Reassess default suggested supplier tree

[j---]

Based on a discussion with @thomas-proell and @bs37208. However, I have digested their comments, so should not be taken to represent their views directly.

Observation: For suppliers, who are working on patches pre-disclosure especially, state of exploitation is very often None. Suppliers are also hesitant to assess even the paired down Public Safety impact, See https://github.com/CERTCC/SSVC/blob/main/doc/graphics/ssvc_2_supplier.pdf

This leaves Utility and Technical Impact to do most of the work of differentiating work priority for most vuls that a supplier actually processes.

We should reassess the core lines of the recommended prioritization tree with this in mind.

Namely. the odd numbered rows between 1 and 11.

SSVC/data/csvs/supplier-options.csv

Line 2 in 8236331

1,none,laborious,partial,minimal,defer

row,Exploitation,Utility,Technical Impact,Public-Safety Impact,Priority
1,none,laborious,partial,minimal,defer
3,none,laborious,total,minimal,defer
5,none,efficient,partial,minimal,scheduled
7,none,efficient,total,minimal,scheduled
9,none,super effective,partial,minimal,scheduled
11,none,super effective,total,minimal,scheduled

If this is where the majority of vulnerability reports are landing, it probably makes sense to have more variability within these 6 lines. I think it is OK to reserve immediate for situations where there is actually safety impact or active exploitation. Then a developer really should drop other things to get out a patch.

However, I think it might make sense, in light of this feedback, to reassess the outcomes to be more like:

row,Exploitation,Utility,Technical Impact,Public-Safety Impact,Priority
1,none,laborious,partial,minimal,defer
3,none,laborious,total,minimal,scheduled
5,none,efficient,partial,minimal,scheduled
7,none,efficient,total,minimal,scheduled
9,none,super effective,partial,minimal,scheduled
11,none,super effective,total,minimal,out-of-cycle

Thoughts?

Also, opening a separate discussion for maybe "defer" for a supplier needs to mean something different than the current definition.
However, this is also tangled in supply chain complexities about who is a supplier and who is a deployer, and that many orgs are both ( (also a separate discussion).

[ahouseholder]

So if I'm visually diff'ing correctly, you're specifically suggesting two changes:

3,none,laborious,total,minimal,defer

to

3,none,laborious,total,minimal,scheduled

and

11,none,super effective,total,minimal,scheduled

to

11,none,super effective,total,minimal,out-of-cycle

These both seem like reasonable changes to me.

[j---]

Sorry I didn't highlight the diff.
Yes, you're pulling that out correctly.

[ahouseholder]

Recast as issue in #275
Resolved in #276