It’s Patch Tuesday.
Your software scanners light up with nearly 70 percent more vulnerabilities than last month, and by Friday you’re expected to explain, clearly and defensibly, which ones matter, which ones can wait, and which ones could put the organization at real risk if ignored. Your teams are already stretched, new AI-enabled software is landing faster than it can be inventoried, and every dashboard insists its prioritization should come first.
Even if you manage to get through this week, the question remains: how do you make vulnerability prioritization sustainable when volume keeps growing, software keeps changing, and risk tolerance is not the same for every system, given the various stakeholders involved?
This isn’t just hypothetical. In October 2025, Microsoft released fixes for 167 vulnerabilities on a single Patch Tuesday. As Tenable noted in a recent blog post:
- Microsoft alone patched more than 1,100 vulnerabilities for the second consecutive year, nearing 2020’s record.
- The year 2025 saw two record-breaking monthly Patch Tuesdays (January and October).
- “Important” vulnerabilities (over 90 percent) remained the largest category, with “Critical” patches also significant, and there was a notable rise in actively exploited zero-days (41 in 2025).
- Elevation of Privilege (EoP) and Remote Code Execution (RCE) flaws were dominant.
- The growing scope of Microsoft’s portfolio, including AI and cloud products, contributes to higher patch counts.
This is the problem the Stakeholder-Specific Vulnerability Categorization (SSVC) framework was created to address.
Since its initial publication in 2019, SSVC has evolved from a set of ideas and questionnaires into a practical decision framework with defined models that organizations can adopt, implement, and operationalize. As adoption has increased, barriers to entry have steadily decreased. New tooling, community-driven interfaces, and APIs, combined with CISA’s Vulnrichment efforts and improved data exchange formats, are making SSVC easier to integrate, automate, and scale.
As a result, more organizations, including smaller teams without dedicated risk engineering staff, can now apply SSVC using data already flowing through their vulnerability management processes. This post traces the milestones that made this shift possible and invites the community to participate in, contribute to, and benefit from the continued maturation of SSVC.
Transitioning to SSVC
Introducing a new framework for prioritizing vulnerability response presents two problems: stakeholders must be able to access framework data, and they must be able to consume it in support of decisions. In 2019, they could do neither. For starters, stakeholders had to generate their own data by reading and analyzing vulnerability reports. Moreover, the vulnerability ecosystem was geared to support the more popular Common Vulnerability Scoring System (CVSS) scores and metric values, so adapting to SSVC was an uphill battle that few were inclined to undertake. Transitioning from CVSS v3.1 to SSVC is a greater challenge than translation; it is more analogous to switching from driving a car with an automatic transmission to riding a motorcycle with a manual transmission, a challenge of spatial awareness and of how you interact with your environment. By mid-2024, deployers had some global data, but no way to integrate it. Now, at the start of 2026, deployers have the global data and will soon be able to integrate it.
SSVC is now more widely accessible, and it continues to gain adoption, particularly by larger, well-resourced organizations. For example, CISA uses the SSVC framework to prioritize vulnerability response and protect federal networks from active cyber threats.
Increasing Availability of Vulnerability Data Content
SSVC adoption has hinged not just on motivated individuals and organizations integrating it into their own decision-making machinery; it is also facilitated by the growing availability of consumable data from trusted and reliable sources:
- CISA’s KEV and Vulnrichment programs provide SSVC-ready information.
- CVSS v4 and SSVC share semantic compatibility in some attributes by design.
- Both the CVE and CSAF data standards are incorporating, or will soon incorporate, schemas that allow the inclusion of SSVC data.
KEV (since November 2021)
A key question in SSVC is the state of Exploitation for the vulnerability in question. The Known Exploited Vulnerabilities (KEV) catalog, established by CISA in November 2021, contains a “subset of CVEs that have been used to compromise systems in the real world.” KEV records are therefore always Exploitation: Active in SSVC terms, and this data can accordingly be represented directly in decision models. Exploitation is the first decision point in both the Supplier and Deployer decision tables for SSVC, which foregrounds its importance in vulnerability management. The existence of the KEV catalog attests to the importance of the Exploitation question.
CVSS v4 (since November 2023)
Released in November 2023, CVSS v4 has two evaluation criteria (metrics, in CVSS terminology), Automatable and Value Density, that are identical to the SSVC decision points of the same names. CVSS v4 and SSVC developed these criteria in tandem, and they are functionally interchangeable. Automatable asks whether an attacker can reliably automate the creation of exploitation events for the vulnerability. Value Density captures the concentration of value in the potential target systems; for example, an organization’s Enterprise Resource Planning (ERP) system has higher value density than end-user devices.
Additionally, the SSVC Public Safety Impact decision point is identical in definition to the CVSS v4 Safety metric. Moreover, CVSS v4 simplified Exploit Maturity (relative to v3.1) by removing an intermediate value; in doing so, the CVSS v4 Exploit Maturity metric and the SSVC Exploitation decision point converged to semantic equivalence.
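As an added example (not code from the SSVC project itself), the following Python maps the four CVSS v4 metrics that were co-designed with SSVC onto their SSVC decision point values. It assumes only the public CVSS v4.0 vector-string syntax (`CVSS:4.0/…/E:A/AU:Y/V:C/S:P`); the function names and the handling of the Not Defined (`X`) value are this example’s own choices.

```python
"""Map the CVSS v4 metrics co-designed with SSVC onto SSVC decision point values.

Added example; it assumes only the public CVSS v4.0 vector-string syntax and
uses no SSVC library API. Function names are the example's own.
"""
from __future__ import annotations

# CVSS v4 metric abbreviation -> (SSVC decision point, {cvss value: ssvc value}).
# "X" (Not Defined) deliberately has no entry: it means "not assessed", and a
# deployer must not silently read it as Exploitation "none" or Automatable "no".
CVSS4_TO_SSVC = {
    "E":  ("Exploitation",         {"U": "none", "P": "poc", "A": "active"}),
    "AU": ("Automatable",          {"N": "no", "Y": "yes"}),
    "V":  ("Value Density",        {"D": "diffuse", "C": "concentrated"}),
    "S":  ("Public Safety Impact", {"N": "minimal", "P": "significant"}),
}


def parse_cvss4_vector(vector: str) -> dict[str, str]:
    """Split 'CVSS:4.0/AV:N/.../E:A' into {'AV': 'N', ..., 'E': 'A'}."""
    parts = vector.strip().split("/")
    if not parts or parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        if not name or not value or name in metrics:
            raise ValueError(f"malformed or duplicate metric {part!r}")
        metrics[name] = value
    return metrics


def ssvc_points_from_cvss4(vector: str) -> dict[str, str | None]:
    """Return the four SSVC decision points derivable from a CVSS v4 vector.

    None means the vector did not assess that metric (absent or 'X'); the
    decision point still has to be evaluated by the stakeholder.
    """
    metrics = parse_cvss4_vector(vector)
    out: dict[str, str | None] = {}
    for abbrev, (point, table) in CVSS4_TO_SSVC.items():
        raw = metrics.get(abbrev, "X")
        if raw == "X":
            out[point] = None
        elif raw in table:
            out[point] = table[raw]
        else:
            raise ValueError(f"unknown value {raw!r} for CVSS v4 metric {abbrev}")
    return out


if __name__ == "__main__":
    # Constructed vector: base metrics plus the threat and supplemental metrics
    # that carry over to SSVC.
    sample = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
              "/E:A/AU:Y/V:C/S:P")
    for point, value in ssvc_points_from_cvss4(sample).items():
        print(f"{point}: {value}")
```

Two practical notes: a base vector with no threat or supplemental metrics yields `None` for all four points, so a pipeline should route such records to manual assessment rather than defaulting them; and although Value Density is part of the Supplier decision model, it is carried here because it is one of the metrics the two frameworks defined jointly.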
An important design goal for SSVC is that the number of possible inputs and outcomes for a decision table should fall within a human’s level of comprehension. In contrast, CVSS v4 has more than 15 million possible input combinations, which are reduced to 270 macrovectors, which reduce to 101 scores, which are further collapsed into four categories (Low, Medium, High, Critical). Roughly 100 possible outcomes are difficult for a human to reason about. The reduction in scale means that the wider community is converging toward a number of possible outcomes that is more readily human-manageable, though CVSS’s complexity on the input side still means that a lot of analysis is necessary on the front end. By comparison, the default SSVC Deployer Decision Table has 72 possible input combinations that yield four possible outcomes (Defer, Scheduled, Out-of-Cycle, and Immediate), numbers well within the realm of human comprehension. Moreover, the CVSS v4 equivalence sets can be modeled as SSVC decision points, demonstrating how SSVC logic can be applied to other frameworks.
ADPs (since May 2024)
Historically, Common Vulnerabilities and Exposures (CVE) entry data has lacked sufficient useful information for vulnerability response practitioners. For example, many CVE records lack information about technical impact, the state of exploitation, and whether exploitation is automatable. To address this, since May 2024 CISA has been enriching CVE entries as an Authorized Data Publisher (ADP) to “[augment] the information in a CVE Record.” This Vulnrichment effort contributes SSVC decision points, KEV catalog data, and other updates to CVE data. As a result, Technical Impact, Exploitation, and Automatable decision point data are readily available and therefore machine-ingestible. In SSVC, these decision points are stakeholder-agnostic in two important ways: their definitions are universal and consistently understood across roles and contexts, and for a given vulnerability they are expected to be evaluated the same way by different stakeholder roles, from engineers to auditors and researchers. By publicly providing these stakeholder-agnostic evaluations, Vulnrichment reduces the number of questions that individual stakeholders must answer for each vulnerability, making SSVC inherently easier to adopt.
Improving Vulnerability Data Formats
SSVC version 2025.9 included JavaScript Object Notation (JSON) schema updates so that SSVC decision points can be automatically ingested along with vulnerability data. (For more on SSVC versioning, see here.) Beyond improving the JSON schemas, the work of making SSVC data machine-readable helped us refine namespaces to better organize the framework for different consumers. Improving the JSON schemas had direct downstream impacts on being able to integrate SSVC decision points into vulnerability data exchange formats.
CVE records (CVE schema version 6)
The CVE Program is expected to release CVE schema version 6, which will introduce SSVC decision point selections, enabling standardized, machine-readable SSVC data to be distributed directly from the CVE.org website feed. This will help CVE Numbering Authorities (CNAs) and ADP data providers communicate SSVC evaluations earlier in the lifecycle and support a shift-left approach to vulnerability management.
CSAF records (Release 2.1)
Common Security Advisory Framework (CSAF) records build on CVE records to provide machine-ingestible data about vulnerabilities. The CSAF 2.1 release integrates the CERT Coordination Center’s SSVC decision point values and decision schema into its specification. By adding structured SSVC decision data to CSAF records, automated vulnerability tooling can now exchange SSVC data end-to-end, allowing a broader set of stakeholders to operationalize SSVC more quickly.
Today, Deployers Can Readily Adopt SSVC
In the early days of SSVC, stakeholders had to mine their own CVE data to feed their decision models. Now, stakeholders can use CISA-provided Vulnrichment data to apply publicly shared SSVC information in their decision models, improving the consistency and efficiency of their vulnerability responses. Notably, deployers using the default SSVC Deployer Decision Table have an easier path to adopting SSVC. As decision points, the state of Exploitation and whether exploitation is Automatable are universal across systems, making them high-value metrics to communicate when exchanging vulnerability data. With these two decision points provided, deployers only need to assess the decision points System Exposure and Human Impact, which are static from one vulnerability to the next because they are attributes of the system in question. Once deployers have an inventory of these two decision points for their systems, and can consume data for the Exploitation and Automatable decision points, they have all the information required to use SSVC in their vulnerability management.
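To show how the pieces described above fit together, here is an added Python example, not the SSVC project’s own code and not the published default Deployer Decision Table. It reads the Exploitation and Automatable decision points from a Vulnrichment-style ADP container in a CVE record, treats KEV membership as Exploitation: active (as in the KEV section), joins those with a local inventory of System Exposure and Human Impact, and applies a deployer policy. The CVE record, KEV excerpt, and inventory are constructed to mirror the public formats; the `decide()` policy is illustrative only and is where an organization would substitute its own (or the published) table. It also enumerates all 72 input combinations from the decision-table discussion above to confirm the policy yields only the four outcomes.

```python
"""Join Vulnrichment decision points and KEV membership with an asset inventory.

Added example. The CVE record, KEV excerpt, and inventory are constructed to
mirror the public formats; decide() is an illustrative policy and NOT the
published SSVC default Deployer Decision Table.
"""
from __future__ import annotations

import itertools
import json

# Decision point values in increasing order of concern (deployer model).
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
SYSTEM_EXPOSURE = ("small", "controlled", "open")
HUMAN_IMPACT = ("low", "medium", "high", "very high")
OUTCOMES = ("Defer", "Scheduled", "Out-of-Cycle", "Immediate")

# Constructed CVE 5.x record fragment in the Vulnrichment layout: CISA's ADP
# container carries SSVC decision points under metrics[].other, type "ssvc".
CVE_RECORD = json.loads("""{
  "cveMetadata": {"cveId": "CVE-2025-00000"},
  "containers": {"cna": {}, "adp": [{
    "providerMetadata": {"shortName": "CISA-ADP"},
    "metrics": [{"other": {"type": "ssvc", "content": {
      "id": "CVE-2025-00000", "role": "CISA Coordinator", "version": "2.0.3",
      "options": [{"Exploitation": "poc"}, {"Automatable": "yes"},
                  {"Technical Impact": "total"}]}}}]}]}}""")

# Constructed KEV catalog excerpt (top-level shape of the published JSON feed).
KEV_CATALOG = json.loads('{"vulnerabilities": [{"cveID": "CVE-2025-00000"}]}')

# Constructed inventory: the two deployer-owned decision points, per asset.
INVENTORY = {
    "erp-prod":    {"System Exposure": "controlled", "Human Impact": "very high"},
    "kiosk-lobby": {"System Exposure": "small",      "Human Impact": "low"},
}


def vulnrichment_points(record: dict) -> dict[str, str]:
    """Pull SSVC decision points from the CISA ADP container, if present."""
    for adp in record.get("containers", {}).get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") == "ssvc":
                return {k: v for opt in other["content"]["options"]
                        for k, v in opt.items()}
    return {}


def kev_ids(catalog: dict) -> set[str]:
    """CVE IDs listed in the KEV catalog."""
    return {v["cveID"] for v in catalog.get("vulnerabilities", [])}


def decide(exploitation: str, automatable: str, exposure: str, human_impact: str) -> str:
    """Illustrative deployer policy (NOT the published default table).

    Active exploitation is Immediate for high/very-high impact or open exposure,
    else Out-of-Cycle. A public PoC escalates only very-high-impact systems that
    are automatable or open; medium+ impact is Scheduled; else Defer. With no
    known exploitation, high+ impact (or medium, open, automatable) is Scheduled.
    """
    hi = HUMAN_IMPACT.index(human_impact)
    ex = SYSTEM_EXPOSURE.index(exposure)
    if exploitation == "active":
        return "Immediate" if hi >= 2 or ex == 2 else "Out-of-Cycle"
    if exploitation == "poc":
        if hi == 3 and (automatable == "yes" or ex == 2):
            return "Out-of-Cycle"
        return "Scheduled" if hi >= 1 else "Defer"
    if hi >= 2 or (hi == 1 and ex == 2 and automatable == "yes"):
        return "Scheduled"
    return "Defer"


def prioritize(record: dict, catalog: dict, inventory: dict) -> dict[str, str]:
    """Outcome per asset, using published data for the vulnerability-side points."""
    cve_id = record["cveMetadata"]["cveId"]
    points = vulnrichment_points(record)
    exploitation = points.get("Exploitation")
    automatable = points.get("Automatable")
    # KEV listing is evidence of real-world exploitation and overrides an ADP
    # value that may have been enriched before the KEV entry was added.
    if cve_id in kev_ids(catalog):
        exploitation = "active"
    if exploitation not in EXPLOITATION or automatable not in AUTOMATABLE:
        raise ValueError(f"{cve_id}: Exploitation/Automatable not supplied; assess manually")
    return {asset: decide(exploitation, automatable, a["System Exposure"], a["Human Impact"])
            for asset, a in inventory.items()}


def table_size() -> tuple[int, set[str]]:
    """Enumerate every input combination of the deployer table and its outcomes."""
    combos = list(itertools.product(EXPLOITATION, AUTOMATABLE, SYSTEM_EXPOSURE, HUMAN_IMPACT))
    return len(combos), {decide(*c) for c in combos}


if __name__ == "__main__":
    print(prioritize(CVE_RECORD, KEV_CATALOG, INVENTORY))
    print(table_size())
```

The error path matters in practice: a record with no ADP-supplied Exploitation or Automatable value must be routed to manual assessment, not defaulted to “none”/“no”, because the absence of enrichment says nothing about the vulnerability.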
The Future of SSVC
As SSVC becomes more widely adopted in support of vulnerability response, we hope that SSVC data will be included in more vulnerability records and that the APIs to consume them will follow. This includes adoption by data producers of the formats that carry SSVC data, through to the tools that consume that data. We ask stakeholders to look for SSVC data in the formats they are already consuming, such as CVE, NIST, and CSAF records.
SSVC will continue to pursue extensibility and customization while preserving a reliable way for these sources to be processed and used in vulnerability prioritization and beyond. If you’re still unsure about SSVC, try our interactive SSVC Calculator, which demonstrates the ability to render and present publicly available CVE data with a decision model. Another tool on our website, SSVC Explorer, lets you create your own policy or helps you customize a ready-made policy for your needs. Finally, if you have suggestions to help us improve SSVC, want to tell us about your use case, or otherwise want to provide feedback, please don’t hesitate to use our GitHub Discussions as the starting point for a conversation.
