From 20a85c41ccba3c4769b1bcd3737bc802c469f379 Mon Sep 17 00:00:00 2001
From: Renae Metcalf
Date: Fri, 14 Nov 2025 11:34:32 -0500
Subject: [PATCH 01/11] Update acks page
---
 docs/about/acknowledgements.md | 44 ++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 7 deletions(-)
diff --git a/docs/about/acknowledgements.md b/docs/about/acknowledgements.md
index 174ef80c..8fd27249 100644
--- a/docs/about/acknowledgements.md
+++ b/docs/about/acknowledgements.md
@@ -1,25 +1,55 @@ # Acknowledgements -The authors would first like to acknowledge the valuable contributions of previous authors who have worked on earlier versions -of this report: Art Manion, Madison Oliver, and Deana Shick. +The SSVC team would first like to acknowledge the valuable contributions of +previous authors who have worked on earlier versions of SSVC: Eric Hatleback, +Bon Jin Koo, Art Manion, Madison Oliver, Deana Shick, and Jonathan Spring. -The authors thank the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors) to the -[SSVC project](https://github.com/CERTCC/SSVC) on Github as well as the following individuals for helpful comments on -prior drafts (listed in alphabetical order): +SSVC began as a series of papers before we created this site. Earlier versions +were written by: +[1] J. M. Spring, E. Hatleback, A. D. Householder, A. Manion, and D. Shick, +"Towards Improving CVSS," Software Engineering Institute, Carnegie Mellon +University, Dec. 2018. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/2018_019_001_538372.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/2018_019_001_538372.pdf) +[2] J. M. Spring, E. Hatleback, A. D. Householder, A. Manion, and D. Shick, +"Prioritizing Vulnerability Response: a Stakeholder-Specific Vulnerability +Categorization," Software Engineering Institute, Carnegie Mellon University, +Nov. 2019. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/2019_019_001_636391.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/2019_019_001_636391.pdf) +[3] J. M. Spring, E. Hatleback, A. D. Householder, A. Manion, and D. Shick, +"Prioritizing Vulnerability Response: a Stakeholder-Specific Vulnerability +Categorization (Version 1.1)," Software Engineering Institute, Carnegie Mellon +University, Dec. 2020. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/weis20-final6.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/weis20-final6.pdf) +[4] J. M. Spring, A. D. 
Householder, E. Hatleback, A. Manion, M. Oliver, +V. Sarvepalli, L. Tyzenhaus, and C. Yarbrough, +"Prioritizing Vulnerability Response: a Stakeholder-Specific Vulnerability +Categorization (Version 2.0)," Software Engineering Institute, Carnegie Mellon +University, Apr. 2021. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/2021_019_001_653461.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/2021_019_001_653461.pdf) +[5] J. M. Spring, E. Hatleback, A. D. Householder, V. Sarvepalli, L. Tyzenhaus, +and C. Yarbrough, "Prioritizing Vulnerability Response: a Stakeholder-Specific +Vulnerability Categorization (SSVC) version 2.1.0-edb6c97," Software +Engineering Institute, Carnegie Mellon University, Sep. 2023. [Online]. +Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf) + +The SSVC team thanks the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors) +to the [SSVC project](https://github.com/CERTCC/SSVC) on Github as well as the +following individuals for helpful comments on earlier versions (listed in +alphabetical order): Muhammad Akbar, Will Dormann, Manish Gaur, Ralph Langer, -David Oxley +David Oxley, Dale Peterson, +Bernhard Reiter, +Thomas Schmidt, Jeroen van der Ham, Michel van Eeten, and Sounil Yu. -The authors also thank those others too numerous to name individually who provided comments and feedback, including: +The SSVC team also thanks those others too numerous to name individually who +provided comments and feedback, including: Attendees at S4, Miami FL 2020; Attendees at A Conference on Defense (ACoD), Austin TX 2020; Anonymous WEIS reviewers; Various staff members and analysts at CERT/CC, CISA, McAfee, and VMWare; FIRST CVSS SIG and EPSS SIG members; +OASIS CSAF TC; and others who wish to remain anonymous. From 8854b265ffb6739eefd0bce4e2dee61509575ff2 Mon Sep 17 00:00:00 2001 
From: sei-renae
Date: Fri, 14 Nov 2025 12:07:26 -0500
Subject: [PATCH 02/11] Update docs/about/acknowledgements.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 docs/about/acknowledgements.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/about/acknowledgements.md b/docs/about/acknowledgements.md
index 8fd27249..2bffb6af 100644
--- a/docs/about/acknowledgements.md
+++ b/docs/about/acknowledgements.md
@@ -29,7 +29,7 @@ Engineering Institute, Carnegie Mellon University, Sep. 2023. [Online].
 Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf)
 The SSVC team thanks the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors)
-to the [SSVC project](https://github.com/CERTCC/SSVC) on Github as well as the
+to the [SSVC project](https://github.com/CERTCC/SSVC) on GitHub as well as the
 following individuals for helpful comments on earlier versions (listed in
 alphabetical order):
 Muhammad Akbar,
From 116123b9d747d8a7644d2c4d4422f6c7802dae9f Mon Sep 17 00:00:00 2001
From: sei-renae
Date: Fri, 14 Nov 2025 12:07:49 -0500
Subject: [PATCH 03/11] Update docs/about/acknowledgements.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 docs/about/acknowledgements.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/about/acknowledgements.md b/docs/about/acknowledgements.md
index 2bffb6af..fd840598 100644
--- a/docs/about/acknowledgements.md
+++ b/docs/about/acknowledgements.md
@@ -26,7 +26,7 @@ University, Apr. 2021. [Online]. Available: [https://github.com/CERTCC/SSVC/blob
 and C. Yarbrough, "Prioritizing Vulnerability Response: a Stakeholder-Specific
 Vulnerability Categorization (SSVC) version 2.1.0-edb6c97," Software
 Engineering Institute, Carnegie Mellon University, Sep. 2023. [Online].
-Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf)
+Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf)
 The SSVC team thanks the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors)
 to the [SSVC project](https://github.com/CERTCC/SSVC) on GitHub as well as the
From 420d7d351999e83ecf1fac8ac28bb9799dce9fa1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Nov 2025 15:11:05 +0000
Subject: [PATCH 04/11] Bump DavidAnson/markdownlint-cli2-action from 20 to 21
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 20 to 21.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/v20...v21)
---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
dependency-version: '21'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/lint_md_changes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml
index a3907f04..99b8f949 100644
--- a/.github/workflows/lint_md_changes.yml
+++ b/.github/workflows/lint_md_changes.yml
@@ -21,7 +21,7 @@ jobs:
 with:
 files: '**/*.md'
 separator: ","
- - uses: DavidAnson/markdownlint-cli2-action@v20
+ - uses: DavidAnson/markdownlint-cli2-action@v21
 if: steps.changed-files.outputs.any_changed == 'true'
 with:
 globs: ${{ steps.changed-files.outputs.all_changed_files }}
From 9ecb82cd198f37635de58d0315ca901d3df11226 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Nov 2025 16:00:21 +0000
Subject: [PATCH 05/11] Bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/deploy_site.yml | 2 +-
 .github/workflows/link_checker.yml | 2 +-
 .github/workflows/lint_md_changes.yml | 2 +-
 .github/workflows/python-app.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/deploy_site.yml b/.github/workflows/deploy_site.yml
index b266e69f..5987edac 100644
--- a/.github/workflows/deploy_site.yml
+++ b/.github/workflows/deploy_site.yml
@@ -32,7 +32,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Set up Python
 uses: actions/setup-python@v6
diff --git a/.github/workflows/link_checker.yml b/.github/workflows/link_checker.yml
index 9c953389..011946bc 100644
--- a/.github/workflows/link_checker.yml
+++ b/.github/workflows/link_checker.yml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 - name: Set up Python
 uses: actions/setup-python@v6
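Review bot: `DavidAnson/markdownlint-cli2-action@v21` in lint_md_changes.yml is referenced by a mutable major-version tag, so whoever can move that tag decides what code runs in this job, while the same workflow already pins `tj-actions/changed-files` to a full commit SHA (visible in the later lint_md_changes.yml hunks). The same applies to the `actions/checkout@v6` bumps in deploy_site.yml, link_checker.yml, lint_md_changes.yml and python-app.yml, and to `actions/upload-artifact@v6` in python-app.yml. Pinning each to the release's commit SHA with the version as a trailing comment, e.g. `- uses: DavidAnson/markdownlint-cli2-action@<full-commit-sha-of-v21> # v21`, would make every `uses:` line immutable; the changed-files bump in this series shows Dependabot updating a SHA pin the same way it updates tags.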
diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml
index 99b8f949..8db349e1 100644
--- a/.github/workflows/lint_md_changes.yml
+++ b/.github/workflows/lint_md_changes.yml
@@ -13,7 +13,7 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 with:
 fetch-depth: 0
 - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 03c2950b..5716424d 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
 with:
 fetch-tags: true
 - name: Set up Python 3.12
From 56163d5fdd1b64b960a92bd7fed77e41e3898a7d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Dec 2025 15:09:50 +0000
Subject: [PATCH 06/11] Bump DavidAnson/markdownlint-cli2-action from 21 to 22
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 21 to 22.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/v21...v22)
---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
dependency-version: '22'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/lint_md_changes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml
index 8db349e1..94831bcd 100644
--- a/.github/workflows/lint_md_changes.yml
+++ b/.github/workflows/lint_md_changes.yml
@@ -21,7 +21,7 @@ jobs:
 with:
 files: '**/*.md'
 separator: ","
- - uses: DavidAnson/markdownlint-cli2-action@v21
+ - uses: DavidAnson/markdownlint-cli2-action@v22
 if: steps.changed-files.outputs.any_changed == 'true'
 with:
 globs: ${{ steps.changed-files.outputs.all_changed_files }}
From 6fe015dad9b92886e0bc5e37e334f29e8b96557d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Dec 2025 15:09:59 +0000
Subject: [PATCH 07/11] Bump tj-actions/changed-files from 47.0.0 to 47.0.1
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 47.0.0 to 47.0.1.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/24d32ffd492484c1d75e0c0b894501ddb9d30d62...e0021407031f5be11a464abee9a0776171c79891)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-version: 47.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/lint_md_changes.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml
index 8db349e1..59942658 100644
--- a/.github/workflows/lint_md_changes.yml
+++ b/.github/workflows/lint_md_changes.yml
@@ -16,7 +16,7 @@ jobs:
 - uses: actions/checkout@v6
 with:
 fetch-depth: 0
- - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62
+ - uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891
 id: changed-files
 with:
 files: '**/*.md'
From 616a653ade414128e295fdd460148130081072fa Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Dec 2025 15:10:02 +0000 Subject: [PATCH 08/11] Bump actions/upload-artifact from 5 to 6 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/python-app.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml index 5716424d..c160a6b0 100644 --- a/.github/workflows/python-app.yml +++ b/.github/workflows/python-app.yml @@ -37,7 +37,7 @@ jobs: run: | uv build - name: Upload Artifacts - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: ssvc path: src/dist/ssvc-*.tar.gz From 618931e5213af58b5183e3f276444d4a7bf456f2 Mon Sep 17 00:00:00 2001 From: Vijay Sarvepalli Date: Fri, 9 Jan 2026 15:08:54 -0500 Subject: [PATCH 09/11] Fix for prompting div location failure --- docs/ssvc-explorer/index.md | 3 +-- docs/ssvc-explorer/simple.js | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ssvc-explorer/index.md b/docs/ssvc-explorer/index.md index 642912eb..8a951129 100644 --- a/docs/ssvc-explorer/index.md +++ b/docs/ssvc-explorer/index.md @@ -76,13 +76,12 @@ Language - -

Would you like to proceed?

+
Sample Decision Models:
diff --git a/docs/ssvc-explorer/simple.js b/docs/ssvc-explorer/simple.js
index 4c815092..83e7650b 100644
--- a/docs/ssvc-explorer/simple.js
+++ b/docs/ssvc-explorer/simple.js
@@ -2627,6 +2627,7 @@ function fun_execute(w) {
 return {
 ssvc_launch: ssvc_launch,
 decision_trees: decision_trees,
+ decision_points, decision_points,
 form: form,
 loadSSVC: loadSSVC,
 readFile: readFile,
From 40c093f87ad21d73f6a6dbb84448a0547f355642 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 20:26:42 +0000
Subject: [PATCH 10/11] Initial plan
From a4c01bf2570fac025ebd09d650546498583991a0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 20:33:39 +0000
Subject: [PATCH 11/11] Fix JavaScript syntax error: change comma to colon in object property
Co-authored-by: ahouseholder <2594236+ahouseholder@users.noreply.github.com>
---
 docs/ssvc-explorer/simple.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/ssvc-explorer/simple.js b/docs/ssvc-explorer/simple.js
index 83e7650b..43f6845c 100644
--- a/docs/ssvc-explorer/simple.js
+++ b/docs/ssvc-explorer/simple.js
@@ -2627,7 +2627,7 @@ function fun_execute(w) {
 return {
 ssvc_launch: ssvc_launch,
 decision_trees: decision_trees,
- decision_points, decision_points,
+ decision_points: decision_points,
 form: form,
 loadSSVC: loadSSVC,
 readFile: readFile,
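Review bot: The `decision_points: decision_points` entry in the final simple.js hunk widens the returned object without a comment saying which consumer needs it. If the value is an object or array, callers receive the same reference the module works with, so any other script on the page can modify it. The neighbouring `decision_trees` entry is exposed the same way, so this may be intended; if consumers only read the value, a comment next to the entry such as `// exported for the explorer page; callers must treat this as read-only` would record that. The `return {` statement and the function that contains it start and end outside the hunk, so the full export list is not visible here.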