Stakeholder-Specific Vulnerability Categorization
SSVC is a decision-tree framework, developed by Carnegie Mellon's SEI with CISA, that helps organizations decide what to do about a vulnerability rather than just scoring its severity. It walks through questions like whether exploitation is active, how automatable an attack is, and what the impact would be, ending in a concrete action such as track, attend, or act now. It matters because a raw CVSS number does not tell a specific organization whether to patch tonight or next quarter.