None: There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.
(Proof of Concept)One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. Some examples of condition (4) are open-source web proxies serve as the PoC code for how to exploit any vulnerability in the vein of improper validation of TLS certificates. As another example, Wireshark serves as a PoC for packet replay attacks on ethernet or WiFi networks.
Active: Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting.
Slow: Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. Example reasons for why a step may not be reliably automatable include (1) the vulnerable component is not searchable or enumerable on the network, (2) weaponization may require human direction for each target, (3) delivery may require channels that widely deployed network security configurations block, and (4) exploitation may be frustrated by adequate exploit-prevention techniques enabled by default; ASLR is an example of an exploit-prevention tool.
Rapid: Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows unauthenticated remote code execution (RCE) or command injection, the response is likely rapid.
Partial: The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. In this context, “low” means that the attacker cannot reasonably make enough attempts to overcome the low chance of each attempt not working. Denial of service is a form of limited control over the behavior of the vulnerable component.
Total: The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.
Mission Prevelance choices
Minimal: Neither support nor essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component nor does it support (enough) mission essential functions.
Support: The operation of the vulnerable component merely supports mission essential functions for two or more entities.
EssentialThe vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity, and failure may (but need not) lead to overall mission failure.
Vulnerability Scoring Decisions
Track The vulnerability does not require attention outside of Vulnerability Management (VM) at this time. Continue to track the situation and reassess the severity of vulnerability if necessary.
Track * Track these closely, especially if mitigation is unavailable or difficult. Recommended that analyst discuss with other ana-lysts and get a second opinion.
Attend The vulnerability requires to be attended to by stakeholders outside VM. The action is a request to others for assistance / information / details, as well as a potential publication about the issue.
Act The vulnerability requires immediate action by the relevant leadership. The action is a high-priority meeting among the relevant supervisors to decide how to respond.
Determining Mission & Well-being impact value
Public Well-Being Impact
Public Well-being Impact Decision Values
Type of Harm
The effect is below the threshold for all aspects described in material.
Material (Any one or more of these conditions hold.)
Physical distress and injuries for users (not operators) of the system.
If the operator is expected to be able to keep the cyber-physical system safely operating (that is, prevents one of the other types of harm), then select this option if one of these three apply: system operator must react to exploitation of the vulnerability to maintain safe system state but operator actions would be within their capabilities; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
Cyber-physical system’s safety margin effectively eliminated but no actual harm; OR failure of cyber-physical system functional capabilities that support safe operation.
Major externalities (property damage, environmental damage, etc.) imposed on other parties.
Financial losses that likely lead to bankruptcy of multiple persons.
Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people.
Irreversible (Any one or more of these conditions hold.)
Multiple fatalities likely.
Operator is incapacitated, where operator usually maintains safe cyber-physical system operations, and so other harms at this level are likely.
Total loss of whole cyber-physical system of which the software is a part.
Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse.
Our proposed SSVC approach for vulnerability prioritization takes the form of decision trees. This decision tree can be adapted for different vulnerability management stakeholders such as patch developers and patch appliers. In this instance of SSVC app, SSVC is being prototyped for CISA in their unique role as advisors to be able to provide decision support to various stakeholders and influence their prioritization of vulnerabilities. Note: the current actions defined as "Track", "Track*", "Critical" and "High" are likely to be updated.
Decision Tree Usage:
Click on the button to see
the complete decision tree at a glance. Each circle
represents a decision point or
stage/fork in the decision tree. You can move your mouse over each circle
to get a glimpse at the definition of the choices you can make after that stage/fork.
The path (branch) leading to the next stage fork is labeled
also as it leads you to the next stage/fork represented by a circle.
When using for a new SSVC calculation with
You can move your mouse over circle
or on the text
that represents a stage/fork in the decision tree
to get information
on choices you can make for
your next stage/fork of the tree.
You will see each branch will also be be labeled
that leads you to the next stage/fork.
You can make the appropriate choice by clicking on the text "partial" or on the
circle where your chosen path ends or terminates. Follow these steps on the decision tree.
When prompted for more complex decision making like
Mission & Well-Being Impact, you will be presented with more choices,
you can click on
? to get more help in
understanding and making the right choices.