
Value Density (SSVC)

Value Density (ssvc:VD:1.0.0)

The concentration of value in the target

| Value | Key | Definition |
| --- | --- | --- |
| Diffuse | D | The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small. |
| Concentrated | C | The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. |

Value Density (ssvc:VD:1.0.0) JSON Example

{
  "namespace": "ssvc",
  "key": "VD",
  "version": "1.0.0",
  "name": "Value Density",
  "definition": "The concentration of value in the target",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "D",
      "name": "Diffuse",
      "definition": "The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small."
    },
    {
      "key": "C",
      "name": "Concentrated",
      "definition": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users."
    }
  ]
}

Gathering Information about Value Density

See this HowTo for advice on gathering information about the Value Density decision point.

See also

Value Density combines with Automatability to inform Utility.

CVSS:Value Density vs SSVC:Value Density

The CVSS Value Density vector element was developed alongside the identically named Value Density decision point in SSVC. We intend for these two decision points to be interchangeable. The main difference is that the CVSS Value Density accommodates an explicit Not Defined value, whereas the SSVC Value Density does not.
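
The following added example (not part of the SSVC project's own code) shows one way to carry a CVSS Value Density into SSVC and combine it with Automatability to reach Utility, leaving the result undecided when CVSS says Not Defined. The CVSS v4.0 metric names `V` and `AU`, the value `X` for Not Defined, and the Utility outcome table are assumptions taken from the public CVSS and SSVC specifications rather than from this page; the function names and the sample vector are constructed.

```python
# Added example. VD keys come from the page; the CVSS v4.0 supplemental metrics
# V / AU and the Utility table are assumptions taken from the public specs.
SSVC_VD = {"D": "Diffuse", "C": "Concentrated"}   # ssvc:VD:1.0.0
SSVC_AUTOMATABLE = {"N": "No", "Y": "Yes"}        # SSVC Automatable
UTILITY = {                                       # (Automatable, Value Density)
    ("N", "D"): "Laborious",
    ("N", "C"): "Efficient",
    ("Y", "D"): "Efficient",
    ("Y", "C"): "Super Effective",
}


def parse_vector(vector):
    """Split a CVSS v4.0 vector string into a {metric: value} dict."""
    prefix, _, rest = vector.strip().partition("/")
    if prefix != "CVSS:4.0" or not rest:
        raise ValueError("not a CVSS v4.0 vector: %r" % vector)
    metrics = {}
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not (name and sep and value) or name in metrics:
            raise ValueError("malformed or repeated metric: %r" % part)
        metrics[name] = value
    return metrics


def to_ssvc(metrics, cvss_name, allowed, analyst_value=None):
    """Map one CVSS metric to an SSVC key; None when it stays Not Defined."""
    value = metrics.get(cvss_name, "X")   # an omitted supplemental metric is X
    if value == "X":                      # SSVC has no Not Defined value,
        value = analyst_value             # so the analyst has to decide
    if value is not None and value not in allowed:
        raise ValueError("%s:%s is not one of %s" % (cvss_name, value, sorted(allowed)))
    return value


def utility(vector, vd=None, automatable=None):
    """Derive SSVC Utility, or None while either input is undecided."""
    metrics = parse_vector(vector)
    a = to_ssvc(metrics, "AU", SSVC_AUTOMATABLE, automatable)
    d = to_ssvc(metrics, "V", SSVC_VD, vd)
    return None if a is None or d is None else UTILITY[(a, d)]


# Constructed sample vector (not from the page).
SAMPLE = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/V:C"
if __name__ == "__main__":
    print(utility(SAMPLE))
```

A `None` result marks a vulnerability whose Value Density or Automatability still needs an analyst's decision before the Utility value can feed an SSVC decision.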

User vs. System Operator

A “user” is anyone whose professional task is something other than the maintenance of the system or component. As with Safety Impact, a “system operator” is anyone who is professionally responsible for the proper operation or maintenance of a system.

Diffuse

Examples of systems with diffuse value are email accounts, most consumer online banking accounts, common cell phones, and most personal computing resources owned and maintained by users.

Concentrated

Examples of concentrated value are database systems, Kerberos servers, web servers hosting login pages, and cloud service providers. However, usefulness and uniqueness of the resources on the vulnerable system also inform value density. For example, encrypted mobile messaging platforms may have concentrated value, not because each phone’s messaging history has a particularly large amount of data, but because it is uniquely valuable to law enforcement.