SVCC Exploitation Flag /Element is broken based on a flawed design.

[timrohrbaugh]

SVCC Exploitation should not be a three-way switch. The key reason the design is the cause of being broken is because when it is switch to POC because of the reconition of exploit code being seen in the wild and subsequently is found as part of an active intrustion then when the flag is moved to Active we loose the key knowledge of POC. I suggest making Exploitation none or Active but then adding POC yes/no as a fourth element of SVCC.

[dallison-cisa]

@timrohrbaugh, thank you for your feedback.

For a CVE Record that has been previously assessed as Exploitation: poc,

1. if the CVE references do not include the reference link to the proof of concept, a reference will be added in the ADP container.
2. if the CVE references do include the reference link to the proof of concept, a reference will not be added in the ADP container.

If a CVE Record has SSVC that has been reassessed from Exploitation: poc to Exploitation: active, it can be assumed that either

• the included ADP reference link is either for the active exploitation or for the PoC reference, (see CVE-2025-25257 ) or
• one of the CVE Record reference links was for the poc.

This unfortunately does not handle the instance wherein the CNA removes a reference. That reference might have contained the proof of concept.

I would like to leave this issue open for discussion from other parties.

[sei-vsarvepalli]

Ideally SSVC metrics are repeated with the old history retained. SSVC records were designed to be write once and never update - append only type record.. The timestamp should be updated so there should be two SSVC metrics record and one that was evaluated at date 1 and later at date 2.

I recommend that KEV records also be represented using SSVC In-Kev metric supported as a SSVC decision point metric - https://github.com/CERTCC/SSVC/blob/main/data/json/decision_points/cisa/in_kev_1_0_0.json

Ideally if you use the https://github.com/CERTCC/SSVC/blob/main/data/schema/v2/Decision_Point_Value_Selection-2-0-0.schema.json - you can provide URL resource for both records of date 1 when a record has Exploitation as poc and the later date 2 when Exploitation was re-evaluated to be active

[amanion-cisa]

Hi @timrohrbaugh,

I understand your request to treat PoC and EITW as independent binary flags and maybe also to retain the history of SSVC decision points. In the short term, I don't expect the current definition of Exploitation in the CISA Coordinator tree (or the tree itself) to change. As currently defined, None -> Public PoC -> Active measure general threat and imply that Active includes Public PoC. I appreciate this may not always be entirely true.

@sei-vsarvepalli points out that there are more recent SSVC schema and a KEV-specific decision point. Vulnrichment will (re)consider updating the SSVC schema, possibly related to CVE and CSAF schema updates, and related to #40.

[timrohrbaugh]

Thank you for the response. I understand the design might not change in the short term but to carry the current state of these important aspects in the most up to date ssvc would be the most efficent design after much thought. We do compensate for the temporal nature of change but we have devised a system and data design to accomodate this and other aspects. Most teams dont have the time to do this though. As for the references being added as an internal process, that would be a good process to follow but the SSVC flag is best to be consistent to carry your teams determination that it exists. That said I have found many examples where there is no clear reference by the CNA or ADP that is the source of the POC designation. Im sure you all pull many CTI sources including metasploit moduals, commerical CTI that may not be represented by a reference which is understandable. The POC flag by those that have riggor to their investigation would be highly valuable as is to help sort activity by defensive teams when looking as large backlogs of CVEs that teams are working off and are at various stages of remediation. I would say one key point on time noted is that if you flag POC on say Dec 14th and cyber teams dont pick this up immidiately what they should do it set that date as the starting point of doing retro hunt activity. Thank you all for the responses. I speak for others when I say we all apprecate the work :)