Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization

December 2019 White Paper
Jonathan Spring, Eric Hatleback, Allen D. Householder, Art Manion, Deana Shick

This paper presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).

Publisher:

Software Engineering Institute

Abstract

Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This paper—the second part of a research agenda about prioritizing actions during vulnerability management—presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some problems with the CVSS. SSVC takes the form of decision trees for different vulnerability management communities.