Skip to content

Learning SSVC

SSVC stands for Stakeholder-Specific Vulnerability Categorization. It is a methodology for prioritizing vulnerabilities based on the needs of the stakeholders involved in the vulnerability management process. SSVC is designed to be used by any stakeholder in the vulnerability management process, including patch suppliers, patch deployers, coordinators, and others. One of SSVC's key features is that it is intended to be customized to the needs of the organization using it. In the HowTo section, we provide a set of decision models that can be used as a starting point, but we expect that organizations will need to modify these models to fit their specific needs. An introduction to how we think about SSVC can be found in the Understanding SSVC section. For technical reference, including a list of decision points, see Reference.

SSVC in a Nutshell

SSVC is built around the concept of a Decision Model that takes a set of input Decision Points and applies a Policy to produce a set of output Outcomes. The Decision Points are the factors that influence the decision, and the Outcomes are the possible results of the decision. Both Decision Points and Outcomes are defined as ordered sets of enumerated values. The Policy is a mapping from each combination of decision point values to the set of outcome values. One of SSVC's goals is to provide a methodology to develop risk-informed guidance at a human scale, while enabling data-driven decision-making.

SSVC Calculator

We've created a simple SSVC Calculator to help you understand how SSVC decision models work. The decisions modeled in the calculator are based on the Supplier, Deployer, and Coordinator decision models.

SSVC can be used in conjunction with other tools and methodologies to help prioritize vulnerability response.


The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of software security vulnerabilities. CVSS assigns technical severity scores to vulnerabilities, and many organizations use this score to inform their vulnerability management process. In SSVC, we took a different approach with our stakeholder-specific model, although the information contained in a CVSS vector can be applied to SSVC decision models. For example, the Technical Impact decision point in the Supplier decision model can be informed by the CVSS vector.


The Exploit Prediction Scoring System (EPSS) provides information regarding the likelihood of a vulnerability being exploited in the wild. This information can be used to inform the Exploitation decision point in the Supplier, Deployer, and Coordinator Publication decision models.


Provided below are videos that provide an overview of SSVC and the implementation of decision models.

Source Video
SEI Podcast Series A Stakeholder-Specific Approach to Vulnerability Management
CISA SSVC On-Demand Training
Nucleus Security SSVC and Decision Trees
Nucleus Security Panel Discussion: Using Decision Trees for Vulnerability Prioritization with SSVC
Nucleus Security What is SSVC?
ICS Cybersecurity Academy Create your own SSVC decision tree for ICS patching
ICS Cybersecurity Academy SSVC: A great replacement for CVSS in ICS?
Waterfall Security Solutions Industrial Security Podcast Eps. 102: Stakeholder-Specific Vulnerability Categorization (SSVC)

Other Content

We've collected a list of articles and blog posts that provide additional information about SSVC.

Source Link
SEI Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization
CISA Stakeholder-Specific Vulnerability Categorization (SSVC)
Qualys Effective Vulnerability Management with Stakeholder Specific Vulnerability Categorization (SSVC) and Qualys TruRisk
Vulcan Cyber The SSVC risk prioritization method: what it is, when to use it, and alternatives

Have a link to something we missed? Let us know in an issue.