package
0.0.0-20221128093957-de1fd8bb5053
Repository: https://github.com/seal-io/meta-api.git
Documentation: pkg.go.dev
# Functions
DefaultVector returns the default definition of an SSVC(V2) vector.
GetCVSSScoreAndSeverityByPriority returns the CVSS(V3) score and severity for the given priority.
Parse parses a Vector from an SSVC(V2) vector string.
ParseTree returns a decision tree built from the given CSV content.
ShouldParse is like Parse but does not return an error.
# Constants
AutomatableNo means steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason.
AutomatableYes means steps 1-4 of the kill chain can be reliably automated.
ExploitationActive means shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting.
ExploitationNone means there is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.
ExploitationPoC means one of the following cases is true:
- (1) private evidence of exploitation is attested but not shared;
- (2) widespread hearsay attests to exploitation;
- (3) a typical public PoC exists in places such as Metasploit or ExploitDB;
- (4) the vulnerability has a well-known method of exploitation.
ExposureControlled means networked service with some access restrictions or mitigations already in place (whether locally or on the network).
ExposureOpen means internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers).
ExposureSmall means local service or program; highly controlled network.
HumanImpactHigh means the combined SituatedSafetyImpact and MissionImpact is "high".
HumanImpactLow means the combined SituatedSafetyImpact and MissionImpact is "low".
HumanImpactMedium means the combined SituatedSafetyImpact and MissionImpact is "medium".
HumanImpactVeryHigh means the combined SituatedSafetyImpact and MissionImpact is "very high".
MissionImpactCrippled means Mission Essential Function (MEF) support is crippled.
MissionImpactDegraded means chronic degradation that would eventually harm essential functions.
MissionImpactMEFFailure means any one mission essential function fails for a period of time longer than acceptable; the overall mission of the organization is degraded but can still be accomplished for a time.
MissionImpactMissionFailure means multiple or all mission essential functions fail; ability to recover those functions degraded; organization's ability to deliver its overall mission fails.
MissionImpactNone means little to no impact up to degradation of non-essential functions.
PriorityDefer means the following:
- for StakeholderDeployer, do not act at present.
PriorityImmediate means the following:
- for StakeholderDeployer, act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations.
PriorityOutOfCycle means the following:
- for StakeholderDeployer, act more quickly than usual to apply the mitigation or remediation out-of-cycle, during the next available opportunity, working overtime if necessary.
PriorityScheduled means the following:
- for StakeholderDeployer, act during regularly scheduled maintenance time.
PublicSafetyImpactMinimal means the safety impact of compromise of the affected system is SafetyImpactNone or SafetyImpactMinor.
PublicSafetyImpactSignificant means the safety impact of compromise of the affected system is SafetyImpactMajor, SafetyImpactHazardous or SafetyImpactCatastrophic.
SafetyImpactCatastrophic means any one of the following is observed:
- "Physical Harm": multiple immediate fatalities (emergency response probably cannot save the victims).
SafetyImpactHazardous means any one of the following is observed:
- "Physical Harm": serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures, OR parts of the cyber-physical system that support safe operation break.
SafetyImpactMajor means any one of the following is observed:
- "Physical Harm": physical distress and injuries for users of the system, OR a significant occupational safety hazard, OR failure of physical system functional capabilities that support safe operation.
SafetyImpactMinor means any one of the following is observed:
- "Physical Harm": physical discomfort for users of the system, OR a minor occupational safety hazard, OR a reduction in physical system safety margins.
SafetyImpactNone does not literally mean no impact; the effect is below the threshold for all aspects described in SituatedSafetyImpactMinor.
StakeholderDeployer is one of the constants of Stakeholder.
StakeholderSupplier is one of the constants of Stakeholder.
TechnicalImpactPartial means the exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability.
TechnicalImpactTotal means the exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability.
UtilityEfficient means {yes to automatable and diffuse value} or {no to automatable and concentrated value}.
UtilityLaborious means no to automatable and diffuse value.
UtilitySuperEffective means yes to automatable and concentrated value.
ValueDensityConcentrated means the system that contains the vulnerable component is rich in resources.
ValueDensityDiffuse means the system that contains the vulnerable component has limited resources.
# Variables
TreeDeployer makes its decision from Exploitation, Exposure, Utility and HumanImpact.
TreeHumanImpact makes its decision from SafetyImpact and MissionImpact.
TreePublicSafetyImpact makes its decision from SafetyImpact.
TreeSupplier makes its decision from Exploitation, Utility, TechnicalImpact and PublicSafetyImpact.
TreeUtility makes its decision from Automatable and ValueDensity.
# Interfaces
No description provided by the author
# Type aliases
Automatable is one of the types of the Utility group.
Exploitation of an SSVC(V2) vector, abbreviated as 'E', means the evidence of active exploitation of a vulnerability.
Exposure of an SSVC(V2) vector, abbreviated as 'X', means the accessible attack surface of the affected system or service.
HumanImpact is one of the types of the HumanImpact group.
MissionImpact is one of the types of the HumanImpact group.
Priority of an SSVC(V2) vector, abbreviated as 'P' (on the StakeholderDeployer side) or 'R' (on the StakeholderSupplier side), means the action to take after the decision.
PublicSafetyImpact of an SSVC(V2) vector, abbreviated as 'P', means SafetyImpact from the perspective of StakeholderSupplier.
SafetyImpact of an SSVC(V2) vector, abbreviated as 'S', is a part of PublicSafetyImpact or HumanImpact; it means the safety impact of compromise of the affected system.
Stakeholder of an SSVC(V2) vector.
TechnicalImpact of an SSVC(V2) vector, abbreviated as 'T', means the technical impact of exploiting the vulnerability.
Utility is one of the types of the Utility group.
ValueDensity is one of the types of the Utility group.