Gathering Information About Value Density
Value Density (ssvc:VD:1.0.0)
The concentration of value in the target
| Value | Key | Definition |
|---|---|---|
| Diffuse | D | The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small. |
| Concentrated | C | The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. |
Value Density (ssvc:VD:1.0.0) JSON Example
```json
{
  "namespace": "ssvc",
  "key": "VD",
  "version": "1.0.0",
  "name": "Value Density",
  "definition": "The concentration of value in the target",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "D",
      "name": "Diffuse",
      "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
    },
    {
      "key": "C",
      "name": "Concentrated",
      "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
    }
  ]
}
```
The heuristics presented in the Value Density definitions involve whether the system is usually maintained by a dedicated professional, although we have noted some exceptions (such as encrypted mobile messaging applications).
Have an idea for something we missed?
If you have suggestions for further heuristics, or potential counterexamples to these, please describe the example and reasoning in an issue on the SSVC GitHub.
An analyst might use market research reports or Internet telemetry data to assess an unfamiliar product. Organizations such as Gartner publish research on market position and product comparisons for a wide variety of systems; these reports generally identify how a product is deployed, used, and maintained. A vendor's own marketing materials are a less reliable indicator of how a product is actually used, although they do show how the vendor expects it to be used.
Network telemetry can indicate how many instances of a software system are connected to a network. Such telemetry is most reliable for the supplier of the software, especially when software licenses are purchased and checked. Measuring how many instances of a system are in operation is useful, but a larger install base alone does not make the software a densely valuable target. However, market penetration greater than approximately 75% generally means that the product uniquely serves a particular market segment or purpose, so a single exploitable weakness in it reaches most of the value in that segment. This line of reasoning supports the determination that a ubiquitous encrypted mobile messaging application should be considered to have a concentrated Value Density.