Add SSVC doc explaining "human-scale bottleneck" idea#1087
Open
ahouseholder wants to merge 15 commits into main from
Conversation
Contributor
Pull request overview
Adds a new How-To documentation page explaining SSVC’s role as a “human-scale bottleneck” between large-scale automated vulnerability data collection/analysis and large-scale operational response, emphasizing policy governance and accountability.
Changes:
- Added a new documentation page describing SSVC decision points as a compact, human-governable interface in automated workflows.
- Documented design characteristics (ordinal/orthogonal/chunky) and how decision tables encode organizational policy and governance refinement.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
sei-renae
reviewed
Mar 18, 2026
Contributor
Some high level notes:
sei-renae
requested changes
Mar 18, 2026
See comments in-line and in the Conversation.
- Move file from docs/howto/ to docs/topics/ (parallels decision_points_as_bricks.md, addresses Diataxis how-to vs. explanation concern)
- Update mkdocs.yml nav: remove from howto, add to topics alongside decision_points_as_bricks.md
- Fix intro: add 'designed by humans, for humans' thesis and 'not a process bottleneck' clarification at top of document (threads at lines 68, 107)
- Add diagram scope clarification: make explicit that Decision Model = SSVC scope, Data Mapping and Use & Respond are adjacent but outside scope (thread at line 36)
- Fix 'layer' jargon: replace 'any layer of the model' with explicit enumeration of outcomes, decision points, decision table, and data mapping (thread at line 97)
- Fix Use & Respond contradiction: remove direct feedback link that conflicted with use.md documentation; restate as 'observing real-world results' (line 105)
- Add prepare.md hyperlink to Input Automation section (thread at line 113)
- Fix all relative links: bootstrap/ -> ../howto/bootstrap/ after file move

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Introduces the standard AI/autonomy term 'human-on-the-loop' in two places to connect it explicitly to the 'human-scale bottleneck' concept:
- Introduction: adds one sentence defining the term after establishing that the decision table can be fully automated
- Conclusion: replaces the closing sentence with an explicit 'human-on-the-loop' framing that ties accountability to policy governance, not per-decision review

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
sei-renae
reviewed
Mar 31, 2026
- Reframe opening sentence to lead with what SSVC does (not 'designed to provide')
- Emphasize 'on' in human-on-the-loop (H**O**TL) per reviewer request
- Fix broken CSAF URL split across lines
- Lowercase 'large language models' (not a proper noun)
- Simplify 'mathematical properties of intervals' to 'equal spacing between values'
- Replace repetitive lead-in for 'Role of the Human' section with fresh sentence
- Fix odd spacing: rejoin split quote in Output Automation bullet
- Keep link to prepare.md for data mapping (correct; collect.md covers data ops)
- Fix markdownlint issues (trailing spaces, list indentation)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
resolves #1033
This pull request adds a new documentation file explaining the role of SSVC (Stakeholder-Specific Vulnerability Categorization) as a human-scale bottleneck in automated vulnerability response processes. The document clarifies how SSVC condenses complex, automated data into manageable decision points, and emphasizes the importance of human oversight in policy definition and governance.
Key additions to documentation: