Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization
December 2019 • White Paper
Jonathan Spring, Eric Hatleback, Allen D. Householder, Art Manion, Deana Shick
This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC), which takes the form of decision trees and avoids some problems with the Common Vulnerability Scoring System (CVSS).
Abstract
Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This paper—the second part of a research agenda about prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with the CVSS. SSVC takes the form of decision trees for different vulnerability management communities.
An updated version of SSVC is now available: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459.