CERTCC · ahouseholder · Feb 20, 2025 · Feb 17, 2025 · Feb 17, 2025 · Feb 17, 2025
@@ -0,0 +1,8 @@
+!!! tip "CVSS:Automatable vs SSVC:Automatable"
+
+    The [CVSS Automatable](../reference/decision_points/cvss/automatable.md) 
+    vector element was developed alongside the identically named
+    [Automatable](../reference/decision_points/automatable.md) decision point in
+    SSVC. We intend for these two decision points to be interchangeable.
+    The main difference is that the CVSS Automatable accomodates an explicit
+    _Not Defined_ value, whereas the SSVC Automatable does not.
@@ -0,0 +1,15 @@
+!!! tip "CVSS:Safety vs SSVC:Public Safety Impact vs SSVC:Safety Impact"
+
+    The [CVSS Safety](../reference/decision_points/cvss/safety.md) vector element
+    is semantically interchangeable with the
+    [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md)
+    decision point.
+    The main difference is that the [CVSS Safety](../reference/decision_points/cvss/safety.md)
+    vector element accomodates an explicit _Not Defined_ value, whereas the
+    [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md)
+    does not.
+
+    The [SSVC Safety Impact](../reference/decision_points/safety_impact.md) decision point provides a higher-resolution view of the safety impact.
+    The [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md) and
+    [CVSS Safety](../reference/decision_points/cvss/safety.md) decision points are
+    lower-resolution views of the safety impact.
@@ -0,0 +1,8 @@
+!!! tip "CVSS:Value Density vs SSVC:Value Density"
+
+    The [CVSS Value Density](../reference/decision_points/cvss/value_density.md)
+    vector element was developed alongside the identically named
+    [Value Density](../reference/decision_points/value_density.md) decision 
+    point in SSVC. We intend for these two decision points to be interchangeable.
+    The main difference is that the CVSS Value Density accomodates an explicit
+    _Not Defined_ value, whereas the SSVC Value Density does not.
@@ -1,4 +1,4 @@
-# Automatable
+# Automatable (SSVC)
 
 ```python exec="true" idprefix=""
 from ssvc.decision_points.automatable import LATEST
@@ -12,6 +12,8 @@ print(example_block(LATEST))
     Automatable combines with [Value Density](./value_density.md) to inform 
     [Utility](./utility.md)
 
+{% include-markdown "../../_includes/automatable_cvss_ssvc.md" %}
+
 *Automatable* captures the answer to the question “Can an attacker reliably automate creating exploitation events for this vulnerability?”
 
 !!! question "What are Steps 1-4 of the Kill Chain?"

@@ -0,0 +1,21 @@
+# Attack Complexity
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.attack_complexity import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.attack_complexity import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+```
@@ -0,0 +1,8 @@
+# Attack Requirements
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.attack_requirements import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
@@ -0,0 +1,22 @@
+# Attack Vector
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.attack_vector import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.attack_vector import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,22 @@
+# Authentication
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.authentication import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.authentication import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,10 @@
+# Automatable (CVSS)
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.supplemental.automatable import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+{% include-markdown "../../../_includes/automatable_cvss_ssvc.md" %}
@@ -0,0 +1,22 @@
+# Availability Impact to the Vulnerable System
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.availability_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.availability_impact import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,22 @@
+# Availability Requirement
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.availability_requirement import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.availability_requirement import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,22 @@
+# Collateral Damage Potential
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.collateral_damage_potential import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.collateral_damage_potential import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,22 @@
+# Confidentiality Impact to the Vulnerable System
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.confidentiality_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.confidentiality_impact import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,22 @@
+# Confidentiality Requirement
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.confidentiality_requirement import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.confidentiality_requirement import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,22 @@
+# Exploit Maturity
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.exploit_maturity import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.exploit_maturity import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```
@@ -0,0 +1,8 @@
+# Impact Bias
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.impact_bias import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
@@ -0,0 +1,77 @@
+# CVSS Decision Points
+
+!!! tip inline end "For more information"
+
+    For more information on the CVSS specification, please refer to the
+    [CVSS Specifications](https://www.first.org/cvss/).
+
+For convenience, we have provide a list of decision points that are based
+on the CVSS specification. These decision points can be used to model various
+decisions based on CVSS vector elements.
+
+## Decision Points
+
+The following list of CVSS vector elements have been modeled as SSVC decision
+points for use in vulnerability response and security decision modeling.
+We have organized them into groups according to where they belong in the
+[CVSS v4.0 specification document](https://www.first.org/cvss/v4.0/specification-document).
+
+!!! info "About CVSS Decision Point Versions"
+
+    We have modeled our CVSS-based decision points using the SSVC versioning scheme.
+    Therefore, some decision points may have multiple versions as the concepts have
+    been refined over different versions of the CVSS specification. These versions
+    do _not_ correspond the CVSS specification versions (2.0, 3.0, 3.1, 4.0 etc.).
+
+### Base Metrics
+
+<div class="grid cards" markdown>
+- [Attack Vector](attack_vector.md)
+- [Attack Complexity](attack_complexity.md)
+- [Attack Requirements](attack_requirements.md)
+- [Privileges Required](privileges_required.md)
+- [User Interaction](user_interaction.md)
+- [Confidentiality Impact](confidentiality_impact.md)
+- [Subsequent Confidentiality Impact](subsequent_confidentiality_impact.md)
+- [Integrity Impact](integrity_impact.md)
+- [Subsequent Integrity Impact](subsequent_integrity_impact.md)
+- [Availability Impact](availability_impact.md)
+- [Subsequent Availability Impact](subsequent_availability_impact.md)
+</div>
+
+### Threat Metrics
+
+<div class="grid cards" markdown>
+- [Exploit Maturity](exploit_maturity.md)
+</div>
+
+### Environmental Metrics
+
+<div class="grid cards" markdown>
+- [Confidentiality Requirement](confidentiality_requirement.md)
+- [Integrity Requirement](integrity_requirement.md)
+- [Availability Requirement](availability_requirement.md)
+</div>
+
+### Supplemental Metrics
+
+<div class="grid cards" markdown>
+- [Safety](safety.md)
+- [Automatable](automatable.md)
+- [Provider Urgency](provider_urgency.md)
+- [Recovery](recovery.md)
+- [Value Density](value_density.md)
+- [Vulnerability Response Effort](vulnerability_response_effort.md)
+</div>
+
+### Older Metrics
+
+<div class="grid cards" markdown>
+- [Authentication](authentication.md)
+- [Collateral Damage Potential](collateral_damage_potential.md)
+- [Impact Bias](impact_bias.md)
+- [Remediation Level](remediation_level.md)
+- [Report Confidence](report_confidence.md)
+- [Scope](scope.md)
+- [Target Distribution](target_distribution.md)
+</div>
@@ -0,0 +1,22 @@
+# Integrity Impact to the Vulnerable System
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.integrity_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.integrity_impact import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+    print(example_block(version))
+    print("\n---\n")
+```