Include support for SSVC #803
Comments
Reasoning: As referenced in the following blog post from former Executive Assistant Director for Cybersecurity, Eric Goldstein: "Transforming the Vulnerability Management Landscape", CISA believes the integration of Stakeholder-Specific Vulnerability Categorization (SSVC) is crucial for advancing vulnerability management practices across organizations. SSVC enables organizations to prioritize their remediation efforts effectively by assessing various attributes of vulnerabilities, including exploitation status and technical impact. We have recently added support for SSVC to our IT advisories seen at CISA's public CSAF repository: https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white/2024
I completely agree. CSAF should provide support for SSVC. We should also eventually support EPSS.
I support this effort as well and would like to see SSVC representation available in CSAF. By the way, we also have an updated SSVC schema that addresses a number of concerns raised by analysts. The official SSVC schema that we would like to support is here: https://certcc.github.io/SSVC/data/schema/v1/Decision_Point_Value_Selection-1-0-1.schema.json An example CVE record with this representation of an SSVC evaluation is provided here
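What an SSVC evaluation looks like in the "decision point value selection" shape the two comments above refer to, and how a consumer turns it into a priority, as an added example that is not part of this thread and is not code from the CSAF or SSVC projects. Assumptions: the field layout (schemaVersion, id, role, version, timestamp, and a list of single-key `options`) is patterned after the way CISA's CVE ADP records carry an SSVC selection and should be checked against the published Decision_Point_Value_Selection-1-0-1 schema; the CVE ID is a placeholder; the OUTCOMES table is my transcription of CISA's Coordinator decision tree (SSVC v2.0.3) and must be verified against the published tree before operational use.

```python
"""Added example: build, validate and evaluate one SSVC selection record.
Not from the CSAF or SSVC projects; layout and outcome table are assumptions
noted inline."""
import json

# Decision points and allowed values of the CISA Coordinator tree (SSVC v2.0.3).
DECISION_POINTS = {
    "Exploitation": ("none", "poc", "active"),
    "Automatable": ("no", "yes"),
    "Technical Impact": ("partial", "total"),
    "Mission and Well-being": ("low", "medium", "high"),
}

# Outcome per (Exploitation, Automatable, Technical Impact), ordered by
# Mission and Well-being = low, medium, high.
# ASSUMPTION: transcribed from my reading of CISA's published tree; verify it.
OUTCOMES = {
    ("none",   "no",  "partial"): ("Track",  "Track",  "Track"),
    ("none",   "no",  "total"):   ("Track",  "Track",  "Track*"),
    ("none",   "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("none",   "yes", "total"):   ("Track",  "Track",  "Attend"),
    ("poc",    "no",  "partial"): ("Track",  "Track",  "Track*"),
    ("poc",    "no",  "total"):   ("Track",  "Track*", "Attend"),
    ("poc",    "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("poc",    "yes", "total"):   ("Track",  "Track*", "Attend"),
    ("active", "no",  "partial"): ("Track",  "Track",  "Attend"),
    ("active", "no",  "total"):   ("Track",  "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"):   ("Attend", "Act",    "Act"),
}


def make_selection(cve_id, role, timestamp, selections):
    """Build a selection record with one single-key object per decision point.
    ASSUMPTION: field names follow the CISA CVE ADP representation of the
    v1 selection schema; confirm against the published JSON Schema."""
    return {
        "schemaVersion": "1-0-1",
        "id": cve_id,
        "role": role,
        "version": "2.0.3",
        "timestamp": timestamp,
        "options": [{name: value} for name, value in selections.items()],
    }


def validate_selection(record):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = [f"missing field: {k}" for k in
                ("schemaVersion", "id", "role", "version", "timestamp", "options")
                if k not in record]
    options = record.get("options")
    if not isinstance(options, list) or not options:
        problems.append("options must be a non-empty list")
        return problems
    seen = set()
    for opt in options:
        if not isinstance(opt, dict) or len(opt) != 1:
            problems.append(f"each option must be a single-key object: {opt!r}")
            continue
        (name, value), = opt.items()
        if name not in DECISION_POINTS:
            problems.append(f"unknown decision point: {name}")
        elif value not in DECISION_POINTS[name]:
            problems.append(f"invalid value {value!r} for {name}")
        if name in seen:
            problems.append(f"duplicate decision point: {name}")
        seen.add(name)
    return problems


def priority(record, mission_and_wellbeing=None):
    """Walk the tree for a validated record. A coordinator usually leaves
    Mission and Well-being unselected, so the consumer may supply it."""
    problems = validate_selection(record)
    if problems:
        raise ValueError("; ".join(problems))
    chosen = {n: v for opt in record["options"] for n, v in opt.items()}
    mwb = chosen.get("Mission and Well-being", mission_and_wellbeing)
    if mwb not in DECISION_POINTS["Mission and Well-being"]:
        raise ValueError(f"Mission and Well-being missing or invalid: {mwb!r}")
    try:
        key = (chosen["Exploitation"], chosen["Automatable"], chosen["Technical Impact"])
    except KeyError as e:
        raise ValueError(f"decision point not selected: {e.args[0]}") from None
    return OUTCOMES[key][DECISION_POINTS["Mission and Well-being"].index(mwb)]


# Constructed sample input with a placeholder CVE ID; not a real record.
SAMPLE = make_selection(
    "CVE-2024-00000", "CISA Coordinator", "2024-10-30T00:00:00Z",
    {"Exploitation": "active", "Automatable": "yes", "Technical Impact": "total"},
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    for level in DECISION_POINTS["Mission and Well-being"]:
        print(level, "->", priority(SAMPLE, level))
```

The validator rejects the failure modes a consumer is most likely to meet in practice: an unknown decision point name, a value outside the enumerated set, and the same decision point selected twice, which would otherwise silently overwrite an earlier choice when the options are folded into a dictionary.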
@sei-vsarvepalli Is it possible to update that JSON Schema to Draft 2020-12?
Connecting some dots here:
A motion was moved by Omar to include the changes suggested in this pull request, during the CSAF TC monthly meeting on 2024-10-30. The motion was seconded by Michael. The motion passed.
We should include support for SSVC, as discussed in #462 and during July TC meeting.