SSVC
SSVC copied to clipboard
CERTCC
Replace "policy" terminology
Is your feature request related to a problem? Please describe.
Using the word "policy" to describe the mapping of a combination of decision point values to an outcome set might be accurate in an academic software-oriented environment. However, we have received word from SSVC users that the word "policy" can bring unwarranted attention to what SSVC is and does.
Describe the solution you'd like
We should find a less contentious term, as it's not our intention to claim that SSVC dictates any sort of "capital-P Policy" in any setting. It's just a name for the mapping of a full enumeration of a decision point group's values to an outcome set.
To resolve this issue, we should:
- have a discussion of alternative terms (that can happen here in this issue)
- choose one
- implement it in both the software tooling and text content
This issue does not affect the intent of #592: we still need a technical object to represent the data, we just should call it whatever we decide here. No need to delay #592 waiting for this to resolve, we can always fix whatever we do there based on the outcome here.
I asked ChatGPT to generate a few suggestions:
Here are some possible replacements:
Decision Framework – Emphasizes that it’s a structured method for making choices based on set criteria. Decision Model – Highlights the systematic nature of the decision-making process. Outcome Matrix – Focuses on the mapping aspect, where inputs (decision points) correspond to specific outcomes. Response Map – Suggests a structured way to guide actions based on vulnerabilities. Prioritization Schema – Makes it clear that this is about ranking and responding rather than setting policy. Action Guide – Simplifies the concept while still implying structured decision-making. Decision Mapping – Reinforces the idea of predefined pathways based on inputs.
If the SSVC project is concerned with avoiding confusion while maintaining clarity, I’d recommend Decision Framework or Outcome Matrix as strong replacements. They retain the structured nature of SSVC’s mapping while avoiding unintended associations with governmental or organizational policy-making authority.
I'm not offering my opinion on these yet, I just wanted to put them here to spark discussion.
+1 for Decision Framework or Prioritization Framework which both represent close to what SSVC is doing and less authoritative burden on the Coordinators
+1 for Prioritization Framework (because 'Prioritization' is used throughout the in-review Explanation/Overview document)
a combination of decision point values to an outcome set
Could it just be "decision"?
So just baselining terminology here, the object we're talking about would be the thing that serves as the object from which a csv-tabular representation is derived.
In my mind, a "decision" is a row in such a table but not the table itself (a set of specific decision table values + a specific outcome).
But I also just became aware (or was at least reminded in a way that it seemed new in the moment) of the fact that Decision Table is the compound noun people already use to describe such things:
- https://en.wikipedia.org/wiki/Decision_table
- https://www.geeksforgeeks.org/software-engineering-decision-table/
so maybe that's the best choice because it's
- already in widespread use elsewhere
- evocative of what it actually is -- nobody will be surprised when a "Decision Table" shows up represented as a CSV file
- avoids nebulous words like "framework"
- continues the pattern of using "Decision" as a modifier to a descriptive noun (Decision Point, Decision Point Value, Decision Model, etc.)
Content changes can be made once technical implementation to close
- #592