SSVC v2025.9.5

What's Changed

• Publish v2025.9.3 by @ahouseholder in #1035
• Fix for Issue 1060 by @sei-vsarvepalli in #1061

Full Changelog: v2025.9.4...v2025.9.5

SSVC v2025.9.4

Maintenance release. Update acknowledgements page, bump dependencies, and fix a minor SSVC calculator UI bug.

What's Changed

• Publish 2025.9.2 by @ahouseholder in #1000
• Update acks page by @sei-renae in #1037
• Bump DavidAnson/markdownlint-cli2-action from 20 to 21 by @dependabot[bot] in #1039
• Bump actions/checkout from 5 to 6 by @dependabot[bot] in #1042
• Bump DavidAnson/markdownlint-cli2-action from 21 to 22 by @dependabot[bot] in #1046
• Bump tj-actions/changed-files from 47.0.0 to 47.0.1 by @dependabot[bot] in #1047
• Bump actions/upload-artifact from 5 to 6 by @dependabot[bot] in #1048
• Fix for prompting div location failure by @sei-vsarvepalli in #1056
• Fix JavaScript object property syntax in ssvc-explorer/simple.js by @Copilot in #1058

Full Changelog: v2025.9.3...v2025.9.4

SSVC v2025.9.3

This release includes minor changes to the SSVC calculator display, along with some housekeeping tasks.

What's Changed

• Extend methods to generate Selection Schema for CVE and other projects by @sei-vsarvepalli in #1002
• Removed debug print statement by @sei-vsarvepalli in #1008
• Add API examples endpoints by @ahouseholder in #1006
• Move pyproject.toml to root level dir by @sei-renae in #980
• Refactor Default Automatable Values into reusable include file by @Copilot in #1010
• Refactor Default System Exposure Values into an includable by @Copilot in #1014
• Refactor default safety values tip into an includable file by @Copilot in #1015
• Refactor Default Mission Impact Values into reusable include file by @Copilot in #1016
• Refactor default decision point values from collect.md to includable files by @Copilot in #1013
• Bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #1021
• Setup copilot instructions by @sei-renae in #1024
• Fix graph view cutoff in Explorer with fixed bottom buffer by @Copilot in #1004
• Initialize SVG viewBox to prevent zoom control jump on first interaction by @Copilot in #1026
• Change syntax of markdownlint ignores by @sei-renae in #1029
• Remove mention of kebab case by @sei-renae in #1030
• ✨ Set up GitHub Copilot instructions for SSVC repository by @Copilot in #1012
• Truncate long labels in decision table visualization by @sei-vsarvepalli in #1028

New Contributors

• @Copilot made their first contribution in #1010

Full Changelog: v2025.9.2...v2025.9.3

SSVC v2025.9.2

This release renames the Policy Explorer tool to SSVC Explorer, consolidates our change log into our SSVC Release Notes on GitHub, and makes a few dependency updates.

What's Changed

• Publish SSVC v2025.9.1 by @sei-vsarvepalli in #985
• Update Dependabot config to use uv by @ahouseholder in #986
• Relax version pins in pyproject.toml by @ahouseholder in #987
• bump mkdocs-include-markdown-plugin version to 7.1.8 by @ahouseholder in #988
• Integrate javascript by @sei-vsarvepalli in #992
• Update change log page to point to GitHub releases by @sei-renae in #994

Full Changelog: v2025.9.1...v2025.9.2

SSVC v2025.9.1

This release cleans up some regular expression details with the namespace pattern.

What's Changed

• Publish SSVC v2025.9 by @sei-vsarvepalli in #958
• Use NS_PATTERN_STR instead of compiled regex by @ahouseholder in #979
• fix src/ssvc/utils/patterns.py regexp by @bernhardreiter in #984

Full Changelog: v2025.9...v2025.9.1

SSVC v2025.9

In this release, we’ve introduced major new capabilities, refined core concepts, and added supporting tools and documentation.

Significant Changes

Decision Tables as a First-Class Object

• Added a DecisionTable Python object and corresponding JSON schema to represent a complete SSVC decision model.
  • A DecisionTable contains a set of DecisionPoints, designates one as the outcome, and provides a mapping that fully enumerates input combinations and assigns each combination to a specific outcome value.
  • The Python implementation includes validation to ensure mappings are logically consistent with the partial order formed by ordered decision point values.
• Terminology change: what we previously called a Decision Tree or Decision Policy is now standardized as a Decision Table.
  • Rationale:
    1. Avoid confusion between the operations research use of "decision tree" and the machine learning sense.
    2. The word policy has overloaded meanings beyond our intended usage.
    3. Decision Table is an established term that better conveys our intent.
  • See issue #698 for discussion.
• Added DecisionTable objects for specific use cases: Deployer, CISA Coordinator, CVSS v4 equivalence sets, coordinator triage models, and qualitative severity ratings.

Formalizing Decision Point Value Selections

• Added a SelectionList Python object and corresponding JSON schema to represent shareable decision point value selections in data exchange formats.
• Integration with the OASIS CSAF working group: the SSVC SelectionList format is being incorporated into a forthcoming revision of the CSAF specification.
• Extended support for probability- and quantile-bin–based decision points.

First Steps Toward an SSVC API

• Introduced a FastAPI-based Registry API with a Registry object that manages DecisionPoint and DecisionTable instances.
• API endpoints are versioned (/v1/) to allow for future compatibility.
• Packaged for containerized deployment via docker-compose.

Namespace Improvements

• Refined namespace specification and implementation to support:
  • Reverse-domain formats
  • Fragments (e.g., ssvc#example)
  • Language tags
  • Extensions
• Aligned namespace patterns with a formal ABNF grammar.
• Updated documentation: Namespaces Reference.

Tooling Enhancements

• SSVC Calculator updated to support new schema and decision tables.
• New SSVC Policy Explorer tool.
• Docker configurations for test, docs, and api containers, all buildable with docker-compose.
  • Documentation: Container HowTo.

New How-To Articles

• Using EPSS with SSVC
  • Combining EPSS with other Exploitation-Related Decision Points
  • EPSS Quantile Binning as an SSVC Amplifier
• How to use Docker for local SSVC development
• How to implement CVSS v4 Equivalence Sets in SSVC

Documentation Improvements

• Python-driven rendering of SSVC objects (DecisionPoints and DecisionTables) for more consistent examples.
• Decision tables can now be rendered as both mermaid diagrams and tables.
• New reference pages:
  • Decision Points
  • Decision Tables
• Automated generation of CSV examples in documentation.
• ADR added: Use of Calendar Versioning (CalVer) for SSVC releases.

---

Highlights from merged PRs include:

• Introduction of DecisionTable and related objects (#795, #843, #856, #863, #868, #871, #887).
• Namespace improvements and ABNF pattern formalization (#791, #824, #882, #898, #921, #925, #934, #938).
• Selection object and schema improvements (#821, #897, #940, #971).
• Registry API and Docker integration (#893, #917, #952).
• EPSS integration and new decision points (#931, #933, #949).
• Documentation and tooling refinements (#900, #929, #885, #886, #954, #970).
• ADR on Calendar Versioning (#956).
• Bug fixes and cleanup (#822, #870, #945, #953, #928).

See the full PR list below.

---

Dependency Updates

Routine bumps to mkdocs, pandas, jsonschema, and GitHub Actions tooling.

---

What's Changed

• Attempt to resolve #764 into Publish branch for updates. by @sei-vsarvepalli in #767
• Publish v2025.3.3 by @ahouseholder in #772
• Publish v2025.6 by @ahouseholder in #793
• Refactor namespaces by @ahouseholder in #791
• Bump mkdocs-bibtex from 4.2.5 to 4.2.10 in the mkdocs group by @dependabot[bot] in #794
• Bump mkdocs-bibtex from 4.2.10 to 4.3.0 in the mkdocs group by @dependabot[bot] in #804
• Bump markdown-exec from 1.10.3 to 1.11.0 by @dependabot[bot] in #805
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #811
• Bump pandas from 2.3.0 to 2.3.1 by @dependabot[bot] in #819
• Fix for Bug paging issue #818 by @sei-vsarvepalli in #822
• Bump jsonschema from 4.24.0 to 4.25.0 by @dependabot[bot] in #827
• Improve namespace implementation by @ahouseholder in #824
• Minimalist Selection Object by @ahouseholder in #821
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #837
• Bump mkdocs-print-site-plugin from 2.7.3 to 2.8 in the mkdocs group by @dependabot[bot] in #840
• Initial Decision Table object by @ahouseholder in #795
• Add DecisionTable objects for Deployer and CISA Coordinator by @sei-vsarvepalli in #843
• Refactor registry construction by @ahouseholder in #844
• Fix CISA Decision Tree extra text remove by @sei-vsarvepalli in #854
• Add Coordinator Publish DecisionTable by @ahouseholder in #856
• Fix imports in `doctools.py by @ahouseholder in #857
• Add DecisionTable objects for CVSS v4 Equivalence Sets by @ahouseholder in #863
• Move a file to be consistent in data/json/decision_points folder by @sei-vsarvepalli in #866
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #864
• SSVC Cacluator to accept new schema by @sei-vsarvepalli in #867
• Create DecisionTable representation of coordinator triage decision model by @ahouseholder in #868
• Fix a few bugs around Human Impact decision point and decision table by @ahouseholder in #870
• Add CVSS v4 MacroVector to Quality Severity Rating DecisionTable by @sei-vsarvepalli in #871
• fix broken f-strings by @bernhardreiter in #881
• Add CVSS v4 DecisionTable docs for EQ1-6, Qualitative Severity Rating by @ahouseholder in #887
• DecisionTable to mermaid by @ahouseholder in #886
• Apply black and markdownlint --fix by @ahouseholder in #885
• Distinguish resource from references in Selections #833 by @sei-vsarvepalli in #897
• Namespacepattern updates from #882 by @sei-vsarvepalli in #898
• implement new namespace patterns based on ABNF by @bernhardreiter in #882
• Add Documentation for DecisionTable objects by @ahouseholder in #900
• Bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in #913
• Bump jsonschema from 4.25.0 to 4.25.1 by @dependabot[bot] in #912
• Bump the mkdocs group with 2 updates by @dependabot[bot] in #911
• Bump pandas from 2.3.1 to 2.3.2 by @dependabot[bot] in #910
• Update CVE items to be unique and update tests see #905 by @sei-vsarvepalli in #914
• Add FastAPI for SsvcObjectRegistry, including docker container. Also convert package management to uv by @ahouseholder in #893
• change "policy" to "decision table" in relevant docs by @ahouseholder in #906
• fix namespace ABNF and resulting pattern by @bernhardreiter in #921
• Remove default volume mount in docker-compose config by @ahouseholder in https://github.com/CERTCC/SSVC/...

SSVC v2025.6

What's Changed

• Add an 'Explanation' Overview document by @sei-renae in #716
• Simplify Makefile / Dockerfile interactions using docker-compose.yml by @ahouseholder in #785

Dependency Updates

• Bump pydantic from 2.11.1 to 2.11.3 by @dependabot in #776
• Bump tj-actions/changed-files from 46.0.3 to 46.0.5 by @dependabot in #777
• Bump pydantic from 2.11.1 to 2.11.4 by @dependabot in #778
• Bump the mkdocs group across 1 directory with 4 updates by @dependabot in #779
• Bump DavidAnson/markdownlint-cli2-action from 19 to 20 by @dependabot in #781
• Bump pydantic from 2.11.4 to 2.11.5 by @dependabot in #782
• Bump the mkdocs group with 2 updates by @dependabot in #783
• Bump jsonschema from 4.23.0 to 4.24.0 by @dependabot in #784
• Bump mkdocstrings-python from 1.16.11 to 1.16.12 in the mkdocs group by @dependabot in #787
• Bump pandas from 2.2.3 to 2.3.0 by @dependabot in #786
• Bump mkdocs-include-markdown-plugin from 7.1.5 to 7.1.6 in the mkdocs group by @dependabot in #789
• Bump pydantic from 2.11.5 to 2.11.7 by @dependabot in #790

Full Changelog: v2025.3.3...v2025.6

SSVC v2025.3.3

Maintenance release to update site design template and dependencies

What's Changed

• Bump pydantic from 2.10.6 to 2.11.1 by @dependabot in #768
• Bump the mkdocs group with 3 updates by @dependabot in #769
• Bump markdown-exec from 1.10.2 to 1.10.3 by @dependabot in #770
• Update site design template by @sei-renae in #771

Full Changelog: v2025.3.2...v2025.3.3

SSVC v2025.3.2

What's Changed

• Change docs copyright page to reflect new LICENSE wording by @sei-renae in #763
• Update namespace to ensure sufficient limits are established by @sei-vsarvepalli in #765

Full Changelog: v2025.3.1...v2025.3.2

SSVC v2025.3.1

What's Changed

• Update copyright & licensing statements by @sei-renae in #758
• Bump site deployment environment to python 3.12

Full Changelog: v2025.3...v2025.3.1