Add SSVC doc explaining "human-scale bottleneck" idea #1087
ahouseholder wants to merge 13 commits into main from
Conversation
Pull request overview
Adds a new How-To documentation page explaining SSVC’s role as a “human-scale bottleneck” between large-scale automated vulnerability data collection/analysis and large-scale operational response, emphasizing policy governance and accountability.
Changes:
- Added a new documentation page describing SSVC decision points as a compact, human-governable interface in automated workflows.
- Documented design characteristics (ordinal/orthogonal/chunky) and how decision tables encode organizational policy and governance refinement.
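To make the overview's points concrete (ordinal, chunky decision points; a decision table that encodes policy; evaluation that can be fully automated once the table is fixed), here is an added illustration in Python. It is not code from the SSVC project and does not use the framework's published decision trees: the decision point names and value scales, the baseline seeding rule, the evidence field names in `map_evidence`, the `OVERRIDES` row and the ticket mapping in `to_ticket` are all constructed for this example. The two governance checks (`check_complete`, `check_monotone`) show the kind of validation a policy owner can run on the table before letting the evaluation run unattended.

```python
"""Simplified model of an SSVC-style decision table.

Constructed for this example: the decision points, value scales, baseline rule,
evidence fields and ticket mapping are placeholders, not the framework's own.
"""
from itertools import product

# Decision point values, ordered from least to most likely to imply action
# (ordinal). Each scale is short and coarse (chunky).
DECISION_POINTS = {
    "exploitation": ["none", "poc", "active"],
    "exposure": ["low", "medium", "high"],
    "impact": ["partial", "total"],
}

# Outcomes, ordered from least to most urgent.
OUTCOMES = ["defer", "scheduled", "out-of-cycle", "immediate"]


def rank(point, value):
    """Position of a value on its decision point's ordinal scale."""
    return DECISION_POINTS[point].index(value)


def _baseline(score):
    """Placeholder starting rule used only to seed a complete table."""
    if score <= 1:
        return "defer"
    if score <= 3:
        return "scheduled"
    if score == 4:
        return "out-of-cycle"
    return "immediate"


def build_policy(overrides=None):
    """Build the decision table: exactly one outcome per value combination.

    `overrides` holds rows the policy owners have deliberately changed; that
    dict, not the evaluation code, is the human-governed artifact.
    """
    table = {}
    for combo in product(*DECISION_POINTS.values()):
        score = sum(rank(p, v) for p, v in zip(DECISION_POINTS, combo))
        table[combo] = _baseline(score)
    table.update(overrides or {})
    return table


def check_complete(table):
    """Governance check: value combinations the table does not decide."""
    return [c for c in product(*DECISION_POINTS.values()) if c not in table]


def check_monotone(table):
    """Governance check: rows where raising one decision point by a single step
    lowers the outcome, contradicting the ordinal ordering."""
    names = list(DECISION_POINTS)
    violations = []
    for combo, outcome in table.items():
        for i, name in enumerate(names):
            scale = DECISION_POINTS[name]
            idx = scale.index(combo[i])
            if idx + 1 == len(scale):
                continue
            higher = combo[:i] + (scale[idx + 1],) + combo[i + 1:]
            if higher in table and OUTCOMES.index(table[higher]) < OUTCOMES.index(outcome):
                violations.append((combo, higher))
    return violations


def map_evidence(record):
    """Input automation (data mapping): reduce raw evidence fields to decision
    point values. The field names are constructed for this example."""
    if record.get("exploited_in_wild"):
        exploitation = "active"
    elif record.get("public_exploit"):
        exploitation = "poc"
    else:
        exploitation = "none"
    exposure = {"internet": "high", "partner": "medium"}.get(record.get("network"), "low")
    impact = "total" if record.get("control") == "full" else "partial"
    return (exploitation, exposure, impact)


def decide(table, record):
    """Fully automated step: map evidence, then look the row up in the table."""
    return table[map_evidence(record)]


def to_ticket(outcome):
    """Output automation: constructed ticket priority and SLA (days) per outcome."""
    return {"immediate": ("P1", 1), "out-of-cycle": ("P2", 7),
            "scheduled": ("P3", 30), "defer": ("P4", None)}[outcome]


# Policy refinement decided by humans: active exploitation of an internet-facing
# asset is immediate even when the impact is only partial.
OVERRIDES = {("active", "high", "partial"): "immediate"}

# Constructed evidence record for one vulnerability.
SAMPLE = {"exploited_in_wild": True, "network": "internet", "control": "partial"}

if __name__ == "__main__":
    for label, policy in (("baseline", build_policy()), ("refined", build_policy(OVERRIDES))):
        assert not check_complete(policy) and not check_monotone(policy)
        outcome = decide(policy, SAMPLE)
        print(label, map_evidence(SAMPLE), "->", outcome, to_ticket(outcome))
```

Running it shows the same evidence record landing on `out-of-cycle` under the baseline table and on `immediate` under the refined one; the evaluation code never changes, only the table row does. An override that breaks the ordering (for example setting `("active", "high", "total")` to `scheduled`) is caught by `check_monotone` before the table is put into automated use.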
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Some high level notes:
sei-renae left a comment:
See comments in-line and in the Conversation.
- Move file from docs/howto/ to docs/topics/ (parallels decision_points_as_bricks.md, addresses Diataxis how-to vs. explanation concern)
- Update mkdocs.yml nav: remove from howto, add to topics alongside decision_points_as_bricks.md
- Fix intro: add 'designed by humans, for humans' thesis and 'not a process bottleneck' clarification at top of document (threads at lines 68, 107)
- Add diagram scope clarification: make explicit that Decision Model = SSVC scope, Data Mapping and Use & Respond are adjacent but outside scope (thread at line 36)
- Fix 'layer' jargon: replace 'any layer of the model' with explicit enumeration of outcomes, decision points, decision table, and data mapping (thread at line 97)
- Fix Use & Respond contradiction: remove direct feedback link that conflicted with use.md documentation; restate as 'observing real-world results' (line 105)
- Add prepare.md hyperlink to Input Automation section (thread at line 113)
- Fix all relative links: bootstrap/ -> ../howto/bootstrap/ after file move

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Introduces the standard AI/autonomy term 'human-on-the-loop' in two places to connect it explicitly to the 'human-scale bottleneck' concept:
- Introduction: adds one sentence defining the term after establishing that the decision table can be fully automated
- Conclusion: replaces the closing sentence with an explicit 'human-on-the-loop' framing that ties accountability to policy governance, not per-decision review

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
| csaf. | ||
| io/), [CVE JSON](https://cveproject.github.io/cve-schema/schema/docs/)), and | ||
| diverse analytical tools, increasingly including AI features like Large | ||
| Language Models (LLMs). SSVC's |
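Review bot: the CSAF link target is wrapped across three lines here (`https://www.`, `csaf.`, `io/)`), which splits the URL and breaks the markdown link; keep `[CSAF](https://www.csaf.io/)` on one line and exclude link targets from any line-length reflow.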
Large Language Models are not a proper noun and should be all lowercase
| The initial stages of vulnerability | ||
| response—[data collection and mapping](../howto/bootstrap/collect.md)—often involve large | ||
| amounts of information, various data sharing formats (e.g., [CSAF](https://www. | ||
| csaf. |
I hope markdownlint catches this...
| - **Densely Defined and Ordinal:** Each decision point uses values that are | ||
| ordered (ordinal variables), moving from least likely to most likely to imply | ||
| action (e.g., Low, Medium, High). This ordering provides a clear, qualitative | ||
| progression without the mathematical properties of intervals. |
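Review bot: "without the mathematical properties of intervals" assumes the reader knows the ordinal-versus-interval scale distinction, which the rest of this bullet does not explain; a plain restatement would carry the point for any audience, e.g. "the values are ranked, but the step from Low to Medium is not claimed to equal the step from Medium to High".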
What is the audience of this doc (do we expect the audience to know about math intervals)?
|
|
||
| The concept of SSVC as a human-scale bottleneck means that the complexity of the | ||
| automated threat landscape is filtered through a framework designed by humans, | ||
| for humans, and understood by humans. |
this was said almost verbatim in the first paragraph
| # SSVC: The Human-Scale Bottleneck in Automated Vulnerability Response | ||
|
|
||
| The Stakeholder-Specific Vulnerability Categorization (SSVC) framework is | ||
| designed to provide a human-scale decision bottleneck in the vulnerability |
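Review bot: the opening sentence uses "human-scale decision bottleneck" before saying what it means, and the title does the same; lead with the definition (the bottleneck is the small set of decision points plus the decision table, which a person can read and govern) and only then say it sits between automated data collection and automated response, so the term reads as a design property rather than a slogan.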
this does not make sense to me, or sounds like bad advertising (if it does make sense)
| does *not* mean that a human must manually review every vulnerability | ||
| decision—the decision table, once defined, can be entirely automated. | ||
| In AI and autonomous systems terminology, this makes SSVC a | ||
| *human-on-the-loop* pattern: humans are not required to approve every |
HOTL is too similar to HITL, so we should really emphasize the O in HOTL
| established during [Prepare](../howto/bootstrap/prepare.md) defines how to | ||
| connect data sources to decision point values. | ||
| - **Output Automation:** The prioritized outcome from the SSVC table (e.g., " | ||
| Immediate") can feed directly into automated patching, ticketing, or software |
odd spacing - markdownlint might not catch
| - Have there been cases where the table led to a decision that was later | ||
| regretted? | ||
| - Are there new constraints or requirements not yet captured? | ||
| - Is the [data mapping](../howto/bootstrap/prepare.md) still appropriate—are the |
should this link to collect.md?
resolves #1033
This pull request adds a new documentation file explaining the role of SSVC (Stakeholder-Specific Vulnerability Categorization) as a human-scale bottleneck in automated vulnerability response processes. The document clarifies how SSVC condenses complex, automated data into manageable decision points, and emphasizes the importance of human oversight in policy definition and governance.
Key additions to documentation: