SSVC v2025.9

[ahouseholder]

SSVC September 2025 Release (v2025.9)

In this release, we’ve introduced major new capabilities, refined core concepts, and added supporting tools and documentation.

---

Significant Changes

Decision Tables as a First-Class Object

• Added a DecisionTable Python object and corresponding JSON schema to represent a complete SSVC decision model.
  • A DecisionTable contains a set of DecisionPoints, designates one as the outcome, and provides a mapping that fully enumerates input combinations and assigns each combination to a specific outcome value.
  • The Python implementation includes validation to ensure mappings are logically consistent with the partial order formed by ordered decision point values.
• Terminology change: what we previously called a Decision Tree or Decision Policy is now standardized as a Decision Table.
  • Rationale:
    1. Avoid confusion between the operations research use of "decision tree" and the machine learning sense.
    2. The word policy has overloaded meanings beyond our intended usage.
    3. Decision Table is an established term that better conveys our intent.
  • See issue #698 for discussion.
• Added DecisionTable objects for specific use cases: Deployer, CISA Coordinator, CVSS v4 equivalence sets, coordinator triage models, and qualitative severity ratings.

Formalizing Decision Point Value Selections

• Added a SelectionList Python object and corresponding JSON schema to represent shareable decision point value selections in data exchange formats.
• Integration with the OASIS CSAF working group: the SSVC SelectionList format is being incorporated into a forthcoming revision of the CSAF specification.
• Extended support for probability- and quantile-bin–based decision points.

First Steps Toward an SSVC API

• Introduced a FastAPI-based Registry API with a Registry object that manages DecisionPoint and DecisionTable instances.
• API endpoints are versioned (/v1/) to allow for future compatibility.
• Packaged for containerized deployment via docker-compose.

Namespace Improvements

• Refined namespace specification and implementation to support:
  • Reverse-domain formats
  • Fragments (e.g., ssvc#example)
  • Language tags
  • Extensions
• Aligned namespace patterns with a formal ABNF grammar.
• Updated documentation: Namespaces Reference.

Tooling Enhancements

• SSVC Calculator updated to support new schema and decision tables.
• New SSVC Policy Explorer tool.
• Docker configurations for test, docs, and api containers, all buildable with docker-compose.
  • Documentation: Container HowTo.

New How-To Articles

• Using EPSS with SSVC
  • Combining EPSS with other Exploitation-Related Decision Points
  • EPSS Quantile Binning as an SSVC Amplifier
• How to use Docker for local SSVC development
• How to implement CVSS v4 Equivalence Sets in SSVC

Documentation Improvements

• Python-driven rendering of SSVC objects (DecisionPoints and DecisionTables) for more consistent examples.
• Decision tables can now be rendered as both mermaid diagrams and tables.
• New reference pages:
  • Decision Points
  • Decision Tables
• Automated generation of CSV examples in documentation.
• ADR added: Use of Calendar Versioning (CalVer) for SSVC releases.

---

Highlights from merged PRs include:

• Introduction of DecisionTable and related objects (Initial Decision Table object #795, Add DecisionTable objects for Deployer and CISA Coordinator #843, Add Coordinator Publish DecisionTable #856, Add DecisionTable objects for CVSS v4 Equivalence Sets #863, Create DecisionTable representation of coordinator triage decision model #868, Add CVSS v4 MacroVector to Quality Severity Rating DecisionTable #871, Add CVSS v4 DecisionTable docs for EQ1-6, Qualitative Severity Rating #887).
• Namespace improvements and ABNF pattern formalization (Refactor namespaces #791, Improve namespace implementation #824, implement new namespace patterns based on ABNF #882, Namespacepattern updates from #882 #898, fix namespace ABNF and resulting pattern #921, fix JSON schema pattern for namespace #925, Allow base namespaces to have fragments (e.g., ssvc#example) #934, Update namespace documentation #938).
• Selection object and schema improvements (Minimalist Selection Object #821, Distinguish resource from references in Selections #833 #897, Selection scheme error #940, Add minLength to name and definition in SelectionList $defs #971).
• Registry API and Docker integration (Add FastAPI for SsvcObjectRegistry, including docker container. Also convert package management to uv  #893, Remove default volume mount in docker-compose config #917, Prefix all api routes with /v1/ to allow future increments #952).
• EPSS integration and new decision points (Add probability- and quantile-bin based decision points #931, Add "Using EPSS in SSVC" How-To docs #933, Add a few explanatory callouts to EPSS howtos #949).
• Documentation and tooling refinements (Add Documentation for DecisionTable objects #900, Automate CSV example generation with doctools.py #929, Apply black and markdownlint --fix #885, DecisionTable to mermaid #886, Make value key its own column when rendering decision point examples #954, Clean up examples #970).
• ADR on Calendar Versioning (Add ADR about use of CalVer for main project releases #956).
• Bug fixes and cleanup (Fix for Bug paging issue #818 #822, Fix a few bugs around Human Impact decision point and decision table #870, Bugfix 943 #945, Remove HTML from Safety Decision Point value definitions #953, Housekeeping obsolete stuff #928).

See the full PR list below.

---

Dependency Updates

Routine bumps to mkdocs, pandas, jsonschema, and GitHub Actions tooling.

---

What's Changed

• Attempt to resolve Increase namespace restriction from 25 characters to larger at least 50 preferably 100 #764 into Publish branch for updates. by @sei-vsarvepalli in Attempt to resolve #764 into Publish branch for updates. #767
• Publish v2025.3.3 by @ahouseholder in Publish v2025.3.3 #772
• Publish v2025.6 by @ahouseholder in Publish v2025.6 #793
• Refactor namespaces by @ahouseholder in Refactor namespaces #791
• Bump mkdocs-bibtex from 4.2.5 to 4.2.10 in the mkdocs group by @dependabot[bot] in Bump mkdocs-bibtex from 4.2.5 to 4.2.10 in the mkdocs group #794
• Bump mkdocs-bibtex from 4.2.10 to 4.3.0 in the mkdocs group by @dependabot[bot] in Bump mkdocs-bibtex from 4.2.10 to 4.3.0 in the mkdocs group #804
• Bump markdown-exec from 1.10.3 to 1.11.0 by @dependabot[bot] in Bump markdown-exec from 1.10.3 to 1.11.0 #805
• Bump the mkdocs group with 2 updates by @dependabot[bot] in Bump the mkdocs group with 2 updates #811
• Bump pandas from 2.3.0 to 2.3.1 by @dependabot[bot] in Bump pandas from 2.3.0 to 2.3.1 #819
• Fix for Bug paging issue PDF Exports cut off at 1 page #818 by @sei-vsarvepalli in Fix for Bug paging issue #818 #822
• Bump jsonschema from 4.24.0 to 4.25.0 by @dependabot[bot] in Bump jsonschema from 4.24.0 to 4.25.0 #827
• Improve namespace implementation by @ahouseholder in Improve namespace implementation #824
• Minimalist Selection Object by @ahouseholder in Minimalist Selection Object #821
• Bump the mkdocs group with 2 updates by @dependabot[bot] in Bump the mkdocs group with 2 updates #837
• Bump mkdocs-print-site-plugin from 2.7.3 to 2.8 in the mkdocs group by @dependabot[bot] in Bump mkdocs-print-site-plugin from 2.7.3 to 2.8 in the mkdocs group #840
• Initial Decision Table object by @ahouseholder in Initial Decision Table object #795
• Add DecisionTable objects for Deployer and CISA Coordinator by @sei-vsarvepalli in Add DecisionTable objects for Deployer and CISA Coordinator #843
• Refactor registry construction by @ahouseholder in Refactor registry construction #844
• Fix CISA Decision Tree extra text remove by @sei-vsarvepalli in Fix CISA Decision Tree extra text remove #854
• Add Coordinator Publish DecisionTable by @ahouseholder in Add Coordinator Publish DecisionTable #856
• Fix imports in `doctools.py by @ahouseholder in Fix imports in `doctools.py #857
• Add DecisionTable objects for CVSS v4 Equivalence Sets by @ahouseholder in Add DecisionTable objects for CVSS v4 Equivalence Sets #863
• Move a file to be consistent in data/json/decision_points folder by @sei-vsarvepalli in Move a file to be consistent in data/json/decision_points folder #866
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in Bump actions/checkout from 4 to 5 #864
• SSVC Cacluator to accept new schema by @sei-vsarvepalli in SSVC Cacluator to accept new schema #867
• Create DecisionTable representation of coordinator triage decision model by @ahouseholder in Create DecisionTable representation of coordinator triage decision model #868
• Fix a few bugs around Human Impact decision point and decision table by @ahouseholder in Fix a few bugs around Human Impact decision point and decision table #870
• Add CVSS v4 MacroVector to Quality Severity Rating DecisionTable by @sei-vsarvepalli in Add CVSS v4 MacroVector to Quality Severity Rating DecisionTable #871
• fix broken f-strings by @bernhardreiter in fix broken f-strings #881
• Add CVSS v4 DecisionTable docs for EQ1-6, Qualitative Severity Rating by @ahouseholder in Add CVSS v4 DecisionTable docs for EQ1-6, Qualitative Severity Rating #887
• DecisionTable to mermaid by @ahouseholder in DecisionTable to mermaid #886
• Apply black and markdownlint --fix by @ahouseholder in Apply black and markdownlint --fix #885
• Distinguish resource from references in Selections Selection Resources and References descriptions are very similar #833 by @sei-vsarvepalli in Distinguish resource from references in Selections #833 #897
• Namespacepattern updates from implement new namespace patterns based on ABNF #882 by @sei-vsarvepalli in Namespacepattern updates from #882 #898
• implement new namespace patterns based on ABNF by @bernhardreiter in implement new namespace patterns based on ABNF #882
• Add Documentation for DecisionTable objects by @ahouseholder in Add Documentation for DecisionTable objects #900
• Bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in Bump actions/upload-pages-artifact from 3 to 4 #913
• Bump jsonschema from 4.25.0 to 4.25.1 by @dependabot[bot] in Bump jsonschema from 4.25.0 to 4.25.1 #912
• Bump the mkdocs group with 2 updates by @dependabot[bot] in Bump the mkdocs group with 2 updates #911
• Bump pandas from 2.3.1 to 2.3.2 by @dependabot[bot] in Bump pandas from 2.3.1 to 2.3.2 #910
• Update CVE items to be unique and update tests see target_ids should be unique #905 by @sei-vsarvepalli in Update CVE items to be unique and update tests see #905 #914
• Add FastAPI for SsvcObjectRegistry, including docker container. Also convert package management to uv by @ahouseholder in Add FastAPI for SsvcObjectRegistry, including docker container. Also convert package management to uv  #893
• change "policy" to "decision table" in relevant docs by @ahouseholder in change "policy" to "decision table" in relevant docs #906
• fix namespace ABNF and resulting pattern by @bernhardreiter in fix namespace ABNF and resulting pattern #921
• Remove default volume mount in docker-compose config by @ahouseholder in Remove default volume mount in docker-compose config #917
• fix JSON schema pattern for namespace by @bernhardreiter in fix JSON schema pattern for namespace #925
• Rename description attribute to definition by @ahouseholder in Rename description attribute to definition #926
• Mark ssvc.dp_groups.base as deprecated by @ahouseholder in Mark ssvc.dp_groups.base as deprecated #919
• Automate CSV example generation with doctools.py by @ahouseholder in Automate CSV example generation with doctools.py #929
• Housekeeping obsolete stuff by @ahouseholder in Housekeeping obsolete stuff #928
• Add probability- and quantile-bin based decision points by @ahouseholder in Add probability- and quantile-bin based decision points #931
• Bump actions/setup-python from 5 to 6 by @dependabot[bot] in Bump actions/setup-python from 5 to 6 #935
• Add "Using EPSS in SSVC" How-To docs by @ahouseholder in Add "Using EPSS in SSVC" How-To docs #933
• Allow base namespaces to have fragments (e.g., ssvc#example) by @ahouseholder in Allow base namespaces to have fragments (e.g., ssvc#example) #934
• Added SSVC Calculator and fixed uv editable requirements.txt file. by @sei-vsarvepalli in Added SSVC Calculator and fixed uv editable requirements.txt file. #937
• Update namespace documentation by @ahouseholder in Update namespace documentation #938
• Change heading bar height to not be too small when scrolling by @sei-renae in Change heading bar height to not be too small when scrolling #942
• Add hyperlinks to SSVC card titles by @sei-renae in Add hyperlinks to SSVC card titles #941
• Selection scheme error by @sei-vsarvepalli in Selection scheme error #940
• Bugfix 943 by @sei-vsarvepalli in Bugfix 943 #945
• Refactor JSON schema generation for consistency by @ahouseholder in Refactor JSON schema generation for consistency #946
• Improve consistency of uv use in worfklows by @ahouseholder in Improve consistency of uv use in worfklows #948
• Add a few explanatory callouts to EPSS howtos by @ahouseholder in Add a few explanatory callouts to EPSS howtos #949
• Remove HTML from Safety Decision Point value definitions by @ahouseholder in Remove HTML from Safety Decision Point value definitions #953
• Prefix all api routes with /v1/ to allow future increments by @ahouseholder in Prefix all api routes with /v1/ to allow future increments #952
• Make value key its own column when rendering decision point examples by @ahouseholder in Make value key its own column when rendering decision point examples #954
• Bump tj-actions/changed-files from 46.0.5 to 47.0.0 by @dependabot[bot] in Bump tj-actions/changed-files from 46.0.5 to 47.0.0 #955
• Updated files to send to pypi project format with examples by @sei-vsarvepalli in Updated files to send to pypi project format with examples #951
• Add ADR about use of CalVer for main project releases by @ahouseholder in Add ADR about use of CalVer for main project releases #956
• Use pattern string instead of compiled pattern in field_specs.py by @ahouseholder in Use pattern string instead of compiled pattern in field_specs.py #967
• Updates and small fixes, move ascii_tree to helpers by @sei-vsarvepalli in Updates and small fixes, move ascii_tree to helpers #969
• Clean up examples by @ahouseholder in Clean up examples #970
• Add minLength to name and definition in SelectionList $defs by @ahouseholder in Add minLength to name and definition in SelectionList $defs #971
• Minor refactor of Outcome and Overview documentation by @ahouseholder in Minor refactor of Outcome and Overview documentation #972
• Separating how-to guides ('gathering info' sections) from reference documents by @sei-renae in Separating how-to guides ('gathering info' sections) from reference documents #792

New Contributors

• @bernhardreiter made their first contribution in fix broken f-strings #881

Full Changelog: v2025.6...v2025.9