This release renames the Policy Explorer tool to SSVC Explorer, consolidates our change log into our SSVC Release Notes on GitHub, and makes a few dependency updates.

What's Changed

• Publish SSVC v2025.9.1 by @sei-vsarvepalli in #985
• Update Dependabot config to use uv by @ahouseholder in #986
• Relax version pins in pyproject.toml by @ahouseholder in #987
• bump mkdocs-include-markdown-plugin version to 7.1.8 by @ahouseholder in #988
• Integrate javascript by @sei-vsarvepalli in #992
• Update change log page to point to GitHub releases by @sei-renae in #994

Full Changelog: v2025.9.1...v2025.9.2

This release cleans up some regular expression details with the namespace pattern.

What's Changed

• Publish SSVC v2025.9 by @sei-vsarvepalli in #958
• Use NS_PATTERN_STR instead of compiled regex by @ahouseholder in #979
• fix src/ssvc/utils/patterns.py regexp by @bernhardreiter in #984

Full Changelog: v2025.9...v2025.9.1

In this release, we’ve introduced major new capabilities, refined core concepts, and added supporting tools and documentation.

Significant Changes

Decision Tables as a First-Class Object

• Added a DecisionTable Python object and corresponding JSON schema to represent a complete SSVC decision model.
  • A DecisionTable contains a set of DecisionPoints, designates one as the outcome, and provides a mapping that fully enumerates input combinations and assigns each combination to a specific outcome value.
  • The Python implementation includes validation to ensure mappings are logically consistent with the partial order formed by ordered decision point values.
• Terminology change: what we previously called a Decision Tree or Decision Policy is now standardized as a Decision Table.
  • Rationale:
    1. Avoid confusion between the operations research use of "decision tree" and the machine learning sense.
    2. The word policy has overloaded meanings beyond our intended usage.
    3. Decision Table is an established term that better conveys our intent.
  • See issue #698 for discussion.
• Added DecisionTable objects for specific use cases: Deployer, CISA Coordinator, CVSS v4 equivalence sets, coordinator triage models, and qualitative severity ratings.

Formalizing Decision Point Value Selections

• Added a SelectionList Python object and corresponding JSON schema to represent shareable decision point value selections in data exchange formats.
• Integration with the OASIS CSAF working group: the SSVC SelectionList format is being incorporated into a forthcoming revision of the CSAF specification.
• Extended support for probability- and quantile-bin–based decision points.

First Steps Toward an SSVC API

• Introduced a FastAPI-based Registry API with a Registry object that manages DecisionPoint and DecisionTable instances.
• API endpoints are versioned (/v1/) to allow for future compatibility.
• Packaged for containerized deployment via docker-compose.

Namespace Improvements

• Refined namespace specification and implementation to support:
  • Reverse-domain formats
  • Fragments (e.g., ssvc#example)
  • Language tags
  • Extensions
• Aligned namespace patterns with a formal ABNF grammar.
• Updated documentation: Namespaces Reference.

Tooling Enhancements

• SSVC Calculator updated to support new schema and decision tables.
• New SSVC Policy Explorer tool.
• Docker configurations for test, docs, and api containers, all buildable with docker-compose.
  • Documentation: Container HowTo.

New How-To Articles

• Using EPSS with SSVC
  • Combining EPSS with other Exploitation-Related Decision Points
  • EPSS Quantile Binning as an SSVC Amplifier
• How to use Docker for local SSVC development
• How to implement CVSS v4 Equivalence Sets in SSVC

Documentation Improvements

• Python-driven rendering of SSVC objects (DecisionPoints and DecisionTables) for more consistent examples.
• Decision tables can now be rendered as both mermaid diagrams and tables.
• New reference pages:
  • Decision Points
  • Decision Tables
• Automated generation of CSV examples in documentation.
• ADR added: Use of Calendar Versioning (CalVer) for SSVC releases.

Highlights from merged PRs include:

• Introduction of DecisionTable and related objects (#795, #843, #856, #863, #868, #871, #887).
• Namespace improvements and ABNF pattern formalization (#791, #824, #882, #898, #921, #925, #934, #938).
• Selection object and schema improvements (#821, #897, #940, #971).
• Registry API and Docker integration (#893, #917, #952).
• EPSS integration and new decision points (#931, #933, #949).
• Documentation and tooling refinements (#900, #929, #885, #886, #954, #970).
• ADR on Calendar Versioning (#956).
• Bug fixes and cleanup (#822, #870, #945, #953, #928).

See the full PR list below.

Dependency Updates

Routine bumps to mkdocs, pandas, jsonschema, and GitHub Actions tooling.

What's Changed

• Attempt to resolve #764 into Publish branch for updates. by @sei-vsarvepalli in #767
• Publish v2025.3.3 by @ahouseholder in #772
• Publish v2025.6 by @ahouseholder in #793
• Refactor namespaces by @ahouseholder in #791
• Bump mkdocs-bibtex from 4.2.5 to 4.2.10 in the mkdocs group by @dependabot[bot] in #794
• Bump mkdocs-bibtex from 4.2.10 to 4.3.0 in the mkdocs group by @dependabot[bot] in #804
• Bump markdown-exec from 1.10.3 to 1.11.0 by @dependabot[bot] in #805
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #811
• Bump pandas from 2.3.0 to 2.3.1 by @dependabot[bot] in #819
• Fix for Bug paging issue #818 by @sei-vsarvepalli in #822
• Bump jsonschema from 4.24.0 to 4.25.0 by @dependabot[bot] in #827
• Improve namespace implementation by @ahouseholder in #824
• Minimalist Selection Object by @ahouseholder in #821
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #837
• Bump mkdocs-print-site-plugin from 2.7.3 to 2.8 in the mkdocs group by @dependabot[bot] in #840
• Initial Decision Table object by @ahouseholder in #795
• Add DecisionTable objects for Deployer and CISA Coordinator by @sei-vsarvepalli in #843
• Refactor registry construction by @ahouseholder in #844
• Fix CISA Decision Tree extra text remove by @sei-vsarvepalli in #854
• Add Coordinator Publish DecisionTable by @ahouseholder in #856
• Fix imports in `doctools.py by @ahouseholder in #857
• Add DecisionTable objects for CVSS v4 Equivalence Sets by @ahouseholder in #863
• Move a file to be consistent in data/json/decision_points folder by @sei-vsarvepalli in #866
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #864
• SSVC Cacluator to accept new schema by @sei-vsarvepalli in #867
• Create DecisionTable representation of coordinator triage decision model by @ahouseholder in #868
• Fix a few bugs around Human Impact decision point and decision table by @ahouseholder in #870
• Add CVSS v4 MacroVector to Quality Severity Rating DecisionTable by @sei-vsarvepalli in #871
• fix broken f-strings by @bernhardreiter in #881
• Add CVSS v4 DecisionTable docs for EQ1-6, Qualitative Severity Rating by @ahouseholder in #887
• DecisionTable to mermaid by @ahouseholder in #886
• Apply black and markdownlint --fix by @ahouseholder in #885
• Distinguish resource from references in Selections #833 by @sei-vsarvepalli in #897
• Namespacepattern updates from #882 by @sei-vsarvepalli in #898
• implement new namespace patterns based on ABNF by @bernhardreiter in #882
• Add Documentation for DecisionTable objects by @ahouseholder in #900
• Bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in #913
• Bump jsonschema from 4.25.0 to 4.25.1 by @dependabot[bot] in #912
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #911
• Bump pandas from 2.3.1 to 2.3.2 by @dependabot[bot] in #910
• Update CVE items to be unique and update tests see #905 by @sei-vsarvepalli in #914
• Add FastAPI for SsvcObjectRegistry, including docker container. Also convert package management to uv by @ahouseholder in #893
• change "policy" to "decision table" in relevant docs by @ahouseholder in #906
• fix namespace ABNF and resulting pattern by @bernhardreiter in #921
• Remove default volume mount in docker-compose config by @ahouseholder in https://github.com/CERTCC/SSVC/...

What's Changed

• Add an 'Explanation' Overview document by @sei-renae in #716
• Simplify Makefile / Dockerfile interactions using docker-compose.yml by @ahouseholder in #785

Dependency Updates

• Bump pydantic from 2.11.1 to 2.11.3 by @dependabot in #776
• Bump tj-actions/changed-files from 46.0.3 to 46.0.5 by @dependabot in #777
• Bump pydantic from 2.11.1 to 2.11.4 by @dependabot in #778
• Bump the mkdocs group across 1 directory with 4 updates by @dependabot in #779
• Bump DavidAnson/markdownlint-cli2-action from 19 to 20 by @dependabot in #781
• Bump pydantic from 2.11.4 to 2.11.5 by @dependabot in #782
• Bump the mkdocs group with 2 updates by @dependabot in #783
• Bump jsonschema from 4.23.0 to 4.24.0 by @dependabot in #784
• Bump mkdocstrings-python from 1.16.11 to 1.16.12 in the mkdocs group by @dependabot in #787
• Bump pandas from 2.2.3 to 2.3.0 by @dependabot in #786
• Bump mkdocs-include-markdown-plugin from 7.1.5 to 7.1.6 in the mkdocs group by @dependabot in #789
• Bump pydantic from 2.11.5 to 2.11.7 by @dependabot in #790

Full Changelog: v2025.3.3...v2025.6

Maintenance release to update site design template and dependencies

What's Changed

• Bump pydantic from 2.10.6 to 2.11.1 by @dependabot in #768
• Bump the mkdocs group with 3 updates by @dependabot in #769
• Bump markdown-exec from 1.10.2 to 1.10.3 by @dependabot in #770
• Update site design template by @sei-renae in #771

Full Changelog: v2025.3.2...v2025.3.3

What's Changed

• Change docs copyright page to reflect new LICENSE wording by @sei-renae in #763
• Update namespace to ensure sufficient limits are established by @sei-vsarvepalli in #765

Full Changelog: v2025.3.1...v2025.3.2

What's Changed

• Update copyright & licensing statements by @sei-renae in #758
• Bump site deployment environment to python 3.12

Full Changelog: v2025.3...v2025.3.1

SSVC v2025.3 updates the json format examples and adds some formality around our use of namespaces in the data object representations of SSVC objects. It also improves the presentation of the CWE list in the Exploitation decision point.

What's Changed

• Update json examples in repository by @ahouseholder in #727
• Fix deployment workflow by @ahouseholder in #732
• Convert cwes list to markdown with fewer rows and columns by @sei-renae in #737
• Add markdownlint make target by @ahouseholder in #744
• Add NameSpace Enum by @ahouseholder in #749
• Refactor SsvcDecisionPoint base class mixins by @ahouseholder in #743

Dependency updates

• Bump the mkdocs group with 2 updates by @dependabot in #730
• Bump markdown-exec from 1.10.0 to 1.10.1 by @dependabot in #746
• Bump the mkdocs group with 6 updates by @dependabot in #747
• Pin tj-actions/changed-files action to a specific sha1 by @ahouseholder in #750
• Bump tj-actions/changed-files from 46.0.1 to 46.0.3 by @dependabot in #757
• Bump markdown-exec from 1.10.1 to 1.10.2 by @dependabot in #756
• Bump mkdocstrings-python from 1.16.5 to 1.16.8 in the mkdocs group by @dependabot in #755

Full Changelog: v2025.2...v2025.3

This release

• Updates the json schemas
• Adds documentation for CVSS vector element based SSVC decision points
• Improves some back-end python to set up future development
• Adds a dockerized container for documentation development
• Fixes a few content bugs (broken links, etc.)
• Update dependencies

What's Changed

• fix unit test by @ahouseholder in #669
• Reformat python with black by @ahouseholder in #671
• Add versioned outcomes schema by @sei-vsarvepalli in #672
• Replace python dataclasses with pydantic dataclasses by @ahouseholder in #674
• Resolve Issue 678 by @sei-renae in #679
• Convert site to use inline python instead of relying on manual script to generate decision point examples by @ahouseholder in #683
• Fix json schema example by @sei-renae in #684
• Split CVSS equivalence sets by @ahouseholder in #685
• Update to schema_examples directory by @sei-vsarvepalli in #688
• Update FEMA Federal continuity directive link by @sei-renae in #692
• Add PR template by @ahouseholder in #694
• Add markdownlint workflow by @ahouseholder in #693
• Add semantic versioning validator to _Versioned mixin by @ahouseholder in #696
• Add CVSS vector elements as decision point docs by @ahouseholder in #691
• Updated mission_impact.md by @sei-bkoo in #706
• Add CVSS Qualitative Severity Rating Scale decision point by @ahouseholder in #712
• Dockerize the mkdocs dev server by @ahouseholder in #695
• Update schema JSON to use cross-referencing and force more validations by @sei-vsarvepalli in #704

Dependency Updates

• Bump mkdocs-bibtex from 2.16.2 to 3.0.0 by @dependabot in #668
• Bump mkdocs-material from 9.5.49 to 9.5.50 in the mkdocs group by @dependabot in #667
• Bump copyright by @ahouseholder in #670
• Bump mkdocs-bibtex from 3.0.0 to 4.1.0 by @dependabot in #675
• Bump pydantic from 2.10.3 to 2.10.6 by @dependabot in #676
• Bump the mkdocs group with 2 updates by @dependabot in #677
• Bump the mkdocs group with 3 updates by @dependabot in #680
• Bump the mkdocs group with 4 updates by @dependabot in #682
• Bump semver from 3.0.2 to 3.0.4 by @dependabot in #719
• Bump tj-actions/changed-files from 44 to 45 by @dependabot in #720
• Bump DavidAnson/markdownlint-cli2-action from 16 to 19 by @dependabot in #721
• Bump the mkdocs group across 1 directory with 3 updates by @dependabot in #722

New Contributors

• @sei-renae made their first contribution in #679

Full Changelog: v2024.3.9...v2025.2

This release converges feedback from the CSAF and CVE projects on the SSVC json schema. Also various dependency updates.

What's Changed

• Merge #627 into publish by @ahouseholder in #628
• Schema fix by @ahouseholder in #634
• Publish changes from #635 by @ahouseholder in #636
• Publish JSON schema base change to 2020-12 by @ahouseholder in #643
• Publish fix for decision point reference doc spacing by @ahouseholder in #646
• Bump mkdocs-material from 9.5.42 to 9.5.43 in the mkdocs group by @dependabot in #647
• Bump the mkdocs group with 2 updates by @dependabot in #648
• Bump mkdocs-include-markdown-plugin from 7.0.0 to 7.0.1 in the mkdocs group by @dependabot in #651
• Bump the mkdocs group with 2 updates by @dependabot in #653
• SSVC JSON Schema 2020-12 by @tschmidtb51 in #654
• Bump mkdocs-material from 9.5.46 to 9.5.48 in the mkdocs group by @dependabot in #656
• Bump the mkdocs group across 1 directory with 2 updates by @dependabot in #660
• Bump scikit-learn from 1.5.2 to 1.6.0 by @dependabot in #658
• Bump scikit-learn from 1.6.0 to 1.6.1 by @dependabot in #661
• Spelling error fix in Decision Point Value Selection cvvs to cvss by @sei-vsarvepalli in #664

New Contributors

• @tschmidtb51 made their first contribution in #654

Full Changelog: v2024.3.8...v2024.3.9