SSVC#
This section explains the concept of SSVC and the background behind its emergence.
For the specifications of SSVC as implemented in FutureVuls, see the "Manual".
What Is SSVC#
SSVC (Stakeholder-Specific Vulnerability Categorization) is a state-of-the-art vulnerability response framework devised by the Software Engineering Institute at Carnegie Mellon University in the United States to solve the challenges of the conventional CVSS score-based approach to vulnerability response. In 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommended risk-based vulnerability response like SSVC.
In its "September 2022 release", FutureVuls became the world's first commercial service to support SSVC (press release).
The SSVC engine built into FutureVuls automatically derives the priority of detected vulnerabilities based on their actual risk. It can even automate the response instructions given to operators. For daily operations using SSVC in FutureVuls, see "Vulnerability Management Operation Flow".
The Emergence of SSVC#
To solve the challenges of CVSS, Carnegie Mellon University proposed the framework "SSVC (Stakeholder-Specific Vulnerability Categorization)". SSVC evaluates vulnerability risk from multiple perspectives and automatically determines the response priority according to the risk.
Basic Structure of SSVC#
SSVC analyzes risk based on the following four pieces of information.
| Item | Description |
|---|---|
| Exposure | Whether the system is accessible from the outside |
| Human Impact | The magnitude of the business impact if attacked |
| Exploitation | Whether an attack has actually been observed |
| Automatable | To what extent the vulnerability can be used in automated attacks |
The Four Priority Levels Derived Automatically#
| SSVC Priority | Description |
|---|---|
| Immediate | Respond with top priority. Halt normal operations to address it if necessary. |
| Out-of-Cycle | Respond promptly, outside of regular work. |
| Scheduled | Address during regular maintenance. |
| Defer | Do not address at this time; accept the risk. |

Learn More About SSVC#
The pages below explain the details of SSVC and how it is incorporated into FutureVuls.
| Type | URL | Notes |
|---|---|---|
| Manual | SSVC | |
| Blog | Introduction to SSVC | An article explaining the usefulness and application of SSVC |
| Blog | In-Depth Guide to SSVC v2.1 | An explanation of SSVC v2.1 and its changes |
| Blog | Vuls Matsuri #10 SSVC Demo | Introduces a demo useful for real-world operations |
| Blog | SSVC DeepDive Vulnerability Matsuri | Learn about SSVC in detail with a video |
| Blog | Example of How to Determine Human Impact in SSVC | Explains examples of configuring business impact (Human Impact) |
| Blog | Guide to Automatically Identifying Internet-Exposed Servers and Configuring SSVC Exposure | Explains examples of configuring Automatable |
| Blog | Appeared on the YouTube channel of the virtual IT admin "Sudo Admin" to explain vulnerability management in general and SSVC | Watch a concrete explanation in a video |
| Video | Overview of SSVC, the Latest Vulnerability Triage Framework, and Its Implementation in FutureVuls (Vuls Matsuri #6) | A YouTube video on the theme of SSVC |
| Pamphlet | FutureVuls Pamphlet |
Trying Out the SSVC Decision Tree#
FutureVuls' default SSVC decision tree has the same structure as the "CERT/CC Deployer Tree". You can check the details of the decision tree on the site using the following steps.
- Select Mode: Graphic > SSVC Calc App: Deployer.
- Specify Show Full Tree.