Add SSVC doc explaining "human-scale bottleneck" idea#1087

Open
ahouseholder wants to merge 8 commits into main from fix-1033
Conversation

@ahouseholder
Contributor

resolves #1033


This pull request adds a new documentation file explaining the role of SSVC (Stakeholder-Specific Vulnerability Categorization) as a human-scale bottleneck in automated vulnerability response processes. The document clarifies how SSVC condenses complex, automated data into manageable decision points, and emphasizes the importance of human oversight in policy definition and governance.

Key additions to documentation:

  • Introduced a comprehensive explanation of SSVC as a human-scale bottleneck, ensuring transparency and accountability in automated vulnerability response workflows.
  • Detailed the characteristics of SSVC decision points, including their ordinal, orthogonal, and "chunky" nature, which keeps the decision table compact and understandable.
  • Explained how the SSVC decision table codifies policy as code, mapping technical inputs to business-aligned outcomes, and outlined criteria for effective table design.
  • Provided guidance on governance and policy refinement, describing how SSVC enables straightforward modification and clear accountability for risk owners.
  • Clarified that SSVC is not a process bottleneck—automation can occur throughout, with humans responsible for designing and governing the decision framework rather than reviewing every decision.
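The description above presents an SSVC decision table as policy as code: a compact table whose inputs are ordinal, orthogonal decision points and whose rows a risk owner can read, modify and sign off. The following Python is an added illustration, not code from the SSVC project or from this pull request. The decision point names mirror SSVC's deployer tree (exploitation, exposure, automatable) and the outcome names mirror its deployer outcomes, but the value lists are trimmed and the rule functions `policy_v1` and `policy_v2` are a constructed toy policy, not SSVC's published tables. It shows the governance checks a reviewer can run against any such table (completeness, and monotonicity over the ordinal inputs) and how a refinement shows up as a small, reviewable set of changed rows.

```python
from itertools import product

# Decision points: each is an ordered (ordinal) list of values, lowest first.
# Names follow SSVC's deployer tree; the value lists are trimmed and the
# policy rules below are a constructed toy, not SSVC's published tables.
DECISION_POINTS = {
    "exploitation": ["none", "poc", "active"],
    "exposure": ["small", "controlled", "open"],
    "automatable": ["no", "yes"],
}
# Outcomes are ordinal too, lowest urgency first.
OUTCOMES = ["defer", "scheduled", "out-of-cycle", "immediate"]


def build_table(rule):
    """Enumerate every combination of decision-point values and record the
    outcome the rule assigns. The result is the decision table: one row per
    combination (18 here), small enough for a human to read end to end."""
    names = list(DECISION_POINTS)
    table = {}
    for values in product(*(DECISION_POINTS[n] for n in names)):
        row = dict(zip(names, values))
        outcome = rule(**row)
        if outcome not in OUTCOMES:
            raise ValueError(f"rule returned unknown outcome {outcome!r} for {row}")
        table[values] = outcome
    return table


def policy_v1(exploitation, exposure, automatable):
    """Constructed policy: a few rules a risk owner can read and own."""
    rank = (DECISION_POINTS["exploitation"].index(exploitation)
            + DECISION_POINTS["exposure"].index(exposure)
            + DECISION_POINTS["automatable"].index(automatable))
    if exploitation == "active" and exposure == "open":
        return "immediate"
    if rank >= 4:
        return "out-of-cycle"
    if rank >= 2:
        return "scheduled"
    return "defer"


def policy_v2(exploitation, exposure, automatable):
    """Constructed refinement: the risk owner decides that active
    exploitation is never merely 'scheduled'. Same rules otherwise."""
    outcome = policy_v1(exploitation, exposure, automatable)
    if exploitation == "active" and OUTCOMES.index(outcome) < OUTCOMES.index("out-of-cycle"):
        return "out-of-cycle"
    return outcome


def decide(table, **inputs):
    """Look up one decision. Unknown or missing inputs fail loudly rather than
    silently defaulting, so an upstream automation bug cannot be misread as
    a deliberate 'defer'."""
    names = list(DECISION_POINTS)
    missing = [n for n in names if n not in inputs]
    if missing:
        raise ValueError(f"missing decision points: {missing}")
    for n in names:
        if inputs[n] not in DECISION_POINTS[n]:
            raise ValueError(f"{n}={inputs[n]!r} is not a defined value")
    return table[tuple(inputs[n] for n in names)]


def check_table(table):
    """Governance checks a reviewer can run on any table:
    - complete: every combination of inputs has exactly one outcome;
    - monotone: stepping any single input up one ordinal value never lowers
      the outcome (a violation usually means a typo or an inconsistent rule).
    Returns a list of human-readable problems; empty means the table passes."""
    problems = []
    names = list(DECISION_POINTS)
    expected = set(product(*(DECISION_POINTS[n] for n in names)))
    for combo in sorted(expected - set(table)):
        problems.append(f"missing row {combo}")
    for combo in sorted(set(table) - expected):
        problems.append(f"unexpected row {combo}")
    for combo, outcome in table.items():
        for i, n in enumerate(names):
            vals = DECISION_POINTS[n]
            idx = vals.index(combo[i])
            if idx + 1 < len(vals):
                up = combo[:i] + (vals[idx + 1],) + combo[i + 1:]
                if up in table and OUTCOMES.index(table[up]) < OUTCOMES.index(outcome):
                    problems.append(
                        f"{n} {combo[i]}->{vals[idx + 1]} lowers {outcome} "
                        f"to {table[up]} at {combo}")
    return problems


def diff_tables(old, new):
    """Rows whose outcome changed between two policy versions: the unit of
    review and sign-off when a risk owner refines the policy."""
    return {k: (old.get(k), new.get(k))
            for k in set(old) | set(new) if old.get(k) != new.get(k)}


if __name__ == "__main__":
    v1, v2 = build_table(policy_v1), build_table(policy_v2)
    print("v1 problems:", check_table(v1))
    for row, change in sorted(diff_tables(v1, v2).items()):
        print("changed:", row, change)
```

The automation on either side of the table (collectors feeding decision point values in, ticketing or patch orchestration acting on the outcome) never needs to understand the policy; it only calls `decide`. What humans govern is `policy_v1` versus `policy_v2`, and `diff_tables` makes that change a three-row review rather than a re-read of every decision.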

Copilot AI review requested due to automatic review settings March 12, 2026 20:07
@ahouseholder ahouseholder self-assigned this Mar 12, 2026
@ahouseholder ahouseholder requested a review from sei-renae March 12, 2026 20:07
@ahouseholder ahouseholder added the content/semantic Changes to the semantic content of the SSVC documentation label Mar 12, 2026
@ahouseholder ahouseholder added this to the 2026-03 milestone Mar 12, 2026
Copilot AI left a comment

Pull request overview

Adds a new How-To documentation page explaining SSVC’s role as a “human-scale bottleneck” between large-scale automated vulnerability data collection/analysis and large-scale operational response, emphasizing policy governance and accountability.

Changes:

  • Added a new documentation page describing SSVC decision points as a compact, human-governable interface in automated workflows.
  • Documented design characteristics (ordinal/orthogonal/chunky) and how decision tables encode organizational policy and governance refinement.

Labels

content/semantic Changes to the semantic content of the SSVC documentation

Development

Successfully merging this pull request may close these issues.

Write up the "SSVC as human-scale bottleneck" concept

2 participants