Skip to content

SSVC#

This section explains the concept of SSVC and the background behind its emergence.

For the specifications of SSVC as implemented in FutureVuls, see the "Manual".

What Is SSVC#

SSVC (Stakeholder-Specific Vulnerability Categorization) is a state-of-the-art vulnerability response framework devised by the Software Engineering Institute at Carnegie Mellon University in the United States to solve the challenges of the conventional CVSS score-based approach to vulnerability response. In 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended risk-based vulnerability response like SSVC.

In its "September 2022 release", FutureVuls became the world's first commercial service to support SSVC (press release).

The SSVC engine built into FutureVuls automatically derives the priority of detected vulnerabilities based on their actual risk. It can even automate the response instructions given to operators. For daily operations using SSVC in FutureVuls, see "Vulnerability Management Operation Flow".

The Emergence of SSVC#

To solve the challenges of CVSS, Carnegie Mellon University proposed the framework "SSVC (Stakeholder-Specific Vulnerability Categorization)". SSVC evaluates vulnerability risk from multiple perspectives and automatically determines the response priority according to the risk.

Basic Structure of SSVC#

SSVC analyzes risk based on the following four pieces of information.

Item Description
Exposure Whether the system is accessible from the outside
Human Impact The magnitude of the business impact if attacked
Exploitation Whether an attack has actually been observed
Automatable To what extent the vulnerability can be used in automated attacks

The Four Priority Levels Derived Automatically#

SSVC Priority Description
Immediate Respond with top priority. Halt normal operations to address it if necessary.
Out-of-Cycle Respond promptly, outside of regular work.
Scheduled Address during regular maintenance.
Defer Do not address at this time; accept the risk.

ssvc-tree

Learn More About SSVC#

The pages below explain the details of SSVC and how it is incorporated into FutureVuls.

Type URL Notes
Manual SSVC
Blog Introduction to SSVC An article explaining the usefulness and application of SSVC
Blog In-Depth Guide to SSVC v2.1 An explanation of SSVC v2.1 and its changes
Blog Vuls Matsuri #10 SSVC Demo Introduces a demo useful for real-world operations
Blog SSVC DeepDive Vulnerability Matsuri Learn about SSVC in detail with a video
Blog Example of How to Determine Human Impact in SSVC Explains examples of configuring business impact (Human Impact)
Blog Guide to Automatically Identifying Internet-Exposed Servers and Configuring SSVC Exposure Explains examples of configuring Automatable
Blog Appeared on the YouTube channel of the virtual IT admin "Sudo Admin" to explain vulnerability management in general and SSVC Watch a concrete explanation in a video
Video Overview of SSVC, the Latest Vulnerability Triage Framework, and Its Implementation in FutureVuls (Vuls Matsuri #6) A YouTube video on the theme of SSVC
Pamphlet FutureVuls Pamphlet

Trying Out the SSVC Decision Tree#

FutureVuls' default SSVC decision tree has the same structure as the "CERT/CC Deployer Tree". You can check the details of the decision tree on the site using the following steps.

  1. Select Mode: Graphic > SSVC Calc App: Deployer.
  2. Specify Show Full Tree.