CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/

Supplier Tree Utility Calculation #208

Closed ctao5660 closed 1 year ago

ctao5660 commented 1 year ago

Hi, regarding the patch supplier tree, it says that the suggested supplier tree is based off

[screenshot attached: Screen Shot 2022-11-07 at 12 08 29 AM]

1. Exploitation
2. Utility
3. Public Safety Impact

I'm a little confused because, as the patch supplier, would you have access to data for the Value Density sub-decision point for Utility? In the description of Value Density it is based off the system it is on, and the value of resources on that system. But as the patch supplier we won't know what system is running our software. Value Density would be different between a Linux server with an important database that runs our software and my dad's old laptop that runs our software.

I think I have the same concerns regarding the Public Safety Impact. Isn't it system dependent?

j--- commented 1 year ago

Hi Christopher, thanks for your question. Currently, the Value Density description says:

The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. Examples of concentrated value are database systems, Kerberos servers, web servers hosting login pages, and cloud service providers. However, usefulness and uniqueness of the resources on the vulnerable system also inform value density.

I understand your question as how this description interacts with the Scope and Reasoning Steps Forward subsections. The summary there is:

Overall, we summarize this aspect of scope as consider credible effects based on known use cases of the software system as a part of cyber-physical systems.

I understand you're saying a supplier does not know all possible uses of their software. However, the scope of SSVC is to answer for known use cases. If there is a known, credible use case that the supplier is making server software that will be administrated by professionals, then the supplier knows value density should be set to concentrated. If some people are able to spin up hobbyist systems, that's fine, but that is handled by the deployer under Mission Impact, or possibly Situated Safety Impact, not value density.

The Gathering Information About Value Density subsection does ask for specific counter examples for software projects that don't match the "administrated by professionals" heuristic that also don't have a good explanation using the alternative heuristic listed. That's:

the value of the vulnerability if it were sold on the open market. Some firms, such as Zerodium, make such pricing structures public.

I don't believe you mentioned what software you are writing; can you be more specific about your situation and provide some information about how these two heuristics fail for it? The more details we have, the better we can update the document.

The Public Safety Impact situation is more or less the same; can you put your question in terms of how it interacts with the Scope and Reasoning Steps Forward subsections, please?

One minor question:

1. Exploitation
2. Utility
3. Public Safety Impact

Did you leave out Technical Impact on purpose?

ctao5660 commented 1 year ago

Without going too much into specifics, we write enterprise software used in a professional setting.

I don't think our use case is a counter example, and the heuristics do seem to work out. I was just looking for some clarification about scoring our product vulns with SSVC. It makes sense to set Value Density to 'concentrated' and re-evaluate as necessary.

Oh whoops, forgot about Technical Impact. Thanks for all the info! I'll open another issue if I have data that supports a counter example as we implement the SSVC supplier tree.

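As an added illustration of the exchange above (this is not code from the issue or from the SSVC project), the block below derives the supplier tree's Utility decision point from Automatable and Value Density, records the justification for each input so the "known, credible use case" reasoning is visible to a reviewer, and reports which supplier-tree decision points are still unanswered. Assumptions: the Utility table follows SSVC v2 (Automatable x Value Density gives laborious, efficient or super effective); the class and function names are hypothetical; the sample assessment values are constructed to mirror the thread and are not real data.

```python
"""Added example (not SSVC project code): derive the Utility decision point
for the supplier tree and check that a supplier assessment is complete.

Assumptions: the Utility table follows SSVC v2 (Automatable x Value Density
-> laborious / efficient / super effective); class and function names are
hypothetical; sample values in example_assessment() are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Automatable(Enum):
    NO = "no"
    YES = "yes"


class ValueDensity(Enum):
    DIFFUSE = "diffuse"
    CONCENTRATED = "concentrated"


class Utility(Enum):
    LABORIOUS = "laborious"
    EFFICIENT = "efficient"
    SUPER_EFFECTIVE = "super effective"


def utility(automatable: Automatable, value_density: ValueDensity) -> Utility:
    """SSVC v2 Utility: the adversary's expected return from exploiting the vulnerability."""
    if automatable is Automatable.YES and value_density is ValueDensity.CONCENTRATED:
        return Utility.SUPER_EFFECTIVE
    if automatable is Automatable.NO and value_density is ValueDensity.DIFFUSE:
        return Utility.LABORIOUS
    # Either a repeatable attack against diffuse value or a manual one against concentrated value.
    return Utility.EFFICIENT


# Inputs the supplier tree consumes; Utility is derived from automatable + value_density.
SUPPLIER_DECISION_POINTS = ("exploitation", "automatable", "value_density",
                            "technical_impact", "public_safety_impact")


@dataclass
class SupplierAssessment:
    """One vulnerability's supplier-tree inputs, each paired with its justification.
    The rationale is where the 'known, credible use case' reasoning is recorded,
    so a reviewer can see why Value Density was set the way it was."""
    values: dict = field(default_factory=dict)
    rationale: dict = field(default_factory=dict)

    def set(self, point: str, value: str, why: str) -> None:
        if point not in SUPPLIER_DECISION_POINTS:
            raise ValueError(f"{point} is not a supplier-tree decision point")
        self.values[point] = value
        self.rationale[point] = why

    def missing(self) -> List[str]:
        """Decision points not yet answered; a non-empty list means the tree cannot be walked."""
        return [p for p in SUPPLIER_DECISION_POINTS if p not in self.values]

    def utility(self) -> Optional[Utility]:
        """Derived Utility, or None until both of its inputs have been recorded."""
        try:
            return utility(Automatable(self.values["automatable"]),
                           ValueDensity(self.values["value_density"]))
        except KeyError:
            return None


def example_assessment() -> SupplierAssessment:
    """Constructed example mirroring the thread: professionally administered enterprise
    server software, so Value Density is 'concentrated' for the known use case. Hobbyist
    installs are left to the deployer's Mission Impact rather than folded into Value Density.
    Technical Impact is deliberately left out, as in the original question."""
    a = SupplierAssessment()
    a.set("exploitation", "none", "constructed: no public PoC or active exploitation reported")
    a.set("automatable", "no", "constructed: exploitation needs per-target setup")
    a.set("value_density", "concentrated",
          "known credible use case: server software administered by professionals")
    a.set("public_safety_impact", "minimal", "constructed: no known cyber-physical use case")
    return a


if __name__ == "__main__":
    a = example_assessment()
    print("utility:", a.utility().value)           # efficient
    print("missing decision points:", a.missing())  # ['technical_impact']
```

Running it shows Utility as efficient (manual exploitation against concentrated value) and flags technical_impact as unanswered, which is the gap j--- pointed out; once that point is recorded, missing() is empty and the four supplier-tree inputs can be walked.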

j--- commented 1 year ago

OK, thanks. If you do find a counterexample or another problem, please do bring it up. Could you please highlight some points in the documentation where you think we could better explain this so future readers can more easily find the answer to your question? That way we can improve the docs. (If there aren't any, then I'll suggest we close this issue). Thanks!

ctao5660 commented 1 year ago

I think at least the definition of Value Density should be more use-case agnostic, since it sounds more geared toward people using the deployer tree. Other than that, I had no issues reading the white paper. You can close the issue, thanks!


j--- commented 1 year ago

Thanks for the feedback!