Add SSVC doc explaining "human-scale bottleneck" idea#1087
Open
ahouseholder wants to merge 8 commits intomainfrom
Open
Add SSVC doc explaining "human-scale bottleneck" idea#1087ahouseholder wants to merge 8 commits intomainfrom
ahouseholder wants to merge 8 commits intomainfrom
Conversation
ahouseholder
requested review from
cgyarbrough,
j--- and
sei-vsarvepalli
as code owners
ahouseholder
added
the
content/semantic
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new How-To documentation page explaining SSVC’s role as a “human-scale bottleneck” between large-scale automated vulnerability data collection/analysis and large-scale operational response, emphasizing policy governance and accountability.
Changes:
- Added a new documentation page describing SSVC decision points as a compact, human-governable interface in automated workflows.
- Documented design characteristics (ordinal/orthogonal/chunky) and how decision tables encode organizational policy and governance refinement.
You can also share your feedback on Copilot code review. Take the survey.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sei-renae
reviewed
Mar 18, 2026
| @@ -0,0 +1,116 @@ | |||
| # **SSVC: The Human-Scale Bottleneck in Automated Vulnerability Response** | |||
|
|
|||
| As vulnerability response processes become increasingly saturated with automation—from AI-driven data collection to sophisticated analysis—the **Stakeholder-Specific Vulnerability Categorization (SSVC)** model is intentionally designed to serve as a crucial, human-scale bottleneck. This approach ensures that while the process is efficient and automated, the core decision-making remains transparent, accountable, and aligned with organizational risk appetite, providing a necessary bridge between technical data and business policy. | |||
Contributor
There was a problem hiding this comment.
Can you be more precise and less "big ideas without backing"
Contributor
|
Some high level notes:
|
sei-renae
reviewed
Mar 18, 2026
| gov -->|refines| dc | ||
| ``` | ||
|
|
||
| On the input side, [Data Mapping](bootstrap/collect.md) funnels large-scale |
Contributor
There was a problem hiding this comment.
Suggest making it explicit that "Decision Model" and SSVC are analogous here whereas Data Mapping and Use & Respond are related but technically out of scope. Or at least, that's how this reads, if I were to click the hyperlinks and read more.
sei-renae
reviewed
Mar 18, 2026
|
|
||
| ## **Condensing Complexity into Human-Scale Decisions** | ||
|
|
||
| The initial stages of vulnerability response—[data collection and mapping](bootstrap/collect.md)—often involve vast amounts of information, advanced data sharing formats, and powerful analytical tools, increasingly including AI agents and Large Language Models (LLMs). SSVC's core function is to condense this extensive, complex dataset into a small, manageable set of **decision points**. |
Contributor
There was a problem hiding this comment.
Suggest hyperlinking decision points and being more specific about "advanced data sharing formats" and "powerful analytical tools."
sei-renae
reviewed
Mar 18, 2026
|
|
||
| ## **The Decision Table: Policy as Code** | ||
|
|
||
| By defining a set of orthogonal, ordered decision points, SSVC induces a **partial order** on the entire input space (the Cartesian product of all decision point values). The resulting ordered set of input combinations is then mapped, via a **decision table**, onto a predefined **outcome set** of ordered outcomes. |
Contributor
There was a problem hiding this comment.
Suggest hyperlinking decision table and outcome set
Suggest italicizing instead of bolding "partial order", or linking to its wikipedia page. I don't think we can expect newbies to be familiar with granularities of order theory.
sei-renae
reviewed
Mar 18, 2026
| | **Chunky Values** | Limiting values per input (2-5) prevents exponential growth of the table size ($3 \times 3 \times 3 = 27$ rows; $4 \times 3 \times 3 \times 3 = 108$ rows). | | ||
| | **Understandability** | Decision points must be understandable to non-technical risk owners, focusing on business impact rather than technical specifics (e.g., "Criticality of Affected System" instead of "Buffer Overflow vs. SQL Injection"). | | ||
|
|
||
| ## **The Role of the Human in a Machine-Driven World** |
Contributor
There was a problem hiding this comment.
This should be the beginning of the document.
sei-renae
reviewed
Mar 18, 2026
| The concept of SSVC as a human-scale bottleneck means that the complexity of the automated threat landscape is filtered through a framework **designed by humans, for humans, and understood by humans**. | ||
|
|
||
| **1\. Accountability and Risk Alignment:** | ||
| The decision table provides an explicit, unambiguous link between technical vulnerability characteristics and organizational risk appetite. This structure facilitates crucial conversations between technical implementers (responsible for patching) and risk owners (CISO, IT management, senior management), transferring responsibility from technical staff making proxy judgments to risk owners defining explicit policy. |
Contributor
There was a problem hiding this comment.
Suggest: disambiguate "technical staff" and "risk owners"
sei-renae
reviewed
Mar 18, 2026
| - **With SSVC:** Decisions are explained using comprehensible terms: "We are responding immediately because this has **High Technical Impact** and affects a **Critical Central Server**. This aligns with our established policy." The risk owner can also explain this policy up to their management. | ||
|
|
||
| **2\. Governance and Policy Refinement:** | ||
| The SSVC model is designed for straightforward modification, enabling policy owners to easily adapt their response posture when needed. Changes are typically managed through predictable steps. This process ensures that when a risk owner desires a change, the modification to the policy (the decision table) can be clearly executed and understood. |
Contributor
There was a problem hiding this comment.
This seems like a lot of words to say "transparency"
sei-renae
reviewed
Mar 18, 2026
| **2\. Governance and Policy Refinement:** | ||
| The SSVC model is designed for straightforward modification, enabling policy owners to easily adapt their response posture when needed. Changes are typically managed through predictable steps. This process ensures that when a risk owner desires a change, the modification to the policy (the decision table) can be clearly executed and understood. | ||
|
|
||
| The SSVC governance loop—described in detail in the [Prepare](bootstrap/prepare.md#establish-governance) step of the Getting Started guide—is what makes this refinement practical. Because the decision table is small and explicit, conversations about policy changes stay grounded: |
Contributor
There was a problem hiding this comment.
To me, "loop" implies a circuit, and the linked diagram is not a circuit.
sei-renae
reviewed
Mar 18, 2026
| - Does the **decision table** still reflect how the organization wants to make decisions? | ||
| - Have there been cases where the table led to a decision that was later regretted? | ||
| - Are there new constraints or requirements not yet captured? | ||
| - Is the **[data mapping](bootstrap/collect.md)** still appropriate—are the right data sources being used to assign values to decision points? |
Contributor
There was a problem hiding this comment.
Suggest changing this from bootstrap/collect.md to bootstrap/prepare.md
sei-renae
reviewed
Mar 18, 2026
| - Are there new constraints or requirements not yet captured? | ||
| - Is the **[data mapping](bootstrap/collect.md)** still appropriate—are the right data sources being used to assign values to decision points? | ||
|
|
||
| Depending on the review, adjustments can be made to any layer of the model. The impact of those adjustments is predictable: |
Contributor
There was a problem hiding this comment.
This is the first mention of model "layer"
sei-renae
reviewed
Mar 18, 2026
| | **Adding/Reducing Values** | Small, measurable change. Adding a value increases the table size additively (e.g., $3 \times 3 \times 3 = 27$ to $4 \times 3 \times 3 = 36$). | | ||
| | **Adding a Decision Point** | Multiplicative increase in table size (e.g., $3 \times 3 \times 3 = 27$ to $3 \times 3 \times 3 \times 3 = 81$). Requires a more involved policy review. | | ||
|
|
||
| Crucially, governance should involve the right stakeholders. Risk owners must be involved in reviewing and adjusting the decision table itself, while vulnerability management and IT security teams are best positioned to review the data mapping and decision point definitions. Operational feedback from [Use & Respond](bootstrap/use.md) provides the empirical basis for identifying where the model needs refinement. |
Contributor
There was a problem hiding this comment.
This is contradictory to my understanding of "Use & Respond" per documentation
sei-renae
reviewed
Mar 18, 2026
|
|
||
| Crucially, governance should involve the right stakeholders. Risk owners must be involved in reviewing and adjusting the decision table itself, while vulnerability management and IT security teams are best positioned to review the data mapping and decision point definitions. Operational feedback from [Use & Respond](bootstrap/use.md) provides the empirical basis for identifying where the model needs refinement. | ||
|
|
||
| ## **SSVC is Not a Process Bottleneck** |
Contributor
There was a problem hiding this comment.
This should also go at the beginning of the document.
sei-renae
reviewed
Mar 18, 2026
|
|
||
| Automation can exist throughout the entire response workflow: | ||
|
|
||
| - **Input Automation:** AI or LLMs can perform the "reading comprehension test" of analyzing raw vulnerability data and mechanically selecting the correct values for the SSVC decision points. See [Data Mapping](bootstrap/collect.md) for how to connect data sources to decision point values. |
Contributor
There was a problem hiding this comment.
Suggest revising:
"AI, such as an LLM, ..."
sei-renae
reviewed
Mar 18, 2026
|
|
||
| Automation can exist throughout the entire response workflow: | ||
|
|
||
| - **Input Automation:** AI or LLMs can perform the "reading comprehension test" of analyzing raw vulnerability data and mechanically selecting the correct values for the SSVC decision points. See [Data Mapping](bootstrap/collect.md) for how to connect data sources to decision point values. |
Contributor
There was a problem hiding this comment.
Again, this should hyperlink to howto/prepare.md
sei-renae
reviewed
Mar 18, 2026
| - **Input Automation:** AI or LLMs can perform the "reading comprehension test" of analyzing raw vulnerability data and mechanically selecting the correct values for the SSVC decision points. See [Data Mapping](bootstrap/collect.md) for how to connect data sources to decision point values. | ||
| - **Output Automation:** The prioritized outcome from the SSVC table (e.g., "Immediate") can feed directly into automated patching, ticketing, or software fix development systems. See [Use & Respond](bootstrap/use.md) for how to operationalize SSVC outcomes at scale. | ||
|
|
||
| SSVC acts as a fixed, unambiguous interface. The "human scale" element is in the **design and governance** of this interface, ensuring human accountability and understanding of the decision-making logic. The table's fixed structure means there is no ambiguity from a human's understanding standpoint—you know what the output will be based on the defined inputs and policy. It is the locus where technical reality meets organizational policy. The human is in the loop defining the decision space, not necessarily every single decision. |
Contributor
There was a problem hiding this comment.
"understanding standpoint" reads weird
sei-renae
requested changes
Mar 18, 2026
Contributor
sei-renae
left a comment
sei-renae
left a comment
There was a problem hiding this comment.
See comments in-line and in the Conversation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
resolves #1033
This pull request adds a new documentation file explaining the role of SSVC (Stakeholder-Specific Vulnerability Categorization) as a human-scale bottleneck in automated vulnerability response processes. The document clarifies how SSVC condenses complex, automated data into manageable decision points, and emphasizes the importance of human oversight in policy definition and governance.
Key additions to documentation: