various stakeholders, followed by guidance on how to adapt and customize SSVC to fit your organization's needs.

• Getting Started with SSVC
• Supplier Decision Model
• Deployer Decision Model
• Coordinator Decision Models
• Customizing SSVC
• Acuity Ramp