Skip to content

Bootstrapping an SSVC Process from Scratch

Using SSVC to prioritize vulnerability response requires a few steps. The steps are:

Bootstrapping SSVC Overview

    prep[Prepare to use SSVC]
    dataops[Data Operations]
    runtime[Use SSVC]
    r[Vulnerability Response]
    start --> prep
    prep --> dataops
    dataops --> runtime
    runtime --> r
    r --> dataops
Step Description
Prepare Define the decision you want to make, the outcomes you care about, the decision points you will use to make the decision, the decision policy, the data you need to inform the decision points, and the process for maintaining your decision model.
Collect Collect the data you need to make informed decisions.
Use SSVC Use SSVC to make decisions about how to respond to vulnerabilities.
Respond Respond to vulnerabilities according to the prioritization.

We cover each of these in the following sections, starting with Prepare to Use SSVC. If you want to skip ahead to the full process, see Bootstrapping SSVC Summary.