Also: who wins the #Dornröschen #Gewinnspiel?
Information and access link at:
https://opencaching.de/OC10356
#GeoCaching #OConly
@geocaching
I’ve been analyzing the official CVE JSON format as part of a project on automating vulnerability testing (PoCs, reproducible environments, etc.), and I ran into two structural issues that seem to limit automation:
SSVC is buried inside metrics.other, which makes it harder to parse and doesn’t really reflect its importance in decision-making. A dedicated SSVC section could make the data much cleaner.
There’s no proper place for PoCs or reproducible environments. Those links are mixed inside general references, making it difficult to programmatically pull PoCs or docker-compose setups.
I wrote a small proposal explaining the idea and suggesting a structured way to improve this:
https://hackmd.io/@eOEOV3VYQC64eezoG2cl9A/HkYcOlwWbl
I’d love to hear from people who work with CVEs, automation, vuln pipelines, or standardization:
- Have you run into the same issues?
- Is this something the community would benefit from?
- Anything I might have missed on the CVE Program side?
Thanks for any feedback!
#CVE #Infosec #Security #SSVC #Automation #VulnerabilityManagement #Fediverse
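As an added example (not from the post above, and not CVE Program code), here is what a pipeline currently has to do to get SSVC out of `metrics[].other` and to guess at PoC material among the general references, which is the friction the post describes. The record, its placeholder CVE ID and the example.org URLs are constructed; the container and metric layout follows the published CVE JSON 5.1 schema (CNA container plus ADP containers, SSVC carried as `metrics[].other` with `type: "ssvc"`). The `url_hints` fallback is an assumption of this example, not anything the format defines.

```python
"""Extract SSVC decision points and PoC-style references from a CVE JSON 5.x record."""
import json

# Constructed sample record. Placeholder CVE ID and example.org URLs; the
# structure mirrors CVE JSON 5.1 records as published by the CVE Program.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5}}],
            "references": [
                {"url": "https://example.org/advisory", "tags": ["vendor-advisory"]},
                {"url": "https://example.org/poc/exploit.py", "tags": ["exploit"]},
                # Reproducible environment with no tag at all: only a URL hint
                # distinguishes it from any other reference.
                {"url": "https://example.org/lab/docker-compose.yml"},
            ],
        },
        "adp": [{
            "title": "CISA ADP Vulnrichment",
            "metrics": [{"other": {
                "type": "ssvc",
                "content": {
                    "id": "CVE-0000-00000",
                    "role": "CISA Coordinator",
                    "options": [
                        {"Exploitation": "poc"},
                        {"Automatable": "no"},
                        {"Technical Impact": "partial"},
                    ],
                    "version": "2.0.3",
                },
            }}],
        }],
    },
})


def iter_containers(record):
    """Yield (name, container) for the CNA container and every ADP container."""
    containers = record.get("containers", {})
    if "cna" in containers:
        yield "cna", containers["cna"]
    for adp in containers.get("adp", []):
        yield adp.get("title", "adp"), adp


def extract_ssvc(record):
    """Return the first SSVC block found under metrics[].other, or None.

    SSVC has no dedicated key, so every metrics entry of every container has to
    be inspected and its 'other.type' checked.
    """
    for name, container in iter_containers(record):
        for metric in container.get("metrics", []):
            other = metric.get("other")
            if not other or other.get("type") != "ssvc":
                continue
            content = other.get("content", {})
            # options is a list of single-key dicts; flatten it for lookups.
            points = {}
            for option in content.get("options", []):
                points.update(option)
            return {
                "source": name,
                "role": content.get("role"),
                "version": content.get("version"),
                "options": points,
            }
    return None


def extract_poc_references(record, poc_tags=("exploit",),
                           url_hints=("docker-compose", "/poc/")):
    """Return reference URLs that look like PoCs or reproducible environments.

    Tagged references are found by tag; untagged ones only by URL substring
    (url_hints is a heuristic assumed by this example, not part of the format).
    """
    found = []
    for _, container in iter_containers(record):
        for ref in container.get("references", []):
            url = ref.get("url", "")
            tags = set(ref.get("tags", []))
            if tags & set(poc_tags) or any(h in url for h in url_hints):
                found.append(url)
    return found


def summarize(record_json):
    """Parse a record and return the SSVC points and PoC URLs together."""
    record = json.loads(record_json)
    return {"ssvc": extract_ssvc(record), "pocs": extract_poc_references(record)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORD), indent=2))
```

Note that the untagged docker-compose reference is only recovered because of the URL heuristic; drop `url_hints` and it is indistinguishable from the advisory link, which is exactly why a dedicated field would make this kind of pipeline deterministic.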
Continue getting ready for the new year with part two of our two-part series on “Patch Prioritization”.
Here we go into #EPSS, #SSVC, #KEV, and other tools and frameworks.
#sophosxops #threatintelligence #patching #patchprioritization
How do you assess IT vulnerabilities, and which ones should you mitigate first? CISA has developed the #SSVC system to help companies make effective decisions and reduce the risks associated with exploiting vulnerabilities.
A blog post about #SSVC (Stakeholder-Specific Vulnerability Categorization).
Actually, I'm the author; it's a system I introduced together with our CTO. To be honest, more than SSVC itself, what I really wanted to achieve is expressed in the section "Goals of vulnerability response decision-making using SSVC": "can be done with simple steps", "uses off-the-shelf things as much as possible", "decisions don't depend on a particular person and anyone can make them clearly", "can be recorded", "can be explained". Putting this in place also served as a bit of a check on whether I have a management perspective.
https://www.conoris.jp/blog/ssvc
I'm excited to share a draft guide on automating vulnerability prioritization using decision trees aligned with Stakeholder-Specific Vulnerability Categorization (SSVC) and I’m interested in your feedback.
https://nucleussec.com/wp-content/uploads/SSVC-Decision-Tree-Example-1.pdf
„Carnegie Mellon University's Software Engineering Institute (SEI), in collaboration with CISA, created the Stakeholder-Specific Vulnerability Categorization (SSVC) system in 2019 to provide the cyber community a vulnerability analysis methodology that accounts for a vulnerability's exploitation status, impacts to safety, and prevalence of the affected product in a singular system.“
Last week, a rating guide on how to use the #SSVC was published by CISA.
SSVC: https://www.cisa.gov/ssvc
Guide: https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf