Skip to main content

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC is a decision-tree methodology from CMU SEI and CISA that prioritizes vulnerabilities by contextual facts — exploitation status, automatability, and mission impact — rather than a single severity number.

Stakeholder-Specific Vulnerability Categorization (SSVC) is a vulnerability prioritization methodology created by Carnegie Mellon University's Software Engineering Institute and adopted by CISA. Instead of reducing a vulnerability to one universal severity number, SSVC walks a decision tree whose branches are contextual facts.

How It Works

An SSVC decision considers questions like: is the vulnerability being exploited? Is the attack automatable? What is the technical impact, and how mission-critical or exposed is the affected asset? The answers lead to a decision — such as track, attend, or act — tuned to the stakeholder's role. Different organizations can legitimately reach different priorities for the same CVE, because their exposure differs.

Why It Matters

The same vulnerability is not the same risk in a public-facing payment service and an isolated sandbox. SSVC gives structure to that context: it lets situational facts raise or lower priority without letting them manufacture exploitation evidence that is not there. Context-aware scoring models apply SSVC-style factors as multipliers on top of evidence-based likelihood and severity inputs.

Related Terms

SSVC complements CVSS severity and exploitation signals like KEV and EPSS; evidence-weighted models like RiskScore use SSVC-style context as a multiplier.