Bootstrapping an SSVC Process from Scratch
Using SSVC to prioritize vulnerability response requires a few steps. The steps are:
Bootstrapping SSVC Overview
flowchart
start([Start])
prep[Prepare to use SSVC]
dataops[Data Operations]
runtime[Use SSVC]
r[Vulnerability Response]
start --> prep
prep --> dataops
dataops --> runtime
runtime --> r
r --> dataops| Step | Description |
|---|---|
| Prepare | Define the decision you want to make, the outcomes you care about, the decision points you will use to make the decision, the decision policy, the data you need to inform the decision points, and the process for maintaining your decision model. |
| Collect | Collect the data you need to make informed decisions. |
| Use SSVC | Use SSVC to make decisions about how to respond to vulnerabilities. |
| Respond | Respond to vulnerabilities according to the prioritization. |
We cover each of these in the following sections, starting with Prepare to Use SSVC. If you want to skip ahead to the full process, see Bootstrapping SSVC Summary.