
Conversation

@ahouseholder (Contributor):

This PR adds two How To docs demonstrating how to use the probability- and percentile-based decision points in #930 to incorporate EPSS scoring into SSVC decision models. Two approaches are shown:

  1. Using EPSS probabilities alongside KEV and CVSS Exploit Maturity to choose an SSVC Exploitation value
  2. Using EPSS percentiles to amplify the output of the SSVC Deployer Decision Model

Some incidental code in support of the tutorials is also added.

Screenshots of the three pages are given below, along with print-to-PDF renderings of the pages. Note that the PDFs expand all collapsed admonition boxes in the page so they appear quite a bit longer than they do when rendered on screen. (All the JSON notation boxes are collapsed on-screen, for example.)

Screenshot | PDF
Screenshot 2025-08-29 at 4 22 31 PM | EPSS → SSVC Intro - SSVC_ Stakeholder-Specific Vulnerability Categorization.pdf
Screenshot 2025-08-29 at 4 22 19 PM | EPSS Probability as input to Exploitation - SSVC_ Stakeholder-Specific Vulnerability Categorization.pdf
Screenshot 2025-08-29 at 4 22 10 PM | EPSS Percentiles as an Amplifier - SSVC_ Stakeholder-Specific Vulnerability Categorization.pdf

Copilot Summary

This pull request introduces new documentation and code improvements to support using EPSS (Exploit Prediction Scoring System) data with SSVC (Stakeholder-Specific Vulnerability Categorization). The main changes include the addition of comprehensive how-to guides for integrating EPSS scores and percentiles into SSVC decision models, updates to the navigation structure, and enhancements to the codebase to make available various probability and quantile-based decision points.

Documentation enhancements:

  • Added an introductory guide and two detailed how-to guides on using EPSS probability scores and percentiles within SSVC decision models, including practical examples and decision table diagrams.
  • Updated the navigation (mkdocs.yml) to include the new EPSS documentation section and its subpages.

Decision point code improvements:

  • Added DECISION_POINTS dictionaries to both probability and quantiles modules, making it easier to access and enumerate available decision points in code and documentation.
  • Updated the definition of the "Probability Scale in 5 weighted levels, ascending" decision point to reference its NIST source for clarity and traceability.

Example module additions:

  • Introduced a new example decision point module and a base class for example decision points, laying the groundwork for illustrating custom or sample decision logic.
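The two approaches named in the PR description (EPSS probability as one input to the Exploitation decision point, and EPSS percentile as an amplifier on the Deployer outcome) sketched in plain Python. This is an added example, not code from the SSVC project, the PR, or the how-to docs it adds; the threshold values, the "strongest evidence wins" combination rule, the CVSS Exploit Maturity mapping and all function names are assumptions chosen for illustration, and the sample inputs are constructed.

```python
"""Two ways to fold EPSS data into SSVC decisions, as plain-Python sketches.

Added example, not code from the SSVC project or this PR. The thresholds,
function names and the "highest evidence wins" rule are assumptions chosen
for illustration; the real how-to docs define their own mappings.
"""
from enum import IntEnum


class Exploitation(IntEnum):
    """SSVC Exploitation decision point values, lowest to highest."""
    NONE = 0    # no evidence of exploitation
    POC = 1     # public proof of concept exists
    ACTIVE = 2  # active exploitation observed


class DeployerPriority(IntEnum):
    """SSVC Deployer decision model outcomes, lowest to highest."""
    DEFER = 0
    SCHEDULED = 1
    OUT_OF_CYCLE = 2
    IMMEDIATE = 3


# Assumed EPSS probability cut-offs (illustrative, not the documented ones).
EPSS_ACTIVE_THRESHOLD = 0.10
EPSS_POC_THRESHOLD = 0.01

# CVSS Exploit Maturity (E) values mapped onto Exploitation (assumed mapping).
_CVSS_E_TO_EXPLOITATION = {
    "attacked": Exploitation.ACTIVE,
    "poc": Exploitation.POC,
    "unreported": Exploitation.NONE,
    "not_defined": Exploitation.NONE,
}


def _check_unit_interval(name: str, value: float) -> None:
    """EPSS probabilities and percentiles both live in [0, 1]; reject anything else."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {value!r}")


def exploitation_from_evidence(epss_probability: float, in_kev: bool,
                               cvss_exploit_maturity: str = "not_defined") -> Exploitation:
    """Approach 1: combine EPSS, KEV and CVSS Exploit Maturity into one Exploitation value.

    Each source votes independently and the strongest vote wins, so a KEV listing
    or an "attacked" CVSS E value is never downgraded by a low EPSS score.
    """
    _check_unit_interval("epss_probability", epss_probability)
    try:
        cvss_vote = _CVSS_E_TO_EXPLOITATION[cvss_exploit_maturity.lower()]
    except KeyError:
        raise ValueError(f"unknown CVSS Exploit Maturity value: {cvss_exploit_maturity!r}") from None

    kev_vote = Exploitation.ACTIVE if in_kev else Exploitation.NONE

    if epss_probability >= EPSS_ACTIVE_THRESHOLD:
        epss_vote = Exploitation.ACTIVE
    elif epss_probability >= EPSS_POC_THRESHOLD:
        epss_vote = Exploitation.POC
    else:
        epss_vote = Exploitation.NONE

    return max(kev_vote, cvss_vote, epss_vote)


def amplify_deployer_priority(base: DeployerPriority, epss_percentile: float,
                              amplify_at: float = 0.90) -> DeployerPriority:
    """Approach 2: use the EPSS percentile as an amplifier on the Deployer outcome.

    A vulnerability at or above the (assumed) percentile cut-off is promoted one
    level; the result is capped at IMMEDIATE, and the percentile never lowers it.
    """
    _check_unit_interval("epss_percentile", epss_percentile)
    _check_unit_interval("amplify_at", amplify_at)
    if epss_percentile >= amplify_at and base < DeployerPriority.IMMEDIATE:
        return DeployerPriority(base + 1)
    return base


if __name__ == "__main__":
    # Constructed sample inputs, not real EPSS/KEV data.
    samples = [
        (0.002, False, "unreported"),   # nothing points to exploitation
        (0.002, True, "unreported"),    # KEV listing overrides a tiny EPSS score
        (0.030, False, "not_defined"),  # only EPSS speaks, above the POC cut-off
        (0.500, False, "poc"),          # EPSS alone pushes the value to ACTIVE
    ]
    for prob, kev, e in samples:
        print(prob, kev, e, "->", exploitation_from_evidence(prob, kev, e).name)
    print("SCHEDULED at p95 ->",
          amplify_deployer_priority(DeployerPriority.SCHEDULED, 0.95).name)
```

The design point worth noticing is that the two uses of EPSS are kept separate: the probability feeds a decision point (Exploitation), while the percentile only adjusts an already-computed outcome and can only move it upward, so a low percentile never silences a KEV-driven result.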

@ahouseholder ahouseholder self-assigned this Aug 29, 2025
@ahouseholder ahouseholder added content/semantic Changes to the semantic content of the SSVC documentation tech/backend Back-end tools, code, infrastructure labels Aug 29, 2025
@ahouseholder ahouseholder added this to the 2025-09 milestone Aug 29, 2025
@ahouseholder ahouseholder changed the title Add EPSS → SSVC How-To docs Add Using EPSS in SSVC How-To docs Aug 29, 2025
@ahouseholder ahouseholder changed the title Add Using EPSS in SSVC How-To docs Add "Using EPSS in SSVC" How-To docs Aug 29, 2025
Base automatically changed from probability to main September 2, 2025 14:51
@sei-vsarvepalli (Contributor) left a comment

all good!

@ahouseholder ahouseholder merged commit 286a81b into main Sep 8, 2025
5 checks passed
@ahouseholder ahouseholder deleted the epss_howto branch September 8, 2025 20:01