
SSVC (Stakeholder-Specific Vulnerability Categorization)

SSVC is a decision-tree framework developed by CISA and Carnegie Mellon for prioritizing vulnerability response based on exploitation status, automatable exploitation, and mission impact. It complements CVSS by focusing on actionability rather than technical severity alone.

Frequently Asked Questions


How is SSVC (Stakeholder-Specific Vulnerability Categorization) related to CVSS (Common Vulnerability Scoring System)?

SSVC (Stakeholder-Specific Vulnerability Categorization) and CVSS (Common Vulnerability Scoring System) are both key concepts in threat intelligence, and SSVC complements CVSS by focusing on actionability rather than technical severity alone. CVSS is an open framework for communicating the severity of software vulnerabilities. A CVSS v3 base score from 0 to 10 reflects factors such as attack vector, attack complexity, privileges required, and impact on confidentiality, integrity, and availability. Scores ≥ 9.0 are Critical; scores ≥ 7.0 are High.
