
Gathering Information About Technical Impact

Technical Impact (ssvc:TI:1.0.0)

The technical impact of the vulnerability.

Value | Key | Definition
--- | --- | ---
Partial | P | The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control.
Total | T | The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.
Technical Impact (ssvc:TI:1.0.0) JSON Example
{
  "namespace": "ssvc",
  "key": "TI",
  "version": "1.0.0",
  "name": "Technical Impact",
  "definition": "The technical impact of the vulnerability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "P",
      "name": "Partial",
      "definition": "The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control."
    },
    {
      "key": "T",
      "name": "Total",
      "definition": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability."
    }
  ]
}

Assessing Technical Impact amounts to assessing the degree of control over the vulnerable component the attacker stands to gain by exploiting the vulnerability. One way to approach this analysis is to ask whether the control gained is total or not. If it is not total, it is partial. If an answer to one of the following questions is yes, then control is total. After exploiting the vulnerability,

  • can the attacker install and run arbitrary software?
  • can the attacker trigger all the actions that the vulnerable component can perform?
  • does the attacker get an account with full privileges to the vulnerable component (administrator or root user accounts, for example)?

This list is an evolving set of heuristics.

Have an idea for something we missed?

If you have suggestions for further heuristics, or potential counterexamples to these, please describe the example and reasoning in an issue on the SSVC GitHub.