Learning SSVC
SSVC stands for Stakeholder-Specific Vulnerability Categorization. It is a methodology for prioritizing vulnerabilities based on the needs of the stakeholders involved in the vulnerability management process. SSVC is designed to be used by any stakeholder in the vulnerability management process, including patch suppliers, patch deployers, coordinators, and others. One of SSVC's key features is that it is intended to be customized to the needs of the organization using it. In the HowTo section, we provide a set of decision models that can be used as a starting point, but we expect that organizations will need to modify these models to fit their specific needs. An introduction to how we think about SSVC can be found in the Understanding SSVC section. For technical reference, including a list of decision points, see Reference.
SSVC in a Nutshell
SSVC is built around the concept of a Decision Model that takes a set of input Decision Points and applies a Policy to produce an output Outcome. The Decision Points are the factors that influence the decision, and the Outcomes are the possible results of the decision. Both Decision Points and Outcomes are defined as ordered sets of enumerated values. The Policy is a mapping from each combination of decision point values to exactly one outcome value, so a complete policy is effectively a lookup table with one row per combination of inputs. One of SSVC's goals is to provide a methodology to develop risk-informed guidance at a human scale, while enabling data-driven decision-making.
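To make the Decision Model concrete, here is an added example (not code from the SSVC project) that represents decision points and outcomes as ordered enumerations, expands a rule-based policy into the full lookup table, and checks the table for a property a reviewer would want: stepping any one input up to a worse value never produces a less urgent outcome. The decision point names follow the Deployer model, but the value sets are trimmed and the policy rules are hypothetical, chosen only to illustrate the mechanics.

```python
from collections import Counter
from enum import IntEnum
from itertools import product

# Decision points and outcomes are ordered enumerations. IntEnum keeps the
# order, which the consistency check below relies on. The point names follow
# SSVC's Deployer model; the value sets here are trimmed for illustration.
class Exploitation(IntEnum):
    NONE = 0
    POC = 1
    ACTIVE = 2

class Automatable(IntEnum):
    NO = 0
    YES = 1

class HumanImpact(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3

class Outcome(IntEnum):
    DEFER = 0
    SCHEDULED = 1
    OUT_OF_CYCLE = 2
    IMMEDIATE = 3

DECISION_POINTS = (Exploitation, Automatable, HumanImpact)


def illustrative_policy(expl, auto, impact):
    """Hypothetical policy written as rules; NOT an SSVC reference tree."""
    if expl == Exploitation.ACTIVE:
        if impact >= HumanImpact.HIGH or auto == Automatable.YES:
            return Outcome.IMMEDIATE
        return Outcome.OUT_OF_CYCLE
    if expl == Exploitation.POC:
        if impact == HumanImpact.VERY_HIGH:
            return Outcome.OUT_OF_CYCLE
        if auto == Automatable.YES or impact >= HumanImpact.MEDIUM:
            return Outcome.SCHEDULED
        return Outcome.DEFER
    if impact == HumanImpact.VERY_HIGH and auto == Automatable.YES:
        return Outcome.SCHEDULED
    return Outcome.DEFER


def inconsistent_policy(expl, auto, impact):
    """Same as above with one cell changed, to exercise the consistency check."""
    if (expl, auto, impact) == (Exploitation.ACTIVE, Automatable.YES, HumanImpact.VERY_HIGH):
        return Outcome.DEFER
    return illustrative_policy(expl, auto, impact)


def build_policy_table(policy, decision_points=DECISION_POINTS):
    """Expand a rule-based policy into the full lookup table: one outcome per
    combination of decision point values. This table is the artifact you
    would review, version and publish."""
    return {combo: policy(*combo) for combo in product(*decision_points)}


def decide(table, *values):
    """Look up the outcome for one vulnerability's decision point values."""
    return table[tuple(values)]


def outcome_distribution(table):
    """How many input combinations land on each outcome."""
    return Counter(table.values())


def check_monotone(table, decision_points=DECISION_POINTS):
    """Return every pair of adjacent combinations where stepping one decision
    point up to its next (worse) value lowers the outcome. A sane policy has
    no such pairs."""
    violations = []
    for combo, outcome in table.items():
        for i, dp in enumerate(decision_points):
            if combo[i] + 1 < len(dp):
                stepped = list(combo)
                stepped[i] = dp(combo[i] + 1)
                if table[tuple(stepped)] < outcome:
                    violations.append((combo, tuple(stepped)))
    return violations


if __name__ == "__main__":
    table = build_policy_table(illustrative_policy)
    print(decide(table, Exploitation.ACTIVE, Automatable.NO, HumanImpact.LOW))
    print(outcome_distribution(table))
    print(check_monotone(build_policy_table(inconsistent_policy)))
```

The expanded table has 24 rows (3 x 2 x 4). Running `check_monotone` over the inconsistent variant reports three violations, one for each neighbour of the altered cell; this is the kind of check worth running whenever an organization customizes a policy, since hand-edited tables drift easily.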
SSVC Calculator
We've created a simple SSVC Calculator to help you understand how SSVC decision models work. The decisions modeled in the calculator are based on the Supplier, Deployer, and Coordinator decision models.
SSVC can be used in conjunction with other tools and methodologies to help prioritize vulnerability response.
CVSS and SSVC
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of software security vulnerabilities. CVSS assigns technical severity scores to vulnerabilities, and many organizations use this score to inform their vulnerability management process. SSVC takes a different approach: rather than producing a single severity score for the vulnerability, its stakeholder-specific models ask what action a particular stakeholder should take. The information contained in a CVSS vector can still be applied to SSVC decision models. For example, the Technical Impact decision point in the Supplier decision model can be informed by the CVSS vector.
EPSS and SSVC
The Exploit Prediction Scoring System (EPSS) provides an estimate of the likelihood that a vulnerability will be exploited in the wild. This information can be used to inform the Exploitation decision point in the Supplier, Deployer, and Coordinator Publication decision models. Note that EPSS is a probability, not evidence that exploitation has occurred, so it informs rather than determines the Exploitation value.
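The two sections above say that a CVSS vector and an EPSS score can inform decision point values; the added example below (not SSVC project code) shows one way to do that mechanically. It parses a CVSS v3.1 vector string with validation, then applies two assumed mappings: High loss of confidentiality, integrity and availability approximates SSVC's "total" technical impact, and the CVSS temporal Exploit Code Maturity metric (E) maps to the Exploitation values none/PoC/active. EPSS is treated as a review trigger only, since a probability is not an exploitation report. The thresholds, the mappings, and the sample vectors are all constructed for illustration and are not SSVC guidance.

```python
# CVSS v3.1 base metrics and their legal single-letter values.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
    "S": "UC", "C": "NLH", "I": "NLH", "A": "NLH",
}
# Temporal Exploit Code Maturity is the one optional metric kept here.
OPTIONAL_METRICS = {"E": "XUPFH"}

# Constructed sample inputs (not real advisories).
SAMPLE_RCE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P"
SAMPLE_INFOLEAK = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"


def parse_cvss31_vector(vector: str) -> dict:
    """Parse a CVSS v3.1 vector string into {metric: value}. Rejects other
    versions, duplicates, unknown values and missing base metrics."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("expected a CVSS:3.1 vector")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed component {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        allowed = BASE_METRICS.get(name) or OPTIONAL_METRICS.get(name)
        if allowed is None:
            continue  # other temporal/environmental metrics are ignored
        if len(value) != 1 or value not in allowed:
            raise ValueError(f"bad value {value!r} for {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_valid_cvss31(vector: str) -> bool:
    try:
        parse_cvss31_vector(vector)
        return True
    except ValueError:
        return False


def suggest_technical_impact(metrics: dict) -> str:
    """Assumed heuristic: High loss of C, I and A approximates SSVC's
    'total' technical impact; anything less is 'partial'. An analyst still
    has to confirm the attacker really gains full control of the component."""
    if all(metrics[m] == "H" for m in ("C", "I", "A")):
        return "total"
    return "partial"


def suggest_exploitation(metrics: dict, epss_probability: float,
                         epss_review_threshold: float = 0.1):
    """Return (exploitation_value, needs_review).

    Assumed mapping from CVSS temporal E (Exploit Code Maturity):
    F or H -> 'active', P -> 'poc', U/X/absent -> 'none'.
    EPSS is a probability, not evidence, so it never raises the value on
    its own; above the (assumed) threshold it only flags the case so an
    analyst goes looking for actual exploitation reports."""
    if not 0.0 <= epss_probability <= 1.0:
        raise ValueError("EPSS probability must be in [0, 1]")
    e = metrics.get("E", "X")
    if e in "FH":
        return "active", False
    if e == "P":
        return "poc", False
    return "none", epss_probability >= epss_review_threshold


if __name__ == "__main__":
    for vec, epss in ((SAMPLE_RCE, 0.02), (SAMPLE_INFOLEAK, 0.5)):
        m = parse_cvss31_vector(vec)
        print(vec, suggest_technical_impact(m), suggest_exploitation(m, epss))
```

The parser is strict on purpose: a vector with a duplicated or missing base metric is rejected rather than silently mapped, because a decision point value derived from malformed input would propagate straight into the policy lookup.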
Videos
The videos below give an overview of SSVC and of how decision models are implemented.
Source | Video |
---|---|
SEI Podcast Series | A Stakeholder-Specific Approach to Vulnerability Management |
CISA | SSVC On-Demand Training |
Nucleus Security | SSVC and Decision Trees |
Nucleus Security | Panel Discussion: Using Decision Trees for Vulnerability Prioritization with SSVC |
Nucleus Security | What is SSVC? |
ICS Cybersecurity Academy | Create your own SSVC decision tree for ICS patching |
ICS Cybersecurity Academy | SSVC: A great replacement for CVSS in ICS? |
Waterfall Security Solutions | Industrial Security Podcast Eps. 102: Stakeholder-Specific Vulnerability Categorization (SSVC) |
Other Content
We've collected a list of articles and blog posts that provide additional information about SSVC.
Have a link to something we missed? Let us know in an issue.