Publish v2025.9.4 (#1059)

ahouseholder · web-flow · commit f4b54c1f5eb3 · 2026-01-09T15:52:52.000-05:00
diff --git a/.github/workflows/deploy_site.yml b/.github/workflows/deploy_site.yml
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v6
diff --git a/.github/workflows/link_checker.yml b/.github/workflows/link_checker.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v6
diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml
@@ -13,15 +13,15 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-depth: 0
-    - uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62
+    - uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891
       id: changed-files
       with:
         files: '**/*.md'
         separator: ","
-    - uses: DavidAnson/markdownlint-cli2-action@v20
+    - uses: DavidAnson/markdownlint-cli2-action@v22
       if: steps.changed-files.outputs.any_changed == 'true'
       with:
         globs: ${{ steps.changed-files.outputs.all_changed_files }}
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         fetch-tags: true
     - name: Set up Python 3.12
@@ -37,7 +37,7 @@ jobs:
       run: |
         uv build 
     - name: Upload Artifacts
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: ssvc
         path: src/dist/ssvc-*.tar.gz
diff --git a/docs/about/acknowledgements.md b/docs/about/acknowledgements.md
@@ -1,25 +1,55 @@
 # Acknowledgements
 
-The authors would first like to acknowledge the valuable contributions of previous authors who have worked on earlier versions
-of this report: Art Manion, Madison Oliver, and Deana Shick.
+The SSVC team would first like to acknowledge the valuable contributions of
+previous authors who have worked on earlier versions of SSVC: Eric Hatleback,
+Bon Jin Koo, Art Manion, Madison Oliver, Deana Shick, and Jonathan Spring.
 
-The authors thank the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors) to the
-[SSVC project](https://github.com/CERTCC/SSVC) on Github as well as the following individuals for helpful comments on
-prior drafts (listed in alphabetical order):
+SSVC began as a series of papers before we created this site. Earlier versions
+were written by:  
+[1] J. M. Spring, E. Hatleback, A. D. Householder, A. Manion, and D. Shick,
+"Towards Improving CVSS," Software Engineering Institute, Carnegie Mellon
+University, Dec. 2018. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/2018_019_001_538372.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/2018_019_001_538372.pdf)  
+[2] J. M. Spring, E. Hatleback, A. D. Householder, A. Manion, and D. Shick,
+"Prioritizing Vulnerability Response: a Stakeholder-Specific Vulnerability
+Categorization," Software Engineering Institute, Carnegie Mellon University,
+Nov. 2019. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/2019_019_001_636391.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/2019_019_001_636391.pdf)  
+[3] J. M. Spring, E. Hatleback, A. D. Householder, A. Manion, and D. Shick,
+"Prioritizing Vulnerability Response: a Stakeholder-Specific Vulnerability
+Categorization (Version 1.1)," Software Engineering Institute, Carnegie Mellon
+University, Dec. 2020. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/weis20-final6.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/weis20-final6.pdf)  
+[4] J. M. Spring, A. D. Householder, E. Hatleback, A. Manion, M. Oliver,
+V. Sarvepalli, L. Tyzenhaus, and C. Yarbrough,
+"Prioritizing Vulnerability Response: a Stakeholder-Specific Vulnerability
+Categorization (Version 2.0)," Software Engineering Institute, Carnegie Mellon
+University, Apr. 2021. [Online]. Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/2021_019_001_653461.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/2021_019_001_653461.pdf)  
+[5] J. M. Spring, E. Hatleback, A. D. Householder, V. Sarvepalli, L. Tyzenhaus,
+and C. Yarbrough, "Prioritizing Vulnerability Response: a Stakeholder-Specific
+Vulnerability Categorization (SSVC) version 2.1.0-edb6c97," Software
+Engineering Institute, Carnegie Mellon University, Sep. 2023. [Online].
+Available: [https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf](https://github.com/CERTCC/SSVC/blob/main/pdfs/ssvc_2_1_draft.pdf)  
+
+The SSVC team thanks the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors)
+to the [SSVC project](https://github.com/CERTCC/SSVC) on GitHub as well as the
+following individuals for helpful comments on earlier versions (listed in
+alphabetical order):
 Muhammad Akbar,
 Will Dormann,
 Manish Gaur,
 Ralph Langer,
-David Oxley
+David Oxley,
 Dale Peterson,
+Bernhard Reiter,
+Thomas Schmidt,
 Jeroen van der Ham,
 Michel van Eeten,
 and Sounil Yu.
 
-The authors also thank those others too numerous to name individually who provided comments and feedback, including:
+The SSVC team also thanks those others too numerous to name individually who
+provided comments and feedback, including:
 Attendees at S4, Miami FL 2020;
 Attendees at A Conference on Defense (ACoD), Austin TX 2020;
 Anonymous WEIS reviewers;
 Various staff members and analysts at CERT/CC, CISA, McAfee, and VMWare;
 FIRST CVSS SIG and EPSS SIG members;
+OASIS CSAF TC;
 and others who wish to remain anonymous.
diff --git a/docs/ssvc-explorer/index.md b/docs/ssvc-explorer/index.md
@@ -76,13 +76,12 @@ Language
 <button onclick="SSVC.updateTree()" data-update="1" style="margin-top: 10px;padding: 8px 12px;border: none;background-color: #007bff;color: #fff;border-radius: 4px;cursor: pointer; float:right">Update</button>
 <button onclick="SSVC.popupEnd()" style="margin: 10px 10px 0px 0px;;padding: 8px 12px;border: none;background-color: #ff2121;color: #fff;border-radius: 4px;cursor: pointer; float:right">Cancel</button>
 </div>
-</div>
-
 <div data-yesno="1" style="display:none">
 <h4 style="text-align: center">Would you like to proceed?</h4>
 <button style="margin-top: 10px;padding: 8px 12px;border: none;background-color: #007bff;color: #fff;border-radius: 4px;cursor: pointer; float:right">Yes</button>
 <button style="margin: 10px 10px 0px 0px;;padding: 8px 12px;border: none;background-color: #ff2121;color: #fff;border-radius: 4px;cursor: pointer; float:right">No</button>
 </div>
+</div>
 <form autocomplete="off">
 <span style="font-size: 20px;font-weight: bold; vertical-align:top">Sample Decision Models:</span>
 <input type="file" name="fileupload" style="display:none" onchange="SSVC.readFile(this)">
diff --git a/docs/ssvc-explorer/simple.js b/docs/ssvc-explorer/simple.js
@@ -2627,6 +2627,7 @@ function fun_execute(w) {
     return {
 	ssvc_launch: ssvc_launch,
 	decision_trees: decision_trees,
+	decision_points: decision_points,
 	form: form,
 	loadSSVC: loadSSVC,
 	readFile: readFile,
