From 49f9c0184cee2de7fc194e387fa4c7b79db254ba Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Jan 2025 15:10:44 +0000 Subject: [PATCH 01/31] Bump mkdocs-material from 9.5.49 to 9.5.50 in the mkdocs group Bumps the mkdocs group with 1 update: [mkdocs-material](https://github.com/squidfunk/mkdocs-material). Updates `mkdocs-material` from 9.5.49 to 9.5.50 - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.5.49...9.5.50) --- updated-dependencies: - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs ... Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 7a27ea0b..4d1e1e20 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,7 +2,7 @@ mkdocs==1.6.1 mkdocs-bibtex==2.16.2 mkdocs-include-markdown-plugin==7.1.2 mkdocs-table-reader-plugin==3.1.0 -mkdocs-material==9.5.49 +mkdocs-material==9.5.50 mkdocs-material-extensions==1.3.1 mkdocstrings==0.27.0 mkdocstrings-python==1.13.0 From d023dcf400a2759758c131c6d65e2286f23219fa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 20 Jan 2025 15:10:50 +0000 Subject: [PATCH 02/31] Bump mkdocs-bibtex from 2.16.2 to 3.0.0 Bumps [mkdocs-bibtex](https://github.com/shyamd/mkdocs-bibtex) from 2.16.2 to 3.0.0. - [Release notes](https://github.com/shyamd/mkdocs-bibtex/releases) - [Commits](https://github.com/shyamd/mkdocs-bibtex/compare/v2.16.2...v3.0.0) --- updated-dependencies: - dependency-name: mkdocs-bibtex dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 7a27ea0b..45e4db03 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ mkdocs==1.6.1 -mkdocs-bibtex==2.16.2 +mkdocs-bibtex==3.0.0 mkdocs-include-markdown-plugin==7.1.2 mkdocs-table-reader-plugin==3.1.0 mkdocs-material==9.5.49 From 0e934c56a92d37e08faa1093a9c0b46c019cf06e Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 22 Jan 2025 15:10:15 -0500 Subject: [PATCH 03/31] reformat python with black doing this as a bulk change to catch up older code with current formatting --- src/SSVC_csv-to-latex.py | 12 +++- src/ssvc/_mixins.py | 2 + src/ssvc/csv_analyzer.py | 16 +++-- src/ssvc/decision_points/automatable.py | 1 + .../decision_points/cvss/attack_vector.py | 7 ++- .../cvss/availability_impact.py | 6 +- .../cvss/availability_requirement.py | 5 +- .../cvss/confidentiality_requirement.py | 5 +- .../decision_points/cvss/exploitability.py | 5 +- .../cvss/integrity_requirement.py | 5 +- .../decision_points/cvss/report_confidence.py | 5 +- src/ssvc/decision_points/helpers.py | 22 +++++-- src/ssvc/decision_points/human_impact.py | 6 +- src/ssvc/decision_points/utility.py | 8 ++- src/ssvc/doctools.py | 19 ++++-- src/ssvc/dp_groups/cvss/collections.py | 17 +++-- src/ssvc/dp_groups/ssvc/collections.py | 19 ++++-- src/ssvc/dp_groups/ssvc/deployer.py | 5 +- src/ssvc/outcomes/groups.py | 12 +++- src/ssvc/policy_generator.py | 20 ++++-- src/ssvc_v2.py | 62 ++++++++++--------- src/test/test_csv_analyzer.py | 14 ++++- src/test/test_doctools.py | 4 +- src/test/test_dp_groups.py | 24 +++++-- src/test/test_mixins.py | 22 +++++-- src/test/test_policy_generator.py | 11 +++- src/test/test_schema.py | 29 +++++++-- 27 files changed, 267 insertions(+), 96 deletions(-) diff --git a/src/SSVC_csv-to-latex.py b/src/SSVC_csv-to-latex.py index 0e2953fe..77a294df 100755 --- a/src/SSVC_csv-to-latex.py 
+++ b/src/SSVC_csv-to-latex.py @@ -224,7 +224,9 @@ def print_forest_options( """ ) location.write(pri5string) - location.write("}\n") # close the last tikzset; forestset is already closed + location.write( + "}\n" + ) # close the last tikzset; forestset is already closed def begin_forest(location): @@ -334,7 +336,9 @@ def main(): if path[i] not in dpoint_values[i]: dpoint_values[i].append(path[i]) for i in range(depth): - dpoint_values[i].sort(key=lambda j: sort_order[i].index(j), reverse=True) + dpoint_values[i].sort( + key=lambda j: sort_order[i].index(j), reverse=True + ) # reverse because the latex will flip it again # loop twice so we don't sort every time we check a new path @@ -366,7 +370,9 @@ def main(): del tmp_path[-1] i = i - 1 ofile.write(latex_brace_close) # close each latex brace - del tmp_path[-1] # every time we close a brace, update the path to reflect + del tmp_path[ + -1 + ] # every time we close a brace, update the path to reflect else: # "Normal" case if counts[i] == len(dpoint_values[i]): try: diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 609c7b73..10db03fb 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -24,6 +24,7 @@ from . import _schemaVersion + @dataclass_json @dataclass(kw_only=True) class _Versioned: @@ -34,6 +35,7 @@ class _Versioned: version: str = "0.0.0" schemaVersion: str = _schemaVersion + @dataclass_json @dataclass(kw_only=True) class _Namespaced: diff --git a/src/ssvc/csv_analyzer.py b/src/ssvc/csv_analyzer.py index c1c668af..bb42e468 100644 --- a/src/ssvc/csv_analyzer.py +++ b/src/ssvc/csv_analyzer.py @@ -95,7 +95,9 @@ def _imp_df(column_names: list, importances: list) -> pd.DataFrame: a dataframe of feature importances """ df = ( - pd.DataFrame({"feature": column_names, "feature_importance": importances}) + pd.DataFrame( + {"feature": column_names, "feature_importance": importances} + ) .sort_values("feature_importance", ascending=False) .reset_index(drop=True) ) 
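Review bot: The first and third hunks in this file are harder to read after the reformat because black had to break a short statement across three lines just to fit a trailing comment: `location.write( "}\n" ) # close the last tikzset; forestset is already closed` and `del tmp_path[ -1 ] # every time we close a brace, update the path to reflect`. Moving each comment onto the line above its statement lets black keep the statement on one line, e.g. `# close the last tikzset; forestset is already closed` followed by `location.write("}\n")`, and likewise `# every time we close a brace, update the path to reflect` above `del tmp_path[-1]`. The enclosing functions `print_forest_options` and `main` start outside these hunks.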
@@ -184,7 +186,9 @@ def _perm_feat_imp(model, x, y): def _parse_args(args) -> argparse.Namespace: # parse command line - parser = argparse.ArgumentParser(description="Analyze an SSVC tree csv file") + parser = argparse.ArgumentParser( + description="Analyze an SSVC tree csv file" + ) parser.add_argument( "csvfile", metavar="csvfile", type=str, help="the csv file to analyze" ) @@ -371,8 +375,12 @@ def check_topological_order(df, target): for u in H.nodes: H.nodes[u]["outcome"] = G.nodes[u]["outcome"] - logger.debug(f"Original graph: {len(G.nodes)} nodes with {len(G.edges)} edges") - logger.debug(f"Reduced graph: {len(H.nodes)} nodes with {len(H.edges)} edges") + logger.debug( + f"Original graph: {len(G.nodes)} nodes with {len(G.edges)} edges" + ) + logger.debug( + f"Reduced graph: {len(H.nodes)} nodes with {len(H.edges)} edges" + ) problems = [] # check if the outcome is topologically sorted diff --git a/src/ssvc/decision_points/automatable.py b/src/ssvc/decision_points/automatable.py index c7051279..7146dbfc 100644 --- a/src/ssvc/decision_points/automatable.py +++ b/src/ssvc/decision_points/automatable.py @@ -72,5 +72,6 @@ def main(): print_versions_and_diffs(versions) + if __name__ == "__main__": main() diff --git a/src/ssvc/decision_points/cvss/attack_vector.py b/src/ssvc/decision_points/cvss/attack_vector.py index fba9ac29..5e4e6971 100644 --- a/src/ssvc/decision_points/cvss/attack_vector.py +++ b/src/ssvc/decision_points/cvss/attack_vector.py @@ -194,7 +194,12 @@ ), ) -versions = [ACCESS_VECTOR_1, ACCESS_VECTOR_2, ATTACK_VECTOR_3, ATTACK_VECTOR_3_0_1] +versions = [ + ACCESS_VECTOR_1, + ACCESS_VECTOR_2, + ATTACK_VECTOR_3, + ATTACK_VECTOR_3_0_1, +] def main(): diff --git a/src/ssvc/decision_points/cvss/availability_impact.py b/src/ssvc/decision_points/cvss/availability_impact.py index 3312b80c..a5f2fccb 100644 --- a/src/ssvc/decision_points/cvss/availability_impact.py +++ b/src/ssvc/decision_points/cvss/availability_impact.py 
@@ -127,7 +127,11 @@ ), ) -versions = [AVAILABILITY_IMPACT_1, AVAILABILITY_IMPACT_2, AVAILABILITY_IMPACT_2_0_1] +versions = [ + AVAILABILITY_IMPACT_1, + AVAILABILITY_IMPACT_2, + AVAILABILITY_IMPACT_2_0_1, +] def main(): diff --git a/src/ssvc/decision_points/cvss/availability_requirement.py b/src/ssvc/decision_points/cvss/availability_requirement.py index 0e84929b..3b7c1ff9 100644 --- a/src/ssvc/decision_points/cvss/availability_requirement.py +++ b/src/ssvc/decision_points/cvss/availability_requirement.py @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/cvss/confidentiality_requirement.py b/src/ssvc/decision_points/cvss/confidentiality_requirement.py index 427cf6b3..e2c96099 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_requirement.py +++ b/src/ssvc/decision_points/cvss/confidentiality_requirement.py @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/cvss/exploitability.py b/src/ssvc/decision_points/cvss/exploitability.py index 06815614..842f0608 100644 --- a/src/ssvc/decision_points/cvss/exploitability.py +++ b/src/ssvc/decision_points/cvss/exploitability.py 
@@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/cvss/integrity_requirement.py b/src/ssvc/decision_points/cvss/integrity_requirement.py index a5c5eba5..39750c38 100644 --- a/src/ssvc/decision_points/cvss/integrity_requirement.py +++ b/src/ssvc/decision_points/cvss/integrity_requirement.py @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/cvss/report_confidence.py b/src/ssvc/decision_points/cvss/report_confidence.py index 7c87f076..88b3e921 100644 --- a/src/ssvc/decision_points/cvss/report_confidence.py +++ b/src/ssvc/decision_points/cvss/report_confidence.py @@ -17,7 +17,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPointValue -from ssvc.decision_points.cvss._not_defined import NOT_DEFINED_ND, NOT_DEFINED_X +from ssvc.decision_points.cvss._not_defined import ( + NOT_DEFINED_ND, + NOT_DEFINED_X, +) from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py index 84c61bdc..8e2a1380 100644 
--- a/src/ssvc/decision_points/helpers.py +++ b/src/ssvc/decision_points/helpers.py @@ -126,7 +126,9 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: major = True for name in dp2_names.difference(dp1_names): - diffs.append(f"(major or minor) {dp2.name} v{dp2.version} adds value {name}") + diffs.append( + f"(major or minor) {dp2.name} v{dp2.version} adds value {name}" + ) maybe_major = True maybe_minor = True @@ -139,17 +141,27 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: v2 = v2[name] if v1 != v2: - diffs.append(f"(minor) {dp2.name} v{dp2.version} value {name} key changed") + diffs.append( + f"(minor) {dp2.name} v{dp2.version} value {name} key changed" + ) minor = True else: - diffs.append(f"{dp2.name} v{dp2.version} value {name} key did not change") + diffs.append( + f"{dp2.name} v{dp2.version} value {name} key did not change" + ) # did the value descriptions change? for name in intersection: - v1 = {value["name"]: value["description"] for value in dp1.to_dict()["values"]} + v1 = { + value["name"]: value["description"] + for value in dp1.to_dict()["values"] + } v1 = v1[name] - v2 = {value["name"]: value["description"] for value in dp2.to_dict()["values"]} + v2 = { + value["name"]: value["description"] + for value in dp2.to_dict()["values"] + } v2 = v2[name] if v1 != v2: diff --git a/src/ssvc/decision_points/human_impact.py b/src/ssvc/decision_points/human_impact.py index bc3c48ad..6e610421 100644 --- a/src/ssvc/decision_points/human_impact.py +++ b/src/ssvc/decision_points/human_impact.py @@ -121,7 +121,11 @@ def main(): - versions = (MISSION_AND_WELL_BEING_IMPACT_1, HUMAN_IMPACT_2, HUMAN_IMPACT_2_0_1) + versions = ( + MISSION_AND_WELL_BEING_IMPACT_1, + HUMAN_IMPACT_2, + HUMAN_IMPACT_2_0_1, + ) print_versions_and_diffs(versions) diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py index 9aace78a..69191d25 100644 --- a/src/ssvc/decision_points/utility.py 
+++ b/src/ssvc/decision_points/utility.py @@ -28,7 +28,9 @@ ) LABORIOUS_2 = SsvcDecisionPointValue( - name="Laborious", key="L", description="Automatable:No AND Value Density:Diffuse" + name="Laborious", + key="L", + description="Automatable:No AND Value Density:Diffuse", ) SUPER_EFFECTIVE = SsvcDecisionPointValue( @@ -44,7 +46,9 @@ ) LABORIOUS = SsvcDecisionPointValue( - name="Laborious", key="L", description="Virulence:Slow and Value Density:Diffuse" + name="Laborious", + key="L", + description="Virulence:Slow and Value Density:Diffuse", ) UTILITY_1 = SsvcDecisionPoint( diff --git a/src/ssvc/doctools.py b/src/ssvc/doctools.py index 5baca11b..eb7119af 100644 --- a/src/ssvc/doctools.py +++ b/src/ssvc/doctools.py @@ -34,7 +34,10 @@ import logging import os -from ssvc.decision_points.base import REGISTERED_DECISION_POINTS, SsvcDecisionPoint +from ssvc.decision_points.base import ( + REGISTERED_DECISION_POINTS, + SsvcDecisionPoint, +) from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa logger = logging.getLogger(__name__) @@ -154,7 +157,9 @@ def dump_decision_point( """ # - generate markdown table # make dp.name safe for use in a filename - basename = _filename_friendly(dp.name) + f"_{_filename_friendly(dp.version)}" + basename = ( + _filename_friendly(dp.name) + f"_{_filename_friendly(dp.version)}" + ) # - generate json example json_file = dump_json(basename, dp, jsondir, overwrite) @@ -165,7 +170,11 @@ def dump_decision_point( def dump_markdown( - basename: str, dp: SsvcDecisionPoint, json_file: str, outdir: str, overwrite: bool + basename: str, + dp: SsvcDecisionPoint, + json_file: str, + outdir: str, + overwrite: bool, ) -> dict: """ Generate the markdown table file for a decision point. 
@@ -266,7 +275,9 @@ def main(): default=False, ) - parser.add_argument("--outdir", help="output directory", default="./tmp/md_out") + parser.add_argument( + "--outdir", help="output directory", default="./tmp/md_out" + ) parser.add_argument( "--jsondir", help="json output directory", default="./tmp/json_out" ) diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py index e7adf706..ebe1e0f4 100644 --- a/src/ssvc/dp_groups/cvss/collections.py +++ b/src/ssvc/dp_groups/cvss/collections.py @@ -28,7 +28,10 @@ ATTACK_VECTOR_3, ATTACK_VECTOR_3_0_1, ) -from ssvc.decision_points.cvss.authentication import AUTHENTICATION_1, AUTHENTICATION_2 +from ssvc.decision_points.cvss.authentication import ( + AUTHENTICATION_1, + AUTHENTICATION_2, +) from ssvc.decision_points.cvss.availability_impact import ( AVAILABILITY_IMPACT_1, AVAILABILITY_IMPACT_2, @@ -96,10 +99,14 @@ SUBSEQUENT_INTEGRITY_IMPACT_1, ) from ssvc.decision_points.cvss.supplemental.automatable import AUTOMATABLE_1 -from ssvc.decision_points.cvss.supplemental.provider_urgency import PROVIDER_URGENCY_1 +from ssvc.decision_points.cvss.supplemental.provider_urgency import ( + PROVIDER_URGENCY_1, +) from ssvc.decision_points.cvss.supplemental.recovery import RECOVERY_1 from ssvc.decision_points.cvss.supplemental.safety import SAFETY_1 -from ssvc.decision_points.cvss.supplemental.value_density import VALUE_DENSITY_1 +from ssvc.decision_points.cvss.supplemental.value_density import ( + VALUE_DENSITY_1, +) from ssvc.decision_points.cvss.supplemental.vulnerability_response_effort import ( VULNERABILITY_RESPONSE_EFFORT_1, ) @@ -327,7 +334,9 @@ name="CVSSv4", description="All decision points for CVSS v4 (including supplemental metrics)", version="1.0.0", - decision_points=tuple(_BASE_4 + _THREAT_4 + _ENVIRONMENTAL_4 + _SUPPLEMENTAL_4), + decision_points=tuple( + _BASE_4 + _THREAT_4 + _ENVIRONMENTAL_4 + _SUPPLEMENTAL_4 + ), ) CVSSv4_Equivalence_Sets = SsvcDecisionPointGroup( 
diff --git a/src/ssvc/dp_groups/ssvc/collections.py b/src/ssvc/dp_groups/ssvc/collections.py index 006d824a..5b10d719 100644 --- a/src/ssvc/dp_groups/ssvc/collections.py +++ b/src/ssvc/dp_groups/ssvc/collections.py @@ -16,10 +16,19 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University -from ssvc.dp_groups.base import SsvcDecisionPointGroup, get_all_decision_points_from -from ssvc.dp_groups.ssvc.coordinator_publication import COORDINATOR_PUBLICATION_1 +from ssvc.dp_groups.base import ( + SsvcDecisionPointGroup, + get_all_decision_points_from, +) +from ssvc.dp_groups.ssvc.coordinator_publication import ( + COORDINATOR_PUBLICATION_1, +) from ssvc.dp_groups.ssvc.coordinator_triage import COORDINATOR_TRIAGE_1 -from ssvc.dp_groups.ssvc.deployer import DEPLOYER_2, DEPLOYER_3, PATCH_APPLIER_1 +from ssvc.dp_groups.ssvc.deployer import ( + DEPLOYER_2, + DEPLOYER_3, + PATCH_APPLIER_1, +) from ssvc.dp_groups.ssvc.supplier import PATCH_DEVELOPER_1, SUPPLIER_2 @@ -27,7 +36,9 @@ name="SSVCv1", description="The first version of the SSVC.", version="1.0.0", - decision_points=get_all_decision_points_from(PATCH_APPLIER_1, PATCH_DEVELOPER_1), + decision_points=get_all_decision_points_from( + PATCH_APPLIER_1, PATCH_DEVELOPER_1 + ), ) SSVCv2 = SsvcDecisionPointGroup( name="SSVCv2", diff --git a/src/ssvc/dp_groups/ssvc/deployer.py b/src/ssvc/dp_groups/ssvc/deployer.py index feb2b4b4..d20a20cc 100644 --- a/src/ssvc/dp_groups/ssvc/deployer.py +++ b/src/ssvc/dp_groups/ssvc/deployer.py 
@@ -21,7 +21,10 @@ from ssvc.decision_points.automatable import AUTOMATABLE_2 from ssvc.decision_points.exploitation import EXPLOITATION_1 from ssvc.decision_points.human_impact import HUMAN_IMPACT_2 -from ssvc.decision_points.mission_impact import MISSION_IMPACT_1, MISSION_IMPACT_2 +from ssvc.decision_points.mission_impact import ( + MISSION_IMPACT_1, + MISSION_IMPACT_2, +) from ssvc.decision_points.safety_impact import SAFETY_IMPACT_1 from ssvc.decision_points.system_exposure import ( SYSTEM_EXPOSURE_1, diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py index 0da720a5..457d8140 100644 --- a/src/ssvc/outcomes/groups.py +++ b/src/ssvc/outcomes/groups.py @@ -38,7 +38,9 @@ name="Publish, Do Not Publish", description="The publish outcome group.", outcomes=( - OutcomeValue(name="Do Not Publish", key="N", description="Do Not Publish"), + OutcomeValue( + name="Do Not Publish", key="N", description="Do Not Publish" + ), OutcomeValue(name="Publish", key="P", description="Publish"), ), ) @@ -159,7 +161,9 @@ outcomes=( # drop, reconsider later, easy win, do first OutcomeValue(name="Drop", key="D", description="Drop"), - OutcomeValue(name="Reconsider Later", key="R", description="Reconsider Later"), + OutcomeValue( + name="Reconsider Later", key="R", description="Reconsider Later" + ), OutcomeValue(name="Easy Win", key="E", description="Easy Win"), OutcomeValue(name="Do First", key="F", description="Do First"), ), @@ -173,7 +177,9 @@ description="PrioritizedRiskRemediation outcome group based on TheParanoids.", outcomes=( OutcomeValue(name="Track 5", key="5", description="Track"), - OutcomeValue(name="Track Closely 4", key="4", description="Track Closely"), + OutcomeValue( + name="Track Closely 4", key="4", description="Track Closely" + ), OutcomeValue(name="Attend 3", key="3", description="Attend"), OutcomeValue(name="Attend 2", key="2", description="Attend"), OutcomeValue(name="Act 1", key="1", description="Act"), 
diff --git a/src/ssvc/policy_generator.py b/src/ssvc/policy_generator.py index b52e20b1..c9dd5b52 100644 --- a/src/ssvc/policy_generator.py +++ b/src/ssvc/policy_generator.py @@ -87,7 +87,9 @@ def __init__( # validate that the outcome weights sum to 1.0 total = sum(outcome_weights) if not math.isclose(total, 1.0): - raise ValueError(f"Outcome weights must sum to 1.0, but sum to {total}") + raise ValueError( + f"Outcome weights must sum to 1.0, but sum to {total}" + ) self.outcome_weights = outcome_weights logger.debug(f"Outcome weights: {self.outcome_weights}") @@ -203,7 +205,9 @@ def _assign_outcomes(self): logger.debug(f"Layer count: {len(layers)}") logger.debug(f"Layer sizes: {[len(layer) for layer in layers]}") - outcome_counts = [round(node_count * weight) for weight in self.outcome_weights] + outcome_counts = [ + round(node_count * weight) for weight in self.outcome_weights + ] toposort = list(nx.topological_sort(self.G)) logger.debug(f"Toposort: {toposort[:4]}...{toposort[-4:]}") @@ -292,11 +296,15 @@ def _confirm_topological_order(self, node_order: list) -> None: # all nodes must be in the graph for node in node_order: if node not in self.G.nodes: - raise ValueError(f"Node order contains node {node} not in the graph") + raise ValueError( + f"Node order contains node {node} not in the graph" + ) for node in self.G.nodes: if node not in node_order: - raise ValueError(f"Graph contains node {node} not in the node order") + raise ValueError( + f"Graph contains node {node} not in the node order" + ) node_idx = {node: i for i, node in enumerate(node_order)} @@ -353,7 +361,9 @@ def main(): ) with PolicyGenerator( - dp_group=dpg, outcomes=DSOI, outcome_weights=[0.097, 0.583, 0.278, 0.042] + dp_group=dpg, + outcomes=DSOI, + outcome_weights=[0.097, 0.583, 0.278, 0.042], ) as pg: pg.emit_policy() diff --git a/src/ssvc_v2.py b/src/ssvc_v2.py index 9b73caae..5e60507f 100644 --- a/src/ssvc_v2.py +++ b/src/ssvc_v2.py 
@@ -1,38 +1,36 @@ #!/usr/bin/env python -''' +""" file: ssvc_v2 author: adh created_at: 3/23/21 3:23 PM -''' +""" import os import pandas as pd -DATAPATH="../data/csvs" +DATAPATH = "../data/csvs" PATHS = { - 'coord_pub': os.path.join(DATAPATH,"coord-publish-options.csv"), - 'coord_triage': os.path.join(DATAPATH,"coord-triage-options.csv"), - 'deployer': os.path.join(DATAPATH,"deployer-options.csv"), - 'supplier': os.path.join(DATAPATH,"supplier-options.csv"), + "coord_pub": os.path.join(DATAPATH, "coord-publish-options.csv"), + "coord_triage": os.path.join(DATAPATH, "coord-triage-options.csv"), + "deployer": os.path.join(DATAPATH, "deployer-options.csv"), + "supplier": os.path.join(DATAPATH, "supplier-options.csv"), } DEFAULTS = { - 'coord_pub': { + "coord_pub": { # An analyst should feel comfortable selecting none if they (or their search scripts) have performed searches # in the appropriate places for public PoCs and active exploitation (as described above) and found none. "Exploitation": "none", }, - 'coord_triage': { - - }, - 'deployer': { + "coord_triage": {}, + "deployer": { # An analyst should feel comfortable selecting none if they (or their search scripts) have performed searches # in the appropriate places for public PoCs and active exploitation (as described above) and found none. "Exploitation": "none", - "Exposure": "unavoidable" + "Exposure": "unavoidable", }, - 'supplier': { + "supplier": { # An analyst should feel comfortable selecting none if they (or their search scripts) have performed searches # in the appropriate places for public PoCs and active exploitation (as described above) and found none. "Exploitation": "none", 
@@ -40,28 +38,30 @@ } # confirm that PATHS and DEFAULTS keys match -assert(set(PATHS.keys()) == set(DEFAULTS.keys())) +assert set(PATHS.keys()) == set(DEFAULTS.keys()) + def _load_csvs(path_dict): data = {} - for key,path in path_dict.items(): + for key, path in path_dict.items(): df = pd.read_csv(path) data[key] = df return data + DATA = _load_csvs(PATHS) # confirm that PATHS and DATA keys match -assert(set(PATHS.keys()) == set(DATA.keys())) +assert set(PATHS.keys()) == set(DATA.keys()) -def lookup(key, query_dict,use_defaults=True): +def lookup(key, query_dict, use_defaults=True): # get the full table df = DATA[key] if use_defaults: # copy the defaults before we use them - defaults = DEFAULTS.get(key,{}) + defaults = DEFAULTS.get(key, {}) q = dict(defaults) else: q = {} @@ -69,21 +69,22 @@ def lookup(key, query_dict,use_defaults=True): q.update(query_dict) # with each pass, slice the table - for k,v in q.items(): + for k, v in q.items(): df = df.loc[df[k] == v] return df -def outcome_dist(df,normalize=True): - ''' + +def outcome_dist(df, normalize=True): + """ Given a dataframe representing an SSVC tree fragment, compute and return the distribution of outcomes - ''' - return df['Priority'].value_counts(normalize=normalize) + """ + return df["Priority"].value_counts(normalize=normalize) def main(): - for key,df in DATA.items(): + for key, df in DATA.items(): print(key, df.columns) print() 
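Review bot: The module-level `assert set(PATHS.keys()) == set(DEFAULTS.keys())` in this hunk, and the matching assert after `DATA = _load_csvs(PATHS)`, are the only guards that the three tables agree, but `assert` statements are stripped when Python runs with `-O`, so the check silently disappears in optimized runs. Since this is a configuration sanity check rather than a test, an explicit `if set(PATHS) != set(DEFAULTS): raise RuntimeError("PATHS and DEFAULTS keys differ")` (and the same for `DATA`) survives every mode. Note also that `_load_csvs(PATHS)` reads the CSV files at import time against the relative `DATAPATH` shown in the previous hunk, so importing this module from another working directory fails; that predates the reformat and only merits a comment on the `DATA = ...` line.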
@@ -91,24 +92,25 @@ def main(): "Utility": "laborious", "Public_Safety_Impact": "minimal", } - df = lookup('coord_triage',query) + df = lookup("coord_triage", query) print(query) print(df) print(outcome_dist(df).round(decimals=3).to_dict()) print() - query = {'Value added': "precedence"} - df = lookup('coord_pub',query) + query = {"Value added": "precedence"} + df = lookup("coord_pub", query) print(query) print(df) print(outcome_dist(df).round(decimals=3).to_dict()) print() query = {"Public-Safety Impact": "minimal"} - df = lookup('supplier',query) + df = lookup("supplier", query) print(query) print(df) print(outcome_dist(df).round(decimals=3).to_dict()) -if __name__ == '__main__': + +if __name__ == "__main__": main() diff --git a/src/test/test_csv_analyzer.py b/src/test/test_csv_analyzer.py index b010367a..7ac94e45 100644 --- a/src/test/test_csv_analyzer.py +++ b/src/test/test_csv_analyzer.py @@ -26,7 +26,8 @@ def test_col_norm(self): # fold to lowercase self.assertEqual(acsv._col_norm("Exploitation"), "exploitation") self.assertEqual( - acsv._col_norm("AbcdEfghIjklmnOpqrstUvwxYz"), "abcdefghijklmnopqrstuvwxyz" + acsv._col_norm("AbcdEfghIjklmnOpqrstUvwxYz"), + "abcdefghijklmnopqrstuvwxyz", ) # replace strings of non-alphanumeric characters with underscores @@ -40,7 +41,12 @@ def test_imp_df(self): # imp_df should return a dataframe with the column names and feature importances # sorted in descending order by feature importance - column_names = ["exploitation", "human_impact", "automatable", "exposure"] + column_names = [ + "exploitation", + "human_impact", + "automatable", + "exposure", + ] importances = [0.347222, 0.291667, 0.180556, 0.166667] df = acsv._imp_df(column_names, importances) self.assertEqual(df["feature"][0], "exploitation") 
@@ -81,7 +87,9 @@ def test_drop_col_feat_imp(self): ) def test_split_data(self): - df = pd.DataFrame({"A": [1, 2, 3, 4], "B": [5, 6, 7, 8], "C": [9, 10, 11, 12]}) + df = pd.DataFrame( + {"A": [1, 2, 3, 4], "B": [5, 6, 7, 8], "C": [9, 10, 11, 12]} + ) x, y = acsv._split_data(df, "C") self.assertTrue(x.equals(df.drop("C", axis=1))) diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index a41095cd..55a3e633 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py @@ -150,7 +150,9 @@ def test_dump_markdown(self): # should be a symlink self.assertTrue(os.path.islink(symlink)) # should point to the include file - self.assertEqual(os.path.realpath(symlink), os.path.realpath(include_file)) + self.assertEqual( + os.path.realpath(symlink), os.path.realpath(include_file) + ) # should not overwrite the file overwrite = False diff --git a/src/test/test_dp_groups.py b/src/test/test_dp_groups.py index 08c48b29..3c9b5249 100644 --- a/src/test/test_dp_groups.py +++ b/src/test/test_dp_groups.py @@ -27,9 +27,15 @@ def setUp(self) -> None: description=f"Description of Decision Point {i}", version="1.0.0", values=( - SsvcDecisionPointValue(name="foo", key="FOO", description="foo"), - SsvcDecisionPointValue(name="bar", key="BAR", description="bar"), - SsvcDecisionPointValue(name="baz", key="BAZ", description="baz"), + SsvcDecisionPointValue( + name="foo", key="FOO", description="foo" + ), + SsvcDecisionPointValue( + name="bar", key="BAR", description="bar" + ), + SsvcDecisionPointValue( + name="baz", key="BAZ", description="baz" + ), ), ) self.dps.append(dp) @@ -40,7 +46,9 @@ def tearDown(self) -> None: def test_iter(self): # add them to a decision point group g = dpg.SsvcDecisionPointGroup( - name="Test Group", description="Test Group", decision_points=self.dps + name="Test Group", + description="Test Group", + decision_points=self.dps, ) self.assertTrue(hasattr(g, "__iter__")) 
@@ -52,7 +60,9 @@ def test_iter(self): def test_len(self): # add them to a decision point group g = dpg.SsvcDecisionPointGroup( - name="Test Group", description="Test Group", decision_points=self.dps + name="Test Group", + description="Test Group", + decision_points=self.dps, ) self.assertEqual(len(self.dps), len(g.decision_points)) @@ -61,7 +71,9 @@ def test_len(self): def test_json_roundtrip(self): # add them to a decision point group g = dpg.SsvcDecisionPointGroup( - name="Test Group", description="Test Group", decision_points=self.dps + name="Test Group", + description="Test Group", + decision_points=self.dps, ) # serialize the group to json diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py index 53e7c517..d76fac1f 100644 --- a/src/test/test_mixins.py +++ b/src/test/test_mixins.py @@ -81,10 +81,20 @@ def test_mixin_combos(self): # We need to test all the combinations mixins = [ {"class": _Keyed, "args": {"key": "fizz"}, "has_default": False}, - {"class": _Namespaced, "args": {"namespace": "buzz"}, "has_default": True}, - {"class": _Versioned, "args": {"version": "1.2.3"}, "has_default": True}, + { + "class": _Namespaced, + "args": {"namespace": "buzz"}, + "has_default": True, + }, + { + "class": _Versioned, + "args": {"version": "1.2.3"}, + "has_default": True, + }, + ] + keys_with_defaults = [ + x["args"].keys() for x in mixins if x["has_default"] ] - keys_with_defaults = [x["args"].keys() for x in mixins if x["has_default"]] # flatten the list keys_with_defaults = [ item for sublist in keys_with_defaults for item in sublist @@ -116,7 +126,11 @@ class Foo(_Base, *classes): self.assertEqual(getattr(Foo, k), getattr(obj, k)) else: self.assertRaises( - TypeError, Foo, name="foo", description="baz", **args_copy + TypeError, + Foo, + name="foo", + description="baz", + **args_copy, ) # instantiate the object diff --git a/src/test/test_policy_generator.py b/src/test/test_policy_generator.py index bce92cf4..366f8d6b 100644 
--- a/src/test/test_policy_generator.py +++ b/src/test/test_policy_generator.py @@ -34,7 +34,8 @@ def setUp(self) -> None: name="test", description="test", outcomes=[ - OutcomeValue(key=c, name=c, description=c) for c in self.og_names + OutcomeValue(key=c, name=c, description=c) + for c in self.og_names ], ) self.dpg = SsvcDecisionPointGroup( @@ -317,8 +318,12 @@ def test_confirm_topological_order(self): self.assertIsNone(pg._confirm_topological_order([0, 1, 2, 3, 4, 5])) self.assertIsNone(pg._confirm_topological_order([0, 1, 3, 2, 4, 5])) - self.assertRaises(ValueError, pg._confirm_topological_order, [0, 1, 2, 4, 3, 5]) - self.assertRaises(ValueError, pg._confirm_topological_order, [0, 1, 2, 3, 5]) + self.assertRaises( + ValueError, pg._confirm_topological_order, [0, 1, 2, 4, 3, 5] + ) + self.assertRaises( + ValueError, pg._confirm_topological_order, [0, 1, 2, 3, 5] + ) if __name__ == "__main__": diff --git a/src/test/test_schema.py b/src/test/test_schema.py index 4fb346fb..be879174 100644 --- a/src/test/test_schema.py +++ b/src/test/test_schema.py @@ -27,11 +27,17 @@ from ssvc.decision_points.critical_software import CRITICAL_SOFTWARE_1 # noqa from ssvc.decision_points.high_value_asset import HIGH_VALUE_ASSET_1 # noqa from ssvc.decision_points.in_kev import IN_KEV_1 -from ssvc.dp_groups.cvss.collections import CVSSv1, CVSSv2, CVSSv3, CVSSv4 # noqa +from ssvc.dp_groups.cvss.collections import ( + CVSSv1, + CVSSv2, + CVSSv3, + CVSSv4, +) # noqa # importing these causes the decision points to register themselves from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa + def retrieve_local(uri): fileuri = uri.replace("https://certcc.github.io/SSVC", os.getcwd()) if os.path.exists(fileuri): @@ -41,6 +47,7 @@ def retrieve_local(uri): return Resource.from_contents(schema) raise FileNotFoundError(f"Could not find DEBUG path issues {fileuri}") + registry = Registry(retrieve=retrieve_local) 
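Review bot: After black split `from ssvc.dp_groups.cvss.collections import (...)` across six lines, the `# noqa` now sits on the closing `)` line, and pyflakes/flake8 report F401 for a multi-line import against the statement's first line, so the suppression most likely no longer applies and this file may start failing lint (inferred from flake8 behaviour; worth confirming in CI). Keeping the comment on the `from ssvc.dp_groups.cvss.collections import (  # noqa` line, or writing one `CVSSv1,  # noqa: F401` per name, preserves the intent. The other `# noqa` imports in this hunk stayed on one line and are unaffected.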
@@ -79,11 +86,15 @@ def test_decision_point_validation(self): loaded = json.loads(as_json) try: - Draft202012Validator({"$ref": schema_url}, registry=registry).validate(loaded) + Draft202012Validator( + {"$ref": schema_url}, registry=registry + ).validate(loaded) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone(exp, f"Validation failed for {dp.name} {dp.version}") + self.assertIsNone( + exp, f"Validation failed for {dp.name} {dp.version}" + ) self.logger.debug( f"Validation passed for Decision Point ({dp.namespace}) {dp.name} v{dp.version}" ) @@ -96,12 +107,18 @@ def test_decision_point_group_validation(self): loaded = json.loads(as_json) try: - Draft202012Validator({"$ref": schema_url},registry=registry).validate(loaded) + Draft202012Validator( + {"$ref": schema_url}, registry=registry + ).validate(loaded) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone(exp, f"Validation failed for {dpg.name} {dpg.version}") - self.logger.debug(f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}") + self.assertIsNone( + exp, f"Validation failed for {dpg.name} {dpg.version}" + ) + self.logger.debug( + f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}" + ) if __name__ == "__main__": From f0106794679052b634feb03dd09ea98bc0851d21 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 22 Jan 2025 16:34:55 -0500 Subject: [PATCH 04/31] fix unit test (#669) * fix unit test * add some comments explaining why we're doing it this way also use with... syntax to reduce filehandler boilerplate --- src/test/test_schema.py | 40 +++++++++++++++++++++++++++------------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/src/test/test_schema.py b/src/test/test_schema.py index 4fb346fb..4121074d 100644 --- a/src/test/test_schema.py +++ b/src/test/test_schema.py 
@@ -13,33 +13,41 @@ import json import logging +import os import unittest import jsonschema from jsonschema import Draft202012Validator from referencing import Registry, Resource -import os import ssvc.decision_points # noqa F401 from ssvc.decision_points.base import REGISTERED_DECISION_POINTS - # importing these causes the decision points to register themselves from ssvc.decision_points.critical_software import CRITICAL_SOFTWARE_1 # noqa from ssvc.decision_points.high_value_asset import HIGH_VALUE_ASSET_1 # noqa from ssvc.decision_points.in_kev import IN_KEV_1 from ssvc.dp_groups.cvss.collections import CVSSv1, CVSSv2, CVSSv3, CVSSv4 # noqa - # importing these causes the decision points to register themselves from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa -def retrieve_local(uri): - fileuri = uri.replace("https://certcc.github.io/SSVC", os.getcwd()) - if os.path.exists(fileuri): - fh = open(fileuri) + +def retrieve_local(uri: str) -> Resource: + # retrieve_local gets called anytime we're trying to get a schema. + # Because our schemas refer to each other by https: uris, we need this function + # to load the schema from a local file instead of trying to download it from the internet + + # here we compute the path to the data directory where the schemas are stored + my_file_path = os.path.abspath(__file__) + my_dir = os.path.dirname(my_file_path) + data_path = os.path.join(my_dir, "..", "..", "data") + data_path = os.path.abspath(data_path) + + fileuri = uri.replace("https://certcc.github.io/SSVC/data", data_path) + + with open(fileuri) as fh: schema = json.load(fh) - fh.close() - return Resource.from_contents(schema) - raise FileNotFoundError(f"Could not find DEBUG path issues {fileuri}") + return Resource.from_contents(schema) + registry = Registry(retrieve=retrieve_local) 
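Review bot: The new `retrieve_local` body still resolves schema references with an unanchored `uri.replace(...)`, so any `$ref` whose URI does not begin with `https://certcc.github.io/SSVC/data` (another host, or a path elsewhere under the same site) is handed to `open()` as a literal URL string and fails with a misleading FileNotFoundError instead of being rejected deliberately. Since the added comment states the intent is to never fetch from the network, make that explicit with a prefix check: `base = "https://certcc.github.io/SSVC/data"`, `if not uri.startswith(base): raise ValueError(f"refusing to resolve non-local schema reference: {uri}")`, then `fileuri = data_path + uri.removeprefix(base)`. The `with open(fileuri)` line should also pass `encoding="utf-8"` so the JSON schemas are decoded the same way regardless of the platform's default locale. Both `retrieve_local` and the `registry = Registry(retrieve=retrieve_local)` line are fully inside this hunk.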
@@ -79,7 +87,9 @@ def test_decision_point_validation(self): loaded = json.loads(as_json) try: - Draft202012Validator({"$ref": schema_url}, registry=registry).validate(loaded) + Draft202012Validator({"$ref": schema_url}, registry=registry).validate( + loaded + ) except jsonschema.exceptions.ValidationError as e: exp = e @@ -96,12 +106,16 @@ def test_decision_point_group_validation(self): loaded = json.loads(as_json) try: - Draft202012Validator({"$ref": schema_url},registry=registry).validate(loaded) + Draft202012Validator({"$ref": schema_url}, registry=registry).validate( + loaded + ) except jsonschema.exceptions.ValidationError as e: exp = e self.assertIsNone(exp, f"Validation failed for {dpg.name} {dpg.version}") - self.logger.debug(f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}") + self.logger.debug( + f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}" + ) if __name__ == "__main__": From 4e4e3f9074ac8c9e2a53fde1213396e4b0afe77b Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder" Date: Wed, 22 Jan 2025 16:35:17 -0500 Subject: [PATCH 05/31] bump copyright (#670) --- LICENSE | 2 +- docs/assets/cert_seal.svg | 15 +++++++++++++++ docs/ssvc-calc/findex.html | 15 +++++++++++++++ docs/ssvc-calc/old_index.html | 15 +++++++++++++++ docs/ssvc-calc/ssvc.js | 15 +++++++++++++++ docs/ssvc-calc/ungraph.js | 15 +++++++++++++++ src/SSVC_csv-to-latex.py | 14 ++++++++++++++ src/enumerate-coord-publish-options.sh | 15 +++++++++++++++ src/enumerate-coord-triage-options.sh | 15 +++++++++++++++ src/enumerate-deployer-options.sh | 15 +++++++++++++++ src/enumerate-supplier-options.sh | 15 +++++++++++++++ src/ssvc/__init__.py | 2 +- src/ssvc/_mixins.py | 4 +++- src/ssvc/csv_analyzer.py | 2 +- src/ssvc/decision_points/__init__.py | 13 +++++++++++++ src/ssvc/decision_points/automatable.py | 3 ++- src/ssvc/decision_points/base.py | 2 +- src/ssvc/decision_points/critical_software.py | 2 +- src/ssvc/decision_points/cvss/__init__.py | 2 +- src/ssvc/decision_points/cvss/_not_defined.py | 2 +- .../decision_points/cvss/attack_complexity.py | 2 +- .../decision_points/cvss/attack_requirements.py | 2 +- src/ssvc/decision_points/cvss/attack_vector.py | 2 +- src/ssvc/decision_points/cvss/authentication.py | 2 +- .../decision_points/cvss/availability_impact.py | 2 +- .../cvss/availability_requirement.py | 2 +- src/ssvc/decision_points/cvss/base.py | 2 +- .../cvss/collateral_damage_potential.py | 2 +- .../cvss/confidentiality_impact.py | 2 +- .../cvss/confidentiality_requirement.py | 2 +- src/ssvc/decision_points/cvss/eq_sets.py | 2 +- src/ssvc/decision_points/cvss/exploitability.py | 2 +- src/ssvc/decision_points/cvss/helpers.py | 2 +- src/ssvc/decision_points/cvss/impact_bias.py | 2 +- src/ssvc/decision_points/cvss/integrity_impact.py | 2 +- .../decision_points/cvss/integrity_requirement.py | 2 +- .../decision_points/cvss/privileges_required.py | 2 +- .../decision_points/cvss/remediation_level.py | 2 +- .../decision_points/cvss/report_confidence.py | 
2 +- src/ssvc/decision_points/cvss/scope.py | 2 +- .../cvss/subsequent_availability_impact.py | 2 +- .../cvss/subsequent_confidentiality_impact.py | 2 +- .../cvss/subsequent_integrity_impact.py | 2 +- .../decision_points/cvss/supplemental/__init__.py | 2 +- .../cvss/supplemental/automatable.py | 2 +- .../cvss/supplemental/provider_urgency.py | 2 +- .../decision_points/cvss/supplemental/recovery.py | 2 +- .../decision_points/cvss/supplemental/safety.py | 2 +- .../cvss/supplemental/value_density.py | 2 +- .../supplemental/vulnerability_response_effort.py | 2 +- .../decision_points/cvss/target_distribution.py | 2 +- src/ssvc/decision_points/cvss/user_interaction.py | 2 +- src/ssvc/decision_points/exploitation.py | 2 +- src/ssvc/decision_points/helpers.py | 2 +- src/ssvc/decision_points/high_value_asset.py | 2 +- src/ssvc/decision_points/human_impact.py | 2 +- src/ssvc/decision_points/in_kev.py | 2 +- src/ssvc/decision_points/mission_impact.py | 2 +- src/ssvc/decision_points/mission_prevalence.py | 2 +- src/ssvc/decision_points/public_safety_impact.py | 2 +- src/ssvc/decision_points/public_value_added.py | 2 +- src/ssvc/decision_points/report_credibility.py | 2 +- src/ssvc/decision_points/report_public.py | 2 +- src/ssvc/decision_points/safety_impact.py | 2 +- src/ssvc/decision_points/supplier_cardinality.py | 13 +++++++++++++ src/ssvc/decision_points/supplier_contacted.py | 13 +++++++++++++ src/ssvc/decision_points/supplier_engagement.py | 13 +++++++++++++ src/ssvc/decision_points/supplier_involvement.py | 13 +++++++++++++ src/ssvc/decision_points/system_exposure.py | 13 +++++++++++++ src/ssvc/decision_points/technical_impact.py | 13 +++++++++++++ src/ssvc/decision_points/utility.py | 2 +- src/ssvc/decision_points/value_density.py | 13 +++++++++++++ src/ssvc/doctools.py | 2 +- src/ssvc/dp_groups/__init__.py | 2 +- src/ssvc/dp_groups/base.py | 2 +- src/ssvc/dp_groups/cvss/__init__.py | 2 +- src/ssvc/dp_groups/cvss/collections.py | 2 +- 
src/ssvc/dp_groups/ssvc/__init__.py | 2 +- src/ssvc/dp_groups/ssvc/collections.py | 2 +- .../dp_groups/ssvc/coordinator_publication.py | 2 +- src/ssvc/dp_groups/ssvc/coordinator_triage.py | 2 +- src/ssvc/dp_groups/ssvc/deployer.py | 2 +- src/ssvc/dp_groups/ssvc/supplier.py | 2 +- src/ssvc/outcomes/__init__.py | 13 ++++++++++++- src/ssvc/outcomes/base.py | 2 +- src/ssvc/outcomes/groups.py | 2 +- src/ssvc/policy_generator.py | 2 +- src/ssvc_v2.py | 12 ++++++++++++ src/test/__init__.py | 2 +- src/test/test_csv_analyzer.py | 2 +- src/test/test_cvss_helpers.py | 2 +- src/test/test_doctools.py | 2 +- src/test/test_dp_base.py | 2 +- src/test/test_dp_groups.py | 2 +- src/test/test_dp_helpers.py | 2 +- src/test/test_mixins.py | 13 +++++++++++++ src/test/test_outcomes.py | 2 +- src/test/test_policy_generator.py | 2 +- src/test/test_schema.py | 2 +- 99 files changed, 371 insertions(+), 79 deletions(-) diff --git a/LICENSE b/LICENSE index c5d2a6ad..816cc7df 100644 --- a/LICENSE +++ b/LICENSE @@ -3,7 +3,7 @@ The following license applies to software contained in this repository. ---- MIT License -Copyright (c) 2020 Carnegie Mellon University +Copyright (c) 2020-2025 Carnegie Mellon University Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/docs/assets/cert_seal.svg b/docs/assets/cert_seal.svg index 980c324c..27a989d3 100644 --- a/docs/assets/cert_seal.svg +++ b/docs/assets/cert_seal.svg @@ -1 +1,16 @@ + + cert_seal \ No newline at end of file diff --git a/docs/ssvc-calc/findex.html b/docs/ssvc-calc/findex.html index afab1d97..63456ee2 100644 --- a/docs/ssvc-calc/findex.html +++ b/docs/ssvc-calc/findex.html @@ -1,3 +1,18 @@ + + diff --git a/docs/ssvc-calc/old_index.html b/docs/ssvc-calc/old_index.html index 32b1e3d6..9d99945f 100644 --- a/docs/ssvc-calc/old_index.html +++ b/docs/ssvc-calc/old_index.html @@ -1,3 +1,18 @@ + + 
diff --git a/docs/ssvc-calc/ssvc.js b/docs/ssvc-calc/ssvc.js index 812bf022..f9d6cdc6 100644 --- a/docs/ssvc-calc/ssvc.js +++ b/docs/ssvc-calc/ssvc.js @@ -1,3 +1,18 @@ +/* + * Copyright (c) 2025 Carnegie Mellon University and Contributors. + * - see Contributors.md for a full list of Contributors + * - see ContributionInstructions.md for information on how you can Contribute to this project + * Stakeholder Specific Vulnerability Categorization (SSVC) is + * licensed under a MIT (SEI)-style license, please see LICENSE.md distributed + * with this Software or contact permission@sei.cmu.edu for full terms. + * Created, in part, with funding and support from the United States Government + * (see Acknowledgments file). This program may include and/or can make use of + * certain third party source code, object code, documentation and other files + * (“Third Party Software”). See LICENSE.md for more details. + * Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the + * U.S. Patent and Trademark Office by Carnegie Mellon University + */ + /* SSVC code for graph building */ const _version = "5.1.7" const _tool = "Dryad SSVC Calculator "+_version diff --git a/docs/ssvc-calc/ungraph.js b/docs/ssvc-calc/ungraph.js index 717ffded..8fc751e6 100644 --- a/docs/ssvc-calc/ungraph.js +++ b/docs/ssvc-calc/ungraph.js 
@@ -1,3 +1,18 @@ +/* + * Copyright (c) 2025 Carnegie Mellon University and Contributors. + * - see Contributors.md for a full list of Contributors + * - see ContributionInstructions.md for information on how you can Contribute to this project + * Stakeholder Specific Vulnerability Categorization (SSVC) is + * licensed under a MIT (SEI)-style license, please see LICENSE.md distributed + * with this Software or contact permission@sei.cmu.edu for full terms. + * Created, in part, with funding and support from the United States Government + * (see Acknowledgments file). This program may include and/or can make use of + * certain third party source code, object code, documentation and other files + * (“Third Party Software”). See LICENSE.md for more details. + * Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the + * U.S. Patent and Trademark Office by Carnegie Mellon University + */ + /* SSVC code for no graphics implementation of SSVC calculator */ const ungraph_libversion = "1.1.4" function checkclose() { diff --git a/src/SSVC_csv-to-latex.py b/src/SSVC_csv-to-latex.py index 0e2953fe..c60bc9b8 100755 --- a/src/SSVC_csv-to-latex.py +++ b/src/SSVC_csv-to-latex.py 
@@ -1,4 +1,18 @@ #!/usr/bin/python + +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + ########## ## put import statements here import optparse, sys, string, glob, re diff --git a/src/enumerate-coord-publish-options.sh b/src/enumerate-coord-publish-options.sh index 93a83982..d9e4739f 100755 --- a/src/enumerate-coord-publish-options.sh +++ b/src/enumerate-coord-publish-options.sh 
@@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/enumerate-coord-triage-options.sh b/src/enumerate-coord-triage-options.sh index ef4b5857..9c283223 100755 --- a/src/enumerate-coord-triage-options.sh +++ b/src/enumerate-coord-triage-options.sh 
@@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/enumerate-deployer-options.sh b/src/enumerate-deployer-options.sh index f2990052..bb2d63a8 100755 --- a/src/enumerate-deployer-options.sh +++ b/src/enumerate-deployer-options.sh 
@@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/enumerate-supplier-options.sh b/src/enumerate-supplier-options.sh index faba3e93..cbee24c5 100755 --- a/src/enumerate-supplier-options.sh +++ b/src/enumerate-supplier-options.sh 
@@ -1,5 +1,20 @@ #!/bin/sh +# +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University +# + # row numbers make change discussion a lot easier i=1 diff --git a/src/ssvc/__init__.py b/src/ssvc/__init__.py index 31995ad1..6706583d 100644 --- a/src/ssvc/__init__.py +++ b/src/ssvc/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 609c7b73..69b27017 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py 
@@ -4,7 +4,7 @@ author: adh created_at: 9/20/23 4:51 PM """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -24,6 +24,7 @@ from . import _schemaVersion + @dataclass_json @dataclass(kw_only=True) class _Versioned: @@ -34,6 +35,7 @@ class _Versioned: version: str = "0.0.0" schemaVersion: str = _schemaVersion + @dataclass_json @dataclass(kw_only=True) class _Namespaced: diff --git a/src/ssvc/csv_analyzer.py b/src/ssvc/csv_analyzer.py index c1c668af..75ddd26c 100644 --- a/src/ssvc/csv_analyzer.py +++ b/src/ssvc/csv_analyzer.py @@ -40,7 +40,7 @@ Higher values imply more important features. """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/__init__.py b/src/ssvc/decision_points/__init__.py index c4f79b7c..0ffc1a00 100644 --- a/src/ssvc/decision_points/__init__.py +++ b/src/ssvc/decision_points/__init__.py 
@@ -17,4 +17,17 @@ - A description - A key (a short, unique string) that can be used to identify the value in a shorthand way """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from .base import SsvcDecisionPoint, SsvcDecisionPointValue diff --git a/src/ssvc/decision_points/automatable.py b/src/ssvc/decision_points/automatable.py index c7051279..061ee27c 100644 --- a/src/ssvc/decision_points/automatable.py +++ b/src/ssvc/decision_points/automatable.py @@ -4,7 +4,7 @@ author: adh created_at: 9/21/23 10:37 AM """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -72,5 +72,6 @@ def main(): print_versions_and_diffs(versions) + if __name__ == "__main__": main() diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index 3e1d32ba..2c85c2e6 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py 
@@ -4,7 +4,7 @@ author: adh created_at: 9/20/23 10:07 AM """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py index c2bdead3..eeab7283 100644 --- a/src/ssvc/decision_points/critical_software.py +++ b/src/ssvc/decision_points/critical_software.py @@ -2,7 +2,7 @@ """ Provides an SSVC decision point for critical software designation. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/__init__.py b/src/ssvc/decision_points/cvss/__init__.py index a9bc6dd9..0fd60f21 100644 --- a/src/ssvc/decision_points/cvss/__init__.py +++ b/src/ssvc/decision_points/cvss/__init__.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/_not_defined.py b/src/ssvc/decision_points/cvss/_not_defined.py index 96ff8f22..8581f2b1 100644 --- a/src/ssvc/decision_points/cvss/_not_defined.py +++ b/src/ssvc/decision_points/cvss/_not_defined.py 
@@ -2,7 +2,7 @@ """ Provides a generic Not Define decision point value for CVSS decision points. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/attack_complexity.py b/src/ssvc/decision_points/cvss/attack_complexity.py index b679d524..2d6880f3 100644 --- a/src/ssvc/decision_points/cvss/attack_complexity.py +++ b/src/ssvc/decision_points/cvss/attack_complexity.py @@ -2,7 +2,7 @@ """ Models the CVSS Attack Complexity (formerly known as Access Complexity) metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/attack_requirements.py b/src/ssvc/decision_points/cvss/attack_requirements.py index fd2348bd..d1dfc43c 100644 --- a/src/ssvc/decision_points/cvss/attack_requirements.py +++ b/src/ssvc/decision_points/cvss/attack_requirements.py @@ -2,7 +2,7 @@ """ CVSS Attack Requirements """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is 
diff --git a/src/ssvc/decision_points/cvss/attack_vector.py b/src/ssvc/decision_points/cvss/attack_vector.py index fba9ac29..9019d43c 100644 --- a/src/ssvc/decision_points/cvss/attack_vector.py +++ b/src/ssvc/decision_points/cvss/attack_vector.py @@ -2,7 +2,7 @@ """ Models the CVSS Attack Vector (formerly known as Access Vector) metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/authentication.py b/src/ssvc/decision_points/cvss/authentication.py index d4fa7fd7..50729ce4 100644 --- a/src/ssvc/decision_points/cvss/authentication.py +++ b/src/ssvc/decision_points/cvss/authentication.py @@ -3,7 +3,7 @@ Models the CVSS Authentication metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/availability_impact.py b/src/ssvc/decision_points/cvss/availability_impact.py index 3312b80c..743b6f7c 100644 --- a/src/ssvc/decision_points/cvss/availability_impact.py +++ b/src/ssvc/decision_points/cvss/availability_impact.py 
@@ -3,7 +3,7 @@ Models the CVSS Availability Impact metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/availability_requirement.py b/src/ssvc/decision_points/cvss/availability_requirement.py index 0e84929b..d8061e19 100644 --- a/src/ssvc/decision_points/cvss/availability_requirement.py +++ b/src/ssvc/decision_points/cvss/availability_requirement.py @@ -3,7 +3,7 @@ Models the CVSS Availability Requirement metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/base.py b/src/ssvc/decision_points/cvss/base.py index 78aaf15f..e8868087 100644 --- a/src/ssvc/decision_points/cvss/base.py +++ b/src/ssvc/decision_points/cvss/base.py @@ -4,7 +4,7 @@ """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/collateral_damage_potential.py b/src/ssvc/decision_points/cvss/collateral_damage_potential.py index 5d309fbe..27c0caa1 100644 --- a/src/ssvc/decision_points/cvss/collateral_damage_potential.py 
+++ b/src/ssvc/decision_points/cvss/collateral_damage_potential.py @@ -3,7 +3,7 @@ Models the CVSS Collateral Damage Potential metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/confidentiality_impact.py b/src/ssvc/decision_points/cvss/confidentiality_impact.py index 91e63ac1..4524308c 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_impact.py +++ b/src/ssvc/decision_points/cvss/confidentiality_impact.py @@ -2,7 +2,7 @@ """ Models the CVSS Confidentiality Impact metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/confidentiality_requirement.py b/src/ssvc/decision_points/cvss/confidentiality_requirement.py index 427cf6b3..c8c443eb 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_requirement.py +++ b/src/ssvc/decision_points/cvss/confidentiality_requirement.py @@ -3,7 +3,7 @@ Models the CVSS Confidentiality Requirement metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is 
diff --git a/src/ssvc/decision_points/cvss/eq_sets.py b/src/ssvc/decision_points/cvss/eq_sets.py index aca56dde..e00a37ee 100644 --- a/src/ssvc/decision_points/cvss/eq_sets.py +++ b/src/ssvc/decision_points/cvss/eq_sets.py @@ -2,7 +2,7 @@ """ CVSS v4 Equivalence Sets """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/exploitability.py b/src/ssvc/decision_points/cvss/exploitability.py index 06815614..3058f43a 100644 --- a/src/ssvc/decision_points/cvss/exploitability.py +++ b/src/ssvc/decision_points/cvss/exploitability.py @@ -3,7 +3,7 @@ Model the CVSS Exploitability and Exploit Code Maturity metrics as SSVC decision points. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/helpers.py b/src/ssvc/decision_points/cvss/helpers.py index 6e2e4ba9..23b0774c 100644 --- a/src/ssvc/decision_points/cvss/helpers.py +++ b/src/ssvc/decision_points/cvss/helpers.py @@ -2,7 +2,7 @@ """ Provides helpers for working with CVSS decision points. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is 
diff --git a/src/ssvc/decision_points/cvss/impact_bias.py b/src/ssvc/decision_points/cvss/impact_bias.py index 744e3576..1a3f44e9 100644 --- a/src/ssvc/decision_points/cvss/impact_bias.py +++ b/src/ssvc/decision_points/cvss/impact_bias.py @@ -2,7 +2,7 @@ """ Model the CVSS Impact Bias as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/integrity_impact.py b/src/ssvc/decision_points/cvss/integrity_impact.py index 1a78dcd3..a5b6533c 100644 --- a/src/ssvc/decision_points/cvss/integrity_impact.py +++ b/src/ssvc/decision_points/cvss/integrity_impact.py @@ -3,7 +3,7 @@ Models the CVSS Integrity Impact metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/integrity_requirement.py b/src/ssvc/decision_points/cvss/integrity_requirement.py index a5c5eba5..ae49fb37 100644 --- a/src/ssvc/decision_points/cvss/integrity_requirement.py +++ b/src/ssvc/decision_points/cvss/integrity_requirement.py 
@@ -3,7 +3,7 @@ Models the CVSS Integrity Requirement metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/privileges_required.py b/src/ssvc/decision_points/cvss/privileges_required.py index 62313e28..4c62f852 100644 --- a/src/ssvc/decision_points/cvss/privileges_required.py +++ b/src/ssvc/decision_points/cvss/privileges_required.py @@ -2,7 +2,7 @@ """ Models the CVSS Privileges Required metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/remediation_level.py b/src/ssvc/decision_points/cvss/remediation_level.py index adc7a5a1..8163f946 100644 --- a/src/ssvc/decision_points/cvss/remediation_level.py +++ b/src/ssvc/decision_points/cvss/remediation_level.py @@ -3,7 +3,7 @@ Models the CVSS Remediation Level metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is 
diff --git a/src/ssvc/decision_points/cvss/report_confidence.py b/src/ssvc/decision_points/cvss/report_confidence.py index 7c87f076..7760e080 100644 --- a/src/ssvc/decision_points/cvss/report_confidence.py +++ b/src/ssvc/decision_points/cvss/report_confidence.py @@ -3,7 +3,7 @@ Models the CVSS Report Confidence metric as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/scope.py b/src/ssvc/decision_points/cvss/scope.py index b6cf95a8..f56c1ed0 100644 --- a/src/ssvc/decision_points/cvss/scope.py +++ b/src/ssvc/decision_points/cvss/scope.py @@ -3,7 +3,7 @@ Models CVSS Scope as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py index 927e9326..e2efc8a5 100644 --- a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py 
@@ -2,7 +2,7 @@
 """
 CVSS Subsequent system availability impact decision point.
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py
index a8bd1fc4..4ae2c407 100644
--- a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py
+++ b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py
@@ -2,7 +2,7 @@
 """
 CVSS Subsequent System Confidentiality Impact
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py
index 3d885aa2..2cf2ccb9 100644
--- a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py
+++ b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py
@@ -2,7 +2,7 @@
 """
 CVSS Subsequent System Integrity Impact Decision Point
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/cvss/supplemental/__init__.py b/src/ssvc/decision_points/cvss/supplemental/__init__.py
index 1c16ef64..b281a4ee 100644
--- a/src/ssvc/decision_points/cvss/supplemental/__init__.py
+++ b/src/ssvc/decision_points/cvss/supplemental/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/cvss/supplemental/automatable.py b/src/ssvc/decision_points/cvss/supplemental/automatable.py
index aef2ae4f..f679705e 100644
--- a/src/ssvc/decision_points/cvss/supplemental/automatable.py
+++ b/src/ssvc/decision_points/cvss/supplemental/automatable.py
@@ -2,7 +2,7 @@
 """
 Provides the CVSS supplemental metric Automatable
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
index 3f0176a6..a9a7aa36 100644
--- a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
+++ b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py
@@ -2,7 +2,7 @@ """ Provides the CVSS supplemental metric Provider Urgency as a SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/supplemental/recovery.py b/src/ssvc/decision_points/cvss/supplemental/recovery.py index cc815c28..f86994e9 100644 --- a/src/ssvc/decision_points/cvss/supplemental/recovery.py +++ b/src/ssvc/decision_points/cvss/supplemental/recovery.py @@ -2,7 +2,7 @@ """ Provides the CVSS supplemental metric Recovery """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/supplemental/safety.py b/src/ssvc/decision_points/cvss/supplemental/safety.py index 807d677a..ca3347b6 100644 --- a/src/ssvc/decision_points/cvss/supplemental/safety.py +++ b/src/ssvc/decision_points/cvss/supplemental/safety.py @@ -3,7 +3,7 @@ Provides CVSS v4 Supplemental Metric for Safety """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is 
diff --git a/src/ssvc/decision_points/cvss/supplemental/value_density.py b/src/ssvc/decision_points/cvss/supplemental/value_density.py
index 35e61b7d..065512cf 100644
--- a/src/ssvc/decision_points/cvss/supplemental/value_density.py
+++ b/src/ssvc/decision_points/cvss/supplemental/value_density.py
@@ -2,7 +2,7 @@
 """
 Provides the CVSS supplemental metric Value Density
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py
index 13f61107..40da0e4b 100644
--- a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py
+++ b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py
@@ -2,7 +2,7 @@
 """
 Provides the CVSS supplemental metric Vulnerability Response Effort.
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/cvss/target_distribution.py b/src/ssvc/decision_points/cvss/target_distribution.py
index 3601f07b..d96ff767 100644
--- a/src/ssvc/decision_points/cvss/target_distribution.py
+++ b/src/ssvc/decision_points/cvss/target_distribution.py
@@ -3,7 +3,7 @@ Models CVSS Target Distribution as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/cvss/user_interaction.py b/src/ssvc/decision_points/cvss/user_interaction.py index f5ce27e0..d1e17418 100644 --- a/src/ssvc/decision_points/cvss/user_interaction.py +++ b/src/ssvc/decision_points/cvss/user_interaction.py @@ -3,7 +3,7 @@ Models CVSS User Interaction as an SSVC decision point. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/exploitation.py b/src/ssvc/decision_points/exploitation.py index 15034d9d..0f7c5f59 100644 --- a/src/ssvc/decision_points/exploitation.py +++ b/src/ssvc/decision_points/exploitation.py @@ -2,7 +2,7 @@ """ Provides the Exploitation decision point and its values. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py index 84c61bdc..be057646 100644 --- a/src/ssvc/decision_points/helpers.py +++ b/src/ssvc/decision_points/helpers.py 
@@ -2,7 +2,7 @@
 """
 Provides helper functions for working with SSVC decision points.
 """
-# Copyright (c) 2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py
index 9cf95f96..476c1848 100644
--- a/src/ssvc/decision_points/high_value_asset.py
+++ b/src/ssvc/decision_points/high_value_asset.py
@@ -2,7 +2,7 @@
 """
 Models a high value asset as a decision point.
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/human_impact.py b/src/ssvc/decision_points/human_impact.py
index bc3c48ad..6ed148a5 100644
--- a/src/ssvc/decision_points/human_impact.py
+++ b/src/ssvc/decision_points/human_impact.py
@@ -2,7 +2,7 @@
 """
 Provides the Human Impact decision point and its values.
 """
-# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/in_kev.py b/src/ssvc/decision_points/in_kev.py
index 70772dba..2eccb516 100644
--- a/src/ssvc/decision_points/in_kev.py
+++ b/src/ssvc/decision_points/in_kev.py
@@ -2,7 +2,7 @@ """ Provides a decision point representing whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list. """ -# Copyright (c) 2023 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/mission_impact.py b/src/ssvc/decision_points/mission_impact.py index 299657ff..ebedb6ae 100644 --- a/src/ssvc/decision_points/mission_impact.py +++ b/src/ssvc/decision_points/mission_impact.py @@ -5,7 +5,7 @@ created_at: 9/21/23 10:20 AM """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py index 73998bcc..98691625 100644 --- a/src/ssvc/decision_points/mission_prevalence.py +++ b/src/ssvc/decision_points/mission_prevalence.py @@ -1,4 +1,4 @@ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/public_safety_impact.py b/src/ssvc/decision_points/public_safety_impact.py index cb857797..6b5ff26e 100644 --- a/src/ssvc/decision_points/public_safety_impact.py +++ b/src/ssvc/decision_points/public_safety_impact.py 
@@ -3,7 +3,7 @@ Provides the Public Safety Impact decision point and its values. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/public_value_added.py b/src/ssvc/decision_points/public_value_added.py index 6f8158de..1028726c 100644 --- a/src/ssvc/decision_points/public_value_added.py +++ b/src/ssvc/decision_points/public_value_added.py @@ -3,7 +3,7 @@ This module provides the Public Value Added decision point for the Stakeholder Specific Vulnerability Categorization (SSVC) framework. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py index 93ff6c4b..621de7dd 100644 --- a/src/ssvc/decision_points/report_credibility.py +++ b/src/ssvc/decision_points/report_credibility.py @@ -3,7 +3,7 @@ Provides the SSVC Report Credibility Decision Point """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py index 7947e1fb..a3232121 100644 
--- a/src/ssvc/decision_points/report_public.py +++ b/src/ssvc/decision_points/report_public.py @@ -2,7 +2,7 @@ """ Provides the SSVC Report Public Decision Point """ -# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/safety_impact.py b/src/ssvc/decision_points/safety_impact.py index 691263c2..21405db8 100644 --- a/src/ssvc/decision_points/safety_impact.py +++ b/src/ssvc/decision_points/safety_impact.py @@ -3,7 +3,7 @@ Provides the Safety Impact decision point and its values. """ -# Copyright (c) 2024 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py index ebde9d27..4eb6d078 100644 --- a/src/ssvc/decision_points/supplier_cardinality.py +++ b/src/ssvc/decision_points/supplier_cardinality.py 
@@ -4,6 +4,19 @@ author: adh created_at: 9/21/23 11:20 AM """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue MULTIPLE = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py index eff08419..87147f5f 100644 --- a/src/ssvc/decision_points/supplier_contacted.py +++ b/src/ssvc/decision_points/supplier_contacted.py 
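Review bot: The added `+# Copyright (c) 2025 Carnegie Mellon University and Contributors.` line dates supplier_cardinality.py to 2025 only, although the docstring it follows records `created_at: 9/21/23 11:20 AM` and every other file in this patch has its existing header widened to a `2023-2025` or `2024-2025` range rather than reset. If the year is meant to reflect when the file was first published, `# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.` would match the rest of the series. The supplier_contacted, supplier_engagement, supplier_involvement, system_exposure and technical_impact hunks below add the same 2025-only line under 2023 `created_at` stamps, so whichever convention is intended should presumably be applied to all six new headers.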
@@ -4,6 +4,19 @@ author: adh created_at: 9/21/23 11:17 AM """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue YES = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py index 69380931..5c44249d 100644 --- a/src/ssvc/decision_points/supplier_engagement.py +++ b/src/ssvc/decision_points/supplier_engagement.py 
@@ -5,6 +5,19 @@ created_at: 9/21/23 11:22 AM """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue UNRESPONSIVE = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py index afc3ce07..09796f8f 100644 --- a/src/ssvc/decision_points/supplier_involvement.py +++ b/src/ssvc/decision_points/supplier_involvement.py 
@@ -5,6 +5,19 @@ created_at: 9/21/23 11:28 AM """ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue UNCOOPERATIVE = SsvcDecisionPointValue( diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py index 61dc6766..131171cf 100644 --- a/src/ssvc/decision_points/system_exposure.py +++ b/src/ssvc/decision_points/system_exposure.py 
@@ -4,6 +4,19 @@
 author: adh
 created_at: 9/21/23 10:16 AM
 """
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
 from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue
 EXP_UNAVOIDABLE = SsvcDecisionPointValue(
diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py
index da042f62..ffa5d2cb 100644
--- a/src/ssvc/decision_points/technical_impact.py
+++ b/src/ssvc/decision_points/technical_impact.py
@@ -4,6 +4,19 @@
 author: adh
 created_at: 9/21/23 9:49 AM
 """
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
 from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue
 TOTAL = SsvcDecisionPointValue(
diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py
index 9aace78a..d9e11a29 100644
--- a/src/ssvc/decision_points/utility.py
+++ b/src/ssvc/decision_points/utility.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (c) 2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py
index eac48a13..f491314b 100644
--- a/src/ssvc/decision_points/value_density.py
+++ b/src/ssvc/decision_points/value_density.py
@@ -4,6 +4,19 @@
 author: adh
 created_at: 9/21/23 10:01 AM
 """
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
 from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue
 CONCENTRATED = SsvcDecisionPointValue(
diff --git a/src/ssvc/doctools.py b/src/ssvc/doctools.py
index 5baca11b..6c7b7414 100644
--- a/src/ssvc/doctools.py
+++ b/src/ssvc/doctools.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/__init__.py b/src/ssvc/dp_groups/__init__.py
index 90a47e3a..216dc3ea 100644
--- a/src/ssvc/dp_groups/__init__.py
+++ b/src/ssvc/dp_groups/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/base.py b/src/ssvc/dp_groups/base.py
index 3c37512b..8ef826d5 100644
--- a/src/ssvc/dp_groups/base.py
+++ b/src/ssvc/dp_groups/base.py
@@ -4,7 +4,7 @@
 author: adh
 created_at: 9/20/23 4:47 PM
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/cvss/__init__.py b/src/ssvc/dp_groups/cvss/__init__.py
index 7b9251b9..29615765 100644
--- a/src/ssvc/dp_groups/cvss/__init__.py
+++ b/src/ssvc/dp_groups/cvss/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py
index e7adf706..5b77edcd 100644
--- a/src/ssvc/dp_groups/cvss/collections.py
+++ b/src/ssvc/dp_groups/cvss/collections.py
@@ -2,7 +2,7 @@
 """
 Models CVSS vectors as SSVC decision point groups
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/ssvc/__init__.py b/src/ssvc/dp_groups/ssvc/__init__.py
index ebb125a0..37d9487d 100644
--- a/src/ssvc/dp_groups/ssvc/__init__.py
+++ b/src/ssvc/dp_groups/ssvc/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/ssvc/collections.py b/src/ssvc/dp_groups/ssvc/collections.py
index 006d824a..667cbde2 100644
--- a/src/ssvc/dp_groups/ssvc/collections.py
+++ b/src/ssvc/dp_groups/ssvc/collections.py
@@ -2,7 +2,7 @@
 """
 Provides collections of decision points for each version of the SSVC.
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/ssvc/coordinator_publication.py b/src/ssvc/dp_groups/ssvc/coordinator_publication.py
index 90258406..6289c661 100644
--- a/src/ssvc/dp_groups/ssvc/coordinator_publication.py
+++ b/src/ssvc/dp_groups/ssvc/coordinator_publication.py
@@ -4,7 +4,7 @@
 author: adh
 created_at: 9/21/23 11:40 AM
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/ssvc/coordinator_triage.py b/src/ssvc/dp_groups/ssvc/coordinator_triage.py
index 8a8f52e5..7266fbea 100644
--- a/src/ssvc/dp_groups/ssvc/coordinator_triage.py
+++ b/src/ssvc/dp_groups/ssvc/coordinator_triage.py
@@ -4,7 +4,7 @@
 author: adh
 created_at: 9/21/23 11:40 AM
 """
-# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/ssvc/deployer.py b/src/ssvc/dp_groups/ssvc/deployer.py
index feb2b4b4..1b2e2277 100644
--- a/src/ssvc/dp_groups/ssvc/deployer.py
+++ b/src/ssvc/dp_groups/ssvc/deployer.py
@@ -5,7 +5,7 @@
 created_at: 9/21/23 11:40 AM
 """
-# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/dp_groups/ssvc/supplier.py b/src/ssvc/dp_groups/ssvc/supplier.py
index b245d035..dc313dd4 100644
--- a/src/ssvc/dp_groups/ssvc/supplier.py
+++ b/src/ssvc/dp_groups/ssvc/supplier.py
@@ -5,7 +5,7 @@
 created_at: 9/21/23 11:41 AM
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/outcomes/__init__.py b/src/ssvc/outcomes/__init__.py
index 063e8a7a..37d9487d 100644
--- a/src/ssvc/outcomes/__init__.py
+++ b/src/ssvc/outcomes/__init__.py
@@ -1 +1,12 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py
index 09235be2..62bb882b 100644
--- a/src/ssvc/outcomes/base.py
+++ b/src/ssvc/outcomes/base.py
@@ -2,7 +2,7 @@
 """
 Provides outcome group and outcome value classes for SSVC.
 """
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py
index 0da720a5..fcbd1169 100644
--- a/src/ssvc/outcomes/groups.py
+++ b/src/ssvc/outcomes/groups.py
@@ -2,7 +2,7 @@
 """
 Provides a set of outcome groups for use in SSVC.
 """
-# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/policy_generator.py b/src/ssvc/policy_generator.py
index b52e20b1..18e6f3a6 100644
--- a/src/ssvc/policy_generator.py
+++ b/src/ssvc/policy_generator.py
@@ -3,7 +3,7 @@
 Provides a Policy Generator class for SSVC decision point groups.
 """
-# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc_v2.py b/src/ssvc_v2.py
index 9b73caae..05c384b1 100644
--- a/src/ssvc_v2.py
+++ b/src/ssvc_v2.py
@@ -4,6 +4,18 @@
 author: adh
 created_at: 3/23/21 3:23 PM
 '''
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
 import os
 import pandas as pd
diff --git a/src/test/__init__.py b/src/test/__init__.py
index cf0a9163..35c6fca4 100644
--- a/src/test/__init__.py
+++ b/src/test/__init__.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_csv_analyzer.py b/src/test/test_csv_analyzer.py
index b010367a..a7d12056 100644
--- a/src/test/test_csv_analyzer.py
+++ b/src/test/test_csv_analyzer.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_cvss_helpers.py b/src/test/test_cvss_helpers.py
index 70f0fb4b..a5dd413e 100644
--- a/src/test/test_cvss_helpers.py
+++ b/src/test/test_cvss_helpers.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py
index a41095cd..7a8655b2 100644
--- a/src/test/test_doctools.py
+++ b/src/test/test_doctools.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_dp_base.py b/src/test/test_dp_base.py
index 7d0214d4..a5bf3567 100644
--- a/src/test/test_dp_base.py
+++ b/src/test/test_dp_base.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_dp_groups.py b/src/test/test_dp_groups.py
index 08c48b29..c249027b 100644
--- a/src/test/test_dp_groups.py
+++ b/src/test/test_dp_groups.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_dp_helpers.py b/src/test/test_dp_helpers.py
index 97e06046..3502419c 100644
--- a/src/test/test_dp_helpers.py
+++ b/src/test/test_dp_helpers.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py
index 53e7c517..6e2f6f2f 100644
--- a/src/test/test_mixins.py
+++ b/src/test/test_mixins.py
@@ -1,3 +1,16 @@
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
 import unittest
 from dataclasses import dataclass
diff --git a/src/test/test_outcomes.py b/src/test/test_outcomes.py
index 3645c8b1..698991b3 100644
--- a/src/test/test_outcomes.py
+++ b/src/test/test_outcomes.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_policy_generator.py b/src/test/test_policy_generator.py
index bce92cf4..0e623122 100644
--- a/src/test/test_policy_generator.py
+++ b/src/test/test_policy_generator.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023-2024 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/test/test_schema.py b/src/test/test_schema.py
index 4121074d..fc894d20 100644
--- a/src/test/test_schema.py
+++ b/src/test/test_schema.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Carnegie Mellon University and Contributors.
+# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
From e95399a9831ea87d60a99e8c37f906b7a3a42646 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli Date: Fri, 24 Jan 2025 15:38:09 -0500 Subject: [PATCH 06/31] Add versioned outcomes schema (#672) * Added Outcomes Schema, Outcomes JSON and scripts to create CVSS decision_points * added symlink to schema/current folder * Resolves @ahouseholder feedback --- .../cvss/attack_complexity_3.json | 1 + .../cvss/attack_complexity_3_0_1.json | 1 + .../cvss/attack_requirements_1.json | 1 + .../decision_points/cvss/attack_vector_3.json | 1 + .../cvss/attack_vector_3_0_1.json | 1 + .../cvss/authentication_1.json | 1 + .../cvss/authentication_2.json | 1 + .../cvss/availability_impact_1.json | 1 + .../cvss/availability_impact_2.json | 1 + .../cvss/availability_impact_2_0_1.json | 1 + .../cvss/availability_requirement_1.json | 1 + .../cvss/availability_requirement_1_1.json | 1 + .../cvss/availability_requirement_1_1_1.json | 1 + .../cvss/collateral_damage_potential_1.json | 1 + .../cvss/collateral_damage_potential_2.json | 1 + .../cvss/confidentiality_impact_1.json | 1 + .../cvss/confidentiality_impact_2.json | 1 + .../cvss/confidentiality_impact_2_0_1.json | 1 + .../cvss/confidentiality_requirement_1.json | 1 + .../cvss/confidentiality_requirement_1_1.json | 1 + .../confidentiality_requirement_1_1_1.json | 1 + .../cvss/exploitability_1.json | 1 + .../cvss/exploitability_1_1.json | 1 + .../decision_points/cvss/impact_bias_1.json | 1 + .../cvss/integrity_impact_1.json | 1 + .../cvss/integrity_impact_2.json | 1 + .../cvss/integrity_impact_2_0_1.json | 1 + .../cvss/integrity_requirement_1.json | 1 + .../cvss/integrity_requirement_1_1.json | 1 + .../cvss/integrity_requirement_1_1_1.json | 1 + .../cvss/privileges_required_1.json | 1 + .../cvss/privileges_required_1_0_1.json | 1 + .../cvss/remediation_level_1.json | 1 + .../cvss/remediation_level_1_1.json | 1 + .../cvss/report_confidence_1.json | 1 + .../cvss/report_confidence_1_1.json | 1 + .../cvss/report_confidence_2.json | 1 + data/json/decision_points/cvss/scope_1.json | 1 + 
.../subsequent_availability_impact_1.json | 1 + .../subsequent_confidentiality_impact_1.json | 1 + .../cvss/subsequent_integrity_impact_1.json | 1 + .../cvss/target_distribution_1.json | 1 + .../cvss/target_distribution_1_1.json | 1 + .../cvss/user_interaction_1.json | 1 + .../cvss/user_interaction_2.json | 1 + data/json/outcomes/CISA.json | 1 + data/json/outcomes/COORDINATE.json | 1 + data/json/outcomes/CVSS.json | 1 + data/json/outcomes/DSOI.json | 1 + data/json/outcomes/EISENHOWER.json | 1 + data/json/outcomes/MOSCOW.json | 1 + data/json/outcomes/PUBLISH.json | 1 + data/json/outcomes/THE_PARANOIDS.json | 1 + data/json/outcomes/VALUE_COMPLEXITY.json | 1 + data/json/outcomes/YES_NO.json | 1 + .../current/Outcome_Group-1-0-1.schema.json | 1 + .../schema/v1/Outcome_Group-1-0-1.schema.json | 74 +++++++ docs/ssvc-calc/ssvc-calc.html | 182 ++++++++++++++++++ src/cvss_to_json.py | 22 +++ src/outcomes_to_json.py | 11 ++ src/ssvc/outcomes/base.py | 4 +- src/ssvc/outcomes/groups.py | 10 + 62 files changed, 357 insertions(+), 2 deletions(-) create mode 100644 data/json/decision_points/cvss/attack_complexity_3.json create mode 100644 data/json/decision_points/cvss/attack_complexity_3_0_1.json create mode 100644 data/json/decision_points/cvss/attack_requirements_1.json create mode 100644 data/json/decision_points/cvss/attack_vector_3.json create mode 100644 data/json/decision_points/cvss/attack_vector_3_0_1.json create mode 100644 data/json/decision_points/cvss/authentication_1.json create mode 100644 data/json/decision_points/cvss/authentication_2.json create mode 100644 data/json/decision_points/cvss/availability_impact_1.json create mode 100644 data/json/decision_points/cvss/availability_impact_2.json create mode 100644 data/json/decision_points/cvss/availability_impact_2_0_1.json create mode 100644 data/json/decision_points/cvss/availability_requirement_1.json create mode 100644 data/json/decision_points/cvss/availability_requirement_1_1.json create mode 100644 
data/json/decision_points/cvss/availability_requirement_1_1_1.json create mode 100644 data/json/decision_points/cvss/collateral_damage_potential_1.json create mode 100644 data/json/decision_points/cvss/collateral_damage_potential_2.json create mode 100644 data/json/decision_points/cvss/confidentiality_impact_1.json create mode 100644 data/json/decision_points/cvss/confidentiality_impact_2.json create mode 100644 data/json/decision_points/cvss/confidentiality_impact_2_0_1.json create mode 100644 data/json/decision_points/cvss/confidentiality_requirement_1.json create mode 100644 data/json/decision_points/cvss/confidentiality_requirement_1_1.json create mode 100644 data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json create mode 100644 data/json/decision_points/cvss/exploitability_1.json create mode 100644 data/json/decision_points/cvss/exploitability_1_1.json create mode 100644 data/json/decision_points/cvss/impact_bias_1.json create mode 100644 data/json/decision_points/cvss/integrity_impact_1.json create mode 100644 data/json/decision_points/cvss/integrity_impact_2.json create mode 100644 data/json/decision_points/cvss/integrity_impact_2_0_1.json create mode 100644 data/json/decision_points/cvss/integrity_requirement_1.json create mode 100644 data/json/decision_points/cvss/integrity_requirement_1_1.json create mode 100644 data/json/decision_points/cvss/integrity_requirement_1_1_1.json create mode 100644 data/json/decision_points/cvss/privileges_required_1.json create mode 100644 data/json/decision_points/cvss/privileges_required_1_0_1.json create mode 100644 data/json/decision_points/cvss/remediation_level_1.json create mode 100644 data/json/decision_points/cvss/remediation_level_1_1.json create mode 100644 data/json/decision_points/cvss/report_confidence_1.json create mode 100644 data/json/decision_points/cvss/report_confidence_1_1.json create mode 100644 data/json/decision_points/cvss/report_confidence_2.json create mode 100644 
data/json/decision_points/cvss/scope_1.json create mode 100644 data/json/decision_points/cvss/subsequent_availability_impact_1.json create mode 100644 data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json create mode 100644 data/json/decision_points/cvss/subsequent_integrity_impact_1.json create mode 100644 data/json/decision_points/cvss/target_distribution_1.json create mode 100644 data/json/decision_points/cvss/target_distribution_1_1.json create mode 100644 data/json/decision_points/cvss/user_interaction_1.json create mode 100644 data/json/decision_points/cvss/user_interaction_2.json create mode 100644 data/json/outcomes/CISA.json create mode 100644 data/json/outcomes/COORDINATE.json create mode 100644 data/json/outcomes/CVSS.json create mode 100644 data/json/outcomes/DSOI.json create mode 100644 data/json/outcomes/EISENHOWER.json create mode 100644 data/json/outcomes/MOSCOW.json create mode 100644 data/json/outcomes/PUBLISH.json create mode 100644 data/json/outcomes/THE_PARANOIDS.json create mode 100644 data/json/outcomes/VALUE_COMPLEXITY.json create mode 100644 data/json/outcomes/YES_NO.json create mode 120000 data/schema/current/Outcome_Group-1-0-1.schema.json create mode 100644 data/schema/v1/Outcome_Group-1-0-1.schema.json create mode 100644 docs/ssvc-calc/ssvc-calc.html create mode 100644 src/cvss_to_json.py create mode 100644 src/outcomes_to_json.py diff --git a/data/json/decision_points/cvss/attack_complexity_3.json b/data/json/decision_points/cvss/attack_complexity_3.json new file mode 100644 index 00000000..f71772ce --- /dev/null +++ b/data/json/decision_points/cvss/attack_complexity_3.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."}, {"key": "H", "name": "High", "description": "A successful attack depends on conditions beyond the attacker's control."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json new file mode 100644 index 00000000..bfece6aa --- /dev/null +++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [{"key": "L", "name": "Low", "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "}, {"key": "H", "name": "High", "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."}]} \ No newline at end of file 
diff --git a/data/json/decision_points/cvss/attack_requirements_1.json b/data/json/decision_points/cvss/attack_requirements_1.json new file mode 100644 index 00000000..77b1e496 --- /dev/null +++ b/data/json/decision_points/cvss/attack_requirements_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AT", "name": "Attack Requirements", "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [{"key": "N", "name": "None", "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."}, {"key": "P", "name": "Present", "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_vector_3.json b/data/json/decision_points/cvss/attack_vector_3.json new file mode 100644 index 00000000..4138eb79 --- /dev/null +++ b/data/json/decision_points/cvss/attack_vector_3.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [{"key": "P", "name": "Physical", "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."}, {"key": "L", "name": "Local", "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."}, {"key": "A", "name": "Adjacent", "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."}, {"key": "N", "name": "Network", "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json new file mode 100644 index 00000000..e8f2fb92 --- /dev/null +++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [{"key": "P", "name": "Physical", "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."}, {"key": "L", "name": "Local", "description": "The vulnerable system is not bound to the network stack and the attacker\u2019s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."}, {"key": "A", "name": "Adjacent", "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. 
This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."}, {"key": "N", "name": "Network", "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed \u201cremotely exploitable\u201d and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/authentication_1.json b/data/json/decision_points/cvss/authentication_1.json new file mode 100644 index 00000000..e125e865 --- /dev/null +++ b/data/json/decision_points/cvss/authentication_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "values": [{"key": "N", "name": "Not Required", "description": "Authentication is not required to access or exploit the vulnerability."}, {"key": "R", "name": "Required", "description": "Authentication is required to access and exploit the vulnerability."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/authentication_2.json b/data/json/decision_points/cvss/authentication_2.json new file mode 100644 index 00000000..325df4fb --- /dev/null +++ b/data/json/decision_points/cvss/authentication_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "values": [{"key": "M", "name": "Multiple", "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."}, {"key": "S", "name": "Single", "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."}, {"key": "N", "name": "None", "description": "Authentication is not required to exploit the vulnerability."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_1.json b/data/json/decision_points/cvss/availability_impact_1.json new file mode 100644 index 00000000..0666e517 --- /dev/null +++ b/data/json/decision_points/cvss/availability_impact_1.json 
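Review bot: The `description` for Authentication 2.0.0 ends with "The possible values for this metric are listed in Table 3.", a cross-reference that only resolves inside the CVSS v2 specification and points nowhere once this text is consumed from the JSON or rendered in the project's generated docs. The attack_vector_3 and attack_vector_3_0_1 files carry the same kind of remnant ("evil maid attack [1]", "evil maid attack1"). If the intent is a verbatim spec quotation, that is worth stating where these decision points are documented; otherwise dropping the dangling sentence keeps the description self-contained, e.g. `"... only that an attacker is required to provide credentials before an exploit may occur. The fewer authentication instances that are required, the higher the vulnerability score."`. These files appear to be generated (single-line `json.dumps` output with `\u2019` escapes), so the edit presumably belongs in the Python decision-point definition rather than the data file.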
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on availability."}, {"key": "P", "name": "Partial", "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."}, {"key": "C", "name": "Complete", "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_2.json b/data/json/decision_points/cvss/availability_impact_2.json new file mode 100644 index 00000000..b582e82d --- /dev/null +++ b/data/json/decision_points/cvss/availability_impact_2.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the availability of the system."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file 
diff --git a/data/json/decision_points/cvss/availability_impact_2_0_1.json b/data/json/decision_points/cvss/availability_impact_2_0_1.json new file mode 100644 index 00000000..7c43bca6 --- /dev/null +++ b/data/json/decision_points/cvss/availability_impact_2_0_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1.json b/data/json/decision_points/cvss/availability_requirement_1.json new file mode 100644 index 00000000..bf9732ba --- /dev/null +++ b/data/json/decision_points/cvss/availability_requirement_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1.json new file mode 100644 index 00000000..73b25c1a --- /dev/null +++ b/data/json/decision_points/cvss/availability_requirement_1_1.json 
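Review bot: The `description` of Availability Requirement 1.0.0 is the Availability *Impact* wording ("This metric measures the impact to the availability of a successfully exploited vulnerability"), which does not describe this metric: the Requirement is an environmental modifier expressing how important the asset's availability is to the organization, and its values (limited / serious / catastrophic adverse effect on the organization) say exactly that. The 1.1.0 file in this series repeats the copied text and only 1.1.1 reads correctly, so anyone consuming the 1.0.0/1.1.0 records gets a misleading definition. A wording consistent with the values would be `"description": "This metric enables the analyst to customize the assessment depending on the importance of the affected IT asset to the organization, measured in terms of Availability."`. The files look generated from the Python decision-point definitions, so the fix presumably belongs in `availability_requirement.py` rather than in the JSON; the same copy-paste pattern appears in the confidentiality_requirement and integrity_requirement 1.0.0/1.1.0 files.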
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json new file mode 100644 index 00000000..f808db1c --- /dev/null +++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Availability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1.json b/data/json/decision_points/cvss/collateral_damage_potential_1.json new file mode 100644 index 00000000..0b24042d --- /dev/null +++ b/data/json/decision_points/cvss/collateral_damage_potential_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "values": [{"key": "N", "name": "None", "description": "There is no potential for physical or property damage."}, {"key": "L", "name": "Low", "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."}, {"key": "M", "name": "Medium", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2.json b/data/json/decision_points/cvss/collateral_damage_potential_2.json new file mode 100644 index 00000000..cc97cc2c --- /dev/null +++ b/data/json/decision_points/cvss/collateral_damage_potential_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for loss of life or physical assets.", "values": [{"key": "N", "name": "None", "description": "There is no potential for loss of life, physical assets, productivity or revenue."}, {"key": "LM", "name": "Low-Medium", "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."}, {"key": "MH", "name": "Medium-High", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_1.json b/data/json/decision_points/cvss/confidentiality_impact_1.json new file mode 100644 index 00000000..67e90005 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on confidentiality."}, {"key": "P", "name": "Partial", "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."}, {"key": "C", "name": "Complete", "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_2.json b/data/json/decision_points/cvss/confidentiality_impact_2.json new file mode 100644 index 00000000..13029660 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_impact_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json new file mode 100644 index 00000000..683a7830 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1.json new file mode 100644 index 00000000..4470ee41 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_requirement_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1.json new file mode 100644 index 00000000..7b909bc1 --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1.json 
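Review bot: The `description` of Confidentiality Requirement 1.0.0 ("This metric measures the impact to the confidentiality of a successfully exploited vulnerability") is the Confidentiality Impact definition, not the environmental Requirement metric whose values talk about the adverse effect on the organization. The 1.1.0 variant repeats it and only 1.1.1 in this series carries the correct "enables the consumer to customize the assessment depending on the importance of the affected IT asset" wording. If these JSON files are generated from `confidentiality_requirement.py`, correct the description there, e.g. `"description": "This metric enables the analyst to customize the assessment depending on the importance of the affected IT asset to the organization, measured in terms of Confidentiality."`.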
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json new file mode 100644 index 00000000..016d932b --- /dev/null +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/exploitability_1.json b/data/json/decision_points/cvss/exploitability_1.json new file mode 100644 index 00000000..fdeac3d9 --- /dev/null +++ b/data/json/decision_points/cvss/exploitability_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/exploitability_1_1.json b/data/json/decision_points/cvss/exploitability_1_1.json new file mode 100644 index 00000000..65792b8c --- /dev/null +++ b/data/json/decision_points/cvss/exploitability_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/impact_bias_1.json b/data/json/decision_points/cvss/impact_bias_1.json new file mode 100644 index 00000000..2d6b4f51 --- /dev/null +++ b/data/json/decision_points/cvss/impact_bias_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IB", "name": "Impact Bias", "description": "This metric measures the impact bias of the vulnerability.", "values": [{"key": "N", "name": "Normal", "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."}, {"key": "C", "name": "Confidentiality", "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."}, {"key": "I", "name": "Integrity", "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."}, {"key": "A", "name": "Availability", "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_impact_1.json b/data/json/decision_points/cvss/integrity_impact_1.json new file mode 100644 index 00000000..daf6d35c --- /dev/null +++ b/data/json/decision_points/cvss/integrity_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on integrity."}, {"key": "P", "name": "Partial", "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."}, {"key": "C", "name": "Complete", "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_impact_2.json b/data/json/decision_points/cvss/integrity_impact_2.json new file mode 100644 index 00000000..58da5c1b --- /dev/null +++ b/data/json/decision_points/cvss/integrity_impact_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the integrity of the system."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_1.json b/data/json/decision_points/cvss/integrity_impact_2_0_1.json new file mode 100644 index 00000000..d689989e --- /dev/null +++ b/data/json/decision_points/cvss/integrity_impact_2_0_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]} \ No newline at end of file 
diff --git a/data/json/decision_points/cvss/integrity_requirement_1.json b/data/json/decision_points/cvss/integrity_requirement_1.json new file mode 100644 index 00000000..8d24a7e1 --- /dev/null +++ b/data/json/decision_points/cvss/integrity_requirement_1.json @@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1.json new file mode 100644 index 00000000..25dad33b --- /dev/null +++ b/data/json/decision_points/cvss/integrity_requirement_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json new file mode 100644 index 00000000..9e83e2c2 --- /dev/null +++ b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/privileges_required_1.json b/data/json/decision_points/cvss/privileges_required_1.json new file mode 100644 index 00000000..cc4dc58e --- /dev/null +++ b/data/json/decision_points/cvss/privileges_required_1.json 
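Review bot: The description in integrity_requirement_1_1_1.json says the metric is "measured in terms of Confidentiality", which contradicts the Integrity Requirement name and every value description in the same file (all of which describe loss of integrity); it reads like a copy-paste from the confidentiality requirement and should end `measured in terms of Integrity.` Separately, the file is named `_1_1_1` but declares `"version": "1.0.1"`, while the sibling `integrity_requirement_1_1.json` on the preceding line declares `1.1.0`; if the filename reflects the intended version the string should presumably be `1.1.1`, otherwise the filename is misleading, and I cannot tell from the diff which is meant. Since these files look generated, the fix belongs in the source that emits them rather than in the JSON alone.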
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json new file mode 100644 index 00000000..8fcdde86 --- /dev/null +++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system\u2019s settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/remediation_level_1.json b/data/json/decision_points/cvss/remediation_level_1.json new file mode 100644 index 00000000..78c08b16 --- /dev/null +++ b/data/json/decision_points/cvss/remediation_level_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/remediation_level_1_1.json b/data/json/decision_points/cvss/remediation_level_1_1.json new file mode 100644 index 00000000..3354c3a5 --- /dev/null +++ b/data/json/decision_points/cvss/remediation_level_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/report_confidence_1.json b/data/json/decision_points/cvss/report_confidence_1.json new file mode 100644 index 00000000..2383385c --- /dev/null +++ b/data/json/decision_points/cvss/report_confidence_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/report_confidence_1_1.json b/data/json/decision_points/cvss/report_confidence_1_1.json new file mode 100644 index 00000000..859ae0ae --- /dev/null +++ b/data/json/decision_points/cvss/report_confidence_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/report_confidence_2.json b/data/json/decision_points/cvss/report_confidence_2.json new file mode 100644 index 00000000..f35f1bc9 --- /dev/null +++ b/data/json/decision_points/cvss/report_confidence_2.json 
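Review bot: "possibily" in the Uncorroborated description is a typo for "possibly", and it is present in report_confidence_1.json as well as in this 1.1.0 revision, so the template text they are generated from is probably the place to fix it. A second point: this revision adds Not Defined with `"key": "ND"`, whereas remediation_level_1_1.json in the same change adds it with `"key": "X"`; if both 1.1.0 revisions model the same CVSS revision the Not Defined key convention should match, and if they deliberately differ a note in the description would save the next reader from guessing. I cannot tell from the diff which is intended.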
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "U", "name": "Unknown", "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."}, {"key": "R", "name": "Reasonable", "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."}, {"key": "C", "name": "Confirmed", "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/scope_1.json b/data/json/decision_points/cvss/scope_1.json new file mode 100644 index 00000000..640ae6da --- /dev/null +++ b/data/json/decision_points/cvss/scope_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "S", "name": "Scope", "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "values": [{"key": "U", "name": "Unchanged", "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."}, {"key": "C", "name": "Changed", "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/subsequent_availability_impact_1.json b/data/json/decision_points/cvss/subsequent_availability_impact_1.json new file mode 100644 index 00000000..88822ee1 --- /dev/null +++ b/data/json/decision_points/cvss/subsequent_availability_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SA", "name": "Subsequent Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."}, {"key": "H", "name": "High", "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json b/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json new file mode 100644 index 00000000..4e08a1a0 --- /dev/null +++ b/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SC", "name": "Confidentiality Impact to the Subsequent System", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "values": [{"key": "N", "name": "Negligible", "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json b/data/json/decision_points/cvss/subsequent_integrity_impact_1.json new file mode 100644 index 00000000..59181634 --- /dev/null +++ b/data/json/decision_points/cvss/subsequent_integrity_impact_1.json 
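Review bot: The `N` value in subsequent_confidentiality_impact_1.json is named `Negligible`, while the parallel `N` values in subsequent_availability_impact_1.json and subsequent_integrity_impact_1.json in this same change are named `None`, and the description itself says there is "no loss of confidentiality". Unless the divergence is deliberate, `"name": "None"` would keep the three Subsequent System impact metrics consistent and avoid a consumer assuming `N` carries different meaning across them. The metric name `Confidentiality Impact to the Subsequent System` also differs in form from `Subsequent Availability Impact` on the previous line; worth aligning if they are meant to be parallel.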
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SI", "name": "Integrity Impact to the Subsequent System", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/target_distribution_1.json b/data/json/decision_points/cvss/target_distribution_1.json new file mode 100644 index 00000000..40f0b191 --- /dev/null +++ b/data/json/decision_points/cvss/target_distribution_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/target_distribution_1_1.json b/data/json/decision_points/cvss/target_distribution_1_1.json new file mode 100644 index 00000000..c61af269 --- /dev/null +++ b/data/json/decision_points/cvss/target_distribution_1_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/user_interaction_1.json b/data/json/decision_points/cvss/user_interaction_1.json new file mode 100644 index 00000000..afc55331 --- /dev/null +++ b/data/json/decision_points/cvss/user_interaction_1.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "values": [{"key": "R", "name": "Required", "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any user."}]} \ No newline at end of file diff --git a/data/json/decision_points/cvss/user_interaction_2.json b/data/json/decision_points/cvss/user_interaction_2.json new file mode 100644 index 00000000..0f2f1640 --- /dev/null +++ b/data/json/decision_points/cvss/user_interaction_2.json 
@@ -0,0 +1 @@ +{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "values": [{"key": "A", "name": "Active", "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker\u2019s payload, or the user\u2019s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."}, {"key": "P", "name": "Passive", "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker\u2019s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."}]} \ No newline at end of file diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json new file mode 100644 index 00000000..779e4112 --- /dev/null +++ b/data/json/outcomes/CISA.json 
@@ -0,0 +1 @@ +{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "CISA Levels", "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", "outcomes": [{"key": "T", "name": "Track", "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."}, {"key": "T*", "name": "Track*", "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."}, {"key": "A", "name": "Attend", "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."}, {"key": "A", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."}]} \ No newline at end of file diff --git a/data/json/outcomes/COORDINATE.json b/data/json/outcomes/COORDINATE.json new file mode 100644 index 00000000..19ad020f --- /dev/null +++ b/data/json/outcomes/COORDINATE.json 
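Review bot: In CISA.json the Act outcome is emitted with `"key": "A"`, the same key the preceding Attend outcome already uses, so any consumer that indexes, validates or serialises outcomes by key cannot distinguish the two highest-priority decisions, and a lookup that silently resolves Act to Attend would under-prioritise exactly the vulnerabilities the description says to remediate as soon as possible. Each outcome in the group needs a distinct key, as Track (`T`) and Track* (`T*`) already have in this file; which short key Act should get is a project choice I will not guess at. Because these files appear to be generated and the collision was not caught, it would also be worth having the outcome-group schema or the loader enforce key uniqueness within `outcomes` (and `values` for decision points).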
@@ -0,0 +1 @@ +{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Decline, Track, Coordinate", "description": "The coordinate outcome group.", "outcomes": [{"key": "D", "name": "Decline", "description": "Decline"}, {"key": "T", "name": "Track", "description": "Track"}, {"key": "C", "name": "Coordinate", "description": "Coordinate"}]} \ No newline at end of file diff --git a/data/json/outcomes/CVSS.json b/data/json/outcomes/CVSS.json new file mode 100644 index 00000000..ee9cec55 --- /dev/null +++ b/data/json/outcomes/CVSS.json @@ -0,0 +1 @@ +{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "CVSS Levels", "description": "The CVSS outcome group.", "outcomes": [{"key": "L", "name": "Low", "description": "Low"}, {"key": "M", "name": "Medium", "description": "Medium"}, {"key": "H", "name": "High", "description": "High"}, {"key": "C", "name": "Critical", "description": "Critical"}]} \ No newline at end of file diff --git a/data/json/outcomes/DSOI.json b/data/json/outcomes/DSOI.json new file mode 100644 index 00000000..8cc15f4b --- /dev/null +++ b/data/json/outcomes/DSOI.json @@ -0,0 +1 @@ +{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Defer, Scheduled, Out-of-Cycle, Immediate", "description": "The original SSVC outcome group.", "outcomes": [{"key": "D", "name": "Defer", "description": "Defer"}, {"key": "S", "name": "Scheduled", "description": "Scheduled"}, {"key": "O", "name": "Out-of-Cycle", "description": "Out-of-Cycle"}, {"key": "I", "name": "Immediate", "description": "Immediate"}]} \ No newline at end of file diff --git a/data/json/outcomes/EISENHOWER.json b/data/json/outcomes/EISENHOWER.json new file mode 100644 index 00000000..0bf7844e --- /dev/null +++ b/data/json/outcomes/EISENHOWER.json 
@@ -0,0 +1 @@
+{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Do, Schedule, Delegate, Delete", "description": "The Eisenhower outcome group.", "outcomes": [{"key": "D", "name": "Delete", "description": "Delete"}, {"key": "G", "name": "Delegate", "description": "Delegate"}, {"key": "S", "name": "Schedule", "description": "Schedule"}, {"key": "O", "name": "Do", "description": "Do"}]}
\ No newline at end of file
diff --git a/data/json/outcomes/MOSCOW.json b/data/json/outcomes/MOSCOW.json
new file mode 100644
index 00000000..e4f466be
--- /dev/null
+++ b/data/json/outcomes/MOSCOW.json
@@ -0,0 +1 @@
+{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Must, Should, Could, Won't", "description": "The Moscow outcome group.", "outcomes": [{"key": "W", "name": "Won't", "description": "Won't"}, {"key": "C", "name": "Could", "description": "Could"}, {"key": "S", "name": "Should", "description": "Should"}, {"key": "M", "name": "Must", "description": "Must"}]}
\ No newline at end of file
diff --git a/data/json/outcomes/PUBLISH.json b/data/json/outcomes/PUBLISH.json
new file mode 100644
index 00000000..355a56a2
--- /dev/null
+++ b/data/json/outcomes/PUBLISH.json
@@ -0,0 +1 @@
+{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Publish, Do Not Publish", "description": "The publish outcome group.", "outcomes": [{"key": "N", "name": "Do Not Publish", "description": "Do Not Publish"}, {"key": "P", "name": "Publish", "description": "Publish"}]}
\ No newline at end of file
diff --git a/data/json/outcomes/THE_PARANOIDS.json b/data/json/outcomes/THE_PARANOIDS.json
new file mode 100644
index 00000000..121804e7
--- /dev/null
+++ b/data/json/outcomes/THE_PARANOIDS.json
@@ -0,0 +1 @@
+{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "theParanoids", "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.", "outcomes": [{"key": "5", "name": "Track 5", "description": "Track"}, {"key": "4", "name": "Track Closely 4", "description": "Track Closely"}, {"key": "3", "name": "Attend 3", "description": "Attend"}, {"key": "2", "name": "Attend 2", "description": "Attend"}, {"key": "1", "name": "Act 1", "description": "Act"}, {"key": "0", "name": "Act ASAP 0", "description": "Act ASAP"}]}
\ No newline at end of file
diff --git a/data/json/outcomes/VALUE_COMPLEXITY.json b/data/json/outcomes/VALUE_COMPLEXITY.json
new file mode 100644
index 00000000..e7f03c44
--- /dev/null
+++ b/data/json/outcomes/VALUE_COMPLEXITY.json
@@ -0,0 +1 @@
+{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Value, Complexity", "description": "The Value/Complexity outcome group.", "outcomes": [{"key": "D", "name": "Drop", "description": "Drop"}, {"key": "R", "name": "Reconsider Later", "description": "Reconsider Later"}, {"key": "E", "name": "Easy Win", "description": "Easy Win"}, {"key": "F", "name": "Do First", "description": "Do First"}]}
\ No newline at end of file
diff --git a/data/json/outcomes/YES_NO.json b/data/json/outcomes/YES_NO.json
new file mode 100644
index 00000000..ad840aaa
--- /dev/null
+++ b/data/json/outcomes/YES_NO.json
@@ -0,0 +1 @@
+{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Yes, No", "description": "The Yes/No outcome group.", "outcomes": [{"key": "N", "name": "No", "description": "No"}, {"key": "Y", "name": "Yes", "description": "Yes"}]}
\ No newline at end of file
diff --git a/data/schema/current/Outcome_Group-1-0-1.schema.json b/data/schema/current/Outcome_Group-1-0-1.schema.json
new file mode 120000
index 00000000..facc9154
--- /dev/null
+++ b/data/schema/current/Outcome_Group-1-0-1.schema.json
@@ -0,0 +1 @@
+../v1/Outcome_Group-1-0-1.schema.json
\ No newline at end of file
diff --git a/data/schema/v1/Outcome_Group-1-0-1.schema.json b/data/schema/v1/Outcome_Group-1-0-1.schema.json
new file mode 100644
index 00000000..aba8d781
--- /dev/null
+++ b/data/schema/v1/Outcome_Group-1-0-1.schema.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "title": "Outcome Group/Set schema definition",
+ "$id": "https://certcc.github.io/SSVC/data/schema/v1/Outcome-1-0-1.schema.json",
+ "description": "An outcome is the result of making a decision. Outcomes are often tailored specifically to the stakeholder context in which the decision is being made. We call the set of possible outcomes for a decision an Outcome Set.",
+ "$defs": {
+ "schemaVersion": {
+ "description": "Schema version used to represent this Outcome Group",
+ "type": "string",
+ "enum": ["1-0-1"]
+ },
+ "outcome_value": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "key": {
+ "type": "string",
+ "description": "A key (a short, unique string) that can be used to identify the Outcome in a shorthand way"
+ },
+ "name": {
+ "type": "string",
+ "description": "A short label that captures the description of the Decision Point or the Group of Decision Points."
+ },
+ "description": {
+ "type": "string",
+ "description": "Description of the Decision Point Value"
+ }
+ },
+ "required" : [
+ "key",
+ "name",
+ "description"
+ ]
+ },
+ "outcome_group": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "schemaVersion": {
+ "$ref": "#/$defs/schemaVersion"
+ },
+ "version": {
+ "type": "string",
+ "description": "Version (a semantic version string) that identifies this object"
+ },
+ "name": {
+ "type": "string",
+ "description": "A short label that captures the description of the group of Outcomes"
+ },
+ "description": {
+ "type": "string",
+ "description": " Description of the of group of Outcomes."
+ },
+ "outcomes": {
+ "description": "Collection Set of Outcomes.",
+ "uniqueItems": true,
+ "type": "array",
+ "minItems": 2,
+ "items": {
+ "$ref": "#/$defs/outcome_value"
+ }
+ }
+ },
+ "required": [
+ "version",
+ "name",
+ "description",
+ "outcomes",
+ "schemaVersion"
+ ]
+ }
+ },
+ "$ref": "#/$defs/outcome_group"
+}
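Review bot: The `$id` of this new schema names `.../data/schema/v1/Outcome-1-0-1.schema.json`, but the file is committed as `data/schema/v1/Outcome_Group-1-0-1.schema.json` (and symlinked under `current/` with the same name), so a resolver that retrieves schemas by `$id` will not find it; `"$id": "https://certcc.github.io/SSVC/data/schema/v1/Outcome_Group-1-0-1.schema.json"` matches the committed path. Two property descriptions under `outcome_value` still describe decision points — `name` says "the Decision Point or the Group of Decision Points" and `description` says "Description of the Decision Point Value" — and should read `"A short label that captures the description of the Outcome"` and `"Description of the Outcome"`; the `outcome_group.description` text `" Description of the of group of Outcomes."` also has a leading space and a doubled "of". `"uniqueItems": true` on `outcomes` only rejects two identical objects, so two outcomes that share a `key` but differ in name still validate (the generated CISA.json in this same commit is such a case); draft 2020-12 cannot express per-field uniqueness, so the key uniqueness the `key` description promises has to be enforced in the Python model or a test, and a note in the schema description saying so would keep consumers from relying on it.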
diff --git a/docs/ssvc-calc/ssvc-calc.html b/docs/ssvc-calc/ssvc-calc.html new file mode 100644 index 00000000..e09e4783 --- /dev/null +++ b/docs/ssvc-calc/ssvc-calc.html @@ -0,0 +1,182 @@ + + + + + + SSVC Lookup Table + + + +

SSVC Lookup Table

+
+ +
+ + +
diff --git a/src/cvss_to_json.py b/src/cvss_to_json.py
new file mode 100644
index 00000000..63a23465
--- /dev/null
+++ b/src/cvss_to_json.py
@@ -0,0 +1,22 @@
+#!/usr/bin/python3"
+mods = ["attack_complexity", "attack_requirements", "attack_vector",
+ "authentication", "availability_impact", "availability_requirement",
+ "collateral_damage_potential", "confidentiality_impact",
+ "confidentiality_requirement", "exploitability", "helpers",
+ "impact_bias", "integrity_impact", "integrity_requirement",
+ "privileges_required", "remediation_level", "report_confidence",
+ "scope", "subsequent_availability_impact",
+ "subsequent_confidentiality_impact", "subsequent_integrity_impact",
+ "target_distribution", "user_interaction"]
+for mod in mods:
+ module = getattr(__import__('ssvc.decision_points.cvss', fromlist=[mod]),
+ mod)
+ for dp in dir(module):
+ if dp.upper().find(mod.upper()) > -1:
+ #user_interaction USER_INTERACTION_2
+ print(mod, dp)
+ sdp = getattr(module, dp)
+ with open(f"../data/json/decision_points/cvss/{dp.lower()}.json", "w") as f:
+ f.write(sdp.to_json())
+
+
diff --git a/src/outcomes_to_json.py b/src/outcomes_to_json.py
new file mode 100644
index 00000000..6a1925a3
--- /dev/null
+++ b/src/outcomes_to_json.py
@@ -0,0 +1,11 @@
+#!/usr/bin/python3
+from ssvc.outcomes import groups
+from ssvc.outcomes.base import OutcomeGroup
+
+for x in dir(groups):
+ outcome = getattr(groups,x);
+ if type(outcome) == OutcomeGroup:
+ with open(f"../data/json/outcomes/{x}.json","w") as f:
+ f.write(outcome.to_json())
+
+
diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py
index 62bb882b..3436dce3 100644
--- a/src/ssvc/outcomes/base.py
+++ b/src/ssvc/outcomes/base.py
@@ -20,7 +20,7 @@ from dataclasses_json import dataclass_json
-from ssvc._mixins import _Base, _Keyed
+from ssvc._mixins import _Base, _Keyed, _Versioned
 @dataclass_json
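Review bot: The shebang on the first line of the new src/cvss_to_json.py is `#!/usr/bin/python3"` with a stray trailing quote, so running the file directly asks the kernel for an interpreter literally named `python3"` and fails; it should be `#!/usr/bin/python3`. The selection test `if dp.upper().find(mod.upper()) > -1:` matches by substring, so for `availability_impact` it also picks up `SUBSEQUENT_AVAILABILITY_IMPACT_1` (and any imported name that happens to contain the module name), and the unconditional `sdp.to_json()` then raises on anything that is not a decision point; an `isinstance` check against the decision-point class would state the intent and drop the name heuristic, and the `helpers` entry in `mods` — not a decision-point module — can go with it. The output path `../data/json/decision_points/cvss/` is relative to the working directory rather than to the script, so the run only works from `src/`; `pathlib.Path(__file__).resolve().parent.parent / "data" / "json" / "decision_points" / "cvss"` removes that dependency. `getattr(__import__('ssvc.decision_points.cvss', fromlist=[mod]), mod)` is the long form of `importlib.import_module(f"ssvc.decision_points.cvss.{mod}")`.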
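Review bot: `if type(outcome) == OutcomeGroup:` in the new src/outcomes_to_json.py skips any subclass of `OutcomeGroup`, which is unlikely to be intended; `if isinstance(outcome, OutcomeGroup):` is the idiomatic test, and the stray `;` after `getattr(groups,x)` should go. The `../data/json/outcomes/` output path has the same working-directory dependence as cvss_to_json.py in this commit and should be derived from `__file__` the same way. Since `x` is taken from `dir(groups)` it is always a Python identifier, so using it as the file name is safe; a one-line comment, `# x is an attribute name, so it is a safe path component`, would spare the next reader that check.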
@@ -33,7 +33,7 @@ class OutcomeValue(_Base, _Keyed): @dataclass_json @dataclass(kw_only=True) -class OutcomeGroup(_Base): +class OutcomeGroup(_Base, _Versioned): """ Models an outcome group. """ diff --git a/src/ssvc/outcomes/groups.py b/src/ssvc/outcomes/groups.py index 8cb328e5..cc654d90 100644 --- a/src/ssvc/outcomes/groups.py +++ b/src/ssvc/outcomes/groups.py @@ -23,6 +23,7 @@ DSOI = OutcomeGroup( name="Defer, Scheduled, Out-of-Cycle, Immediate", description="The original SSVC outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Defer", key="D", description="Defer"), OutcomeValue(name="Scheduled", key="S", description="Scheduled"), @@ -37,6 +38,7 @@ PUBLISH = OutcomeGroup( name="Publish, Do Not Publish", description="The publish outcome group.", + version="1.0.0", outcomes=( OutcomeValue( name="Do Not Publish", key="N", description="Do Not Publish" @@ -51,6 +53,7 @@ COORDINATE = OutcomeGroup( name="Decline, Track, Coordinate", description="The coordinate outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Decline", key="D", description="Decline"), OutcomeValue(name="Track", key="T", description="Track"), @@ -64,6 +67,7 @@ MOSCOW = OutcomeGroup( name="Must, Should, Could, Won't", description="The Moscow outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Won't", key="W", description="Won't"), OutcomeValue(name="Could", key="C", description="Could"), @@ -78,6 +82,7 @@ EISENHOWER = OutcomeGroup( name="Do, Schedule, Delegate, Delete", description="The Eisenhower outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Delete", key="D", description="Delete"), OutcomeValue(name="Delegate", key="G", description="Delegate"), @@ -92,6 +97,7 @@ CVSS = OutcomeGroup( name="CVSS Levels", description="The CVSS outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="Low", key="L", description="Low"), OutcomeValue(name="Medium", key="M", description="Medium"), 
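Review bot: The `OutcomeGroup` docstring in src/ssvc/outcomes/base.py still reads only "Models an outcome group." after `_Versioned` is mixed in, so nothing in the class tells a reader that a `version` is now expected — every group in src/ssvc/outcomes/groups.py is updated in this commit to pass `version="1.0.0"`, and the new Outcome_Group schema lists `version` as required. A second docstring line such as `Carries a version (semantic version string) via _Versioned; mirrors data/schema/v1/Outcome_Group-1-0-1.schema.json.` would tie the model to the schema. Whether `_Versioned` gives `version` a default is not visible here, so word the line to match its definition.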
@@ -107,6 +113,7 @@ name="CISA Levels", description="The CISA outcome group. " "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", + version="1.0.0", outcomes=( OutcomeValue( name="Track", @@ -146,6 +153,7 @@ YES_NO = OutcomeGroup( name="Yes, No", description="The Yes/No outcome group.", + version="1.0.0", outcomes=( OutcomeValue(name="No", key="N", description="No"), OutcomeValue(name="Yes", key="Y", description="Yes"), @@ -158,6 +166,7 @@ VALUE_COMPLEXITY = OutcomeGroup( name="Value, Complexity", description="The Value/Complexity outcome group.", + version="1.0.0", outcomes=( # drop, reconsider later, easy win, do first OutcomeValue(name="Drop", key="D", description="Drop"), @@ -175,6 +184,7 @@ THE_PARANOIDS = OutcomeGroup( name="theParanoids", description="PrioritizedRiskRemediation outcome group based on TheParanoids.", + version="1.0.0", outcomes=( OutcomeValue(name="Track 5", key="5", description="Track"), OutcomeValue( From 2dd69f02e2c12200986ecbe93fe7a5e93dd234bf Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder" Date: Mon, 27 Jan 2025 10:12:32 -0500 Subject: [PATCH 07/31] Replace python dataclasses with pydantic dataclasses (#674) * fix unit test (#669) * fix unit test * add some comments explaining why we're doing it this way also use with... syntax to reduce filehandler boilerplate * use pydantic dataclasses makes json roundtrip easier also prepares for FastAPI adoption # Conflicts: # src/ssvc/_mixins.py # src/ssvc/decision_points/cvss/base.py # src/ssvc_v2.py * black reformat * fix unit tests * black reformat * use native python types * update dependencies * wrap scripts in main() func * regenerate with indented json * black reformat * add placeholder test --- .../cvss/attack_complexity_3.json | 21 +++++- .../cvss/attack_complexity_3_0_1.json | 21 +++++- .../cvss/attack_requirements_1.json | 21 +++++- .../decision_points/cvss/attack_vector_3.json | 31 +++++++- .../cvss/attack_vector_3_0_1.json | 31 +++++++- .../cvss/authentication_1.json | 21 +++++- .../cvss/authentication_2.json | 26 ++++++- .../cvss/availability_impact_1.json | 26 ++++++- .../cvss/availability_impact_2.json | 26 ++++++- .../cvss/availability_impact_2_0_1.json | 26 ++++++- .../cvss/availability_requirement_1.json | 31 +++++++- .../cvss/availability_requirement_1_1.json | 31 +++++++- .../cvss/availability_requirement_1_1_1.json | 31 +++++++- .../cvss/collateral_damage_potential_1.json | 31 +++++++- .../cvss/collateral_damage_potential_2.json | 36 ++++++++- .../cvss/confidentiality_impact_1.json | 26 ++++++- .../cvss/confidentiality_impact_2.json | 26 ++++++- .../cvss/confidentiality_impact_2_0_1.json | 26 ++++++- .../cvss/confidentiality_requirement_1.json | 31 +++++++- .../cvss/confidentiality_requirement_1_1.json | 31 +++++++- .../confidentiality_requirement_1_1_1.json | 31 +++++++- .../cvss/exploitability_1.json | 31 +++++++- .../cvss/exploitability_1_1.json | 36 ++++++++- .../decision_points/cvss/impact_bias_1.json | 31 +++++++- .../cvss/integrity_impact_1.json | 26 
++++++- .../cvss/integrity_impact_2.json | 26 ++++++- .../cvss/integrity_impact_2_0_1.json | 26 ++++++- .../cvss/integrity_requirement_1.json | 31 +++++++- .../cvss/integrity_requirement_1_1.json | 31 +++++++- .../cvss/integrity_requirement_1_1_1.json | 31 +++++++- .../cvss/privileges_required_1.json | 26 ++++++- .../cvss/privileges_required_1_0_1.json | 26 ++++++- .../cvss/remediation_level_1.json | 31 +++++++- .../cvss/remediation_level_1_1.json | 36 ++++++++- .../cvss/report_confidence_1.json | 26 ++++++- .../cvss/report_confidence_1_1.json | 31 +++++++- .../cvss/report_confidence_2.json | 31 +++++++- data/json/decision_points/cvss/scope_1.json | 21 +++++- .../subsequent_availability_impact_1.json | 26 ++++++- .../subsequent_confidentiality_impact_1.json | 26 ++++++- .../cvss/subsequent_integrity_impact_1.json | 26 ++++++- .../cvss/target_distribution_1.json | 31 +++++++- .../cvss/target_distribution_1_1.json | 36 ++++++++- .../cvss/user_interaction_1.json | 21 +++++- .../cvss/user_interaction_2.json | 26 ++++++- data/json/outcomes/CISA.json | 29 ++++++- data/json/outcomes/COORDINATE.json | 24 +++++- data/json/outcomes/CVSS.json | 29 ++++++- data/json/outcomes/DSOI.json | 29 ++++++- data/json/outcomes/EISENHOWER.json | 29 ++++++- data/json/outcomes/MOSCOW.json | 29 ++++++- data/json/outcomes/PUBLISH.json | 19 ++++- data/json/outcomes/THE_PARANOIDS.json | 39 +++++++++- data/json/outcomes/VALUE_COMPLEXITY.json | 29 ++++++- data/json/outcomes/YES_NO.json | 19 ++++- requirements.txt | 2 +- src/cvss_to_json.py | 75 ++++++++++++++----- src/outcomes_to_json.py | 30 ++++++-- src/ssvc/_mixins.py | 29 +++---- src/ssvc/decision_points/base.py | 30 +++----- src/ssvc/decision_points/critical_software.py | 2 +- src/ssvc/decision_points/cvss/base.py | 10 +-- src/ssvc/decision_points/cvss/eq_sets.py | 2 +- src/ssvc/decision_points/helpers.py | 14 ++-- src/ssvc/decision_points/high_value_asset.py | 2 +- src/ssvc/decision_points/in_kev.py | 2 +- 
.../decision_points/report_credibility.py | 2 +- src/ssvc/decision_points/report_public.py | 2 +- .../decision_points/supplier_cardinality.py | 2 +- .../decision_points/supplier_contacted.py | 2 +- .../decision_points/supplier_engagement.py | 2 +- .../decision_points/supplier_involvement.py | 2 +- src/ssvc/decision_points/system_exposure.py | 4 +- src/ssvc/decision_points/technical_impact.py | 2 +- src/ssvc/decision_points/value_density.py | 2 +- src/ssvc/doctools.py | 2 +- src/ssvc/dp_groups/base.py | 17 ++--- src/ssvc/dp_groups/cvss/collections.py | 2 +- src/ssvc/dp_groups/ssvc/collections.py | 2 +- .../dp_groups/ssvc/coordinator_publication.py | 2 +- src/ssvc/dp_groups/ssvc/coordinator_triage.py | 2 +- src/ssvc/dp_groups/ssvc/deployer.py | 6 +- src/ssvc/dp_groups/ssvc/supplier.py | 4 +- src/ssvc/outcomes/base.py | 19 ++--- src/ssvc/policy_generator.py | 23 ++---- src/ssvc_v2.py | 7 +- src/test/test_doctools.py | 4 +- src/test/test_dp_base.py | 10 +-- src/test/test_dp_groups.py | 9 ++- src/test/test_mixins.py | 42 +++++------ src/test/test_outcomes.py | 9 +-- src/test/test_schema.py | 31 ++++---- 92 files changed, 1698 insertions(+), 256 deletions(-) diff --git a/data/json/decision_points/cvss/attack_complexity_3.json b/data/json/decision_points/cvss/attack_complexity_3.json index f71772ce..895283e4 100644 --- a/data/json/decision_points/cvss/attack_complexity_3.json +++ b/data/json/decision_points/cvss/attack_complexity_3.json 
@@ -1 +1,20 @@ -{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component."}, {"key": "H", "name": "High", "description": "A successful attack depends on conditions beyond the attacker's control."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Attack Complexity", + "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + }, + { + "key": "H", + "name": "High", + "description": "A successful attack depends on conditions beyond the attacker's control." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json index bfece6aa..86686214 100644 --- a/data/json/decision_points/cvss/attack_complexity_3_0_1.json +++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json 
@@ -1 +1,20 @@ -{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AC", "name": "Attack Complexity", "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", "values": [{"key": "L", "name": "Low", "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. "}, {"key": "H", "name": "High", "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "AC", + "name": "Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "values": [ + { + "key": "L", + "name": "Low", + "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + }, + { + "key": "H", + "name": "High", + "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." 
+ } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_requirements_1.json b/data/json/decision_points/cvss/attack_requirements_1.json index 77b1e496..0a7d65f8 100644 --- a/data/json/decision_points/cvss/attack_requirements_1.json +++ b/data/json/decision_points/cvss/attack_requirements_1.json @@ -1 +1,20 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AT", "name": "Attack Requirements", "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", "values": [{"key": "N", "name": "None", "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability."}, {"key": "P", "name": "Present", "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AT", + "name": "Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "values": [ + { + "key": "N", + "name": "None", + "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + { + "key": "P", + "name": "Present", + "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + } + ] +} \ No newline at end of file 
diff --git a/data/json/decision_points/cvss/attack_vector_3.json b/data/json/decision_points/cvss/attack_vector_3.json index 4138eb79..43f2ca06 100644 --- a/data/json/decision_points/cvss/attack_vector_3.json +++ b/data/json/decision_points/cvss/attack_vector_3.json 
@@ -1 +1,30 @@ -{"namespace": "cvss", "version": "3.0.0", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. ", "values": [{"key": "P", "name": "Physical", "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent."}, {"key": "L", "name": "Local", "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file."}, {"key": "A", "name": "Adjacent", "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)."}, {"key": "N", "name": "Network", "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. 
", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." + }, + { + "key": "A", + "name": "Adjacent", + "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + { + "key": "N", + "name": "Network", + "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json index e8f2fb92..22006bd9 100644 --- a/data/json/decision_points/cvss/attack_vector_3_0_1.json +++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json 
@@ -1 +1,30 @@ -{"namespace": "cvss", "version": "3.0.1", "schemaVersion": "1-0-1", "key": "AV", "name": "Attack Vector", "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", "values": [{"key": "P", "name": "Physical", "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent."}, {"key": "L", "name": "Local", "description": "The vulnerable system is not bound to the network stack and the attacker\u2019s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)."}, {"key": "A", "name": "Adjacent", "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. 
This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)."}, {"key": "N", "name": "Network", "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed \u201cremotely exploitable\u201d and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "AV", + "name": "Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. 
Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + }, + { + "key": "A", + "name": "Adjacent", + "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/authentication_1.json b/data/json/decision_points/cvss/authentication_1.json index e125e865..059f7f59 100644 --- a/data/json/decision_points/cvss/authentication_1.json +++ b/data/json/decision_points/cvss/authentication_1.json 
@@ -1 +1,20 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", "values": [{"key": "N", "name": "Not Required", "description": "Authentication is not required to access or exploit the vulnerability."}, {"key": "R", "name": "Required", "description": "Authentication is required to access and exploit the vulnerability."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "Au", + "name": "Authentication", + "description": "This metric measures whether or not an attacker needs to be authenticated to the target system in order to exploit the vulnerability.", + "values": [ + { + "key": "N", + "name": "Not Required", + "description": "Authentication is not required to access or exploit the vulnerability." + }, + { + "key": "R", + "name": "Required", + "description": "Authentication is required to access and exploit the vulnerability." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/authentication_2.json b/data/json/decision_points/cvss/authentication_2.json index 325df4fb..3550aecb 100644 --- a/data/json/decision_points/cvss/authentication_2.json +++ b/data/json/decision_points/cvss/authentication_2.json 
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "Au", "name": "Authentication", "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", "values": [{"key": "M", "name": "Multiple", "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time."}, {"key": "S", "name": "Single", "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)."}, {"key": "N", "name": "None", "description": "Authentication is not required to exploit the vulnerability."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "Au", + "name": "Authentication", + "description": "This metric measures the number of times an attacker must authenticate to a target in order to exploit a vulnerability. This metric does not gauge the strength or complexity of the authentication process, only that an attacker is required to provide credentials before an exploit may occur. The possible values for this metric are listed in Table 3. The fewer authentication instances that are required, the higher the vulnerability score.", + "values": [ + { + "key": "M", + "name": "Multiple", + "description": "Exploiting the vulnerability requires that the attacker authenticate two or more times, even if the same credentials are used each time." 
+ }, + { + "key": "S", + "name": "Single", + "description": "The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface)." + }, + { + "key": "N", + "name": "None", + "description": "Authentication is not required to exploit the vulnerability." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_1.json b/data/json/decision_points/cvss/availability_impact_1.json index 0666e517..07201d9f 100644 --- a/data/json/decision_points/cvss/availability_impact_1.json +++ b/data/json/decision_points/cvss/availability_impact_1.json 
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on availability."}, {"key": "P", "name": "Partial", "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete."}, {"key": "C", "name": "Complete", "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on availability." + }, + { + "key": "P", + "name": "Partial", + "description": "Considerable lag in or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete." + }, + { + "key": "C", + "name": "Complete", + "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_2.json b/data/json/decision_points/cvss/availability_impact_2.json index b582e82d..98d6e493 100644 --- a/data/json/decision_points/cvss/availability_impact_2.json +++ b/data/json/decision_points/cvss/availability_impact_2.json 
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the availability of the system."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the availability of the system." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_impact_2_0_1.json b/data/json/decision_points/cvss/availability_impact_2_0_1.json index 7c43bca6..1cc6921a 100644 --- a/data/json/decision_points/cvss/availability_impact_2_0_1.json 
+++ b/data/json/decision_points/cvss/availability_impact_2_0_1.json 
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "A", "name": "Availability Impact", "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "A", + "name": "Availability Impact", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. 
The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1.json b/data/json/decision_points/cvss/availability_requirement_1.json index bf9732ba..9f436294 100644 --- a/data/json/decision_points/cvss/availability_requirement_1.json +++ b/data/json/decision_points/cvss/availability_requirement_1.json 
@@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." 
+ }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1.json index 73b25c1a..c1719568 100644 --- a/data/json/decision_points/cvss/availability_requirement_1_1.json +++ b/data/json/decision_points/cvss/availability_requirement_1_1.json 
@@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.0", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric measures the impact to the availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." 
+ }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json index f808db1c..80f909c5 100644 --- a/data/json/decision_points/cvss/availability_requirement_1_1_1.json +++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json 
@@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "AR", "name": "Availability Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Availability.", "values": [{"key": "L", "name": "Low", "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.1.1", + "schemaVersion": "1-0-1", + "key": "AR", + "name": "Availability Requirement", + "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Availability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of availability is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of availability is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." 
+ }, + { + "key": "H", + "name": "High", + "description": "Loss of availability is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1.json b/data/json/decision_points/cvss/collateral_damage_potential_1.json index 0b24042d..a2f3f630 100644 --- a/data/json/decision_points/cvss/collateral_damage_potential_1.json +++ b/data/json/decision_points/cvss/collateral_damage_potential_1.json 
@@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", "values": [{"key": "N", "name": "None", "description": "There is no potential for physical or property damage."}, {"key": "L", "name": "Low", "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed."}, {"key": "M", "name": "Medium", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "CDP", + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for a loss in physical equipment, property damage or loss of life or limb.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no potential for physical or property damage." + }, + { + "key": "L", + "name": "Low", + "description": "A successful exploit of this vulnerability may result in light physical or property damage or loss. The system itself may be damaged or destroyed." + }, + { + "key": "M", + "name": "Medium", + "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + { + "key": "H", + "name": "High", + "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." + } + ] +} \ No newline at end of file 
diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2.json b/data/json/decision_points/cvss/collateral_damage_potential_2.json index cc97cc2c..26af28f9 100644 --- a/data/json/decision_points/cvss/collateral_damage_potential_2.json +++ b/data/json/decision_points/cvss/collateral_damage_potential_2.json 
@@ -1 +1,35 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "CDP", "name": "Collateral Damage Potential", "description": "This metric measures the potential for loss of life or physical assets.", "values": [{"key": "N", "name": "None", "description": "There is no potential for loss of life, physical assets, productivity or revenue."}, {"key": "LM", "name": "Low-Medium", "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss."}, {"key": "MH", "name": "Medium-High", "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss."}, {"key": "H", "name": "High", "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "CDP", + "name": "Collateral Damage Potential", + "description": "This metric measures the potential for loss of life or physical assets.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no potential for loss of life, physical assets, productivity or revenue." + }, + { + "key": "LM", + "name": "Low-Medium", + "description": "A successful exploit of this vulnerability may result in moderate physical or property damage or loss." + }, + { + "key": "MH", + "name": "Medium-High", + "description": "A successful exploit of this vulnerability may result in significant physical or property damage or loss." + }, + { + "key": "H", + "name": "High", + "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area." 
+ }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_1.json b/data/json/decision_points/cvss/confidentiality_impact_1.json index 67e90005..feaed5b0 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_1.json +++ b/data/json/decision_points/cvss/confidentiality_impact_1.json 
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on confidentiality."}, {"key": "P", "name": "Partial", "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained."}, {"key": "C", "name": "Complete", "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact on confidentiality of a successful exploit of the vulnerability on the target system.", + "values": [ + { + "key": "N", + "name": "None", + "description": "No impact on confidentiality." + }, + { + "key": "P", + "name": "Partial", + "description": "There is considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained." + }, + { + "key": "C", + "name": "Complete", + "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)." + } + ] +} \ No newline at end of file 
diff --git a/data/json/decision_points/cvss/confidentiality_impact_2.json b/data/json/decision_points/cvss/confidentiality_impact_2.json index 13029660..f56c8f62 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_2.json +++ b/data/json/decision_points/cvss/confidentiality_impact_2.json 
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. 
The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json index 683a7830..ce5046e2 100644 --- a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json +++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json 
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "C", "name": "Confidentiality Impact", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", "values": [{"key": "N", "name": "None", "description": "There is no loss of confidentiality within the impacted component."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component."}, {"key": "H", "name": "High", "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "C", + "name": "Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." 
+ }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1.json index 4470ee41..64966a4b 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1.json +++ b/data/json/decision_points/cvss/confidentiality_requirement_1.json 
@@ -1 +1,30 @@ -{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "CR", + "name": "Confidentiality Requirement", + "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "M", + "name": "Medium", + "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." 
+ }, + { + "key": "H", + "name": "High", + "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)." + }, + { + "key": "ND", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} \ No newline at end of file diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1.json index 7b909bc1..bedacd44 100644 --- a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json +++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1.json 
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.1.0",
+ "schemaVersion": "1-0-1",
+ "key": "CR",
+ "name": "Confidentiality Requirement",
+ "description": "This metric measures the impact to the confidentiality of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
index 016d932b..eecf2cac 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.1.1", "schemaVersion": "1-0-1", "key": "CR", "name": "Confidentiality Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.1.1",
+ "schemaVersion": "1-0-1",
+ "key": "CR",
+ "name": "Confidentiality Requirement",
+ "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Loss of confidentiality is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Loss of confidentiality is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Loss of confidentiality is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/exploitability_1.json b/data/json/decision_points/cvss/exploitability_1.json
index fdeac3d9..a4251052 100644
--- a/data/json/decision_points/cvss/exploitability_1.json
+++ b/data/json/decision_points/cvss/exploitability_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "E",
+ "name": "Exploitability",
+ "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unproven",
+ "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ },
+ {
+ "key": "P",
+ "name": "Proof of Concept",
+ "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available.
The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ },
+ {
+ "key": "F",
+ "name": "Functional",
+ "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/exploitability_1_1.json b/data/json/decision_points/cvss/exploitability_1_1.json
index 65792b8c..a66619c8 100644
--- a/data/json/decision_points/cvss/exploitability_1_1.json
+++ b/data/json/decision_points/cvss/exploitability_1_1.json
@@ -1 +1,35 @@
-{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "E", "name": "Exploitability", "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.", "values": [{"key": "U", "name": "Unproven", "description": "No exploit code is yet available or an exploit method is entirely theoretical."}, {"key": "P", "name": "Proof of Concept", "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."}, {"key": "F", "name": "Functional", "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."}, {"key": "H", "name": "High", "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.1.0",
+ "schemaVersion": "1-0-1",
+ "key": "E",
+ "name": "Exploitability",
+ "description": "This metric measures the current state of exploit technique or code availability and suggests a likelihood of exploitation.",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unproven",
+ "description": "No exploit code is yet available or an exploit method is entirely theoretical."
+ },
+ {
+ "key": "P",
+ "name": "Proof of Concept",
+ "description": "Proof of concept exploit code or an attack demonstration that is not practically applicable to deployed systems is available. The code or technique is not functional in all situations and may require substantial hand tuning by a skilled attacker for use against deployed systems."
+ },
+ {
+ "key": "F",
+ "name": "Functional",
+ "description": "Functional exploit code is available. The code works in most situations where the vulnerability is exploitable."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)."
+ },
+ {
+ "key": "ND",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/impact_bias_1.json b/data/json/decision_points/cvss/impact_bias_1.json
index 2d6b4f51..2a49fde0 100644
--- a/data/json/decision_points/cvss/impact_bias_1.json
+++ b/data/json/decision_points/cvss/impact_bias_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IB", "name": "Impact Bias", "description": "This metric measures the impact bias of the vulnerability.", "values": [{"key": "N", "name": "Normal", "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."}, {"key": "C", "name": "Confidentiality", "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."}, {"key": "I", "name": "Integrity", "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."}, {"key": "A", "name": "Availability", "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "IB",
+ "name": "Impact Bias",
+ "description": "This metric measures the impact bias of the vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "Normal",
+ "description": "Confidentiality Impact, Integrity Impact, and Availability Impact are all assigned the same weight."
+ },
+ {
+ "key": "C",
+ "name": "Confidentiality",
+ "description": "Confidentiality impact is assigned greater weight than Integrity Impact or Availability Impact."
+ },
+ {
+ "key": "I",
+ "name": "Integrity",
+ "description": "Integrity Impact is assigned greater weight than Confidentiality Impact or Availability Impact."
+ },
+ {
+ "key": "A",
+ "name": "Availability",
+ "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/integrity_impact_1.json b/data/json/decision_points/cvss/integrity_impact_1.json
index daf6d35c..bb9d0b30 100644
--- a/data/json/decision_points/cvss/integrity_impact_1.json
+++ b/data/json/decision_points/cvss/integrity_impact_1.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.", "values": [{"key": "N", "name": "None", "description": "No impact on integrity."}, {"key": "P", "name": "Partial", "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."}, {"key": "C", "name": "Complete", "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "I",
+ "name": "Integrity Impact",
+ "description": "This metric measures the impact on integrity a successful exploit of the vulnerability will have on the target system.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "No impact on integrity."
+ },
+ {
+ "key": "P",
+ "name": "Partial",
+ "description": "Considerable breach in integrity. Modification of critical system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope."
+ },
+ {
+ "key": "C",
+ "name": "Complete",
+ "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised.
The attacker has sovereign control to modify any system files."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/integrity_impact_2.json b/data/json/decision_points/cvss/integrity_impact_2.json
index 58da5c1b..9bc278ad 100644
--- a/data/json/decision_points/cvss/integrity_impact_2.json
+++ b/data/json/decision_points/cvss/integrity_impact_2.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no impact to the integrity of the system."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "I",
+ "name": "Integrity Impact",
+ "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no impact to the integrity of the system."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of integrity, or a complete loss of protection."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_1.json b/data/json/decision_points/cvss/integrity_impact_2_0_1.json
index d689989e..95671937 100644
--- a/data/json/decision_points/cvss/integrity_impact_2_0_1.json
+++ b/data/json/decision_points/cvss/integrity_impact_2_0_1.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "2.0.1", "schemaVersion": "1-0-1", "key": "I", "name": "Integrity Impact", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "2.0.1",
+ "schemaVersion": "1-0-1",
+ "key": "I",
+ "name": "Integrity Impact",
+ "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no loss of integrity within the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of integrity, or a complete loss of protection."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/integrity_requirement_1.json b/data/json/decision_points/cvss/integrity_requirement_1.json
index 8d24a7e1..33ef7161 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "IR",
+ "name": "Integrity Requirement",
+ "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "ND",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1.json
index 25dad33b..405b1500 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.1.0",
+ "schemaVersion": "1-0-1",
+ "key": "IR",
+ "name": "Integrity Requirement",
+ "description": "This metric measures the impact to the integrity of a successfully exploited vulnerability.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
index 9e83e2c2..9f54fe28 100644
--- a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/integrity_requirement_1_1_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "IR", "name": "Integrity Requirement", "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst\u2019s organization, measured in terms of Confidentiality.", "values": [{"key": "L", "name": "Low", "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "M", "name": "Medium", "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "H", "name": "High", "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.1",
+ "schemaVersion": "1-0-1",
+ "key": "IR",
+ "name": "Integrity Requirement",
+ "description": "This metric enables the consumer to customize the assessment depending on the importance of the affected IT asset to the analyst’s organization, measured in terms of Confidentiality.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Loss of integrity is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Loss of integrity is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Loss of integrity is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers)."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/privileges_required_1.json b/data/json/decision_points/cvss/privileges_required_1.json
index cc4dc58e..003960ee 100644
--- a/data/json/decision_points/cvss/privileges_required_1.json
+++ b/data/json/decision_points/cvss/privileges_required_1.json
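Review bot: The new side of the `integrity_requirement_1_1_1.json` hunk still carries two apparent copy-paste errors that the reformat leaves in place: `"version": "1.0.1"` disagrees with the `_1_1_1` file name (the sibling `confidentiality_requirement_1_1_1.json` hunk carries `"1.1.1"`), and the top-level `"description"` ends with `measured in terms of Confidentiality` although this is the Integrity Requirement decision point. Any consumer that selects a decision point by its `version` field will not find the 1.1.1 definition under this name, so the two fields should be reconciled and the wording changed to `measured in terms of Integrity`. If these JSON files are produced from source definitions rather than edited by hand, the correction belongs in the generator and the file should be regenerated, otherwise it will be overwritten on the next run. The replacement of the escaped `\u2019` by a literal `’` also makes the file non-ASCII; that is valid JSON, but every reader and writer of these files must open them as UTF-8 explicitly.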
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "PR",
+ "name": "Privileges Required",
+ "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.",
+ "values": [
+ {
+ "key": "H",
+ "name": "High",
+ "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources."
+ },
+ {
+ "key": "N",
+ "name": "None",
+ "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json
index 8fcdde86..e46eb67d 100644
--- a/data/json/decision_points/cvss/privileges_required_1_0_1.json
+++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "1.0.1", "schemaVersion": "1-0-1", "key": "PR", "name": "Privileges Required", "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", "values": [{"key": "H", "name": "High", "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system\u2019s settings and files."}, {"key": "L", "name": "Low", "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."}, {"key": "N", "name": "None", "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.1",
+ "schemaVersion": "1-0-1",
+ "key": "PR",
+ "name": "Privileges Required",
+ "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric.
Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.",
+ "values": [
+ {
+ "key": "H",
+ "name": "High",
+ "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources."
+ },
+ {
+ "key": "N",
+ "name": "None",
+ "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/remediation_level_1.json b/data/json/decision_points/cvss/remediation_level_1.json
index 78c08b16..a71b3444 100644
--- a/data/json/decision_points/cvss/remediation_level_1.json
+++ b/data/json/decision_points/cvss/remediation_level_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "RL",
+ "name": "Remediation Level",
+ "description": "This metric measures the remediation status of a vulnerability.",
+ "values": [
+ {
+ "key": "OF",
+ "name": "Official Fix",
+ "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ },
+ {
+ "key": "TF",
+ "name": "Temporary Fix",
+ "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ },
+ {
+ "key": "W",
+ "name": "Workaround",
+ "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ },
+ {
+ "key": "U",
+ "name": "Unavailable",
+ "description": "There is either no solution available or it is impossible to apply."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/remediation_level_1_1.json b/data/json/decision_points/cvss/remediation_level_1_1.json
index 3354c3a5..0855a3fb 100644
--- a/data/json/decision_points/cvss/remediation_level_1_1.json
+++ b/data/json/decision_points/cvss/remediation_level_1_1.json
@@ -1 +1,35 @@
-{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RL", "name": "Remediation Level", "description": "This metric measures the remediation status of a vulnerability.", "values": [{"key": "OF", "name": "Official Fix", "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."}, {"key": "TF", "name": "Temporary Fix", "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."}, {"key": "W", "name": "Workaround", "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."}, {"key": "U", "name": "Unavailable", "description": "There is either no solution available or it is impossible to apply."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.1.0",
+ "schemaVersion": "1-0-1",
+ "key": "RL",
+ "name": "Remediation Level",
+ "description": "This metric measures the remediation status of a vulnerability.",
+ "values": [
+ {
+ "key": "OF",
+ "name": "Official Fix",
+ "description": "A complete vendor solution is available. Either the vendor has issued the final, official patch which eliminates the vulnerability or an upgrade that is not vulnerable is available."
+ },
+ {
+ "key": "TF",
+ "name": "Temporary Fix",
+ "description": "There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool or official workaround."
+ },
+ {
+ "key": "W",
+ "name": "Workaround",
+ "description": "There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate against the vulnerability. When it is generally accepted that these unofficial fixes are adequate in plugging the hole for the mean time and no official remediation is available, this value can be set."
+ },
+ {
+ "key": "U",
+ "name": "Unavailable",
+ "description": "There is either no solution available or it is impossible to apply."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/report_confidence_1.json b/data/json/decision_points/cvss/report_confidence_1.json
index 2383385c..01fc795f 100644
--- a/data/json/decision_points/cvss/report_confidence_1.json
+++ b/data/json/decision_points/cvss/report_confidence_1.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "RC",
+ "name": "Report Confidence",
+ "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "values": [
+ {
+ "key": "UC",
+ "name": "Unconfirmed",
+ "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ },
+ {
+ "key": "UR",
+ "name": "Uncorroborated",
+ "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ },
+ {
+ "key": "C",
+ "name": "Confirmed",
+ "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/report_confidence_1_1.json b/data/json/decision_points/cvss/report_confidence_1_1.json
index 859ae0ae..be9759a7 100644
--- a/data/json/decision_points/cvss/report_confidence_1_1.json
+++ b/data/json/decision_points/cvss/report_confidence_1_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "UC", "name": "Unconfirmed", "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."}, {"key": "UR", "name": "Uncorroborated", "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."}, {"key": "C", "name": "Confirmed", "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."}, {"key": "ND", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.1.0",
+ "schemaVersion": "1-0-1",
+ "key": "RC",
+ "name": "Report Confidence",
+ "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "values": [
+ {
+ "key": "UC",
+ "name": "Unconfirmed",
+ "description": "A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report."
+ },
+ {
+ "key": "UR",
+ "name": "Uncorroborated",
+ "description": "Multiple non-official sources; possibily including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity."
+ },
+ {
+ "key": "C",
+ "name": "Confirmed",
+ "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation."
+ },
+ {
+ "key": "ND",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/report_confidence_2.json b/data/json/decision_points/cvss/report_confidence_2.json
index f35f1bc9..794d8da4 100644
--- a/data/json/decision_points/cvss/report_confidence_2.json
+++ b/data/json/decision_points/cvss/report_confidence_2.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "RC", "name": "Report Confidence", "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.", "values": [{"key": "U", "name": "Unknown", "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."}, {"key": "R", "name": "Reasonable", "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."}, {"key": "C", "name": "Confirmed", "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "RC",
+ "name": "Report Confidence",
+ "description": "This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unknown",
+ "description": "There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described."
+ },
+ {
+ "key": "R",
+ "name": "Reasonable",
+ "description": "Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this)."
+ },
+ {
+ "key": "C",
+ "name": "Confirmed",
+ "description": "Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify the assertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/scope_1.json b/data/json/decision_points/cvss/scope_1.json
index 640ae6da..9dbdef2e 100644
--- a/data/json/decision_points/cvss/scope_1.json
+++ b/data/json/decision_points/cvss/scope_1.json
@@ -1 +1,20 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "S", "name": "Scope", "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", "values": [{"key": "U", "name": "Unchanged", "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."}, {"key": "C", "name": "Changed", "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "S",
+ "name": "Scope",
+ "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unchanged",
+ "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same."
+ },
+ {
+ "key": "C",
+ "name": "Changed",
+ "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/subsequent_availability_impact_1.json b/data/json/decision_points/cvss/subsequent_availability_impact_1.json
index 88822ee1..76d1190c 100644
--- a/data/json/decision_points/cvss/subsequent_availability_impact_1.json
+++ b/data/json/decision_points/cvss/subsequent_availability_impact_1.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SA", "name": "Subsequent Availability Impact", "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", "values": [{"key": "N", "name": "None", "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."}, {"key": "H", "name": "High", "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "SA",
+ "name": "Subsequent Availability Impact",
+ "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json b/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json
index 4e08a1a0..ff897172 100644
--- a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json
+++ b/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SC", "name": "Confidentiality Impact to the Subsequent System", "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", "values": [{"key": "N", "name": "Negligible", "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "SC",
+ "name": "Confidentiality Impact to the Subsequent System",
+ "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.",
+ "values": [
+ {
+ "key": "N",
+ "name": "Negligible",
+ "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json b/data/json/decision_points/cvss/subsequent_integrity_impact_1.json
index 59181634..a6baf936 100644
--- a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json
+++ b/data/json/decision_points/cvss/subsequent_integrity_impact_1.json
@@ -1 +1,25 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "SI", "name": "Integrity Impact to the Subsequent System", "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", "values": [{"key": "N", "name": "None", "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."}, {"key": "L", "name": "Low", "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."}, {"key": "H", "name": "High", "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "SI",
+ "name": "Integrity Impact to the Subsequent System",
+ "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/target_distribution_1.json b/data/json/decision_points/cvss/target_distribution_1.json
index 40f0b191..7cbaccec 100644
--- a/data/json/decision_points/cvss/target_distribution_1.json
+++ b/data/json/decision_points/cvss/target_distribution_1.json
@@ -1 +1,30 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "TD",
+ "name": "Target Distribution",
+ "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/target_distribution_1_1.json b/data/json/decision_points/cvss/target_distribution_1_1.json
index c61af269..45d295da 100644
--- a/data/json/decision_points/cvss/target_distribution_1_1.json
+++ b/data/json/decision_points/cvss/target_distribution_1_1.json
@@ -1 +1,35 @@
-{"namespace": "cvss", "version": "1.1.0", "schemaVersion": "1-0-1", "key": "TD", "name": "Target Distribution", "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.", "values": [{"key": "N", "name": "None", "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."}, {"key": "L", "name": "Low", "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."}, {"key": "M", "name": "Medium", "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."}, {"key": "H", "name": "High", "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."}, {"key": "X", "name": "Not Defined", "description": "This metric value is not defined. See CVSS documentation for details."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.1.0",
+ "schemaVersion": "1-0-1",
+ "key": "TD",
+ "name": "Target Distribution",
+ "description": "This metric measures the relative size of the field of target systems susceptible to the vulnerability. It is meant as an environment-specific indicator in order to approximate the percentage of systems within the environment that could be affected by the vulnerability.",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "description": "No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Targets exist inside the environment, but on a small scale. Between 1% - 15% of the total environment is at risk."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Targets exist inside the environment, but on a medium scale. Between 16% - 49% of the total environment is at risk."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/user_interaction_1.json b/data/json/decision_points/cvss/user_interaction_1.json
index afc55331..8c378db1 100644
--- a/data/json/decision_points/cvss/user_interaction_1.json
+++ b/data/json/decision_points/cvss/user_interaction_1.json
@@ -1 +1,20 @@
-{"namespace": "cvss", "version": "1.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", "values": [{"key": "R", "name": "Required", "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any user."}]}
\ No newline at end of file
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "UI",
+ "name": "User Interaction",
+ "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.",
+ "values": [
+ {
+ "key": "R",
+ "name": "Required",
+ "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited."
+ },
+ {
+ "key": "N",
+ "name": "None",
+ "description": "The vulnerable system can be exploited without interaction from any user."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/data/json/decision_points/cvss/user_interaction_2.json b/data/json/decision_points/cvss/user_interaction_2.json
index 0f2f1640..98b997d5 100644
--- a/data/json/decision_points/cvss/user_interaction_2.json
+++ b/data/json/decision_points/cvss/user_interaction_2.json
@@ -1 +1,25 @@ -{"namespace": "cvss", "version": "2.0.0", "schemaVersion": "1-0-1", "key": "UI", "name": "User Interaction", "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", "values": [{"key": "A", "name": "Active", "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker\u2019s payload, or the user\u2019s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability."}, {"key": "P", "name": "Passive", "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker\u2019s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system."}, {"key": "N", "name": "None", "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker."}]} \ No newline at end of file +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "UI", + "name": "User Interaction", + "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. 
The resulting score is greatest when no user interaction is required.", + "values": [ + { + "key": "A", + "name": "Active", + "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + }, + { + "key": "P", + "name": "Passive", + "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/CISA.json b/data/json/outcomes/CISA.json index 779e4112..c4ebbd2a 100644 --- a/data/json/outcomes/CISA.json +++ b/data/json/outcomes/CISA.json 
@@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "CISA Levels", "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", "outcomes": [{"key": "T", "name": "Track", "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines."}, {"key": "T*", "name": "Track*", "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."}, {"key": "A", "name": "Attend", "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."}, {"key": "A", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "CISA Levels", + "description": "The CISA outcome group. 
CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", + "outcomes": [ + { + "key": "T", + "name": "Track", + "description": "The vulnerability does not require action at this time. The organization would continue to track the vulnerability and reassess it if new information becomes available. CISA recommends remediating Track vulnerabilities within standard update timelines." + }, + { + "key": "T*", + "name": "Track*", + "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." + }, + { + "key": "A", + "name": "Attend", + "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." + }, + { + "key": "A", + "name": "Act", + "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/COORDINATE.json b/data/json/outcomes/COORDINATE.json index 19ad020f..67a4d9fa 100644 --- a/data/json/outcomes/COORDINATE.json +++ b/data/json/outcomes/COORDINATE.json 
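Review bot: `Attend` and `Act` are both emitted with `"key": "A"`, so the two highest-priority CISA outcomes are indistinguishable to anything that consumes the one-letter key (outcome tables, CSV or policy exports), while every other outcome group in this series has unique keys. The duplicate is already present on the removed line, so the reformat only carries it forward; since this file appears to be produced by `outcomes_to_json.py` the fix belongs in the Python definition of the CISA group (not visible here), with the JSON regenerated afterwards. It would also be worth rejecting duplicate keys at model-construction time (a validator on the outcome group model) so a regeneration cannot reintroduce the collision.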
@@ -1 +1,23 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Decline, Track, Coordinate", "description": "The coordinate outcome group.", "outcomes": [{"key": "D", "name": "Decline", "description": "Decline"}, {"key": "T", "name": "Track", "description": "Track"}, {"key": "C", "name": "Coordinate", "description": "Coordinate"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Decline, Track, Coordinate", + "description": "The coordinate outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Decline", + "description": "Decline" + }, + { + "key": "T", + "name": "Track", + "description": "Track" + }, + { + "key": "C", + "name": "Coordinate", + "description": "Coordinate" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/CVSS.json b/data/json/outcomes/CVSS.json index ee9cec55..5d3d3bd2 100644 --- a/data/json/outcomes/CVSS.json +++ b/data/json/outcomes/CVSS.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "CVSS Levels", "description": "The CVSS outcome group.", "outcomes": [{"key": "L", "name": "Low", "description": "Low"}, {"key": "M", "name": "Medium", "description": "Medium"}, {"key": "H", "name": "High", "description": "High"}, {"key": "C", "name": "Critical", "description": "Critical"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "CVSS Levels", + "description": "The CVSS outcome group.", + "outcomes": [ + { + "key": "L", + "name": "Low", + "description": "Low" + }, + { + "key": "M", + "name": "Medium", + "description": "Medium" + }, + { + "key": "H", + "name": "High", + "description": "High" + }, + { + "key": "C", + "name": "Critical", + "description": "Critical" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/DSOI.json b/data/json/outcomes/DSOI.json index 8cc15f4b..8e16b6f6 100644 --- a/data/json/outcomes/DSOI.json +++ b/data/json/outcomes/DSOI.json 
@@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Defer, Scheduled, Out-of-Cycle, Immediate", "description": "The original SSVC outcome group.", "outcomes": [{"key": "D", "name": "Defer", "description": "Defer"}, {"key": "S", "name": "Scheduled", "description": "Scheduled"}, {"key": "O", "name": "Out-of-Cycle", "description": "Out-of-Cycle"}, {"key": "I", "name": "Immediate", "description": "Immediate"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Defer, Scheduled, Out-of-Cycle, Immediate", + "description": "The original SSVC outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Defer", + "description": "Defer" + }, + { + "key": "S", + "name": "Scheduled", + "description": "Scheduled" + }, + { + "key": "O", + "name": "Out-of-Cycle", + "description": "Out-of-Cycle" + }, + { + "key": "I", + "name": "Immediate", + "description": "Immediate" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/EISENHOWER.json b/data/json/outcomes/EISENHOWER.json index 0bf7844e..40d98902 100644 --- a/data/json/outcomes/EISENHOWER.json +++ b/data/json/outcomes/EISENHOWER.json 
@@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Do, Schedule, Delegate, Delete", "description": "The Eisenhower outcome group.", "outcomes": [{"key": "D", "name": "Delete", "description": "Delete"}, {"key": "G", "name": "Delegate", "description": "Delegate"}, {"key": "S", "name": "Schedule", "description": "Schedule"}, {"key": "O", "name": "Do", "description": "Do"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Do, Schedule, Delegate, Delete", + "description": "The Eisenhower outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Delete", + "description": "Delete" + }, + { + "key": "G", + "name": "Delegate", + "description": "Delegate" + }, + { + "key": "S", + "name": "Schedule", + "description": "Schedule" + }, + { + "key": "O", + "name": "Do", + "description": "Do" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/MOSCOW.json b/data/json/outcomes/MOSCOW.json index e4f466be..3156c47d 100644 --- a/data/json/outcomes/MOSCOW.json +++ b/data/json/outcomes/MOSCOW.json @@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Must, Should, Could, Won't", "description": "The Moscow outcome group.", "outcomes": [{"key": "W", "name": "Won't", "description": "Won't"}, {"key": "C", "name": "Could", "description": "Could"}, {"key": "S", "name": "Should", "description": "Should"}, {"key": "M", "name": "Must", "description": "Must"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Must, Should, Could, Won't", + "description": "The Moscow outcome group.", + "outcomes": [ + { + "key": "W", + "name": "Won't", + "description": "Won't" + }, + { + "key": "C", + "name": "Could", + "description": "Could" + }, + { + "key": "S", + "name": "Should", + "description": "Should" + }, + { + "key": "M", + "name": "Must", + "description": "Must" + } + ] +} \ No newline at end of file 
diff --git a/data/json/outcomes/PUBLISH.json b/data/json/outcomes/PUBLISH.json index 355a56a2..fd656624 100644 --- a/data/json/outcomes/PUBLISH.json +++ b/data/json/outcomes/PUBLISH.json @@ -1 +1,18 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Publish, Do Not Publish", "description": "The publish outcome group.", "outcomes": [{"key": "N", "name": "Do Not Publish", "description": "Do Not Publish"}, {"key": "P", "name": "Publish", "description": "Publish"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Publish, Do Not Publish", + "description": "The publish outcome group.", + "outcomes": [ + { + "key": "N", + "name": "Do Not Publish", + "description": "Do Not Publish" + }, + { + "key": "P", + "name": "Publish", + "description": "Publish" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/THE_PARANOIDS.json b/data/json/outcomes/THE_PARANOIDS.json index 121804e7..f19fb83d 100644 --- a/data/json/outcomes/THE_PARANOIDS.json +++ b/data/json/outcomes/THE_PARANOIDS.json 
@@ -1 +1,38 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "theParanoids", "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.", "outcomes": [{"key": "5", "name": "Track 5", "description": "Track"}, {"key": "4", "name": "Track Closely 4", "description": "Track Closely"}, {"key": "3", "name": "Attend 3", "description": "Attend"}, {"key": "2", "name": "Attend 2", "description": "Attend"}, {"key": "1", "name": "Act 1", "description": "Act"}, {"key": "0", "name": "Act ASAP 0", "description": "Act ASAP"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "theParanoids", + "description": "PrioritizedRiskRemediation outcome group based on TheParanoids.", + "outcomes": [ + { + "key": "5", + "name": "Track 5", + "description": "Track" + }, + { + "key": "4", + "name": "Track Closely 4", + "description": "Track Closely" + }, + { + "key": "3", + "name": "Attend 3", + "description": "Attend" + }, + { + "key": "2", + "name": "Attend 2", + "description": "Attend" + }, + { + "key": "1", + "name": "Act 1", + "description": "Act" + }, + { + "key": "0", + "name": "Act ASAP 0", + "description": "Act ASAP" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/VALUE_COMPLEXITY.json b/data/json/outcomes/VALUE_COMPLEXITY.json index e7f03c44..b60d42f8 100644 --- a/data/json/outcomes/VALUE_COMPLEXITY.json +++ b/data/json/outcomes/VALUE_COMPLEXITY.json 
@@ -1 +1,28 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Value, Complexity", "description": "The Value/Complexity outcome group.", "outcomes": [{"key": "D", "name": "Drop", "description": "Drop"}, {"key": "R", "name": "Reconsider Later", "description": "Reconsider Later"}, {"key": "E", "name": "Easy Win", "description": "Easy Win"}, {"key": "F", "name": "Do First", "description": "Do First"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Value, Complexity", + "description": "The Value/Complexity outcome group.", + "outcomes": [ + { + "key": "D", + "name": "Drop", + "description": "Drop" + }, + { + "key": "R", + "name": "Reconsider Later", + "description": "Reconsider Later" + }, + { + "key": "E", + "name": "Easy Win", + "description": "Easy Win" + }, + { + "key": "F", + "name": "Do First", + "description": "Do First" + } + ] +} \ No newline at end of file diff --git a/data/json/outcomes/YES_NO.json b/data/json/outcomes/YES_NO.json index ad840aaa..1a6dcdff 100644 --- a/data/json/outcomes/YES_NO.json +++ b/data/json/outcomes/YES_NO.json @@ -1 +1,18 @@ -{"version": "1.0.0", "schemaVersion": "1-0-1", "name": "Yes, No", "description": "The Yes/No outcome group.", "outcomes": [{"key": "N", "name": "No", "description": "No"}, {"key": "Y", "name": "Yes", "description": "Yes"}]} \ No newline at end of file +{ + "version": "1.0.0", + "schemaVersion": "1-0-1", + "name": "Yes, No", + "description": "The Yes/No outcome group.", + "outcomes": [ + { + "key": "N", + "name": "No", + "description": "No" + }, + { + "key": "Y", + "name": "Yes", + "description": "Yes" + } + ] +} \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index cd9c038d..1bee6066 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -7,9 +7,9 @@ mkdocs-material-extensions==1.3.1
 mkdocstrings==0.27.0
 mkdocstrings-python==1.13.0
 mkdocs-print-site-plugin==2.6.0
-dataclasses-json==0.6.7
 thefuzz==0.22.1
 pandas==2.2.3
 scikit-learn==1.6.1
 jsonschema==4.23.0
 networkx==3.4.2
+pydantic==2.10.3
diff --git a/src/cvss_to_json.py b/src/cvss_to_json.py
index 63a23465..df739988 100644
--- a/src/cvss_to_json.py
+++ b/src/cvss_to_json.py
@@ -1,22 +1,57 @@ #!/usr/bin/python3" -mods = ["attack_complexity", "attack_requirements", "attack_vector", - "authentication", "availability_impact", "availability_requirement", - "collateral_damage_potential", "confidentiality_impact", - "confidentiality_requirement", "exploitability", "helpers", - "impact_bias", "integrity_impact", "integrity_requirement", - "privileges_required", "remediation_level", "report_confidence", - "scope", "subsequent_availability_impact", - "subsequent_confidentiality_impact", "subsequent_integrity_impact", - "target_distribution", "user_interaction"] -for mod in mods: - module = getattr(__import__('ssvc.decision_points.cvss', fromlist=[mod]), - mod) - for dp in dir(module): - if dp.upper().find(mod.upper()) > -1: - #user_interaction USER_INTERACTION_2 - print(mod, dp) - sdp = getattr(module, dp) - with open(f"../data/json/decision_points/cvss/{dp.lower()}.json", "w") as f: - f.write(sdp.to_json()) +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. 
Patent and Trademark Office by Carnegie Mellon University - +mods = [ + "attack_complexity", + "attack_requirements", + "attack_vector", + "authentication", + "availability_impact", + "availability_requirement", + "collateral_damage_potential", + "confidentiality_impact", + "confidentiality_requirement", + "exploitability", + "helpers", + "impact_bias", + "integrity_impact", + "integrity_requirement", + "privileges_required", + "remediation_level", + "report_confidence", + "scope", + "subsequent_availability_impact", + "subsequent_confidentiality_impact", + "subsequent_integrity_impact", + "target_distribution", + "user_interaction", +] + + +def main(): + for mod in mods: + module = getattr(__import__("ssvc.decision_points.cvss", fromlist=[mod]), mod) + for dp in dir(module): + if dp.upper().find(mod.upper()) > -1: + # user_interaction USER_INTERACTION_2 + print(mod, dp) + sdp = getattr(module, dp) + with open( + f"../data/json/decision_points/cvss/{dp.lower()}.json", "w" + ) as f: + f.write(sdp.model_dump_json(indent=2)) + + +if __name__ == "__main__": + main() diff --git a/src/outcomes_to_json.py b/src/outcomes_to_json.py index 6a1925a3..192c8169 100644 --- a/src/outcomes_to_json.py +++ b/src/outcomes_to_json.py 
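Review bot: Decision points are selected by the name-substring test `if dp.upper().find(mod.upper()) > -1:`, which never checks what `getattr(module, dp)` actually is, so any module attribute whose name happens to contain the module name but is not a decision point (a class, constant or re-export) reaches `sdp.model_dump_json(...)`, raises AttributeError mid-run and leaves the JSON tree partially regenerated. Safer to test the type instead: `sdp = getattr(module, dp)` / `if not isinstance(sdp, SsvcDecisionPoint): continue` (imported from `ssvc.decision_points.base`). The output is opened as `open(..., "w")` with no encoding while these descriptions contain non-ASCII text (the `’` in the CVSS v4 User Interaction values earlier in this series, which pydantic now writes unescaped where the old output used `\u2019`), so `encoding="utf-8"` should be passed to keep the generated files stable across locales. The shebang context line reads `#!/usr/bin/python3"` with a trailing quote; if that is really in the file rather than a rendering artifact, it prevents running the script directly.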
@@ -1,11 +1,29 @@
 #!/usr/bin/python3
+
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
+
 from ssvc.outcomes import groups
 from ssvc.outcomes.base import OutcomeGroup
-for x in dir(groups):
-    outcome = getattr(groups,x);
-    if type(outcome) == OutcomeGroup:
-        with open(f"../data/json/outcomes/{x}.json","w") as f:
-            f.write(outcome.to_json())
-
+def main():
+    for x in dir(groups):
+        outcome = getattr(groups, x)
+        if type(outcome) == OutcomeGroup:
+            with open(f"../data/json/outcomes/{x}.json", "w") as f:
+                f.write(outcome.model_dump_json(indent=2))
+
+
+if __name__ == "__main__":
+    main()
diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py
index 69b27017..c363a06f 100644
--- a/src/ssvc/_mixins.py
+++ b/src/ssvc/_mixins.py
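Review bot: `if type(outcome) == OutcomeGroup:` is an exact-type test, so any subclass of `OutcomeGroup` defined in `ssvc.outcomes.groups` is silently skipped and no JSON is written for it; now that these are pydantic models built for subclassing, `isinstance(outcome, OutcomeGroup)` is the check that matches the intent. As in the CVSS exporter, `open(f"../data/json/outcomes/{x}.json", "w")` relies on the locale's default encoding while `model_dump_json` emits non-ASCII characters verbatim, so pass `encoding="utf-8"`. The path is also relative to the current working directory rather than to the script, so running it from anywhere but `src/` fails or writes elsewhere; anchoring on `Path(__file__).resolve().parent.parent / "data" / "json" / "outcomes"` would remove that dependency.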
@@ -17,17 +17,14 @@
 # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
 # U.S. Patent and Trademark Office by Carnegie Mellon University
-from dataclasses import dataclass, field
 from typing import Optional
-from dataclasses_json import config, dataclass_json
+from pydantic import BaseModel, ConfigDict
 from . import _schemaVersion
-@dataclass_json
-@dataclass(kw_only=True)
-class _Versioned:
+class _Versioned(BaseModel):
     """
     Mixin class for versioned SSVC objects.
     """
@@ -36,9 +33,7 @@ class _Versioned:
     schemaVersion: str = _schemaVersion
-@dataclass_json
-@dataclass(kw_only=True)
-class _Namespaced:
+class _Namespaced(BaseModel):
     """
     Mixin class for namespaced SSVC objects.
     """
@@ -46,9 +41,7 @@ class _Namespaced:
     namespace: str = "ssvc"
-@dataclass_json
-@dataclass(kw_only=True)
-class _Keyed:
+class _Keyed(BaseModel):
     """
     Mixin class for keyed SSVC objects.
     """
@@ -60,21 +53,17 @@ def exclude_if_none(value):
     return value is None
-@dataclass_json
-@dataclass(kw_only=True)
-class _Commented:
+class _Commented(BaseModel):
     """
     Mixin class for commented SSVC objects.
     """
-    _comment: Optional[str] = field(
-        default=None, metadata=config(exclude=exclude_if_none)
-    )
+    _comment: Optional[str] = None
+    model_config = ConfigDict(json_encoders={Optional[str]: exclude_if_none})
-@dataclass_json
-@dataclass(kw_only=True)
-class _Base:
+
+class _Base(BaseModel):
     """
     Base class for SSVC objects.
     """
diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py
index 2c85c2e6..b7726c3e 100644
--- a/src/ssvc/decision_points/base.py
+++ b/src/ssvc/decision_points/base.py
@@ -18,10 +18,8 @@
 # U.S. Patent and Trademark Office by Carnegie Mellon University
 import logging
-from dataclasses import dataclass
-from typing import Iterable
-from dataclasses_json import dataclass_json
+from pydantic import BaseModel
 from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned
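Review bot: In `_Commented`, the rewritten field `_comment: Optional[str] = None` keeps its leading underscore, and pydantic v2 treats underscore-prefixed class attributes as private attributes rather than fields, so `_comment` is neither accepted from input nor emitted by `model_dump()`/`model_dump_json()` — a silent change to the serialized schema compared with the dataclasses-json version. The accompanying `model_config = ConfigDict(json_encoders={Optional[str]: exclude_if_none})` does not reproduce the old exclude-if-None behaviour either: `json_encoders` maps a type to a value-transforming encoder (and is deprecated in v2), it is not an exclusion hook, and `exclude_if_none` returns a bool. If the `_comment` key must survive in the JSON, declare it as an aliased field, e.g. `comment: Optional[str] = Field(default=None, alias="_comment")` with `model_config = ConfigDict(populate_by_name=True)`, and drop empty values at the dump sites with `model_dump_json(exclude_none=True)`. The `@@ -18,10 +18,8 @@` import hunk for `decision_points/base.py` sharing this line is a plain dependency swap and needs nothing.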
@@ -58,27 +56,18 @@ def _reset_registered():
     REGISTERED_DECISION_POINTS = []
-@dataclass_json
-@dataclass(kw_only=True)
-class SsvcDecisionPointValue(_Base, _Keyed):
+class SsvcDecisionPointValue(_Base, _Keyed, BaseModel):
     """
     Models a single value option for a decision point.
     """
-@dataclass_json
-@dataclass(kw_only=True)
-class SsvcDecisionPoint(
-    _Base,
-    _Keyed,
-    _Versioned,
-    _Namespaced,
-):
+class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, BaseModel):
     """
     Models a single decision point as a list of values.
     """
-    values: Iterable[SsvcDecisionPointValue] = ()
+    values: list[SsvcDecisionPointValue] = []
     def __iter__(self):
         """
@@ -86,13 +75,12 @@ def __iter__(self):
         """
         return iter(self.values)
-    def __post_init__(self):
+    def __init__(self, **data):
+        super().__init__(**data)
         register(self)
-        if isinstance(self.values[0], dict):
-            self.values = tuple(
-                SsvcDecisionPointValue.from_dict(v) for v in self.values
-            )
+    def __post_init__(self):
+        register(self)
 def main():
@@ -116,7 +104,7 @@ def main():
         version="1.0.0",
     )
-    print(dp.to_json(indent=2))
+    print(dp.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py
index eeab7283..b7b3042f 100644
--- a/src/ssvc/decision_points/critical_software.py
+++ b/src/ssvc/decision_points/critical_software.py
@@ -42,7 +42,7 @@
 def main():
-    print(CRITICAL_SOFTWARE_1.to_json(indent=2))
+    print(CRITICAL_SOFTWARE_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/cvss/base.py b/src/ssvc/decision_points/cvss/base.py
index e8868087..9a935991 100644
--- a/src/ssvc/decision_points/cvss/base.py
+++ b/src/ssvc/decision_points/cvss/base.py
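Review bot: The new `__init__` override is the only place `register(self)` is reachable, but pydantic v2 builds instances through `model_validate()` / `model_validate_json()` without calling `__init__`, so a decision point parsed back from the `data/json` files this series generates would never land in `REGISTERED_DECISION_POINTS`. The retained `__post_init__` is a dataclasses hook that pydantic never invokes, so it is dead code now — and if someone later renames it to the pydantic hook while keeping the `__init__` override, every instance is registered twice. Replace both with the hook that runs on every construction path: `def model_post_init(self, __context) -> None:` / `    register(self)`. Minor: `SsvcDecisionPointValue(_Base, _Keyed, BaseModel)` and the `SsvcDecisionPoint` bases list `BaseModel` explicitly although the mixins already derive from it; harmless, but it suggests a separate base that does not exist.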
@@ -2,8 +2,6 @@
 """
 Provides a base class for modeling CVSS vector metrics as SSVC decision points.
 """
-
-
 # Copyright (c) 2023-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
@@ -17,16 +15,12 @@
 # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
 # U.S. Patent and Trademark Office by Carnegie Mellon University
-from dataclasses import dataclass
-
-from dataclasses_json import dataclass_json
+from pydantic import BaseModel
 from ssvc.decision_points.base import SsvcDecisionPoint
-@dataclass_json
-@dataclass(kw_only=True)
-class CvssDecisionPoint(SsvcDecisionPoint):
+class CvssDecisionPoint(SsvcDecisionPoint, BaseModel):
     """
     Models a single CVSS decision point as a list of values.
     """
diff --git a/src/ssvc/decision_points/cvss/eq_sets.py b/src/ssvc/decision_points/cvss/eq_sets.py
index e00a37ee..0e12c2ea 100644
--- a/src/ssvc/decision_points/cvss/eq_sets.py
+++ b/src/ssvc/decision_points/cvss/eq_sets.py
@@ -184,7 +184,7 @@
 def main():
     for dp in [EQ1, EQ2, EQ3, EQ4, EQ5, EQ6]:
-        print(dp.to_json(indent=2))
+        print(dp.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py
index a4c60c7b..3dfb81ed 100644
--- a/src/ssvc/decision_points/helpers.py
+++ b/src/ssvc/decision_points/helpers.py
@@ -134,10 +134,14 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]:
     # did the value keys change?
     for name in intersection:
-        v1 = {value["name"]: value["key"] for value in dp1.to_dict()["values"]}
+        v1 = {
+            value["name"]: value["key"] for value in dp1.model_dump()["values"]
+        }
         v1 = v1[name]
-        v2 = {value["name"]: value["key"] for value in dp2.to_dict()["values"]}
+        v2 = {
+            value["name"]: value["key"] for value in dp2.model_dump()["values"]
+        }
         v2 = v2[name]
         if v1 != v2:
@@ -154,13 +158,13 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]:
     for name in intersection:
         v1 = {
             value["name"]: value["description"]
-            for value in dp1.to_dict()["values"]
+            for value in dp1.model_dump()["values"]
         }
         v1 = v1[name]
         v2 = {
             value["name"]: value["description"]
-            for value in dp2.to_dict()["values"]
+            for value in dp2.model_dump()["values"]
         }
         v2 = v2[name]
@@ -225,7 +229,7 @@ def print_versions_and_diffs(versions: Sequence[SsvcDecisionPoint]) -> None:
     None
     """
     for version in versions:
-        print(version.to_json(indent=2))
+        print(version.model_dump_json(indent=2))
     show_diffs(versions)
diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py
index 476c1848..66cb145b 100644
--- a/src/ssvc/decision_points/high_value_asset.py
+++ b/src/ssvc/decision_points/high_value_asset.py
@@ -42,7 +42,7 @@
 def main():
-    print(HIGH_VALUE_ASSET_1.to_json(indent=2))
+    print(HIGH_VALUE_ASSET_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/in_kev.py b/src/ssvc/decision_points/in_kev.py
index 2eccb516..2b10690c 100644
--- a/src/ssvc/decision_points/in_kev.py
+++ b/src/ssvc/decision_points/in_kev.py
@@ -42,7 +42,7 @@
 def main():
-    print(IN_KEV_1.to_json(indent=2))
+    print(IN_KEV_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py
index 621de7dd..40c168b1 100644
--- a/src/ssvc/decision_points/report_credibility.py
+++ b/src/ssvc/decision_points/report_credibility.py
@@ -43,7 +43,7 @@
 def main():
-    print(REPORT_CREDIBILITY_1.to_json(indent=2))
+    print(REPORT_CREDIBILITY_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py
index a3232121..fa2e4f59 100644
--- a/src/ssvc/decision_points/report_public.py
+++ b/src/ssvc/decision_points/report_public.py
@@ -42,7 +42,7 @@
 def main():
-    print(REPORT_PUBLIC_1.to_json(indent=2))
+    print(REPORT_PUBLIC_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py
index 4eb6d078..6cb2d330 100644
--- a/src/ssvc/decision_points/supplier_cardinality.py
+++ b/src/ssvc/decision_points/supplier_cardinality.py
@@ -44,7 +44,7 @@
 def main():
-    print(SUPPLIER_CARDINALITY_1.to_json(indent=2))
+    print(SUPPLIER_CARDINALITY_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py
index 87147f5f..3f185521 100644
--- a/src/ssvc/decision_points/supplier_contacted.py
+++ b/src/ssvc/decision_points/supplier_contacted.py
@@ -44,7 +44,7 @@
 def main():
-    print(SUPPLIER_CONTACTED_1.to_json(indent=2))
+    print(SUPPLIER_CONTACTED_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py
index 5c44249d..a3904d6b 100644
--- a/src/ssvc/decision_points/supplier_engagement.py
+++ b/src/ssvc/decision_points/supplier_engagement.py
@@ -45,7 +45,7 @@
 def main():
-    print(SUPPLIER_ENGAGEMENT_1.to_json(indent=2))
+    print(SUPPLIER_ENGAGEMENT_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py
index 09796f8f..a24aa8bf 100644
--- a/src/ssvc/decision_points/supplier_involvement.py
+++ b/src/ssvc/decision_points/supplier_involvement.py
@@ -52,7 +52,7 @@
 def main():
-    print(SUPPLIER_INVOLVEMENT_1.to_json(indent=2))
+    print(SUPPLIER_INVOLVEMENT_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py
index 131171cf..f0827083 100644
--- a/src/ssvc/decision_points/system_exposure.py
+++ b/src/ssvc/decision_points/system_exposure.py
@@ -79,8 +79,8 @@
 def main():
-    print(SYSTEM_EXPOSURE_1.to_json(indent=2))
-    print(SYSTEM_EXPOSURE_1_0_1.to_json(indent=2))
+    print(SYSTEM_EXPOSURE_1.model_dump_json(indent=2))
+    print(SYSTEM_EXPOSURE_1_0_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py
index ffa5d2cb..ae247bea 100644
--- a/src/ssvc/decision_points/technical_impact.py
+++ b/src/ssvc/decision_points/technical_impact.py
@@ -44,7 +44,7 @@
 def main():
-    print(TECHNICAL_IMPACT_1.to_json(indent=2))
+    print(TECHNICAL_IMPACT_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py
index f491314b..1daaed86 100644
--- a/src/ssvc/decision_points/value_density.py
+++ b/src/ssvc/decision_points/value_density.py
@@ -44,7 +44,7 @@
 def main():
-    print(VALUE_DENSITY_1.to_json(indent=2))
+    print(VALUE_DENSITY_1.model_dump_json(indent=2))
 if __name__ == "__main__":
diff --git a/src/ssvc/doctools.py b/src/ssvc/doctools.py
index 58fd3c28..8130aeb6 100644
--- a/src/ssvc/doctools.py
+++ b/src/ssvc/doctools.py
@@ -247,7 +247,7 @@ def dump_json(
     with EnsureDirExists(jsondir):
         try:
             with open(json_file, "x") as f:
-                f.write(dp.to_json(indent=2))
+                f.write(dp.model_dump_json(indent=2))
         except FileExistsError:
             logger.warning(
                 f"File {json_file} already exists, use --overwrite to replace"
diff --git a/src/ssvc/dp_groups/base.py b/src/ssvc/dp_groups/base.py
index 8ef826d5..f2c0b530 100644
--- a/src/ssvc/dp_groups/base.py
+++ b/src/ssvc/dp_groups/base.py
@@ -17,23 +17,18 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass -from typing import Iterable - -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc._mixins import _Base, _Versioned from ssvc.decision_points.base import SsvcDecisionPoint -@dataclass_json -@dataclass(kw_only=True) -class SsvcDecisionPointGroup(_Base, _Versioned): +class SsvcDecisionPointGroup(_Base, _Versioned, BaseModel): """ Models a group of decision points. """ - decision_points: Iterable[SsvcDecisionPoint] + decision_points: list[SsvcDecisionPoint] def __iter__(self): """ @@ -45,11 +40,13 @@ def __len__(self): """ Allow len() to be called on the group. """ - return len(self.decision_points) + dplist = list(self.decision_points) + l = len(dplist) + return l def get_all_decision_points_from( - *groups: Iterable[SsvcDecisionPointGroup], + *groups: list[SsvcDecisionPointGroup], ) -> list[SsvcDecisionPoint]: """ Given a list of SsvcDecisionPointGroup objects, return a list of all diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py index d0d32f73..a8e8a271 100644 --- a/src/ssvc/dp_groups/cvss/collections.py +++ b/src/ssvc/dp_groups/cvss/collections.py @@ -375,7 +375,7 @@ def main(): CVSSv4, ]: print(f"## {group.name} v{group.version}") - print(group.to_json(indent=2)) + print(group.model_dump_json(indent=2)) print() diff --git a/src/ssvc/dp_groups/ssvc/collections.py b/src/ssvc/dp_groups/ssvc/collections.py index be24c7ec..c7b2b527 100644 --- a/src/ssvc/dp_groups/ssvc/collections.py +++ b/src/ssvc/dp_groups/ssvc/collections.py @@ -60,7 +60,7 @@ def main(): for dpg in [SSVCv1, SSVCv2, SSVCv2_1]: - print(dpg.to_json(indent=2)) + print(dpg.model_dump_json(indent=2)) if __name__ == "__main__": 
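Review bot: The `__len__` rewrite in src/ssvc/dp_groups/base.py binds the length to a variable named `l`, which is indistinguishable from the digit 1 in many fonts (PEP 8 E741), and the intermediate `list()` copy looks redundant now that `decision_points` is declared `list[SsvcDecisionPoint]`; unless a non-list is expected to survive validation, `return len(self.decision_points)` says the same thing. The identical `dplist`/`l` pattern appears in `__len__` of src/ssvc/outcomes/base.py later in this change. In the same hunk, `*groups: list[SsvcDecisionPointGroup]` annotates each positional argument as a list of groups, whereas the star parameter and the docstring imply one group per argument, so `*groups: SsvcDecisionPointGroup` is the annotation that matches. The body of get_all_decision_points_from continues outside the hunk.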
diff --git a/src/ssvc/dp_groups/ssvc/coordinator_publication.py b/src/ssvc/dp_groups/ssvc/coordinator_publication.py index 6289c661..35423fd9 100644 --- a/src/ssvc/dp_groups/ssvc/coordinator_publication.py +++ b/src/ssvc/dp_groups/ssvc/coordinator_publication.py @@ -45,7 +45,7 @@ def main(): - print(COORDINATOR_PUBLICATION_1.to_json(indent=2)) + print(COORDINATOR_PUBLICATION_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/coordinator_triage.py b/src/ssvc/dp_groups/ssvc/coordinator_triage.py index 7266fbea..2fedb785 100644 --- a/src/ssvc/dp_groups/ssvc/coordinator_triage.py +++ b/src/ssvc/dp_groups/ssvc/coordinator_triage.py @@ -66,7 +66,7 @@ def main(): - print(COORDINATOR_TRIAGE_1.to_json(indent=2)) + print(COORDINATOR_TRIAGE_1.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/deployer.py b/src/ssvc/dp_groups/ssvc/deployer.py index 20df6e6d..76218acd 100644 --- a/src/ssvc/dp_groups/ssvc/deployer.py +++ b/src/ssvc/dp_groups/ssvc/deployer.py @@ -124,9 +124,9 @@ def main(): - print(PATCH_APPLIER_1.to_json(indent=2)) - print(DEPLOYER_2.to_json(indent=2)) - print(DEPLOYER_3.to_json(indent=2)) + print(PATCH_APPLIER_1.model_dump_json(indent=2)) + print(DEPLOYER_2.model_dump_json(indent=2)) + print(DEPLOYER_3.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/ssvc/supplier.py b/src/ssvc/dp_groups/ssvc/supplier.py index dc313dd4..05fb092c 100644 --- a/src/ssvc/dp_groups/ssvc/supplier.py +++ b/src/ssvc/dp_groups/ssvc/supplier.py @@ -91,8 +91,8 @@ def main(): - print(PATCH_DEVELOPER_1.to_json(indent=2)) - print(SUPPLIER_2.to_json(indent=2)) + print(PATCH_DEVELOPER_1.model_dump_json(indent=2)) + print(SUPPLIER_2.model_dump_json(indent=2)) if __name__ == "__main__": diff --git a/src/ssvc/outcomes/base.py b/src/ssvc/outcomes/base.py index 3436dce3..11eaf873 100644 --- a/src/ssvc/outcomes/base.py +++ b/src/ssvc/outcomes/base.py 
@@ -15,30 +15,23 @@ # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University -from dataclasses import dataclass -from typing import Iterable - -from dataclasses_json import dataclass_json +from pydantic import BaseModel from ssvc._mixins import _Base, _Keyed, _Versioned -@dataclass_json -@dataclass(kw_only=True) -class OutcomeValue(_Base, _Keyed): +class OutcomeValue(_Base, _Keyed, BaseModel): """ Models a single value option for an SSVC outcome. """ -@dataclass_json -@dataclass(kw_only=True) -class OutcomeGroup(_Base, _Versioned): +class OutcomeGroup(_Base, _Versioned, BaseModel): """ Models an outcome group. """ - outcomes: Iterable[OutcomeValue] + outcomes: list[OutcomeValue] def __iter__(self): """ @@ -50,6 +43,8 @@ def __len__(self): """ Allow len() to be called on the group. """ - return len(self.outcomes) + olist = list(self.outcomes) + l = len(olist) + return l # register all instances diff --git a/src/ssvc/policy_generator.py b/src/ssvc/policy_generator.py index 9779bf81..85ce86b9 100644 --- a/src/ssvc/policy_generator.py +++ b/src/ssvc/policy_generator.py @@ -19,7 +19,6 @@ import itertools import logging import math -from typing import List, Tuple import networkx as nx import pandas as pd @@ -48,7 +47,7 @@ def __init__( self, dp_group: SsvcDecisionPointGroup = None, outcomes: OutcomeGroup = None, - outcome_weights: List[float] = None, + outcome_weights: list[float] = None, validate: bool = False, ): """ 
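Review bot: `outcome_weights: list[float] = None` in the `__init__` signature of src/ssvc/policy_generator.py declares a required list while defaulting to None, so type checkers flag every call that omits it; `outcome_weights: list[float] | None = None` (3.10+ syntax, in keeping with the builtin generics this change adopts) states the actual contract. The same mismatch recurs in the next hunk of this file, where `self.top: tuple[int] = None` and `self.bottom: tuple[int] = None` additionally declare a one-element tuple; if these hold graph nodes of variable arity, `tuple[int, ...] | None` is the accurate form. The body of `__init__` continues outside the hunk.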
@@ -87,17 +86,15 @@ def __init__( # validate that the outcome weights sum to 1.0 total = sum(outcome_weights) if not math.isclose(total, 1.0): - raise ValueError( - f"Outcome weights must sum to 1.0, but sum to {total}" - ) + raise ValueError(f"Outcome weights must sum to 1.0, but sum to {total}") self.outcome_weights = outcome_weights logger.debug(f"Outcome weights: {self.outcome_weights}") self.policy: pd.DataFrame = None self.G: nx.DiGraph = nx.DiGraph() - self.top: Tuple[int] = None - self.bottom: Tuple[int] = None + self.top: tuple[int] = None + self.bottom: tuple[int] = None self._enumerated_vec = None self._check_valid_paths = validate @@ -205,9 +202,7 @@ def _assign_outcomes(self): logger.debug(f"Layer count: {len(layers)}") logger.debug(f"Layer sizes: {[len(layer) for layer in layers]}") - outcome_counts = [ - round(node_count * weight) for weight in self.outcome_weights - ] + outcome_counts = [round(node_count * weight) for weight in self.outcome_weights] toposort = list(nx.topological_sort(self.G)) logger.debug(f"Toposort: {toposort[:4]}...{toposort[-4:]}") @@ -296,15 +291,11 @@ def _confirm_topological_order(self, node_order: list) -> None: # all nodes must be in the graph for node in node_order: if node not in self.G.nodes: - raise ValueError( - f"Node order contains node {node} not in the graph" - ) + raise ValueError(f"Node order contains node {node} not in the graph") for node in self.G.nodes: if node not in node_order: - raise ValueError( - f"Graph contains node {node} not in the node order" - ) + raise ValueError(f"Graph contains node {node} not in the node order") node_idx = {node: i for i, node in enumerate(node_order)} diff --git a/src/ssvc_v2.py b/src/ssvc_v2.py index 5e084e1a..01f041bf 100644 --- a/src/ssvc_v2.py +++ b/src/ssvc_v2.py @@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University import os + import pandas as pd DATAPATH = "../data/csvs" 
@@ -107,21 +108,21 @@ def main(): df = lookup("coord_triage", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) print() query = {"Value added": "precedence"} df = lookup("coord_pub", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) print() query = {"Public-Safety Impact": "minimal"} df = lookup("supplier", query) print(query) print(df) - print(outcome_dist(df).round(decimals=3).to_dict()) + print(outcome_dist(df).round(decimals=3).model_dump()) if __name__ == "__main__": diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index f5036cd0..2e2083c7 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py @@ -42,7 +42,7 @@ class MyTestCase(unittest.TestCase): def setUp(self) -> None: - self.dp = SsvcDecisionPoint.from_dict(_dp_dict) + self.dp = SsvcDecisionPoint.model_validate(_dp_dict) # create a temp working dir self.tempdir = tempfile.TemporaryDirectory() @@ -187,7 +187,7 @@ def test_dump_json(self): # file is loadable json d = json.load(open(json_file)) - for k, v in dp.to_dict().items(): + for k, v in dp.model_dump().items(): self.assertEqual(v, d[k]) # should not overwrite the file diff --git a/src/test/test_dp_base.py b/src/test/test_dp_base.py index a5bf3567..7fa233d9 100644 --- a/src/test/test_dp_base.py +++ b/src/test/test_dp_base.py 
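Review bot: The three `print(outcome_dist(df).round(decimals=3).model_dump())` lines in main() of src/ssvc_v2.py will raise AttributeError at runtime: `.round(decimals=3)` is the pandas Series/DataFrame signature (the file imports pandas as pd), and pandas objects have no `model_dump` method, which belongs to pydantic models. This reads as a mechanical `to_dict` → `model_dump` replacement that also caught the pandas call; `.to_dict()` should be restored on these three lines. outcome_dist is defined outside the hunk, so its return type is inferred here, but nothing with a `round(decimals=...)` method in pandas provides `model_dump`.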
@@ -95,25 +95,25 @@ def test_ssvc_decision_point(self): def test_ssvc_value_json_roundtrip(self): for i, obj in enumerate(self.values): - json = obj.to_json() + json = obj.model_dump_json() self.assertIsInstance(json, str) self.assertGreater(len(json), 0) - obj2 = base.SsvcDecisionPointValue.from_json(json) + obj2 = base.SsvcDecisionPointValue.model_validate_json(json) self.assertEqual(obj, obj2) def test_ssvc_decision_point_json_roundtrip(self): obj = self.dp - json = obj.to_json() + json = obj.model_dump_json() self.assertIsInstance(json, str) self.assertGreater(len(json), 0) - obj2 = base.SsvcDecisionPoint.from_json(json) + obj2 = base.SsvcDecisionPoint.model_validate_json(json) # the objects should be equal self.assertEqual(obj, obj2) - self.assertEqual(obj.to_dict(), obj2.to_dict()) + self.assertEqual(obj.model_dump(), obj2.model_dump()) if __name__ == "__main__": diff --git a/src/test/test_dp_groups.py b/src/test/test_dp_groups.py index df3c04ac..e4c2397e 100644 --- a/src/test/test_dp_groups.py +++ b/src/test/test_dp_groups.py @@ -65,7 +65,8 @@ def test_len(self): decision_points=self.dps, ) - self.assertEqual(len(self.dps), len(g.decision_points)) + self.assertGreater(len(self.dps), 0) + self.assertEqual(len(self.dps), len(list(g.decision_points))) self.assertEqual(len(self.dps), len(g)) def test_json_roundtrip(self): @@ -77,12 +78,12 @@ def test_json_roundtrip(self): ) # serialize the group to json - g_json = g.to_json() + g_json = g.model_dump_json() # deserialize the json to a new group - g2 = dpg.SsvcDecisionPointGroup.from_json(g_json) + g2 = dpg.SsvcDecisionPointGroup.model_validate_json(g_json) # assert that the new group is the same as the old group - self.assertEqual(g.to_dict(), g2.to_dict()) + self.assertEqual(g_json, g2.model_dump_json()) if __name__ == "__main__": diff --git a/src/test/test_mixins.py b/src/test/test_mixins.py index b3751177..f86ae5c1 100644 --- a/src/test/test_mixins.py +++ b/src/test/test_mixins.py 
@@ -12,11 +12,10 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University import unittest -from dataclasses import dataclass -from dataclasses_json import dataclass_json +from pydantic import BaseModel, ValidationError -from ssvc._mixins import _Base, _Keyed, _Versioned, _Namespaced +from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned class TestMixins(unittest.TestCase): @@ -29,34 +28,33 @@ def test_ssvc_base_create(self): self.assertEqual(obj.description, "baz") # empty - self.assertRaises(TypeError, _Base) + self.assertRaises(ValidationError, _Base) # no name - self.assertRaises(TypeError, _Base, description="baz") + self.assertRaises(ValidationError, _Base, description="baz") # no description - self.assertRaises(TypeError, _Base, name="foo") + self.assertRaises(ValidationError, _Base, name="foo") def test_json_roundtrip(self): obj = self.obj - json = obj.to_json() + json = obj.model_dump_json() # is it a string? self.assertIsInstance(json, str) # does it look right? - self.assertEqual(json, '{"name": "foo", "description": "baz"}') + self.assertEqual(json, '{"name":"foo","description":"baz"}') # modify the raw json string json = json.replace("foo", "quux") - self.assertEqual(json, '{"name": "quux", "description": "baz"}') + self.assertEqual(json, '{"name":"quux","description":"baz"}') # does it load? - obj2 = _Base.from_json(json) + obj2 = _Base.model_validate_json(json) self.assertEqual(obj2.name, "quux") self.assertEqual(obj2.description, "baz") def test_asdict_roundtrip(self): - from dataclasses import asdict obj = self.obj - d = asdict(obj) + d = obj.model_dump() self.assertIsInstance(d, dict) self.assertEqual(d["name"], "foo") @@ -88,7 +86,7 @@ def test_keyed_create(self): obj = _Keyed(key="foo") self.assertEqual(obj.key, "foo") - self.assertRaises(TypeError, _Keyed) + self.assertRaises(ValidationError, _Keyed) def test_mixin_combos(self): # We need to test all the combinations 
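Review bot: `test_asdict_roundtrip` now exercises `obj.model_dump()` rather than `dataclasses.asdict`, so the method name no longer describes what it tests; renaming it `test_model_dump_roundtrip` keeps the test report readable. The exact-string assertions such as `'{"name":"foo","description":"baz"}'` also pin pydantic's compact separators and field order, which works as a regression check but will need updating if fields are reordered or a serializer option is added.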
@@ -122,9 +120,7 @@ def test_mixin_combos(self): args = {k: v for x in combo for k, v in x["args"].items()} # create an object with the mixins - @dataclass_json - @dataclass(kw_only=True) - class Foo(_Base, *classes): + class Foo(_Base, *classes, BaseModel): pass # make sure it breaks if we leave out a required arg @@ -136,10 +132,10 @@ class Foo(_Base, *classes): # expect success obj = Foo(name="foo", description="baz", **args_copy) # make sure the key is defaulted - self.assertEqual(getattr(Foo, k), getattr(obj, k)) + self.assertIsNotNone(getattr(obj, k)) else: self.assertRaises( - TypeError, + ValidationError, Foo, name="foo", description="baz", @@ -155,19 +151,19 @@ class Foo(_Base, *classes): self.assertEqual(getattr(obj, k), v) # test json roundtrip - json = obj.to_json() + json = obj.model_dump_json() # is it a string? self.assertIsInstance(json, str) # does it look right? - self.assertIn('"name": "foo"', json) - self.assertIn('"description": "baz"', json) + self.assertIn('"name":"foo"', json) + self.assertIn('"description":"baz"', json) for k, v in args.items(): - self.assertIn(f'"{k}": "{v}"', json) + self.assertIn(f'"{k}":"{v}"', json) # change the name and description json = json.replace("foo", "quux") json = json.replace("baz", "fizz") # does it load? - obj2 = Foo.from_json(json) + obj2 = Foo.model_validate_json(json) self.assertEqual(obj2.name, "quux") self.assertEqual(obj2.description, "fizz") # make sure the args are set diff --git a/src/test/test_outcomes.py b/src/test/test_outcomes.py index 698991b3..4f5738e9 100644 --- a/src/test/test_outcomes.py +++ b/src/test/test_outcomes.py @@ -27,8 +27,6 @@ def test_outcome_value(self): self.assertEqual(ov.description, x) def test_outcome_group(self): - ALPHABET - values = [] for x in ALPHABET: values.append(OutcomeValue(key=x, name=x, description=x)) 
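Review bot: `self.assertIsNotNone(getattr(obj, k))` in test_mixin_combos is weaker than the equality check it replaces: it no longer verifies that the omitted argument was filled with the declared default, only that some non-None value was set. The declared default is available on the pydantic model as `Foo.model_fields[k].default`, so `self.assertEqual(Foo.model_fields[k].default, getattr(obj, k))` restores the original strength. test_mixin_combos starts outside the hunk.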
@@ -42,10 +40,11 @@ def test_outcome_group(self): self.assertEqual(len(og), len(ALPHABET)) + og_outcomes = list(og.outcomes) for i, letter in enumerate(ALPHABET): - self.assertEqual(og.outcomes[i].key, letter) - self.assertEqual(og.outcomes[i].name, letter) - self.assertEqual(og.outcomes[i].description, letter) + self.assertEqual(og_outcomes[i].key, letter) + self.assertEqual(og_outcomes[i].name, letter) + self.assertEqual(og_outcomes[i].description, letter) if __name__ == "__main__": diff --git a/src/test/test_schema.py b/src/test/test_schema.py index db08923c..65568501 100644 --- a/src/test/test_schema.py +++ b/src/test/test_schema.py @@ -32,7 +32,6 @@ CVSSv3, CVSSv4, ) # noqa - # importing these causes the decision points to register themselves from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa @@ -55,7 +54,6 @@ def retrieve_local(uri: str) -> Resource: return Resource.from_contents(schema) - registry = Registry(retrieve=retrieve_local) @@ -90,19 +88,17 @@ def test_decision_point_validation(self): for dp in decision_points: exp = None - as_json = dp.to_json() + as_json = dp.model_dump_json() loaded = json.loads(as_json) try: - Draft202012Validator( - {"$ref": schema_url}, registry=registry - ).validate(loaded) + Draft202012Validator({"$ref": schema_url}, registry=registry).validate( + loaded + ) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone( - exp, f"Validation failed for {dp.name} {dp.version}" - ) + self.assertIsNone(exp, f"Validation failed for {dp.name} {dp.version}") self.logger.debug( f"Validation passed for Decision Point ({dp.namespace}) {dp.name} v{dp.version}" ) 
@@ -111,23 +107,26 @@ def test_decision_point_group_validation(self): schema_url = "https://certcc.github.io/SSVC/data/schema/current/Decision_Point_Group.schema.json" for dpg in self.dpgs: exp = None - as_json = dpg.to_json() + as_json = dpg.model_dump_json() loaded = json.loads(as_json) try: - Draft202012Validator( - {"$ref": schema_url}, registry=registry - ).validate(loaded) + Draft202012Validator({"$ref": schema_url}, registry=registry).validate( + loaded + ) except jsonschema.exceptions.ValidationError as e: exp = e - self.assertIsNone( - exp, f"Validation failed for {dpg.name} {dpg.version}" - ) + self.assertIsNone(exp, f"Validation failed for {dpg.name} {dpg.version}") self.logger.debug( f"Validation passed for Decision Point Group {dpg.name} v{dpg.version}" ) + @unittest.skip("Test not implemented") + def test_outcome_group_schema_validation(self): + # TODO: Implement test + self.fail() + if __name__ == "__main__": unittest.main() From 4bab3d50f6512efcb1ece64d2ab79afe52d7f49d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 11:11:20 -0500 Subject: [PATCH 08/31] Bump mkdocs-bibtex from 3.0.0 to 4.1.0 (#675) Bumps [mkdocs-bibtex](https://github.com/shyamd/mkdocs-bibtex) from 3.0.0 to 4.1.0. - [Release notes](https://github.com/shyamd/mkdocs-bibtex/releases) - [Commits](https://github.com/shyamd/mkdocs-bibtex/compare/v3.0.0...v4.1.0) --- updated-dependencies: - dependency-name: mkdocs-bibtex dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 1bee6066..fe39a3a8 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,5 +1,5 @@
 mkdocs==1.6.1
-mkdocs-bibtex==3.0.0
+mkdocs-bibtex==4.1.0
 mkdocs-include-markdown-plugin==7.1.2
 mkdocs-table-reader-plugin==3.1.0
 mkdocs-material==9.5.50
From 16015f27dff29b129d77f3ed5a709b641daf9429 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 11:11:49 -0500 Subject: [PATCH 09/31] Bump pydantic from 2.10.3 to 2.10.6 (#676) Bumps [pydantic](https://github.com/pydantic/pydantic) from 2.10.3 to 2.10.6. - [Release notes](https://github.com/pydantic/pydantic/releases) - [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md) - [Commits](https://github.com/pydantic/pydantic/compare/v2.10.3...v2.10.6) --- updated-dependencies: - dependency-name: pydantic dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index fe39a3a8..d60b8c43 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,4 +12,4 @@ pandas==2.2.3
 scikit-learn==1.6.1
 jsonschema==4.23.0
 networkx==3.4.2
-pydantic==2.10.3
+pydantic==2.10.6
From fce5b70a7075bde6fd48faf346af48320cdf99b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Feb 2025 15:45:43 -0500 Subject: [PATCH 10/31] Bump the mkdocs group with 2 updates (#677) --- requirements.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index d60b8c43..9a40cadd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,9 +2,9 @@ mkdocs==1.6.1
 mkdocs-bibtex==4.1.0
 mkdocs-include-markdown-plugin==7.1.2
 mkdocs-table-reader-plugin==3.1.0
-mkdocs-material==9.5.50
+mkdocs-material==9.6.2
 mkdocs-material-extensions==1.3.1
-mkdocstrings==0.27.0
+mkdocstrings==0.28.0
 mkdocstrings-python==1.13.0
 mkdocs-print-site-plugin==2.6.0
 thefuzz==0.22.1
From 9b86ef1f9a983f4a8611e09e29d1d2030ed4e351 Mon Sep 17 00:00:00 2001 From: sei-renae Date: Mon, 10 Feb 2025 10:36:41 -0500 Subject: [PATCH 11/31] Update module docstrings (#679) * Standardize docstrings to define what the program does, add missing license wording, and format blank lines around header docstrings. * Undo a deleted line --- src/ssvc/decision_points/automatable.py | 5 ++--- src/ssvc/decision_points/base.py | 5 ++--- src/ssvc/decision_points/critical_software.py | 1 + src/ssvc/decision_points/helpers.py | 1 + src/ssvc/decision_points/high_value_asset.py | 1 + src/ssvc/decision_points/human_impact.py | 1 + src/ssvc/decision_points/mission_impact.py | 5 ++--- src/ssvc/decision_points/mission_prevalence.py | 6 ++++++ src/ssvc/decision_points/public_safety_impact.py | 1 + src/ssvc/decision_points/public_value_added.py | 1 + src/ssvc/decision_points/report_credibility.py | 1 + src/ssvc/decision_points/report_public.py | 1 + src/ssvc/decision_points/safety_impact.py | 1 + src/ssvc/decision_points/supplier_cardinality.py | 5 ++--- src/ssvc/decision_points/supplier_contacted.py | 4 +--- src/ssvc/decision_points/supplier_engagement.py | 5 ++--- src/ssvc/decision_points/supplier_involvement.py | 4 +--- src/ssvc/decision_points/system_exposure.py | 5 ++--- src/ssvc/decision_points/technical_impact.py | 8 ++++---- src/ssvc/decision_points/utility.py | 5 +++++ src/ssvc/decision_points/value_density.py | 7 +++---- 21 files changed, 41 insertions(+), 32 deletions(-)
diff --git a/src/ssvc/decision_points/automatable.py b/src/ssvc/decision_points/automatable.py
index 061ee27c..a1745321 100644
--- a/src/ssvc/decision_points/automatable.py
+++ b/src/ssvc/decision_points/automatable.py @@ -1,8 +1,7 @@ #!/usr/bin/env python + """ -file: automatable -author: adh -created_at: 9/21/23 10:37 AM +Provides the Automatable decision point and its values. """ # Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index b7726c3e..869e3263 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -1,8 +1,7 @@ #!/usr/bin/env python + """ -file: decisionpoints -author: adh -created_at: 9/20/23 10:07 AM +Defines the formatting for SSVC Decision Points. """ # Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py index b7b3042f..7fc28a4c 100644 --- a/src/ssvc/decision_points/critical_software.py +++ b/src/ssvc/decision_points/critical_software.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Provides an SSVC decision point for critical software designation. """ diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py index 3dfb81ed..1a93505a 100644 --- a/src/ssvc/decision_points/helpers.py +++ b/src/ssvc/decision_points/helpers.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Provides helper functions for working with SSVC decision points. """ diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py index 66cb145b..b483b7e3 100644 --- a/src/ssvc/decision_points/high_value_asset.py +++ b/src/ssvc/decision_points/high_value_asset.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Models a high value asset as a decision point. """ diff --git a/src/ssvc/decision_points/human_impact.py b/src/ssvc/decision_points/human_impact.py index 72fd105f..1b178d92 100644 
--- a/src/ssvc/decision_points/human_impact.py +++ b/src/ssvc/decision_points/human_impact.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Provides the Human Impact decision point and its values. """ diff --git a/src/ssvc/decision_points/mission_impact.py b/src/ssvc/decision_points/mission_impact.py index ebedb6ae..d98f4208 100644 --- a/src/ssvc/decision_points/mission_impact.py +++ b/src/ssvc/decision_points/mission_impact.py @@ -1,8 +1,7 @@ #!/usr/bin/env python + """ -file: mission_impact -author: adh -created_at: 9/21/23 10:20 AM +Provides the Mission Impact decision point and its values. """ # Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py index 98691625..6fb697e8 100644 --- a/src/ssvc/decision_points/mission_prevalence.py +++ b/src/ssvc/decision_points/mission_prevalence.py @@ -1,3 +1,9 @@ +#!/usr/bin/env python + +""" +Provides the Mission Prevalence decision point and its values." +""" + # Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project diff --git a/src/ssvc/decision_points/public_safety_impact.py b/src/ssvc/decision_points/public_safety_impact.py index 6b5ff26e..f057a39c 100644 --- a/src/ssvc/decision_points/public_safety_impact.py +++ b/src/ssvc/decision_points/public_safety_impact.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Provides the Public Safety Impact decision point and its values. """ diff --git a/src/ssvc/decision_points/public_value_added.py b/src/ssvc/decision_points/public_value_added.py index 1028726c..cec1b200 100644 --- a/src/ssvc/decision_points/public_value_added.py +++ b/src/ssvc/decision_points/public_value_added.py 
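Review bot: The new module docstring in src/ssvc/decision_points/mission_prevalence.py ends with a stray double quote, `Provides the Mission Prevalence decision point and its values."`; it sits inside the triple-quoted string so the file still parses, but the quote is rendered verbatim into generated API docs. The line should read `Provides the Mission Prevalence decision point and its values.` like the sibling modules in this change.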
@@ -1,4 +1,5 @@ #!/usr/bin/env python + """ This module provides the Public Value Added decision point for the Stakeholder Specific Vulnerability Categorization (SSVC) framework. """ diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py index 40c168b1..3fbcdd51 100644 --- a/src/ssvc/decision_points/report_credibility.py +++ b/src/ssvc/decision_points/report_credibility.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Provides the SSVC Report Credibility Decision Point """ diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py index fa2e4f59..815d296c 100644 --- a/src/ssvc/decision_points/report_public.py +++ b/src/ssvc/decision_points/report_public.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Provides the SSVC Report Public Decision Point """ diff --git a/src/ssvc/decision_points/safety_impact.py b/src/ssvc/decision_points/safety_impact.py index 21405db8..110d053c 100644 --- a/src/ssvc/decision_points/safety_impact.py +++ b/src/ssvc/decision_points/safety_impact.py @@ -1,4 +1,5 @@ #!/usr/bin/env python + """ Provides the Safety Impact decision point and its values. """ diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py index 6cb2d330..e0c9ecfb 100644 --- a/src/ssvc/decision_points/supplier_cardinality.py +++ b/src/ssvc/decision_points/supplier_cardinality.py @@ -1,8 +1,7 @@ #!/usr/bin/env python + """ -file: supplier_cardinality -author: adh -created_at: 9/21/23 11:20 AM +Provides the Supplier Cardinality decision point and its values. """ # Copyright (c) 2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py index 3f185521..1d07aa00 100644 --- a/src/ssvc/decision_points/supplier_contacted.py +++ b/src/ssvc/decision_points/supplier_contacted.py 
@@ -1,8 +1,6 @@
 #!/usr/bin/env python
 """
-file: supplier_contacted
-author: adh
-created_at: 9/21/23 11:17 AM
+Provides the Supplier Engagement decision point and its values.
 """
 # Copyright (c) 2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py
index a3904d6b..94f94097 100644
--- a/src/ssvc/decision_points/supplier_engagement.py
+++ b/src/ssvc/decision_points/supplier_engagement.py
@@ -1,8 +1,7 @@
 #!/usr/bin/env python
+
 """
-file: supplier_engagement
-author: adh
-created_at: 9/21/23 11:22 AM
+Provides the Supplier Engagement decision point and its values.
 """
 # Copyright (c) 2025 Carnegie Mellon University and Contributors.
diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py
index a24aa8bf..e7712e27 100644
--- a/src/ssvc/decision_points/supplier_involvement.py
+++ b/src/ssvc/decision_points/supplier_involvement.py
@@ -1,8 +1,6 @@
 #!/usr/bin/env python
 """
-file: supplier_involvement
-author: adh
-created_at: 9/21/23 11:28 AM
+Provides the Supplier Involvement decision point and its values.
 """
 # Copyright (c) 2025 Carnegie Mellon University and Contributors.
diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py
index f0827083..12a7a10b 100644
--- a/src/ssvc/decision_points/system_exposure.py
+++ b/src/ssvc/decision_points/system_exposure.py
@@ -1,8 +1,7 @@
 #!/usr/bin/env python
+
 """
-file: exposure
-author: adh
-created_at: 9/21/23 10:16 AM
+Provides the System Exposure decision point and its values.
 """
 # Copyright (c) 2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py
index ae247bea..6f8133a6 100644
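Review bot: The docstring written into supplier_contacted.py names the wrong decision point: `+Provides the Supplier Engagement decision point and its values.` is the identical sentence the supplier_engagement.py hunk on this line adds, so the two modules now describe themselves the same way and any reference page generated from the module docstring will title Supplier Contacted as Supplier Engagement. It should read `Provides the Supplier Contacted decision point and its values.`. As a point of style, this hunk and the supplier_involvement.py hunk leave no blank line between the shebang and the docstring, while the supplier_engagement.py and system_exposure.py hunks insert one; given the commit's purpose is a uniform reformat, the four headers would be expected to match.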
--- a/src/ssvc/decision_points/technical_impact.py
+++ b/src/ssvc/decision_points/technical_impact.py
@@ -1,10 +1,10 @@
 #!/usr/bin/env python
+
 """
-file: technical_impact
-author: adh
-created_at: 9/21/23 9:49 AM
+Provides the Technical Impact decision point and its values.
 """
-# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+
+# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py
index 4ebd9648..d20f05a3 100644
--- a/src/ssvc/decision_points/utility.py
+++ b/src/ssvc/decision_points/utility.py
@@ -1,4 +1,9 @@
 #!/usr/bin/env python
+
+"""
+Provides the Utility decision point and its values.
+"""
+
 # Copyright (c) 2024-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py
index 1daaed86..d13a606f 100644
--- a/src/ssvc/decision_points/value_density.py
+++ b/src/ssvc/decision_points/value_density.py
@@ -1,10 +1,9 @@
 #!/usr/bin/env python
 """
-file: value_density
-author: adh
-created_at: 9/21/23 10:01 AM
+Provides the Value Density decision point and its values.
 """
-# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+
+# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors.
 # - see Contributors.md for a full list of Contributors
 # - see ContributionInstructions.md for information on how you can Contribute to this project
 # Stakeholder Specific Vulnerability Categorization (SSVC) is
From 480ca0953062fc32d69b7c0afb1ffff4f48f89a6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Feb 2025 11:02:12 -0500 Subject: [PATCH 12/31] Bump the mkdocs group with 3 updates (#680) Bumps the mkdocs group with 3 updates: [mkdocs-include-markdown-plugin](https://github.com/mondeja/mkdocs-include-markdown-plugin), [mkdocs-material](https://github.com/squidfunk/mkdocs-material) and [mkdocstrings-python](https://github.com/mkdocstrings/python). Updates `mkdocs-include-markdown-plugin` from 7.1.2 to 7.1.4 - [Release notes](https://github.com/mondeja/mkdocs-include-markdown-plugin/releases) - [Commits](https://github.com/mondeja/mkdocs-include-markdown-plugin/compare/v7.1.2...v7.1.4) Updates `mkdocs-material` from 9.6.2 to 9.6.3 - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.6.2...9.6.3) Updates `mkdocstrings-python` from 1.13.0 to 1.14.6 - [Release notes](https://github.com/mkdocstrings/python/releases) - [Changelog](https://github.com/mkdocstrings/python/blob/main/CHANGELOG.md) - [Commits](https://github.com/mkdocstrings/python/compare/1.13.0...1.14.6) --- updated-dependencies: - dependency-name: mkdocs-include-markdown-plugin dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocstrings-python dependency-type: direct:production update-type: version-update:semver-minor dependency-group: mkdocs ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.txt b/requirements.txt index 9a40cadd..673e8f88 100644 --- a/requirements.txt 
+++ b/requirements.txt
@@ -1,11 +1,11 @@
 mkdocs==1.6.1
 mkdocs-bibtex==4.1.0
-mkdocs-include-markdown-plugin==7.1.2
+mkdocs-include-markdown-plugin==7.1.4
 mkdocs-table-reader-plugin==3.1.0
-mkdocs-material==9.6.2
+mkdocs-material==9.6.3
 mkdocs-material-extensions==1.3.1
 mkdocstrings==0.28.0
-mkdocstrings-python==1.13.0
+mkdocstrings-python==1.14.6
 mkdocs-print-site-plugin==2.6.0
 thefuzz==0.22.1
 pandas==2.2.3
From 337b21a2964f209d98afe09d4bbfd94329f38ef2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Feb 2025 15:17:20 -0500 Subject: [PATCH 13/31] Bump the mkdocs group with 4 updates (#682) Bumps the mkdocs group with 4 updates: [mkdocs-bibtex](https://github.com/shyamd/mkdocs-bibtex), [mkdocs-material](https://github.com/squidfunk/mkdocs-material), [mkdocstrings](https://github.com/mkdocstrings/mkdocstrings) and [mkdocstrings-python](https://github.com/mkdocstrings/python). Updates `mkdocs-bibtex` from 4.1.0 to 4.2.1 - [Release notes](https://github.com/shyamd/mkdocs-bibtex/releases) - [Commits](https://github.com/shyamd/mkdocs-bibtex/compare/v4.1.0...v4.2.1) Updates `mkdocs-material` from 9.6.3 to 9.6.4 - [Release notes](https://github.com/squidfunk/mkdocs-material/releases) - [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG) - [Commits](https://github.com/squidfunk/mkdocs-material/compare/9.6.3...9.6.4) Updates `mkdocstrings` from 0.28.0 to 0.28.1 - [Release notes](https://github.com/mkdocstrings/mkdocstrings/releases) - [Changelog](https://github.com/mkdocstrings/mkdocstrings/blob/main/CHANGELOG.md) - [Commits](https://github.com/mkdocstrings/mkdocstrings/compare/0.28.0...0.28.1) Updates `mkdocstrings-python` from 1.14.6 to 1.16.0 - [Release notes](https://github.com/mkdocstrings/python/releases) - [Changelog](https://github.com/mkdocstrings/python/blob/main/CHANGELOG.md) - [Commits](https://github.com/mkdocstrings/python/compare/1.14.6...1.16.0) --- updated-dependencies: - dependency-name: mkdocs-bibtex dependency-type: direct:production update-type: version-update:semver-minor dependency-group: mkdocs - dependency-name: mkdocs-material dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocstrings dependency-type: direct:production update-type: version-update:semver-patch dependency-group: mkdocs - dependency-name: mkdocstrings-python dependency-type: direct:production 
update-type: version-update:semver-minor dependency-group: mkdocs ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 requirements.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 673e8f88..9328527c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,11 +1,11 @@
 mkdocs==1.6.1
-mkdocs-bibtex==4.1.0
+mkdocs-bibtex==4.2.1
 mkdocs-include-markdown-plugin==7.1.4
 mkdocs-table-reader-plugin==3.1.0
-mkdocs-material==9.6.3
+mkdocs-material==9.6.4
 mkdocs-material-extensions==1.3.1
-mkdocstrings==0.28.0
-mkdocstrings-python==1.14.6
+mkdocstrings==0.28.1
+mkdocstrings-python==1.16.0
 mkdocs-print-site-plugin==2.6.0
 thefuzz==0.22.1
 pandas==2.2.3
From 256cfcf94c4cd52ccf8a0f3eeec2d9ced7ff20b5 Mon Sep 17 00:00:00 2001
From: "Allen D. Householder" Date: Tue, 18 Feb 2025 15:27:54 -0500 Subject: [PATCH 14/31] Convert site to use inline python instead of relying on manual script to generate decision point examples (#683) * add markdown-exec plugin and doc_helpers in prep for inlining examples * add consistent VERSIONS and LATEST to decision point modules * use inline python to generate examples * replace markdown includes with inline python * remove generated static examples now provided at site build time using inline python * regenerate some json examples based on recent changes to python * update doctools.py to only generate the .json example files inline examples are now down with inline python in markdown * roll cvss decision point generation into doctools.py * make cvss decision points consistent with VERSIONS and LATEST names * add end-of-file newlines * add / fix unit tests * update cvss supplementals * reorder urgency to be low-to-high * fix pydantic type error (`list` instead of `tuple`) --- .../decision_points/automatable_2_0_0.json | 2 +- .../cvss/access_complexity_1_0_0.json | 20 +++ .../cvss/access_complexity_2_0_0.json | 25 +++ .../cvss/access_vector_1_0_0.json | 20 +++ .../cvss/access_vector_2_0_0.json | 25 +++ ...ty_3.json => attack_complexity_3_0_0.json} | 2 +- .../cvss/attack_complexity_3_0_1.json | 2 +- ..._1.json => attack_requirements_1_0_0.json} | 2 +- ...vector_3.json => attack_vector_3_0_0.json} | 2 +- .../cvss/attack_vector_3_0_1.json | 2 +- ...ation_1.json => authentication_1_0_0.json} | 2 +- ...ation_2.json => authentication_2_0_0.json} | 2 +- .../cvss/automatable_1_0_0.json | 20 +++ ..._1.json => availability_impact_1_0_0.json} | 2 +- ..._2.json => availability_impact_2_0_0.json} | 2 +- .../cvss/availability_impact_2_0_1.json | 2 +- ...on => availability_requirement_1_0_0.json} | 2 +- ...on => availability_requirement_1_1_0.json} | 2 +- .../cvss/availability_requirement_1_1_1.json | 2 +- ...=> collateral_damage_potential_1_0_0.json} | 2 +- ...=> 
collateral_damage_potential_2_0_0.json} | 2 +- ...json => confidentiality_impact_1_0_0.json} | 2 +- ...json => confidentiality_impact_2_0_0.json} | 2 +- .../cvss/confidentiality_impact_2_0_1.json | 2 +- ...mpact_to_the_subsequent_system_1_0_0.json} | 2 +- ...=> confidentiality_requirement_1_0_0.json} | 2 +- ...=> confidentiality_requirement_1_1_0.json} | 2 +- .../confidentiality_requirement_1_1_1.json | 2 +- .../cvss/equivalence_set_1_1_0_0.json | 25 +++ .../cvss/equivalence_set_2_1_0_0.json | 20 +++ .../cvss/equivalence_set_3_1_0_0.json | 25 +++ .../cvss/equivalence_set_4_1_0_0.json | 25 +++ .../cvss/equivalence_set_5_1_0_0.json | 25 +++ .../cvss/equivalence_set_6_1_0_0.json | 20 +++ .../cvss/exploit_code_maturity_1_2_0.json | 35 +++++ .../cvss/exploit_maturity_2_0_0.json | 30 ++++ ...ility_1.json => exploitability_1_0_0.json} | 2 +- ...ity_1_1.json => exploitability_1_1_0.json} | 2 +- ...act_bias_1.json => impact_bias_1_0_0.json} | 2 +- ...act_1.json => integrity_impact_1_0_0.json} | 2 +- ...act_2.json => integrity_impact_2_0_0.json} | 2 +- .../cvss/integrity_impact_2_0_1.json | 2 +- ...mpact_to_the_subsequent_system_1_0_0.json} | 2 +- ....json => integrity_requirement_1_0_0.json} | 2 +- ....json => integrity_requirement_1_0_1.json} | 2 +- ....json => integrity_requirement_1_1_0.json} | 2 +- .../modified_attack_complexity_3_0_0.json | 25 +++ .../modified_attack_complexity_3_0_1.json | 25 +++ .../modified_attack_requirements_1_0_0.json | 25 +++ .../cvss/modified_attack_vector_3_0_0.json | 35 +++++ .../cvss/modified_attack_vector_3_0_1.json | 35 +++++ .../modified_availability_impact_2_0_0.json | 30 ++++ .../modified_availability_impact_2_0_1.json | 30 ++++ ...modified_confidentiality_impact_2_0_0.json | 30 ++++ ...modified_confidentiality_impact_2_0_1.json | 30 ++++ ...impact_to_the_subsequent_system_1_0_0.json | 30 ++++ .../cvss/modified_integrity_impact_2_0_0.json | 30 ++++ .../cvss/modified_integrity_impact_2_0_1.json | 30 ++++ 
...impact_to_the_subsequent_system_1_0_0.json | 35 +++++ .../modified_privileges_required_1_0_0.json | 30 ++++ .../modified_privileges_required_1_0_1.json | 30 ++++ .../cvss/modified_scope_1_0_0.json | 25 +++ ..._subsequent_availability_impact_1_0_0.json | 30 ++++ .../cvss/modified_user_interaction_1_0_0.json | 25 +++ .../cvss/modified_user_interaction_2_0_0.json | 30 ++++ ..._1.json => privileges_required_1_0_0.json} | 2 +- .../cvss/privileges_required_1_0_1.json | 2 +- .../cvss/provider_urgency_1_0_0.json | 35 +++++ .../decision_points/cvss/recovery_1_0_0.json | 30 ++++ ...el_1.json => remediation_level_1_0_0.json} | 2 +- ..._1_1.json => remediation_level_1_1_0.json} | 2 +- ...ce_1.json => report_confidence_1_0_0.json} | 2 +- ..._1_1.json => report_confidence_1_1_0.json} | 2 +- ...ce_2.json => report_confidence_2_0_0.json} | 2 +- .../decision_points/cvss/safety_1_0_0.json | 25 +++ .../cvss/{scope_1.json => scope_1_0_0.json} | 2 +- ...subsequent_availability_impact_1_0_0.json} | 2 +- ..._1.json => target_distribution_1_0_0.json} | 2 +- ..._1.json => target_distribution_1_1_0.json} | 2 +- ...ion_1.json => user_interaction_1_0_0.json} | 2 +- ...ion_2.json => user_interaction_2_0_0.json} | 2 +- .../cvss/value_density_1_0_0.json | 25 +++ .../vulnerability_response_effort_1_0_0.json | 30 ++++ .../decision_points/exploitation_1_0_0.json | 2 +- .../decision_points/exploitation_1_1_0.json | 2 +- .../decision_points/human_impact_2_0_0.json | 2 +- .../decision_points/human_impact_2_0_1.json | 2 +- .../mission_and_well-being_impact_1_0_0.json | 2 +- .../decision_points/mission_impact_1_0_0.json | 4 +- .../decision_points/mission_impact_2_0_0.json | 4 +- .../public_safety_impact_2_0_0.json | 2 +- .../public_safety_impact_2_0_1.json | 2 +- .../public_value_added_1_0_0.json | 2 +- .../public_well-being_impact_1_0_0.json | 2 +- .../report_credibility_1_0_0.json | 2 +- .../decision_points/report_public_1_0_0.json | 2 +- .../decision_points/safety_impact_1_0_0.json | 4 +- 
.../decision_points/safety_impact_2_0_0.json | 4 +- .../supplier_cardinality_1_0_0.json | 2 +- .../supplier_contacted_1_0_0.json | 2 +- .../supplier_engagement_1_0_0.json | 8 +- .../supplier_involvement_1_0_0.json | 4 +- .../system_exposure_1_0_0.json | 4 +- .../system_exposure_1_0_1.json | 4 +- .../technical_impact_1_0_0.json | 2 +- data/json/decision_points/utility_1_0_0.json | 2 +- data/json/decision_points/utility_1_0_1.json | 2 +- .../decision_points/value_density_1_0_0.json | 4 +- .../json/decision_points/virulence_1_0_0.json | 2 +- .../_generated/decision_points/automatable.md | 1 - .../decision_points/automatable_2_0_0.md | 17 -- .../decision_points/exploitation.md | 1 - .../decision_points/exploitation_1_0_0.md | 18 --- .../decision_points/exploitation_1_1_0.md | 18 --- .../decision_points/human_impact.md | 1 - .../decision_points/human_impact_2_0_0.md | 19 --- .../decision_points/human_impact_2_0_1.md | 19 --- .../mission_and_well-being_impact.md | 1 - .../mission_and_well-being_impact_1_0_0.md | 18 --- .../decision_points/mission_impact.md | 1 - .../decision_points/mission_impact_1_0_0.md | 20 --- .../decision_points/mission_impact_2_0_0.md | 19 --- .../decision_points/public_safety_impact.md | 1 - .../public_safety_impact_2_0_0.md | 17 -- .../public_safety_impact_2_0_1.md | 17 -- .../decision_points/public_value_added.md | 1 - .../public_value_added_1_0_0.md | 18 --- .../public_well-being_impact.md | 1 - .../public_well-being_impact_1_0_0.md | 18 --- .../decision_points/report_credibility.md | 1 - .../report_credibility_1_0_0.md | 17 -- .../decision_points/report_public.md | 1 - .../decision_points/report_public_1_0_0.md | 17 -- .../decision_points/safety_impact.md | 1 - .../decision_points/safety_impact_1_0_0.md | 20 --- .../decision_points/safety_impact_2_0_0.md | 19 --- .../decision_points/supplier_cardinality.md | 1 - .../supplier_cardinality_1_0_0.md | 17 -- .../decision_points/supplier_contacted.md | 1 - .../supplier_contacted_1_0_0.md | 17 -- 
.../decision_points/supplier_engagement.md | 1 - .../supplier_engagement_1_0_0.md | 17 -- .../decision_points/supplier_involvement.md | 1 - .../supplier_involvement_1_0_0.md | 18 --- .../decision_points/system_exposure.md | 1 - .../decision_points/system_exposure_1_0_0.md | 18 --- .../decision_points/system_exposure_1_0_1.md | 18 --- .../decision_points/technical_impact.md | 1 - .../decision_points/technical_impact_1_0_0.md | 17 -- docs/_generated/decision_points/utility.md | 1 - .../decision_points/utility_1_0_0.md | 18 --- .../decision_points/utility_1_0_1.md | 18 --- .../decision_points/value_density.md | 1 - .../decision_points/value_density_1_0_0.md | 17 -- docs/_generated/decision_points/virulence.md | 1 - .../decision_points/virulence_1_0_0.md | 17 -- docs/howto/acuity_ramp.md | 32 +++- docs/howto/bootstrap/use.md | 21 ++- docs/howto/coordination_triage_decision.md | 20 ++- docs/howto/deployer_tree.md | 14 +- docs/howto/publication_decision.md | 12 +- docs/howto/supplier_tree.md | 15 +- docs/reference/decision_points/automatable.md | 18 ++- .../reference/decision_points/exploitation.md | 20 ++- .../reference/decision_points/human_impact.md | 17 +- .../decision_points/mission_impact.md | 17 +- .../decision_points/public_safety_impact.md | 17 +- .../decision_points/public_value_added.md | 8 +- .../decision_points/report_credibility.md | 8 +- .../decision_points/report_public.md | 7 +- .../decision_points/safety_impact.md | 18 ++- .../decision_points/supplier_cardinality.md | 7 +- .../decision_points/supplier_contacted.md | 7 +- .../decision_points/supplier_engagement.md | 7 +- .../decision_points/supplier_involvement.md | 7 +- .../decision_points/system_exposure.md | 18 ++- .../decision_points/technical_impact.md | 7 +- docs/reference/decision_points/utility.md | 17 +- .../decision_points/value_density.md | 7 +- mkdocs.yml | 1 + requirements.txt | 1 + src/cvss_to_json.py | 57 ------- src/ssvc/decision_points/automatable.py | 8 +- 
src/ssvc/decision_points/critical_software.py | 6 +- .../decision_points/cvss/attack_complexity.py | 7 +- .../cvss/attack_requirements.py | 7 +- .../decision_points/cvss/attack_vector.py | 6 +- .../decision_points/cvss/authentication.py | 9 +- .../cvss/availability_impact.py | 9 +- .../cvss/availability_requirement.py | 7 +- .../cvss/collateral_damage_potential.py | 5 +- .../cvss/confidentiality_impact.py | 7 +- .../cvss/confidentiality_requirement.py | 7 +- .../decision_points/cvss/exploitability.py | 7 +- src/ssvc/decision_points/cvss/helpers.py | 4 +- src/ssvc/decision_points/cvss/impact_bias.py | 7 +- .../decision_points/cvss/integrity_impact.py | 5 +- .../cvss/integrity_requirement.py | 7 +- .../cvss/privileges_required.py | 5 +- .../decision_points/cvss/remediation_level.py | 5 +- .../decision_points/cvss/report_confidence.py | 7 +- src/ssvc/decision_points/cvss/scope.py | 7 +- .../cvss/subsequent_availability_impact.py | 7 +- .../cvss/subsequent_confidentiality_impact.py | 7 +- .../cvss/subsequent_integrity_impact.py | 7 +- .../cvss/supplemental/automatable.py | 31 ++-- .../cvss/supplemental/provider_urgency.py | 41 ++--- .../cvss/supplemental/recovery.py | 35 ++--- .../cvss/supplemental/safety.py | 29 ++-- .../cvss/supplemental/value_density.py | 29 ++-- .../vulnerability_response_effort.py | 45 +++--- .../cvss/target_distribution.py | 7 +- .../decision_points/cvss/user_interaction.py | 5 +- src/ssvc/decision_points/exploitation.py | 7 +- src/ssvc/decision_points/helpers.py | 26 +--- src/ssvc/decision_points/high_value_asset.py | 5 +- src/ssvc/decision_points/human_impact.py | 15 +- src/ssvc/decision_points/in_kev.py | 6 +- src/ssvc/decision_points/mission_impact.py | 7 +- .../decision_points/mission_prevalence.py | 6 +- .../decision_points/public_safety_impact.py | 14 +- .../decision_points/public_value_added.py | 8 +- .../decision_points/report_credibility.py | 6 +- src/ssvc/decision_points/report_public.py | 6 +- src/ssvc/decision_points/safety_impact.py 
| 8 +- .../decision_points/supplier_cardinality.py | 6 +- .../decision_points/supplier_contacted.py | 6 +- .../decision_points/supplier_engagement.py | 6 +- .../decision_points/supplier_involvement.py | 6 +- src/ssvc/decision_points/system_exposure.py | 7 +- src/ssvc/decision_points/technical_impact.py | 6 +- src/ssvc/decision_points/utility.py | 7 +- src/ssvc/decision_points/value_density.py | 8 +- src/ssvc/doc_helpers.py | 141 +++++++++++++++++ src/ssvc/doctools.py | 145 +++--------------- src/ssvc/dp_groups/base.py | 2 +- src/ssvc/dp_groups/cvss/collections.py | 4 +- src/test/test_doc_helpers.py | 81 ++++++++++ src/test/test_doctools.py | 88 ++--------- 239 files changed, 1898 insertions(+), 1173 deletions(-) create mode 100644 data/json/decision_points/cvss/access_complexity_1_0_0.json create mode 100644 data/json/decision_points/cvss/access_complexity_2_0_0.json create mode 100644 data/json/decision_points/cvss/access_vector_1_0_0.json create mode 100644 data/json/decision_points/cvss/access_vector_2_0_0.json rename data/json/decision_points/cvss/{attack_complexity_3.json => attack_complexity_3_0_0.json} (99%) rename data/json/decision_points/cvss/{attack_requirements_1.json => attack_requirements_1_0_0.json} (99%) rename data/json/decision_points/cvss/{attack_vector_3.json => attack_vector_3_0_0.json} (99%) rename data/json/decision_points/cvss/{authentication_1.json => authentication_1_0_0.json} (99%) rename data/json/decision_points/cvss/{authentication_2.json => authentication_2_0_0.json} (99%) create mode 100644 data/json/decision_points/cvss/automatable_1_0_0.json rename data/json/decision_points/cvss/{availability_impact_1.json => availability_impact_1_0_0.json} (99%) rename data/json/decision_points/cvss/{availability_impact_2.json => availability_impact_2_0_0.json} (99%) rename data/json/decision_points/cvss/{availability_requirement_1.json => availability_requirement_1_0_0.json} (99%) rename 
data/json/decision_points/cvss/{availability_requirement_1_1.json => availability_requirement_1_1_0.json} (99%) rename data/json/decision_points/cvss/{collateral_damage_potential_1.json => collateral_damage_potential_1_0_0.json} (99%) rename data/json/decision_points/cvss/{collateral_damage_potential_2.json => collateral_damage_potential_2_0_0.json} (99%) rename data/json/decision_points/cvss/{confidentiality_impact_1.json => confidentiality_impact_1_0_0.json} (99%) rename data/json/decision_points/cvss/{confidentiality_impact_2.json => confidentiality_impact_2_0_0.json} (99%) rename data/json/decision_points/cvss/{subsequent_confidentiality_impact_1.json => confidentiality_impact_to_the_subsequent_system_1_0_0.json} (99%) rename data/json/decision_points/cvss/{confidentiality_requirement_1.json => confidentiality_requirement_1_0_0.json} (99%) rename data/json/decision_points/cvss/{confidentiality_requirement_1_1.json => confidentiality_requirement_1_1_0.json} (99%) create mode 100644 data/json/decision_points/cvss/equivalence_set_1_1_0_0.json create mode 100644 data/json/decision_points/cvss/equivalence_set_2_1_0_0.json create mode 100644 data/json/decision_points/cvss/equivalence_set_3_1_0_0.json create mode 100644 data/json/decision_points/cvss/equivalence_set_4_1_0_0.json create mode 100644 data/json/decision_points/cvss/equivalence_set_5_1_0_0.json create mode 100644 data/json/decision_points/cvss/equivalence_set_6_1_0_0.json create mode 100644 data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json create mode 100644 data/json/decision_points/cvss/exploit_maturity_2_0_0.json rename data/json/decision_points/cvss/{exploitability_1.json => exploitability_1_0_0.json} (99%) rename data/json/decision_points/cvss/{exploitability_1_1.json => exploitability_1_1_0.json} (99%) rename data/json/decision_points/cvss/{impact_bias_1.json => impact_bias_1_0_0.json} (99%) rename data/json/decision_points/cvss/{integrity_impact_1.json => integrity_impact_1_0_0.json} 
(99%) rename data/json/decision_points/cvss/{integrity_impact_2.json => integrity_impact_2_0_0.json} (99%) rename data/json/decision_points/cvss/{subsequent_integrity_impact_1.json => integrity_impact_to_the_subsequent_system_1_0_0.json} (99%) rename data/json/decision_points/cvss/{integrity_requirement_1.json => integrity_requirement_1_0_0.json} (99%) rename data/json/decision_points/cvss/{integrity_requirement_1_1_1.json => integrity_requirement_1_0_1.json} (99%) rename data/json/decision_points/cvss/{integrity_requirement_1_1.json => integrity_requirement_1_1_0.json} (99%) create mode 100644 data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json create mode 100644 data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json create mode 100644 data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json create mode 100644 data/json/decision_points/cvss/modified_attack_vector_3_0_0.json create mode 100644 data/json/decision_points/cvss/modified_attack_vector_3_0_1.json create mode 100644 data/json/decision_points/cvss/modified_availability_impact_2_0_0.json create mode 100644 data/json/decision_points/cvss/modified_availability_impact_2_0_1.json create mode 100644 data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json create mode 100644 data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json create mode 100644 data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json create mode 100644 data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json create mode 100644 data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json create mode 100644 data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json create mode 100644 data/json/decision_points/cvss/modified_privileges_required_1_0_0.json create mode 100644 data/json/decision_points/cvss/modified_privileges_required_1_0_1.json create mode 100644 
data/json/decision_points/cvss/modified_scope_1_0_0.json create mode 100644 data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json create mode 100644 data/json/decision_points/cvss/modified_user_interaction_1_0_0.json create mode 100644 data/json/decision_points/cvss/modified_user_interaction_2_0_0.json rename data/json/decision_points/cvss/{privileges_required_1.json => privileges_required_1_0_0.json} (99%) create mode 100644 data/json/decision_points/cvss/provider_urgency_1_0_0.json create mode 100644 data/json/decision_points/cvss/recovery_1_0_0.json rename data/json/decision_points/cvss/{remediation_level_1.json => remediation_level_1_0_0.json} (99%) rename data/json/decision_points/cvss/{remediation_level_1_1.json => remediation_level_1_1_0.json} (99%) rename data/json/decision_points/cvss/{report_confidence_1.json => report_confidence_1_0_0.json} (99%) rename data/json/decision_points/cvss/{report_confidence_1_1.json => report_confidence_1_1_0.json} (99%) rename data/json/decision_points/cvss/{report_confidence_2.json => report_confidence_2_0_0.json} (99%) create mode 100644 data/json/decision_points/cvss/safety_1_0_0.json rename data/json/decision_points/cvss/{scope_1.json => scope_1_0_0.json} (99%) rename data/json/decision_points/cvss/{subsequent_availability_impact_1.json => subsequent_availability_impact_1_0_0.json} (99%) rename data/json/decision_points/cvss/{target_distribution_1.json => target_distribution_1_0_0.json} (99%) rename data/json/decision_points/cvss/{target_distribution_1_1.json => target_distribution_1_1_0.json} (99%) rename data/json/decision_points/cvss/{user_interaction_1.json => user_interaction_1_0_0.json} (99%) rename data/json/decision_points/cvss/{user_interaction_2.json => user_interaction_2_0_0.json} (99%) create mode 100644 data/json/decision_points/cvss/value_density_1_0_0.json create mode 100644 data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json delete mode 120000 
docs/_generated/decision_points/automatable.md delete mode 100644 docs/_generated/decision_points/automatable_2_0_0.md delete mode 120000 docs/_generated/decision_points/exploitation.md delete mode 100644 docs/_generated/decision_points/exploitation_1_0_0.md delete mode 100644 docs/_generated/decision_points/exploitation_1_1_0.md delete mode 120000 docs/_generated/decision_points/human_impact.md delete mode 100644 docs/_generated/decision_points/human_impact_2_0_0.md delete mode 100644 docs/_generated/decision_points/human_impact_2_0_1.md delete mode 120000 docs/_generated/decision_points/mission_and_well-being_impact.md delete mode 100644 docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md delete mode 120000 docs/_generated/decision_points/mission_impact.md delete mode 100644 docs/_generated/decision_points/mission_impact_1_0_0.md delete mode 100644 docs/_generated/decision_points/mission_impact_2_0_0.md delete mode 120000 docs/_generated/decision_points/public_safety_impact.md delete mode 100644 docs/_generated/decision_points/public_safety_impact_2_0_0.md delete mode 100644 docs/_generated/decision_points/public_safety_impact_2_0_1.md delete mode 120000 docs/_generated/decision_points/public_value_added.md delete mode 100644 docs/_generated/decision_points/public_value_added_1_0_0.md delete mode 120000 docs/_generated/decision_points/public_well-being_impact.md delete mode 100644 docs/_generated/decision_points/public_well-being_impact_1_0_0.md delete mode 120000 docs/_generated/decision_points/report_credibility.md delete mode 100644 docs/_generated/decision_points/report_credibility_1_0_0.md delete mode 120000 docs/_generated/decision_points/report_public.md delete mode 100644 docs/_generated/decision_points/report_public_1_0_0.md delete mode 120000 docs/_generated/decision_points/safety_impact.md delete mode 100644 docs/_generated/decision_points/safety_impact_1_0_0.md delete mode 100644 
docs/_generated/decision_points/safety_impact_2_0_0.md delete mode 120000 docs/_generated/decision_points/supplier_cardinality.md delete mode 100644 docs/_generated/decision_points/supplier_cardinality_1_0_0.md delete mode 120000 docs/_generated/decision_points/supplier_contacted.md delete mode 100644 docs/_generated/decision_points/supplier_contacted_1_0_0.md delete mode 120000 docs/_generated/decision_points/supplier_engagement.md delete mode 100644 docs/_generated/decision_points/supplier_engagement_1_0_0.md delete mode 120000 docs/_generated/decision_points/supplier_involvement.md delete mode 100644 docs/_generated/decision_points/supplier_involvement_1_0_0.md delete mode 120000 docs/_generated/decision_points/system_exposure.md delete mode 100644 docs/_generated/decision_points/system_exposure_1_0_0.md delete mode 100644 docs/_generated/decision_points/system_exposure_1_0_1.md delete mode 120000 docs/_generated/decision_points/technical_impact.md delete mode 100644 docs/_generated/decision_points/technical_impact_1_0_0.md delete mode 120000 docs/_generated/decision_points/utility.md delete mode 100644 docs/_generated/decision_points/utility_1_0_0.md delete mode 100644 docs/_generated/decision_points/utility_1_0_1.md delete mode 120000 docs/_generated/decision_points/value_density.md delete mode 100644 docs/_generated/decision_points/value_density_1_0_0.md delete mode 120000 docs/_generated/decision_points/virulence.md delete mode 100644 docs/_generated/decision_points/virulence_1_0_0.md delete mode 100644 src/cvss_to_json.py create mode 100644 src/ssvc/doc_helpers.py create mode 100644 src/test/test_doc_helpers.py diff --git a/data/json/decision_points/automatable_2_0_0.json b/data/json/decision_points/automatable_2_0_0.json index 90ac4a09..a44086f9 100644 --- a/data/json/decision_points/automatable_2_0_0.json +++ b/data/json/decision_points/automatable_2_0_0.json 
@@ -17,4 +17,4 @@
 "description": "Attackers can reliably automate steps 1-4 of the kill chain."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/access_complexity_1_0_0.json b/data/json/decision_points/cvss/access_complexity_1_0_0.json
new file mode 100644
index 00000000..30e88f11
--- /dev/null
+++ b/data/json/decision_points/cvss/access_complexity_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AC",
+ "name": "Access Complexity",
+ "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Specialized access conditions exist; for example: the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (nondefault configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail)"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/access_complexity_2_0_0.json b/data/json/decision_points/cvss/access_complexity_2_0_0.json
new file mode 100644
index 00000000..09c795fc
--- /dev/null
+++ b/data/json/decision_points/cvss/access_complexity_2_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AC",
+ "name": "Access Complexity",
+ "description": "This metric measures the complexity of the attack required to exploit the vulnerability once an attacker has gained access to the target system.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Specialized access conditions or extenuating circumstances do not exist."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "The access conditions are somewhat specialized."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Specialized access conditions exist."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/access_vector_1_0_0.json b/data/json/decision_points/cvss/access_vector_1_0_0.json
new file mode 100644
index 00000000..beee709d
--- /dev/null
+++ b/data/json/decision_points/cvss/access_vector_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AV",
+ "name": "Access Vector",
+ "description": "This metric measures whether or not the vulnerability is exploitable locally or remotely.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Local",
+ "description": "The vulnerability is only exploitable locally (i.e., it requires physical access or authenticated login to the target system)"
+ },
+ {
+ "key": "R",
+ "name": "Remote",
+ "description": "The vulnerability is exploitable remotely."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/access_vector_2_0_0.json b/data/json/decision_points/cvss/access_vector_2_0_0.json
new file mode 100644
index 00000000..9f68fb5a
--- /dev/null
+++ b/data/json/decision_points/cvss/access_vector_2_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "2.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AV",
+ "name": "Access Vector",
+ "description": "This metric reflects the context by which vulnerability exploitation is possible.",
+ "values": [
+ {
+ "key": "L",
+ "name": "Local",
+ "description": "A vulnerability exploitable with only local access requires the attacker to have either physical access to the vulnerable system or a local (shell) account."
+ },
+ {
+ "key": "A",
+ "name": "Adjacent Network",
+ "description": "A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or collision domain of the vulnerable software."
+ },
+ {
+ "key": "N",
+ "name": "Network",
+ "description": "A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed 'remotely exploitable'."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/attack_complexity_3.json b/data/json/decision_points/cvss/attack_complexity_3_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/attack_complexity_3.json
rename to data/json/decision_points/cvss/attack_complexity_3_0_0.json
index 895283e4..b9dd8584 100644
--- a/data/json/decision_points/cvss/attack_complexity_3.json
+++ b/data/json/decision_points/cvss/attack_complexity_3_0_0.json
@@ -17,4 +17,4 @@
 "description": "A successful attack depends on conditions beyond the attacker's control."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_complexity_3_0_1.json b/data/json/decision_points/cvss/attack_complexity_3_0_1.json
index 86686214..7f49cf1d 100644
--- a/data/json/decision_points/cvss/attack_complexity_3_0_1.json
+++ b/data/json/decision_points/cvss/attack_complexity_3_0_1.json
@@ -17,4 +17,4 @@
 "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_requirements_1.json b/data/json/decision_points/cvss/attack_requirements_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/attack_requirements_1.json
rename to data/json/decision_points/cvss/attack_requirements_1_0_0.json
index 0a7d65f8..4232fa7b 100644
--- a/data/json/decision_points/cvss/attack_requirements_1.json
+++ b/data/json/decision_points/cvss/attack_requirements_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_vector_3.json b/data/json/decision_points/cvss/attack_vector_3_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/attack_vector_3.json
rename to data/json/decision_points/cvss/attack_vector_3_0_0.json
index 43f2ca06..612e5c72 100644
--- a/data/json/decision_points/cvss/attack_vector_3.json
+++ b/data/json/decision_points/cvss/attack_vector_3_0_0.json
@@ -27,4 +27,4 @@
 "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/attack_vector_3_0_1.json b/data/json/decision_points/cvss/attack_vector_3_0_1.json
index 22006bd9..fbf31693 100644
--- a/data/json/decision_points/cvss/attack_vector_3_0_1.json
+++ b/data/json/decision_points/cvss/attack_vector_3_0_1.json
@@ -27,4 +27,4 @@
 "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/authentication_1.json b/data/json/decision_points/cvss/authentication_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/authentication_1.json
rename to data/json/decision_points/cvss/authentication_1_0_0.json
index 059f7f59..0e2f41e7 100644
--- a/data/json/decision_points/cvss/authentication_1.json
+++ b/data/json/decision_points/cvss/authentication_1_0_0.json
@@ -17,4 +17,4 @@
 "description": "Authentication is required to access and exploit the vulnerability."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/authentication_2.json b/data/json/decision_points/cvss/authentication_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/authentication_2.json
rename to data/json/decision_points/cvss/authentication_2_0_0.json
index 3550aecb..98a1037b 100644
--- a/data/json/decision_points/cvss/authentication_2.json
+++ b/data/json/decision_points/cvss/authentication_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "Authentication is not required to exploit the vulnerability."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/automatable_1_0_0.json b/data/json/decision_points/cvss/automatable_1_0_0.json
new file mode 100644
index 00000000..9601b871
--- /dev/null
+++ b/data/json/decision_points/cvss/automatable_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "AU",
+ "name": "Automatable",
+ "description": "The \"Automatable\" metric captures the answer to the question \"Can an attacker automate exploitation events for this vulnerability across multiple targets?\" based on steps 1-4 of the kill chain.",
+ "values": [
+ {
+ "key": "N",
+ "name": "No",
+ "description": "Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation."
+ },
+ {
+ "key": "Y",
+ "name": "Yes",
+ "description": "Attackers can reliably automate all 4 steps of the kill chain. These steps are reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is \"wormable\")."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/availability_impact_1.json b/data/json/decision_points/cvss/availability_impact_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_impact_1.json
rename to data/json/decision_points/cvss/availability_impact_1_0_0.json
index 07201d9f..4c2b59e3 100644
--- a/data/json/decision_points/cvss/availability_impact_1.json
+++ b/data/json/decision_points/cvss/availability_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "Total shutdown of the affected resource. The attacker can render the resource completely unavailable."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_impact_2.json b/data/json/decision_points/cvss/availability_impact_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_impact_2.json
rename to data/json/decision_points/cvss/availability_impact_2_0_0.json
index 98d6e493..f3b37b02 100644
--- a/data/json/decision_points/cvss/availability_impact_2.json
+++ b/data/json/decision_points/cvss/availability_impact_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_impact_2_0_1.json b/data/json/decision_points/cvss/availability_impact_2_0_1.json
index 1cc6921a..e815d46a 100644
--- a/data/json/decision_points/cvss/availability_impact_2_0_1.json
+++ b/data/json/decision_points/cvss/availability_impact_2_0_1.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_requirement_1.json b/data/json/decision_points/cvss/availability_requirement_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_requirement_1.json
rename to data/json/decision_points/cvss/availability_requirement_1_0_0.json
index 9f436294..cbffe72a 100644
--- a/data/json/decision_points/cvss/availability_requirement_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_requirement_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/availability_requirement_1_1.json
rename to data/json/decision_points/cvss/availability_requirement_1_1_0.json
index c1719568..66dec4d4 100644
--- a/data/json/decision_points/cvss/availability_requirement_1_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_1_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/availability_requirement_1_1_1.json b/data/json/decision_points/cvss/availability_requirement_1_1_1.json
index 80f909c5..9e4a94fe 100644
--- a/data/json/decision_points/cvss/availability_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/availability_requirement_1_1_1.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/collateral_damage_potential_1.json b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/collateral_damage_potential_1.json
rename to data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
index a2f3f630..b650ad2f 100644
--- a/data/json/decision_points/cvss/collateral_damage_potential_1.json
+++ b/data/json/decision_points/cvss/collateral_damage_potential_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. The range of effect may be over a wide area."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/collateral_damage_potential_2.json b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/collateral_damage_potential_2.json
rename to data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
index 26af28f9..c08f0fe8 100644
--- a/data/json/decision_points/cvss/collateral_damage_potential_2.json
+++ b/data/json/decision_points/cvss/collateral_damage_potential_2_0_0.json
@@ -32,4 +32,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_1.json b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_impact_1.json
rename to data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
index feaed5b0..f8e633e6 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_1.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "A total compromise of critical system information. A complete loss of system protection resulting in all critical system files being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc)."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_2.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_impact_2.json
rename to data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
index f56c8f62..5d8f0826 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_2.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json
index ce5046e2..4c72a5d5 100644
--- a/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_2_0_1.json
@@ -22,4 +22,4 @@
 "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json
rename to data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
index ff897172..741722cd 100644
--- a/data/json/decision_points/cvss/subsequent_confidentiality_impact_1.json
+++ b/data/json/decision_points/cvss/confidentiality_impact_to_the_subsequent_system_1_0_0.json
@@ -22,4 +22,4 @@
 "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_requirement_1.json
rename to data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
index 64966a4b..988ee409 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_0_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
similarity index 99%
rename from data/json/decision_points/cvss/confidentiality_requirement_1_1.json
rename to data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
index bedacd44..2c508587 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_0.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
index eecf2cac..2e1ef437 100644
--- a/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
+++ b/data/json/decision_points/cvss/confidentiality_requirement_1_1_1.json
@@ -27,4 +27,4 @@
 "description": "This metric value is not defined. See CVSS documentation for details."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json
new file mode 100644
index 00000000..9046163e
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_1_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ1",
+ "name": "Equivalence Set 1",
+ "description": "AV/PR/UI with 3 levels specified in Table 24",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: AV:P or not(AV:N or PR:N or UI:N)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: AV:N and PR:N and UI:N"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json
new file mode 100644
index 00000000..f9fa06e5
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_2_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ2",
+ "name": "Equivalence Set 2",
+ "description": "AC/AT with 2 levels specified in Table 25",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "1: not (AC:L and AT:N)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: AC:L and AT:N"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json
new file mode 100644
index 00000000..a617a8f4
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_3_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ3",
+ "name": "Equivalence Set 3",
+ "description": "VC/VI/VA with 3 levels specified in Table 26",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: not (VC:H or VI:H or VA:H)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: VC:H and VI:H"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json
new file mode 100644
index 00000000..761d6ec8
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_4_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ4",
+ "name": "Equivalence Set 4",
+ "description": "SC/SI/SA with 3 levels specified in Table 27",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: MSI:S or MSA:S"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json
new file mode 100644
index 00000000..1f1b7eec
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_5_1_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ5",
+ "name": "Equivalence Set 5",
+ "description": "E with 3 levels specified in Table 28",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "2: E:U"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "1: E:P"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: E:A"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json
new file mode 100644
index 00000000..599ec3b1
--- /dev/null
+++ b/data/json/decision_points/cvss/equivalence_set_6_1_0_0.json
@@ -0,0 +1,20 @@
+{
+ "namespace": "cvss",
+ "version": "1.0.0",
+ "schemaVersion": "1-0-1",
+ "key": "EQ6",
+ "name": "Equivalence Set 6",
+ "description": "VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)"
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json
new file mode 100644
index 00000000..a900808a
--- /dev/null
+++ b/data/json/decision_points/cvss/exploit_code_maturity_1_2_0.json
@@ -0,0 +1,35 @@
+{
+ "namespace": "cvss",
+ "version": "1.2.0",
+ "schemaVersion": "1-0-1",
+ "key": "E",
+ "name": "Exploit Code Maturity",
+ "description": "measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unproven",
+ "description": "No exploit code is available, or an exploit is theoretical."
+ },
+ {
+ "key": "POC",
+ "name": "Proof-of-Concept",
+ "description": "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker."
+ },
+ {
+ "key": "F",
+ "name": "Functional",
+ "description": "Functional exploit code is available. The code works in most situations where the vulnerability exists."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools."
+ },
+ {
+ "key": "X",
+ "name": "Not Defined",
+ "description": "This metric value is not defined. See CVSS documentation for details."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cvss/exploit_maturity_2_0_0.json b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json
new file mode 100644
index 00000000..879891f6
--- /dev/null
+++ b/data/json/decision_points/cvss/exploit_maturity_2_0_0.json
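Review bot: The top-level `description` of exploit_code_maturity_1_2_0.json starts mid-sentence (`measures the likelihood of the vulnerability being attacked, ...`) and has no terminal period, while the sibling files added in this commit read `This metric measures ...`, so this one renders oddly wherever the description is displayed on its own. A consistent form would be `"description": "This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation."`. If these JSON files are emitted from the Python decision-point definitions rather than edited by hand, the wording belongs in that source so the next regeneration does not revert it.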
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "E", + "name": "Exploit Maturity", + "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", + "values": [ + { + "key": "U", + "name": "Unreported", + "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" + }, + { + "key": "P", + "name": "Proof-of-Concept", + "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" + }, + { + "key": "A", + "name": "Attacked", + "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/exploitability_1.json b/data/json/decision_points/cvss/exploitability_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/exploitability_1.json rename to data/json/decision_points/cvss/exploitability_1_0_0.json index a4251052..be804085 100644 
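Review bot: The value descriptions for `U`, `P` and `A` were flattened from a bulleted list, so the individual conditions run together with no separator (`...proof-of-concept exploit code No knowledge of reported attempts...`). A reader of the rendered decision point cannot tell where one condition ends and the next begins, which matters because each condition must hold for the value to apply. Separating the items with semicolons, e.g. `...proof-of-concept exploit code; no knowledge of reported attempts to exploit this vulnerability; no knowledge of publicly available solutions...`, keeps the single-line JSON string while restoring the list structure.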
--- a/data/json/decision_points/cvss/exploitability_1.json +++ b/data/json/decision_points/cvss/exploitability_1_0_0.json @@ -27,4 +27,4 @@ "description": "Either the vulnerability is exploitable by functional mobile autonomous code or no exploit is required (manual trigger) and the details for the manual technique are widely available. The code works in every situation where the vulnerability is exploitable and/or is actively being delivered via a mobile autonomous agent (a worm or virus)." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/exploitability_1_1.json b/data/json/decision_points/cvss/exploitability_1_1_0.json similarity index 99% rename from data/json/decision_points/cvss/exploitability_1_1.json rename to data/json/decision_points/cvss/exploitability_1_1_0.json index a66619c8..f2d07e9d 100644 --- a/data/json/decision_points/cvss/exploitability_1_1.json +++ b/data/json/decision_points/cvss/exploitability_1_1_0.json @@ -32,4 +32,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/impact_bias_1.json b/data/json/decision_points/cvss/impact_bias_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/impact_bias_1.json rename to data/json/decision_points/cvss/impact_bias_1_0_0.json index 2a49fde0..97039be4 100644 --- a/data/json/decision_points/cvss/impact_bias_1.json +++ b/data/json/decision_points/cvss/impact_bias_1_0_0.json @@ -27,4 +27,4 @@ "description": "Availability Impact is assigned greater weight than Confidentiality Impact or Integrity Impact." } ] -} \ No newline at end of file +} 
diff --git a/data/json/decision_points/cvss/integrity_impact_1.json b/data/json/decision_points/cvss/integrity_impact_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/integrity_impact_1.json rename to data/json/decision_points/cvss/integrity_impact_1_0_0.json index bb9d0b30..cf1dcc9b 100644 --- a/data/json/decision_points/cvss/integrity_impact_1.json +++ b/data/json/decision_points/cvss/integrity_impact_1_0_0.json @@ -22,4 +22,4 @@ "description": "A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/integrity_impact_2.json b/data/json/decision_points/cvss/integrity_impact_2_0_0.json similarity index 99% rename from data/json/decision_points/cvss/integrity_impact_2.json rename to data/json/decision_points/cvss/integrity_impact_2_0_0.json index 9bc278ad..48102023 100644 --- a/data/json/decision_points/cvss/integrity_impact_2.json +++ b/data/json/decision_points/cvss/integrity_impact_2_0_0.json @@ -22,4 +22,4 @@ "description": "There is a total loss of integrity, or a complete loss of protection." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/integrity_impact_2_0_1.json b/data/json/decision_points/cvss/integrity_impact_2_0_1.json index 95671937..59579fbd 100644 --- a/data/json/decision_points/cvss/integrity_impact_2_0_1.json +++ b/data/json/decision_points/cvss/integrity_impact_2_0_1.json @@ -22,4 +22,4 @@ "description": "There is a total loss of integrity, or a complete loss of protection." } ] -} \ No newline at end of file +} 
diff --git a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/subsequent_integrity_impact_1.json rename to data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json index a6baf936..ab4089b3 100644 --- a/data/json/decision_points/cvss/subsequent_integrity_impact_1.json +++ b/data/json/decision_points/cvss/integrity_impact_to_the_subsequent_system_1_0_0.json @@ -22,4 +22,4 @@ "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/integrity_requirement_1.json b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/integrity_requirement_1.json rename to data/json/decision_points/cvss/integrity_requirement_1_0_0.json index 33ef7161..73d07de1 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1.json +++ b/data/json/decision_points/cvss/integrity_requirement_1_0_0.json @@ -27,4 +27,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_0_1.json similarity index 99% rename from data/json/decision_points/cvss/integrity_requirement_1_1_1.json rename to data/json/decision_points/cvss/integrity_requirement_1_0_1.json index 9f54fe28..4c8e1762 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1_1_1.json 
+++ b/data/json/decision_points/cvss/integrity_requirement_1_0_1.json @@ -27,4 +27,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/integrity_requirement_1_1.json b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json similarity index 99% rename from data/json/decision_points/cvss/integrity_requirement_1_1.json rename to data/json/decision_points/cvss/integrity_requirement_1_1_0.json index 405b1500..5515b3b4 100644 --- a/data/json/decision_points/cvss/integrity_requirement_1_1.json +++ b/data/json/decision_points/cvss/integrity_requirement_1_1_0.json @@ -27,4 +27,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json new file mode 100644 index 00000000..09fa2cab --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "MAC", + "name": "Modified Attack Complexity", + "description": "This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component." + }, + { + "key": "H", + "name": "High", + "description": "A successful attack depends on conditions beyond the attacker's control." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} 
diff --git a/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json new file mode 100644 index 00000000..9ddd5581 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_complexity_3_0_1.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "MAC", + "name": "Modified Attack Complexity", + "description": "This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. ", + "values": [ + { + "key": "L", + "name": "Low", + "description": "The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. " + }, + { + "key": "H", + "name": "High", + "description": "The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json new file mode 100644 index 00000000..be523348 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_requirements_1_0_0.json 
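Review bot: The top-level `description` and the `L` value description in this file end with a trailing space inside the JSON string (`...in order to obtain a working exploit. `, `...against the vulnerable system. `), as does the top-level description in modified_attack_vector_3_0_0 (L289). Trailing whitespace inside string values survives into the rendered docs and makes byte-for-byte comparison against the CVSS source text fail. Strip it: `"description": "This metric captures measurable actions ... in order to obtain a working exploit.",`.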
@@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MAT", + "name": "Modified Attack Requirements", + "description": "This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack.", + "values": [ + { + "key": "N", + "name": "None", + "description": "The successful attack does not depend on the deployment and execution conditions of the vulnerable system. The attacker can expect to be able to reach the vulnerability and execute the exploit under all or most instances of the vulnerability." + }, + { + "key": "P", + "name": "Present", + "description": "The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json new file mode 100644 index 00000000..afb49892 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_0.json 
@@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "3.0.0", + "schemaVersion": "1-0-1", + "key": "MAV", + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. ", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack [1]) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file." + }, + { + "key": "A", + "name": "Adjacent", + "description": "A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11), or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router)." + }, + { + "key": "N", + "name": "Network", + "description": "A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed 'remotely exploitable' and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} 
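Review bot: The `P` value description carries a dangling footnote reference, `evil maid attack [1]`, with no `[1]` defined anywhere in this file; the same artifact appears fused to the word in modified_attack_vector_3_0_1 (L291, `evil maid attack1`). These are copy artifacts from the CVSS specification's footnotes and read as noise in the rendered decision point. Dropping the marker, `(e.g. evil maid attack) or persistent.`, is the simplest fix, or the footnote's target can be spelled out inline if the citation is worth keeping.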
diff --git a/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json new file mode 100644 index 00000000..32f378f7 --- /dev/null +++ b/data/json/decision_points/cvss/modified_attack_vector_3_0_1.json 
@@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "3.0.1", + "schemaVersion": "1-0-1", + "key": "MAV", + "name": "Modified Attack Vector", + "description": "This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.", + "values": [ + { + "key": "P", + "name": "Physical", + "description": "The attack requires the attacker to physically touch or manipulate the vulnerable system. Physical interaction may be brief (e.g., evil maid attack1) or persistent." + }, + { + "key": "L", + "name": "Local", + "description": "The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document)." + }, + { + "key": "A", + "name": "Adjacent", + "description": "The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. 
This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone)." + }, + { + "key": "N", + "name": "Network", + "description": "The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json new file mode 100644 index 00000000..861be583 --- /dev/null +++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_0.json 
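Review bot: The `N` value description says the set of possible attackers `extends beyond the other options listed below`, but in this file the other values (`P`, `L`, `A`) precede `N`, so the reference points the wrong way. The sentence was copied from the CVSS specification, where Network is listed first; `extends beyond the other options listed above` (or simply `beyond the other options`) matches this file's layout. The `A` description is one long string in the patch, so the apparent break in it on this page looks like a rendering artifact rather than a literal newline inside the JSON value — worth confirming the file parses.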
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MA", + "name": "Modified Availability Impact", + "description": "This metric measures the impact to availability of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the availability of the system." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json b/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json new file mode 100644 index 00000000..793c5579 --- /dev/null +++ b/data/json/decision_points/cvss/modified_availability_impact_2_0_1.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MA", + "name": "Modified Availability Impact", + "description": "This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to availability within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the Vulnerable System are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json new file mode 100644 index 00000000..5920006a --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_0.json 
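Review bot: The `H` value description still says `resources in the impacted component`, while the `N` and `L` descriptions in the same file were updated to the `Vulnerable System` wording; the `H` text is byte-identical to the 2.0.0 revision at L293. If 2.0.1 is meant to track the newer CVSS terminology, the `H` description presumably should read `...fully deny access to resources in the Vulnerable System; this loss is either sustained...` — confirm against the source specification rather than leaving the file mixing two vocabularies.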
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MC", + "name": "Modified Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json new file mode 100644 index 00000000..027f96a0 --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_2_0_1.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MC", + "name": "Modified Confidentiality Impact", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of confidentiality within the impacted component." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json new file mode 100644 index 00000000..1abda292 --- /dev/null +++ b/data/json/decision_points/cvss/modified_confidentiality_impact_to_the_subsequent_system_1_0_0.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSC", + "name": "Modified Confidentiality Impact to the Subsequent System", + "description": "This metric measures the impact to the confidentiality of the information managed by the system due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The resulting score is greatest when the loss to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of confidentiality, resulting in all resources within the Subsequent System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json new file mode 100644 index 00000000..359fb804 --- /dev/null +++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_0.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MI", + "name": "Modified Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no impact to the integrity of the system." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json b/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json new file mode 100644 index 00000000..a02b0fe3 --- /dev/null +++ b/data/json/decision_points/cvss/modified_integrity_impact_2_0_1.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.1", + "schemaVersion": "1-0-1", + "key": "MI", + "name": "Modified Integrity Impact", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability.", + "values": [ + { + "key": "N", + "name": "None", + "description": "There is no loss of integrity within the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Vulnerable System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json new file mode 100644 index 00000000..ec3d57b3 --- /dev/null +++ b/data/json/decision_points/cvss/modified_integrity_impact_to_the_subsequent_system_1_0_0.json 
@@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSI", + "name": "Modified Integrity Impact to the Subsequent System", + "description": "This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of a system is impacted when an attacker causes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging). The resulting score is greatest when the consequence to the system is highest.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact to the Subsequent System." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Subsequent System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Subsequent System." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "S", + "name": "Safety", + "description": "The Safety metric value measures the impact regarding the Safety of a human actor or participant that can be predictably injured as a result of the vulnerability being exploited." + } + ] +} 
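Review bot: The `X` (Not Defined) value is placed before `S` (Safety) in the `values` array, whereas every other decision point in this commit lists `X` last. If consumers treat array position as the ordering of the values (as the `N`, `L`, `H` sequence suggests), `X` sitting between `H` and `S` is either a deliberate choice that deserves a comment in the generating code or an ordering slip; moving the `S` entry ahead of `X` would match the siblings. I cannot tell from the hunk which reading is intended, so this is a question for the author rather than a definite defect.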
diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json new file mode 100644 index 00000000..b31ad194 --- /dev/null +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MPR", + "name": "Modified Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json new file mode 100644 index 00000000..92297091 --- /dev/null +++ b/data/json/decision_points/cvss/modified_privileges_required_1_0_1.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.1", + "schemaVersion": "1-0-1", + "key": "MPR", + "name": "Modified Privileges Required", + "description": "This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.", + "values": [ + { + "key": "H", + "name": "High", + "description": "The attacker is authorized with (i.e., requires) privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files." + }, + { + "key": "L", + "name": "Low", + "description": "The attacker is authorized with (i.e., requires) privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources." + }, + { + "key": "N", + "name": "None", + "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_scope_1_0_0.json b/data/json/decision_points/cvss/modified_scope_1_0_0.json new file mode 100644 index 00000000..21d82cba --- /dev/null +++ b/data/json/decision_points/cvss/modified_scope_1_0_0.json 
@@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MS", + "name": "Modified Scope", + "description": "the ability for a vulnerability in one software component to impact resources beyond its means, or privileges", + "values": [ + { + "key": "U", + "name": "Unchanged", + "description": "An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same." + }, + { + "key": "C", + "name": "Changed", + "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json b/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json new file mode 100644 index 00000000..d8f83c65 --- /dev/null +++ b/data/json/decision_points/cvss/modified_subsequent_availability_impact_1_0_0.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MSA", + "name": "Modified Subsequent Availability Impact", + "description": "This metric measures the impact on availability a successful exploit of the vulnerability will have on the Subsequent System.", + "values": [ + { + "key": "N", + "name": "Negligible", + "description": "There is no impact to availability within the Subsequent System or all availability impact is constrained to the Vulnerable System." + }, + { + "key": "L", + "name": "Low", + "description": "Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users." + }, + { + "key": "H", + "name": "High", + "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json new file mode 100644 index 00000000..cea0d0c0 --- /dev/null +++ b/data/json/decision_points/cvss/modified_user_interaction_1_0_0.json 
@@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "MUI", + "name": "Modified User Interaction", + "description": "This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.", + "values": [ + { + "key": "R", + "name": "Required", + "description": "Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any user." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json new file mode 100644 index 00000000..a4242ca6 --- /dev/null +++ b/data/json/decision_points/cvss/modified_user_interaction_2_0_0.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "2.0.0", + "schemaVersion": "1-0-1", + "key": "MUI", + "name": "Modified User Interaction", + "description": "This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. The resulting score is greatest when no user interaction is required.", + "values": [ + { + "key": "A", + "name": "Active", + "description": "Successful exploitation of this vulnerability requires a targeted user to perform specific, conscious interactions with the vulnerable system and the attacker’s payload, or the user’s interactions would actively subvert protection mechanisms which would lead to exploitation of the vulnerability." + }, + { + "key": "P", + "name": "Passive", + "description": "Successful exploitation of this vulnerability requires limited interaction by the targeted user with the vulnerable system and the attacker’s payload. These interactions would be considered involuntary and do not require that the user actively subvert protections built into the vulnerable system." + }, + { + "key": "N", + "name": "None", + "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." + }, + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + } + ] +} diff --git a/data/json/decision_points/cvss/privileges_required_1.json b/data/json/decision_points/cvss/privileges_required_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/privileges_required_1.json rename to data/json/decision_points/cvss/privileges_required_1_0_0.json index 003960ee..e7a14402 100644 
--- a/data/json/decision_points/cvss/privileges_required_1.json +++ b/data/json/decision_points/cvss/privileges_required_1_0_0.json @@ -22,4 +22,4 @@ "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/privileges_required_1_0_1.json b/data/json/decision_points/cvss/privileges_required_1_0_1.json index e46eb67d..79c6c94a 100644 --- a/data/json/decision_points/cvss/privileges_required_1_0_1.json +++ b/data/json/decision_points/cvss/privileges_required_1_0_1.json @@ -22,4 +22,4 @@ "description": "The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/provider_urgency_1_0_0.json b/data/json/decision_points/cvss/provider_urgency_1_0_0.json new file mode 100644 index 00000000..0e277cca --- /dev/null +++ b/data/json/decision_points/cvss/provider_urgency_1_0_0.json 
@@ -0,0 +1,35 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "U", + "name": "Provider Urgency", + "description": "Many vendors currently provide supplemental severity ratings to consumers via product security advisories. Other vendors publish Qualitative Severity Ratings from the CVSS Specification Document in their advisories. To facilitate a standardized method to incorporate additional provider-supplied assessment, an optional \"pass-through\" Supplemental Metric called Provider Urgency is available.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "C", + "name": "Clear", + "description": "Provider has assessed the impact of this vulnerability as having no urgency (Informational)." + }, + { + "key": "G", + "name": "Green", + "description": "Provider has assessed the impact of this vulnerability as having a reduced urgency." + }, + { + "key": "A", + "name": "Amber", + "description": "Provider has assessed the impact of this vulnerability as having a moderate urgency." + }, + { + "key": "R", + "name": "Red", + "description": "Provider has assessed the impact of this vulnerability as having the highest urgency." + } + ] +} diff --git a/data/json/decision_points/cvss/recovery_1_0_0.json b/data/json/decision_points/cvss/recovery_1_0_0.json new file mode 100644 index 00000000..8a4beda9 --- /dev/null +++ b/data/json/decision_points/cvss/recovery_1_0_0.json 
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "R", + "name": "Recovery", + "description": "The Recovery metric describes the resilience of a system to recover services, in terms of performance and availability, after an attack has been performed.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "A", + "name": "Automatic", + "description": "The system recovers services automatically after an attack has been performed." + }, + { + "key": "U", + "name": "User", + "description": "The system requires manual intervention by the user to recover services, after an attack has been performed." + }, + { + "key": "I", + "name": "Irrecoverable", + "description": "The system services are irrecoverable by the user, after an attack has been performed." + } + ] +} diff --git a/data/json/decision_points/cvss/remediation_level_1.json b/data/json/decision_points/cvss/remediation_level_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/remediation_level_1.json rename to data/json/decision_points/cvss/remediation_level_1_0_0.json index a71b3444..11f9384f 100644 --- a/data/json/decision_points/cvss/remediation_level_1.json +++ b/data/json/decision_points/cvss/remediation_level_1_0_0.json @@ -27,4 +27,4 @@ "description": "There is either no solution available or it is impossible to apply." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/remediation_level_1_1.json b/data/json/decision_points/cvss/remediation_level_1_1_0.json similarity index 99% rename from data/json/decision_points/cvss/remediation_level_1_1.json rename to data/json/decision_points/cvss/remediation_level_1_1_0.json index 0855a3fb..ccaa439c 100644 --- a/data/json/decision_points/cvss/remediation_level_1_1.json +++ b/data/json/decision_points/cvss/remediation_level_1_1_0.json 
@@ -32,4 +32,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/report_confidence_1.json b/data/json/decision_points/cvss/report_confidence_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/report_confidence_1.json rename to data/json/decision_points/cvss/report_confidence_1_0_0.json index 01fc795f..85940cf0 100644 --- a/data/json/decision_points/cvss/report_confidence_1.json +++ b/data/json/decision_points/cvss/report_confidence_1_0_0.json @@ -22,4 +22,4 @@ "description": "Vendor or author of the affected technology has acknowledged that the vulnerability exists. This value may also be set when existence of a vulnerability is confirmed with absolute confidence through some other event, such as publication of functional proof of concept exploit code or widespread exploitation." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/report_confidence_1_1.json b/data/json/decision_points/cvss/report_confidence_1_1_0.json similarity index 99% rename from data/json/decision_points/cvss/report_confidence_1_1.json rename to data/json/decision_points/cvss/report_confidence_1_1_0.json index be9759a7..691f1e87 100644 --- a/data/json/decision_points/cvss/report_confidence_1_1.json +++ b/data/json/decision_points/cvss/report_confidence_1_1_0.json @@ -27,4 +27,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/report_confidence_2.json b/data/json/decision_points/cvss/report_confidence_2_0_0.json similarity index 99% rename from data/json/decision_points/cvss/report_confidence_2.json rename to data/json/decision_points/cvss/report_confidence_2_0_0.json index 794d8da4..502e1291 100644 --- a/data/json/decision_points/cvss/report_confidence_2.json 
+++ b/data/json/decision_points/cvss/report_confidence_2_0_0.json @@ -27,4 +27,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/safety_1_0_0.json b/data/json/decision_points/cvss/safety_1_0_0.json new file mode 100644 index 00000000..a72a7cd6 --- /dev/null +++ b/data/json/decision_points/cvss/safety_1_0_0.json @@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "S", + "name": "Safety", + "description": "The Safety decision point is a measure of the potential for harm to humans or the environment.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "P", + "name": "Present", + "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence categories of \"marginal,\" \"critical,\" or \"catastrophic.\"" + }, + { + "key": "N", + "name": "Negligible", + "description": "Consequences of the vulnerability meet definition of IEC 61508 consequence category \"negligible.\"" + } + ] +} diff --git a/data/json/decision_points/cvss/scope_1.json b/data/json/decision_points/cvss/scope_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/scope_1.json rename to data/json/decision_points/cvss/scope_1_0_0.json index 9dbdef2e..2ed72c80 100644 --- a/data/json/decision_points/cvss/scope_1.json +++ b/data/json/decision_points/cvss/scope_1_0_0.json @@ -17,4 +17,4 @@ "description": "An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different." } ] -} \ No newline at end of file +} 
diff --git a/data/json/decision_points/cvss/subsequent_availability_impact_1.json b/data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/subsequent_availability_impact_1.json rename to data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json index 76d1190c..a7ed8c04 100644 --- a/data/json/decision_points/cvss/subsequent_availability_impact_1.json +++ b/data/json/decision_points/cvss/subsequent_availability_impact_1_0_0.json @@ -22,4 +22,4 @@ "description": "There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Subsequent System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed)." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/target_distribution_1.json b/data/json/decision_points/cvss/target_distribution_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/target_distribution_1.json rename to data/json/decision_points/cvss/target_distribution_1_0_0.json index 7cbaccec..1d86b7ca 100644 --- a/data/json/decision_points/cvss/target_distribution_1.json +++ b/data/json/decision_points/cvss/target_distribution_1_0_0.json @@ -27,4 +27,4 @@ "description": "Targets exist inside the environment on a considerable scale. Between 50% - 100% of the total environment is considered at risk." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/target_distribution_1_1.json b/data/json/decision_points/cvss/target_distribution_1_1_0.json similarity index 99% rename from data/json/decision_points/cvss/target_distribution_1_1.json rename to data/json/decision_points/cvss/target_distribution_1_1_0.json index 45d295da..bc126152 100644 --- a/data/json/decision_points/cvss/target_distribution_1_1.json 
+++ b/data/json/decision_points/cvss/target_distribution_1_1_0.json @@ -32,4 +32,4 @@ "description": "This metric value is not defined. See CVSS documentation for details." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/user_interaction_1.json b/data/json/decision_points/cvss/user_interaction_1_0_0.json similarity index 99% rename from data/json/decision_points/cvss/user_interaction_1.json rename to data/json/decision_points/cvss/user_interaction_1_0_0.json index 8c378db1..84f623ba 100644 --- a/data/json/decision_points/cvss/user_interaction_1.json +++ b/data/json/decision_points/cvss/user_interaction_1_0_0.json @@ -17,4 +17,4 @@ "description": "The vulnerable system can be exploited without interaction from any user." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/user_interaction_2.json b/data/json/decision_points/cvss/user_interaction_2_0_0.json similarity index 99% rename from data/json/decision_points/cvss/user_interaction_2.json rename to data/json/decision_points/cvss/user_interaction_2_0_0.json index 98b997d5..7794cc14 100644 --- a/data/json/decision_points/cvss/user_interaction_2.json +++ b/data/json/decision_points/cvss/user_interaction_2_0_0.json @@ -22,4 +22,4 @@ "description": "The vulnerable system can be exploited without interaction from any human user, other than the attacker." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/cvss/value_density_1_0_0.json b/data/json/decision_points/cvss/value_density_1_0_0.json new file mode 100644 index 00000000..a4f06724 --- /dev/null +++ b/data/json/decision_points/cvss/value_density_1_0_0.json 
@@ -0,0 +1,25 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "V", + "name": "Value Density", + "description": "Value Density describes the resources that the attacker will gain control over with a single exploitation event. It has two possible values, diffuse and concentrated.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "D", + "name": "Diffuse", + "description": "The vulnerable system has limited resources. That is, the resources that the attacker will gain control over with a single exploitation event are relatively small." + }, + { + "key": "C", + "name": "Concentrated", + "description": "The vulnerable system is rich in resources. Heuristically, such systems are often the direct responsibility of \"system operators\" rather than users." + } + ] +} diff --git a/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json new file mode 100644 index 00000000..71e2f3cc --- /dev/null +++ b/data/json/decision_points/cvss/vulnerability_response_effort_1_0_0.json 
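Review bot: The `description` states Value Density "has two possible values, diffuse and concentrated", but the `values` array carries three entries, including `X` (Not Defined). A reader validating an assessment against this file will see a contradiction; suggest `"... It has two defined values, Diffuse and Concentrated; X indicates the metric was not assessed."`. If this file is generated from the Python decision point, change the wording there so the next regeneration does not revert it.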
@@ -0,0 +1,30 @@ +{ + "namespace": "cvss", + "version": "1.0.0", + "schemaVersion": "1-0-1", + "key": "RE", + "name": "Vulnerability Response Effort", + "description": "The intention of the Vulnerability Response Effort metric is to provide supplemental information on how difficult it is for consumers to provide an initial response to the impact of vulnerabilities for deployed products and services in their infrastructure. The consumer can then take this additional information on effort required into consideration when applying mitigations and/or scheduling remediation.", + "values": [ + { + "key": "X", + "name": "Not Defined", + "description": "This metric value is not defined. See CVSS documentation for details." + }, + { + "key": "L", + "name": "Low", + "description": "The effort required to respond to a vulnerability is low/trivial." + }, + { + "key": "M", + "name": "Moderate", + "description": "The actions required to respond to a vulnerability require some effort on behalf of the consumer and could cause minimal service impact to implement." + }, + { + "key": "H", + "name": "High", + "description": "The actions required to respond to a vulnerability are significant and/or difficult, and may possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling purposes including honoring any embargo on deployment of the selected response. Alternatively, response to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or replacement)." + } + ] +} diff --git a/data/json/decision_points/exploitation_1_0_0.json b/data/json/decision_points/exploitation_1_0_0.json index d7099083..42242c30 100644 --- a/data/json/decision_points/exploitation_1_0_0.json +++ b/data/json/decision_points/exploitation_1_0_0.json 
@@ -22,4 +22,4 @@ "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/exploitation_1_1_0.json b/data/json/decision_points/exploitation_1_1_0.json index aed0a7af..f436738a 100644 --- a/data/json/decision_points/exploitation_1_1_0.json +++ b/data/json/decision_points/exploitation_1_1_0.json @@ -22,4 +22,4 @@ "description": "Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/human_impact_2_0_0.json b/data/json/decision_points/human_impact_2_0_0.json index ce7a8b4e..b9fec592 100644 --- a/data/json/decision_points/human_impact_2_0_0.json +++ b/data/json/decision_points/human_impact_2_0_0.json @@ -27,4 +27,4 @@ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/human_impact_2_0_1.json b/data/json/decision_points/human_impact_2_0_1.json index fd21da49..9fd6ba91 100644 --- a/data/json/decision_points/human_impact_2_0_1.json +++ b/data/json/decision_points/human_impact_2_0_1.json @@ -27,4 +27,4 @@ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json index d63cda57..20c2ad3a 100644 --- a/data/json/decision_points/mission_and_well-being_impact_1_0_0.json +++ b/data/json/decision_points/mission_and_well-being_impact_1_0_0.json @@ -22,4 +22,4 @@ "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" } ] -} \ No newline at end of file +} 
diff --git a/data/json/decision_points/mission_impact_1_0_0.json b/data/json/decision_points/mission_impact_1_0_0.json index 3ede44f1..3dd1a4ba 100644 --- a/data/json/decision_points/mission_impact_1_0_0.json +++ b/data/json/decision_points/mission_impact_1_0_0.json @@ -29,7 +29,7 @@ { "key": "MF", "name": "Mission Failure", - "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails" + "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/mission_impact_2_0_0.json b/data/json/decision_points/mission_impact_2_0_0.json index d1a578a3..51f392e9 100644 --- a/data/json/decision_points/mission_impact_2_0_0.json +++ b/data/json/decision_points/mission_impact_2_0_0.json @@ -24,7 +24,7 @@ { "key": "MF", "name": "Mission Failure", - "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization\u2019s ability to deliver its overall mission fails" + "description": "Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/public_safety_impact_2_0_0.json b/data/json/decision_points/public_safety_impact_2_0_0.json index 4cf25b4f..03eaa0d8 100644 --- a/data/json/decision_points/public_safety_impact_2_0_0.json +++ b/data/json/decision_points/public_safety_impact_2_0_0.json @@ -17,4 +17,4 @@ "description": "Safety Impact:(Major OR Hazardous OR Catastrophic)" } ] -} \ No newline at end of file +} 
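Review bot: Replacing the escaped `\u2019` with a literal `’` turns mission_impact_1_0_0.json into a non-ASCII file; any consumer that reads it with `open(path)` and no explicit encoding will, under a non-UTF-8 default locale, either fail to decode or parse the apostrophe as mojibake, and the two forms compare unequal if anyone diffs the strings rather than the parsed JSON. Make sure the loader uses `json.load(open(path, encoding="utf-8"))` (or the equivalent) and that the generator consistently writes with `ensure_ascii=False`, otherwise the escaped and literal forms will flip-flop between regenerations. The same applies to the mission_impact_2_0_0 and safety_impact hunks in this commit.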
diff --git a/data/json/decision_points/public_safety_impact_2_0_1.json b/data/json/decision_points/public_safety_impact_2_0_1.json index 2f76bbff..e61afe04 100644 --- a/data/json/decision_points/public_safety_impact_2_0_1.json +++ b/data/json/decision_points/public_safety_impact_2_0_1.json @@ -17,4 +17,4 @@ "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/public_value_added_1_0_0.json b/data/json/decision_points/public_value_added_1_0_0.json index 772e5de0..a376f8bb 100644 --- a/data/json/decision_points/public_value_added_1_0_0.json +++ b/data/json/decision_points/public_value_added_1_0_0.json @@ -22,4 +22,4 @@ "description": "The publication would be the first publicly available, or be coincident with the first publicly available." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/public_well-being_impact_1_0_0.json b/data/json/decision_points/public_well-being_impact_1_0_0.json index a963ea06..2b1c02bd 100644 --- a/data/json/decision_points/public_well-being_impact_1_0_0.json +++ b/data/json/decision_points/public_well-being_impact_1_0_0.json @@ -22,4 +22,4 @@ "description": "Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A " } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/report_credibility_1_0_0.json b/data/json/decision_points/report_credibility_1_0_0.json index f9ff77f7..06f2d323 100644 
--- a/data/json/decision_points/report_credibility_1_0_0.json +++ b/data/json/decision_points/report_credibility_1_0_0.json @@ -17,4 +17,4 @@ "description": "The report is credible." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/report_public_1_0_0.json b/data/json/decision_points/report_public_1_0_0.json index 67151fd2..ba36050a 100644 --- a/data/json/decision_points/report_public_1_0_0.json +++ b/data/json/decision_points/report_public_1_0_0.json @@ -17,4 +17,4 @@ "description": "No public report of the vulnerability exists." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/safety_impact_1_0_0.json b/data/json/decision_points/safety_impact_1_0_0.json index e25fc5d3..7aadf352 100644 --- a/data/json/decision_points/safety_impact_1_0_0.json +++ b/data/json/decision_points/safety_impact_1_0_0.json 
@@ -24,7 +24,7 @@ { "key": "H", "name": "Hazardous", - "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." }, { "key": "C", 
@@ -32,4 +32,4 @@ "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/safety_impact_2_0_0.json b/data/json/decision_points/safety_impact_2_0_0.json index 0c78a0e6..19d74d6b 100644 --- a/data/json/decision_points/safety_impact_2_0_0.json +++ b/data/json/decision_points/safety_impact_2_0_0.json @@ -19,7 +19,7 @@ { "key": "R", "name": "Critical", - "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system\u2019s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." + "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." }, { "key": "C", @@ -27,4 +27,4 @@ "description": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_cardinality_1_0_0.json b/data/json/decision_points/supplier_cardinality_1_0_0.json index b4ad4c7c..0adc8300 100644 --- a/data/json/decision_points/supplier_cardinality_1_0_0.json +++ b/data/json/decision_points/supplier_cardinality_1_0_0.json @@ -17,4 +17,4 @@ "description": "There are multiple suppliers of the vulnerable component." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_contacted_1_0_0.json b/data/json/decision_points/supplier_contacted_1_0_0.json index 8eaf7976..2cceb5ed 100644 --- a/data/json/decision_points/supplier_contacted_1_0_0.json +++ b/data/json/decision_points/supplier_contacted_1_0_0.json @@ -17,4 +17,4 @@ "description": "The supplier has been contacted." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_engagement_1_0_0.json b/data/json/decision_points/supplier_engagement_1_0_0.json index 2f741598..ffd69c94 100644 --- a/data/json/decision_points/supplier_engagement_1_0_0.json +++ b/data/json/decision_points/supplier_engagement_1_0_0.json 
@@ -4,17 +4,17 @@ "schemaVersion": "1-0-1", "key": "SE", "name": "Supplier Engagement", - "description": "Is the supplier responding to the reporter\u2019s contact effort and actively participating in the coordination effort?", + "description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?", "values": [ { "key": "A", "name": "Active", - "description": "The supplier is responding to the reporter\u2019s contact effort and actively participating in the coordination effort." + "description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort." }, { "key": "U", "name": "Unresponsive", - "description": "The supplier is not responding to the reporter\u2019s contact effort and not actively participating in the coordination effort." + "description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/supplier_involvement_1_0_0.json b/data/json/decision_points/supplier_involvement_1_0_0.json index e43b79c7..d9c5b433 100644 --- a/data/json/decision_points/supplier_involvement_1_0_0.json +++ b/data/json/decision_points/supplier_involvement_1_0_0.json @@ -4,7 +4,7 @@ "schemaVersion": "1-0-1", "key": "SI", "name": "Supplier Involvement", - "description": "What is the state of the supplier\u2019s work on addressing the vulnerability?", + "description": "What is the state of the supplier’s work on addressing the vulnerability?", "values": [ { "key": "FR", @@ -22,4 +22,4 @@ "description": "The supplier has not responded, declined to generate a remediation, or no longer exists." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/system_exposure_1_0_0.json b/data/json/decision_points/system_exposure_1_0_0.json index 5b77eb1b..45671101 100644 
--- a/data/json/decision_points/system_exposure_1_0_0.json +++ b/data/json/decision_points/system_exposure_1_0_0.json @@ -14,7 +14,7 @@ { "key": "C", "name": "Controlled", - "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." }, { "key": "U", @@ -22,4 +22,4 @@ "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/system_exposure_1_0_1.json b/data/json/decision_points/system_exposure_1_0_1.json index d2fca848..a6b713d4 100644 --- a/data/json/decision_points/system_exposure_1_0_1.json +++ b/data/json/decision_points/system_exposure_1_0_1.json 
@@ -14,7 +14,7 @@ { "key": "C", "name": "Controlled", - "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary\u2019s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." + "description": "Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small." }, { "key": "O", @@ -22,4 +22,4 @@ "description": "Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers)" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/technical_impact_1_0_0.json b/data/json/decision_points/technical_impact_1_0_0.json index 6b9c8676..5f3c7375 100644 --- a/data/json/decision_points/technical_impact_1_0_0.json +++ b/data/json/decision_points/technical_impact_1_0_0.json 
@@ -17,4 +17,4 @@ "description": "The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/utility_1_0_0.json b/data/json/decision_points/utility_1_0_0.json index a54ebebd..033b00a3 100644 --- a/data/json/decision_points/utility_1_0_0.json +++ b/data/json/decision_points/utility_1_0_0.json @@ -22,4 +22,4 @@ "description": "Virulence:Rapid and Value Density:Concentrated" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/utility_1_0_1.json b/data/json/decision_points/utility_1_0_1.json index 53e39a8a..79091345 100644 --- a/data/json/decision_points/utility_1_0_1.json +++ b/data/json/decision_points/utility_1_0_1.json @@ -22,4 +22,4 @@ "description": "Automatable:Yes AND Value Density:Concentrated" } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/value_density_1_0_0.json b/data/json/decision_points/value_density_1_0_0.json index f0022b5e..725b53fe 100644 --- a/data/json/decision_points/value_density_1_0_0.json +++ b/data/json/decision_points/value_density_1_0_0.json @@ -14,7 +14,7 @@ { "key": "C", "name": "Concentrated", - "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of \u201csystem operators\u201d rather than users." + "description": "The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users." } ] -} \ No newline at end of file +} diff --git a/data/json/decision_points/virulence_1_0_0.json b/data/json/decision_points/virulence_1_0_0.json index 98eee786..5d2200d9 100644 --- a/data/json/decision_points/virulence_1_0_0.json +++ b/data/json/decision_points/virulence_1_0_0.json 
@@ -17,4 +17,4 @@ "description": "Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid." } ] -} \ No newline at end of file +} diff --git a/docs/_generated/decision_points/automatable.md b/docs/_generated/decision_points/automatable.md deleted file mode 120000 index a8229e62..00000000 --- a/docs/_generated/decision_points/automatable.md +++ /dev/null @@ -1 +0,0 @@ -automatable_2_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/automatable_2_0_0.md b/docs/_generated/decision_points/automatable_2_0_0.md deleted file mode 100644 index 20084953..00000000 --- a/docs/_generated/decision_points/automatable_2_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Automatable v2.0.0" - -=== "Text" - - Can an attacker reliably automate creating exploitation events for this vulnerability? - - | Value | Definition | - |:-----|:-----------| - | No | Attackers cannot reliably automate steps 1-4 of the kill chain for this vulnerability. These steps are (1) reconnaissance, (2) weaponization, (3) delivery, and (4) exploitation. | - | Yes | Attackers can reliably automate steps 1-4 of the kill chain. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/automatable_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/exploitation.md b/docs/_generated/decision_points/exploitation.md deleted file mode 120000 index 083c9359..00000000 --- a/docs/_generated/decision_points/exploitation.md +++ /dev/null @@ -1 +0,0 @@ -exploitation_1_1_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/exploitation_1_0_0.md b/docs/_generated/decision_points/exploitation_1_0_0.md deleted file mode 100644 index a4ab75dd..00000000 --- a/docs/_generated/decision_points/exploitation_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Exploitation v1.0.0" - -=== "Text" - - The present state of exploitation of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. | - | PoC | One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as Metasploit or ExploitDB; or (4) the vulnerability has a well-known method of exploitation. | - | Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/exploitation_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/exploitation_1_1_0.md b/docs/_generated/decision_points/exploitation_1_1_0.md deleted file mode 100644 index 910b8080..00000000 --- a/docs/_generated/decision_points/exploitation_1_1_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Exploitation v1.1.0" - -=== "Text" - - The present state of exploitation of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability. | - | Public PoC | One of the following is true: (1) Typical public PoC exists in sources such as Metasploit or websites like ExploitDB; or (2) the vulnerability has a well-known method of exploitation. | - | Active | Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/exploitation_1_1_0.json" %} - ``` 
diff --git a/docs/_generated/decision_points/human_impact.md b/docs/_generated/decision_points/human_impact.md deleted file mode 120000 index 22faf37a..00000000 --- a/docs/_generated/decision_points/human_impact.md +++ /dev/null @@ -1 +0,0 @@ -human_impact_2_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/human_impact_2_0_0.md b/docs/_generated/decision_points/human_impact_2_0_0.md deleted file mode 100644 index 15ff4c86..00000000 --- a/docs/_generated/decision_points/human_impact_2_0_0.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Human Impact v2.0.0" - -=== "Text" - - Human Impact is a combination of Safety and Mission impacts. - - | Value | Definition | - |:-----|:-----------| - | Low | Safety Impact:(None OR Minor) AND Mission Impact:(None OR Degraded OR Crippled) | - | Medium | (Safety Impact:(None OR Minor) AND Mission Impact:MEF Failure) OR (Safety Impact:Major AND Mission Impact:(None OR Degraded OR Crippled)) | - | High | (Safety Impact:Hazardous AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Major AND Mission Impact:MEF Failure) | - | Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/human_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/human_impact_2_0_1.md b/docs/_generated/decision_points/human_impact_2_0_1.md deleted file mode 100644 index 122c1d7c..00000000 --- a/docs/_generated/decision_points/human_impact_2_0_1.md +++ /dev/null 
@@ -1,19 +0,0 @@ - -!!! note "Human Impact v2.0.1" - -=== "Text" - - Human Impact is a combination of Safety and Mission impacts. - - | Value | Definition | - |:-----|:-----------| - | Low | Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled) | - | Medium | (Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled)) | - | High | (Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure) | - | Very High | Safety Impact:Catastrophic OR Mission Impact:Mission Failure | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/human_impact_2_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_and_well-being_impact.md b/docs/_generated/decision_points/mission_and_well-being_impact.md deleted file mode 120000 index ffa452e7..00000000 --- a/docs/_generated/decision_points/mission_and_well-being_impact.md +++ /dev/null @@ -1 +0,0 @@ -mission_and_well-being_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md b/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md deleted file mode 100644 index 7a8affcd..00000000 --- a/docs/_generated/decision_points/mission_and_well-being_impact_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Mission and Well-Being Impact v1.0.0" - -=== "Text" - - Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact. - - | Value | Definition | - |:-----|:-----------| - | Low | Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal | - | Medium | Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material) | - | High | Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_and_well-being_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_impact.md b/docs/_generated/decision_points/mission_impact.md deleted file mode 120000 index 938009ab..00000000 --- a/docs/_generated/decision_points/mission_impact.md +++ /dev/null @@ -1 +0,0 @@ -mission_impact_2_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/mission_impact_1_0_0.md b/docs/_generated/decision_points/mission_impact_1_0_0.md deleted file mode 100644 index e97cba5a..00000000 --- a/docs/_generated/decision_points/mission_impact_1_0_0.md +++ /dev/null 
@@ -1,20 +0,0 @@ - -!!! note "Mission Impact v1.0.0" - -=== "Text" - - Impact on Mission Essential Functions of the Organization - - | Value | Definition | - |:-----|:-----------| - | None | Little to no impact | - | Non-Essential Degraded | Degradation of non-essential functions; chronic degradation would eventually harm essential functions | - | MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time | - | MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time | - | Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/mission_impact_2_0_0.md b/docs/_generated/decision_points/mission_impact_2_0_0.md deleted file mode 100644 index 4738bf7a..00000000 --- a/docs/_generated/decision_points/mission_impact_2_0_0.md +++ /dev/null 
@@ -1,19 +0,0 @@ - -!!! note "Mission Impact v2.0.0" - -=== "Text" - - Impact on Mission Essential Functions of the Organization - - | Value | Definition | - |:-----|:-----------| - | Degraded | Little to no impact up to degradation of non-essential functions; chronic degradation would eventually harm essential functions | - | MEF Support Crippled | Activities that directly support essential functions are crippled; essential functions continue for a time | - | MEF Failure | Any one mission essential function fails for period of time longer than acceptable; overall mission of the organization degraded but can still be accomplished for a time | - | Mission Failure | Multiple or all mission essential functions fail; ability to recover those functions degraded; organization’s ability to deliver its overall mission fails | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/mission_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/public_safety_impact.md b/docs/_generated/decision_points/public_safety_impact.md deleted file mode 120000 index d2071e3b..00000000 --- a/docs/_generated/decision_points/public_safety_impact.md +++ /dev/null @@ -1 +0,0 @@ -public_safety_impact_2_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_safety_impact_2_0_0.md b/docs/_generated/decision_points/public_safety_impact_2_0_0.md deleted file mode 100644 index 4566df3b..00000000 --- a/docs/_generated/decision_points/public_safety_impact_2_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Public Safety Impact v2.0.0" - -=== "Text" - - A coarse-grained representation of impact to public safety. - - | Value | Definition | - |:-----|:-----------| - | Minimal | Safety Impact:(None OR Minor) | - | Significant | Safety Impact:(Major OR Hazardous OR Catastrophic) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_safety_impact_2_0_0.json" %} - ``` 
diff --git a/docs/_generated/decision_points/public_safety_impact_2_0_1.md b/docs/_generated/decision_points/public_safety_impact_2_0_1.md deleted file mode 100644 index 1d561484..00000000 --- a/docs/_generated/decision_points/public_safety_impact_2_0_1.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Public Safety Impact v2.0.1" - -=== "Text" - - A coarse-grained representation of impact to public safety. - - | Value | Definition | - |:-----|:-----------| - | Minimal | Safety Impact:Negligible | - | Significant | Safety Impact:(Marginal OR Critical OR Catastrophic) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_safety_impact_2_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/public_value_added.md b/docs/_generated/decision_points/public_value_added.md deleted file mode 120000 index b185dcb5..00000000 --- a/docs/_generated/decision_points/public_value_added.md +++ /dev/null @@ -1 +0,0 @@ -public_value_added_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_value_added_1_0_0.md b/docs/_generated/decision_points/public_value_added_1_0_0.md deleted file mode 100644 index daa27817..00000000 --- a/docs/_generated/decision_points/public_value_added_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Public Value Added v1.0.0" - -=== "Text" - - How much value would a publication from the coordinator benefit the broader community? - - | Value | Definition | - |:-----|:-----------| - | Limited | Minimal value added to the existing public information because existing information is already high quality and in multiple outlets. | - | Ampliative | Amplifies and/or augments the existing public information about the vulnerability, for example, adds additional detail, addresses or corrects errors in other public information, draws further attention to the vulnerability, etc. | - | Precedence | The publication would be the first publicly available, or be coincident with the first publicly available. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_value_added_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/public_well-being_impact.md b/docs/_generated/decision_points/public_well-being_impact.md deleted file mode 120000 index 52bbe1c7..00000000 --- a/docs/_generated/decision_points/public_well-being_impact.md +++ /dev/null @@ -1 +0,0 @@ -public_well-being_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/public_well-being_impact_1_0_0.md b/docs/_generated/decision_points/public_well-being_impact_1_0_0.md deleted file mode 100644 index ae6c11e5..00000000 --- a/docs/_generated/decision_points/public_well-being_impact_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Public Well-Being Impact v1.0.0" - -=== "Text" - - A coarse-grained representation of impact to public well-being. - - | Value | Definition | - |:-----|:-----------| - | Minimal | The effect is below the threshold for all aspects described in material. | - | Material | Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. | - | Irreversible | Any one or more of these conditions hold. Physical harm: One or both of the following are true: (a) Multiple fatalities are likely.(b) The cyber-physical system, of which the vulnerable componen is a part, is likely lost or destroyed. Environment: Extreme or serious externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) are imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software are destabilized and potentially collapse. Psychological: N/A | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/public_well-being_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/report_credibility.md b/docs/_generated/decision_points/report_credibility.md deleted file mode 120000 index 549fae08..00000000 --- a/docs/_generated/decision_points/report_credibility.md +++ /dev/null @@ -1 +0,0 @@ -report_credibility_1_0_0.md \ No newline at end of file 
diff --git a/docs/_generated/decision_points/report_credibility_1_0_0.md b/docs/_generated/decision_points/report_credibility_1_0_0.md deleted file mode 100644 index 09f5d64d..00000000 --- a/docs/_generated/decision_points/report_credibility_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Report Credibility v1.0.0" - -=== "Text" - - Is the report credible? - - | Value | Definition | - |:-----|:-----------| - | Not Credible | The report is not credible. | - | Credible | The report is credible. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/report_credibility_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/report_public.md b/docs/_generated/decision_points/report_public.md deleted file mode 120000 index 1bd15fd2..00000000 --- a/docs/_generated/decision_points/report_public.md +++ /dev/null @@ -1 +0,0 @@ -report_public_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/report_public_1_0_0.md b/docs/_generated/decision_points/report_public_1_0_0.md deleted file mode 100644 index 997c8d5e..00000000 --- a/docs/_generated/decision_points/report_public_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Report Public v1.0.0" - -=== "Text" - - Is a viable report of the details of the vulnerability already publicly available? - - | Value | Definition | - |:-----|:-----------| - | Yes | A public report of the vulnerability exists. | - | No | No public report of the vulnerability exists. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/report_public_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/safety_impact.md b/docs/_generated/decision_points/safety_impact.md deleted file mode 120000 index e3cfa4d7..00000000 --- a/docs/_generated/decision_points/safety_impact.md +++ /dev/null @@ -1 +0,0 @@ -safety_impact_2_0_0.md \ No newline at end of file 
diff --git a/docs/_generated/decision_points/safety_impact_1_0_0.md b/docs/_generated/decision_points/safety_impact_1_0_0.md deleted file mode 100644 index 0575b6e1..00000000 --- a/docs/_generated/decision_points/safety_impact_1_0_0.md +++ /dev/null 
@@ -1,20 +0,0 @@ - -!!! note "Safety Impact v1.0.0" - -=== "Text" - - The safety impact of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | None | The effect is below the threshold for all aspects described in Minor. | - | Minor | Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons. | - | Major | Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. 
Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people. | - | Hazardous | Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A. | - | Catastrophic | Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/safety_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/safety_impact_2_0_0.md b/docs/_generated/decision_points/safety_impact_2_0_0.md deleted file mode 100644 index 61326a77..00000000 
--- a/docs/_generated/decision_points/safety_impact_2_0_0.md +++ /dev/null @@ -1,19 +0,0 @@ - -!!! note "Safety Impact v2.0.0" - -=== "Text" - - The safety impact of the vulnerability. (based on IEC 61508) - - | Value | Definition | - |:-----|:-----------| - | Negligible | Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons. | - | Marginal | Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people. | - | Critical | Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A. | - | Catastrophic | Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/safety_impact_2_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_cardinality.md b/docs/_generated/decision_points/supplier_cardinality.md deleted file mode 120000 index 518ef0e7..00000000 --- a/docs/_generated/decision_points/supplier_cardinality.md +++ /dev/null @@ -1 +0,0 @@ -supplier_cardinality_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_cardinality_1_0_0.md b/docs/_generated/decision_points/supplier_cardinality_1_0_0.md deleted file mode 100644 index 91874a69..00000000 --- a/docs/_generated/decision_points/supplier_cardinality_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Supplier Cardinality v1.0.0" - -=== "Text" - - How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan? - - | Value | Definition | - |:-----|:-----------| - | One | There is only one supplier of the vulnerable component. | - | Multiple | There are multiple suppliers of the vulnerable component. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_cardinality_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_contacted.md b/docs/_generated/decision_points/supplier_contacted.md deleted file mode 120000 index 7a40d514..00000000 --- a/docs/_generated/decision_points/supplier_contacted.md +++ /dev/null @@ -1 +0,0 @@ -supplier_contacted_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_contacted_1_0_0.md b/docs/_generated/decision_points/supplier_contacted_1_0_0.md deleted file mode 100644 index 57964ada..00000000 --- a/docs/_generated/decision_points/supplier_contacted_1_0_0.md +++ /dev/null 
@@ -1,17 +0,0 @@ - -!!! note "Supplier Contacted v1.0.0" - -=== "Text" - - Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method? - - | Value | Definition | - |:-----|:-----------| - | No | The supplier has not been contacted. | - | Yes | The supplier has been contacted. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_contacted_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_engagement.md b/docs/_generated/decision_points/supplier_engagement.md deleted file mode 120000 index 7a13d88e..00000000 --- a/docs/_generated/decision_points/supplier_engagement.md +++ /dev/null @@ -1 +0,0 @@ -supplier_engagement_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_engagement_1_0_0.md b/docs/_generated/decision_points/supplier_engagement_1_0_0.md deleted file mode 100644 index 4ab0298f..00000000 --- a/docs/_generated/decision_points/supplier_engagement_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Supplier Engagement v1.0.0" - -=== "Text" - - Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort? - - | Value | Definition | - |:-----|:-----------| - | Active | The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort. | - | Unresponsive | The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_engagement_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/supplier_involvement.md b/docs/_generated/decision_points/supplier_involvement.md deleted file mode 120000 index 9f97027b..00000000 --- a/docs/_generated/decision_points/supplier_involvement.md +++ /dev/null 
@@ -1 +0,0 @@ -supplier_involvement_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/supplier_involvement_1_0_0.md b/docs/_generated/decision_points/supplier_involvement_1_0_0.md deleted file mode 100644 index d11d3d6d..00000000 --- a/docs/_generated/decision_points/supplier_involvement_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Supplier Involvement v1.0.0" - -=== "Text" - - What is the state of the supplier’s work on addressing the vulnerability? - - | Value | Definition | - |:-----|:-----------| - | Fix Ready | The supplier has provided a patch or fix. | - | Cooperative | The supplier is actively generating a patch or fix; they may or may not have provided a mitigation or work-around in the mean time. | - | Uncooperative/Unresponsive | The supplier has not responded, declined to generate a remediation, or no longer exists. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/supplier_involvement_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/system_exposure.md b/docs/_generated/decision_points/system_exposure.md deleted file mode 120000 index 38c20e7b..00000000 --- a/docs/_generated/decision_points/system_exposure.md +++ /dev/null @@ -1 +0,0 @@ -system_exposure_1_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/system_exposure_1_0_0.md b/docs/_generated/decision_points/system_exposure_1_0_0.md deleted file mode 100644 index f5d02ec8..00000000 --- a/docs/_generated/decision_points/system_exposure_1_0_0.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "System Exposure v1.0.0" - -=== "Text" - - The Accessible Attack Surface of the Affected System or Service - - | Value | Definition | - |:-----|:-----------| - | Small | Local service or program; highly controlled network | - | Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. | - | Unavoidable | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/system_exposure_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/system_exposure_1_0_1.md b/docs/_generated/decision_points/system_exposure_1_0_1.md deleted file mode 100644 index a24beb92..00000000 --- a/docs/_generated/decision_points/system_exposure_1_0_1.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "System Exposure v1.0.1" - -=== "Text" - - The Accessible Attack Surface of the Affected System or Service - - | Value | Definition | - |:-----|:-----------| - | Small | Local service or program; highly controlled network | - | Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. Controlled covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then exposure should be small. | - | Open | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/system_exposure_1_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/technical_impact.md b/docs/_generated/decision_points/technical_impact.md deleted file mode 120000 index 8418d098..00000000 --- a/docs/_generated/decision_points/technical_impact.md +++ /dev/null @@ -1 +0,0 @@ -technical_impact_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/technical_impact_1_0_0.md b/docs/_generated/decision_points/technical_impact_1_0_0.md deleted file mode 100644 index 543f744d..00000000 --- a/docs/_generated/decision_points/technical_impact_1_0_0.md +++ /dev/null 
@@ -1,17 +0,0 @@ - -!!! note "Technical Impact v1.0.0" - -=== "Text" - - The technical impact of the vulnerability. - - | Value | Definition | - |:-----|:-----------| - | Partial | The exploit gives the adversary limited control over, or information exposure about, the behavior of the software that contains the vulnerability. Or the exploit gives the adversary an importantly low stochastic opportunity for total control. | - | Total | The exploit gives the adversary total control over the behavior of the software, or it gives total disclosure of all information on the system that contains the vulnerability. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/technical_impact_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/utility.md b/docs/_generated/decision_points/utility.md deleted file mode 120000 index 73464668..00000000 --- a/docs/_generated/decision_points/utility.md +++ /dev/null @@ -1 +0,0 @@ -utility_1_0_1.md \ No newline at end of file diff --git a/docs/_generated/decision_points/utility_1_0_0.md b/docs/_generated/decision_points/utility_1_0_0.md deleted file mode 100644 index f05120fa..00000000 --- a/docs/_generated/decision_points/utility_1_0_0.md +++ /dev/null @@ -1,18 +0,0 @@ - -!!! note "Utility v1.0.0" - -=== "Text" - - The Usefulness of the Exploit to the Adversary - - | Value | Definition | - |:-----|:-----------| - | Laborious | Virulence:Slow and Value Density:Diffuse | - | Efficient | Virulence:Rapid and Value Density:Diffuse OR Virulence:Slow and Value Density:Concentrated | - | Super Effective | Virulence:Rapid and Value Density:Concentrated | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/utility_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/utility_1_0_1.md b/docs/_generated/decision_points/utility_1_0_1.md deleted file mode 100644 index 3111782d..00000000 --- a/docs/_generated/decision_points/utility_1_0_1.md +++ /dev/null 
@@ -1,18 +0,0 @@ - -!!! note "Utility v1.0.1" - -=== "Text" - - The Usefulness of the Exploit to the Adversary - - | Value | Definition | - |:-----|:-----------| - | Laborious | Automatable:No AND Value Density:Diffuse | - | Efficient | (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated) | - | Super Effective | Automatable:Yes AND Value Density:Concentrated | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/utility_1_0_1.json" %} - ``` diff --git a/docs/_generated/decision_points/value_density.md b/docs/_generated/decision_points/value_density.md deleted file mode 120000 index d65e392d..00000000 --- a/docs/_generated/decision_points/value_density.md +++ /dev/null @@ -1 +0,0 @@ -value_density_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/value_density_1_0_0.md b/docs/_generated/decision_points/value_density_1_0_0.md deleted file mode 100644 index e23853ce..00000000 --- a/docs/_generated/decision_points/value_density_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Value Density v1.0.0" - -=== "Text" - - The concentration of value in the target - - | Value | Definition | - |:-----|:-----------| - | Diffuse | The system that contains the vulnerable component has limited resources. That is, the resources that the adversary will gain control over with a single exploitation event are relatively small. | - | Concentrated | The system that contains the vulnerable component is rich in resources. Heuristically, such systems are often the direct responsibility of “system operators” rather than users. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/value_density_1_0_0.json" %} - ``` diff --git a/docs/_generated/decision_points/virulence.md b/docs/_generated/decision_points/virulence.md deleted file mode 120000 index e14f67c6..00000000 --- a/docs/_generated/decision_points/virulence.md +++ /dev/null 
@@ -1 +0,0 @@ -virulence_1_0_0.md \ No newline at end of file diff --git a/docs/_generated/decision_points/virulence_1_0_0.md b/docs/_generated/decision_points/virulence_1_0_0.md deleted file mode 100644 index a8c231ee..00000000 --- a/docs/_generated/decision_points/virulence_1_0_0.md +++ /dev/null @@ -1,17 +0,0 @@ - -!!! note "Virulence v1.0.0" - -=== "Text" - - The speed at which the vulnerability can be exploited. - - | Value | Definition | - |:-----|:-----------| - | Slow | Steps 1-4 of the kill chain cannot be reliably automated for this vulnerability for some reason. These steps are reconnaissance, weaponization, delivery, and exploitation. | - | Rapid | Steps 1-4 of the of the kill chain can be reliably automated. If the vulnerability allows remote code execution or command injection, the default response should be rapid. | - -=== "JSON" - - ```json - {% include "../../../data/json/decision_points/virulence_1_0_0.json" %} - ``` diff --git a/docs/howto/acuity_ramp.md b/docs/howto/acuity_ramp.md index 13e4a2be..af3b467b 100644 --- a/docs/howto/acuity_ramp.md +++ b/docs/howto/acuity_ramp.md @@ -92,7 +92,12 @@ data collection and analysis capabilities increase. We demonstrate this with the [Exploit Prediction Scoring System](https://www.first.org/epss/) ([EPSS](https://www.first.org/epss/)) into their decision model. - {% include-markdown "../_generated/decision_points/exploitation_1_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.exploitation import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Asset Management (Acuity Level 3) 
@@ -100,7 +105,12 @@ data collection and analysis capabilities increase. We demonstrate this with the asset data to reflect the degree to which a system is exposed to the internet, allowing them to incorporate the `SYSTEM_EXPOSURE_1_0_1` decision point into their decision model. - {% include-markdown "../_generated/decision_points/system_exposure_1_0_1.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.system_exposure import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Threat and Vulnerability Analysis (Acuity Level 4) @@ -111,7 +121,12 @@ data collection and analysis capabilities increase. We demonstrate this with the [National Vulnerability Database](https://nvd.nist.gov/) ([NVD](https://nvd.nist.gov/)) or by translating CVSS v3 or v4 scores into a value for this decision point. - {% include-markdown "../_generated/decision_points/automatable_2_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.automatable import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` ### Improved Mission and Safety Impact Understanding (Acuity Level 5) 
@@ -119,8 +134,15 @@ data collection and analysis capabilities increase. We demonstrate this with the degree to which a vulnerability impacts both their mission and public safety, allowing them to incorporate the `MISSION_IMPACT_2` and `SAFETY_IMPACT_1` decision points into their decision model. - {% include-markdown "../_generated/decision_points/mission_impact_2_0_0.md" %} - {% include-markdown "../_generated/decision_points/safety_impact_1_0_0.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.mission_impact import LATEST as MI + from ssvc.decision_points.safety_impact import LATEST as SI + + from ssvc.doc_helpers import example_block + + print(example_block(MI)) + print(example_block(SI)) + ``` In this way, the organization can grow into a more detailed decision model as their understanding and capabilities improve. diff --git a/docs/howto/bootstrap/use.md b/docs/howto/bootstrap/use.md index cbf9a4db..0f7ed8d1 100644 --- a/docs/howto/bootstrap/use.md +++ b/docs/howto/bootstrap/use.md @@ -139,7 +139,12 @@ If the analyst knows nothing, all states are possible. For example, [Utility](../../reference/decision_points/utility.md) may be [laborious](../../reference/decision_points/utility.md), [efficient](../../reference/decision_points/utility.md), or [super effective](../../reference/decision_points/system_exposure.md). - {% include-markdown "../../_generated/decision_points/utility.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.utility import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` The reason a stakeholder might publish a decision point with all its possible values is that doing so expresses that the analyst thought about [*Utility*](#utility) but does not have anything to communicate. A stakeholder might have information to communicate about some decision points but not others. 
@@ -151,9 +156,19 @@ The merit in this “list all values” approach emerges when the stakeholder kn Extending the previous example, say the analyst knows that [*Value Density*](../../reference/decision_points/value_density.md) is [diffuse](../../reference/decision_points/value_density.md) but does not know the value for [Automatability](../../reference/decision_points/automatable.md). - {% include-markdown "../../_generated/decision_points/value_density.md" %} + ```python exec="true" idprefix="" + from ssvc.decision_points.value_density import LATEST + from ssvc.doc_helpers import example_block + + print(example_block(LATEST)) + ``` + + ```python exec="true" idprefix="" + from ssvc.decision_points.automatable import LATEST + from ssvc.doc_helpers import example_block - {% include-markdown "../../_generated/decision_points/automatable.md" %} + print(example_block(LATEST)) + ``` Therefore they could rule out [super effective](../../reference/decision_points/utility.md) for [Utility](../../reference/decision_points/utility.md) diff --git a/docs/howto/coordination_triage_decision.md b/docs/howto/coordination_triage_decision.md index 18ef5d5c..ec5bf7f1 100644 --- a/docs/howto/coordination_triage_decision.md +++ b/docs/howto/coordination_triage_decision.md 
@@ -85,13 +85,19 @@ The remaining five decision points are: More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/report_public.md" %} -{% include-markdown "../_generated/decision_points/supplier_contacted.md" %} -{% include-markdown "../_generated/decision_points/report_credibility.md" %} -{% include-markdown "../_generated/decision_points/supplier_cardinality.md" %} -{% include-markdown "../_generated/decision_points/supplier_engagement.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_public import LATEST as RP +from ssvc.decision_points.supplier_contacted import LATEST as SC +from ssvc.decision_points.report_credibility import LATEST as RC +from ssvc.decision_points.supplier_cardinality import LATEST as SI +from ssvc.decision_points.supplier_engagement import LATEST as SE +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.public_safety_impact import LATEST as PSI +from ssvc.doc_helpers import example_block + +for dp in [RP, SC, RC, SI, SE, U, PSI]: + print(example_block(dp)) +``` ## Coordinator Triage Decision Model diff --git a/docs/howto/deployer_tree.md b/docs/howto/deployer_tree.md index 68853bc0..e6683150 100644 --- a/docs/howto/deployer_tree.md +++ b/docs/howto/deployer_tree.md 
@@ -114,10 +114,16 @@ The Deployer Patch Deployment Priority decision model uses the following decisio More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/system_exposure.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/human_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.system_exposure import LATEST as SE +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.human_impact import LATEST as HI +from ssvc.doc_helpers import example_block + +for dp in [EXP, SE, U, HI]: + print(example_block(dp)) +``` In the _Human Impact_ table above, *MEF* stands for Mission Essential Function. diff --git a/docs/howto/publication_decision.md b/docs/howto/publication_decision.md index a19a93d7..f727af0b 100644 --- a/docs/howto/publication_decision.md +++ b/docs/howto/publication_decision.md 
@@ -136,10 +136,16 @@ and adds two new ones ([*Supplier Involvement*](../reference/decision_points/sup More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/supplier_involvement.md" %} -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/public_value_added.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_involvement import LATEST as SI +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.public_value_added import LATEST as PVA +from ssvc.doc_helpers import example_block + +for dp in [SI, EXP, PVA]: + print(example_block(dp)) +``` ## Coordinator Publication Decision Model diff --git a/docs/howto/supplier_tree.md b/docs/howto/supplier_tree.md index 380a1177..fc165e57 100644 --- a/docs/howto/supplier_tree.md +++ b/docs/howto/supplier_tree.md @@ -71,10 +71,17 @@ The decision to create a patch is based on the following decision points: More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. -{% include-markdown "../_generated/decision_points/exploitation.md" %} -{% include-markdown "../_generated/decision_points/utility.md" %} -{% include-markdown "../_generated/decision_points/technical_impact.md" %} -{% include-markdown "../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST as EXP +from ssvc.decision_points.utility import LATEST as U +from ssvc.decision_points.technical_impact import LATEST as TI +from ssvc.decision_points.public_safety_impact import LATEST as PSI + +from ssvc.doc_helpers import example_block + +for dp in [EXP, U, TI, PSI]: + print(example_block(dp)) +``` !!! tip "Public Safety Impact is a notational convenience" 
diff --git a/docs/reference/decision_points/automatable.md b/docs/reference/decision_points/automatable.md index 9b74a09b..171c7cbb 100644 --- a/docs/reference/decision_points/automatable.md +++ b/docs/reference/decision_points/automatable.md @@ -1,6 +1,13 @@ # Automatable -{% include-markdown "../../_generated/decision_points/automatable.md" %} + +```python exec="true" idprefix="" +from ssvc.decision_points.automatable import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + !!! tip "See also" @@ -57,8 +64,15 @@ Due to vulnerability chaining, there is some nuance as to whether reconnaissance ## Prior Versions +```python exec="true" idprefix="" +from ssvc.decision_points.automatable import VERSIONS +from ssvc.doc_helpers import prior_version, example_block -{% include-markdown "../../_generated/decision_points/virulence_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` !!! warning "*Virulence* is Superseded by *Automatable*" diff --git a/docs/reference/decision_points/exploitation.md b/docs/reference/decision_points/exploitation.md index 58b398c2..bed76396 100644 --- a/docs/reference/decision_points/exploitation.md +++ b/docs/reference/decision_points/exploitation.md @@ -1,6 +1,12 @@ # Exploitation -{% include-markdown "../../_generated/decision_points/exploitation.md" %} + +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` The intent of this measure is the present state of exploitation of the vulnerability. The intent is not to predict future exploitation but only to acknowledge the current state of affairs. Predictive systems, such as EPSS, could be used to augment this decision or to notify stakeholders of likely changes [@jacobs2021epss]. 
@@ -46,4 +52,14 @@ The table below lists CWE-IDs that could be used to mark a vulnerability as *PoC {{ read_csv('cwe/possible-cwe-with-poc-examples.csv') }} ---- \ No newline at end of file +## Prior Versions + +```python exec="true" idprefix="" +from ssvc.decision_points.exploitation import VERSIONS +from ssvc.doc_helpers import prior_version, example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/human_impact.md b/docs/reference/decision_points/human_impact.md index a8a22036..7f970a6b 100644 --- a/docs/reference/decision_points/human_impact.md +++ b/docs/reference/decision_points/human_impact.md @@ -1,6 +1,11 @@ # Human Impact -{% include-markdown "../../_generated/decision_points/human_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.human_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -43,6 +48,12 @@ see [Guidance on Communicating Results](../../howto/bootstrap/use.md). ## Prior Versions -{% include-markdown "../../_generated/decision_points/human_impact_2_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.human_impact import VERSIONS +from ssvc.doc_helpers import prior_version, example_block -{% include-markdown "../../_generated/decision_points/mission_and_well-being_impact_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/mission_impact.md b/docs/reference/decision_points/mission_impact.md index ca2a05c7..9af10310 100644 --- a/docs/reference/decision_points/mission_impact.md +++ b/docs/reference/decision_points/mission_impact.md 
@@ -1,6 +1,11 @@ # Mission Impact -{% include-markdown "../../_generated/decision_points/mission_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.mission_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -40,4 +45,12 @@ For example, if the [Utility](utility.md) is [*super effective*](utility.md), th ## Prior Versions -{% include-markdown "../../_generated/decision_points/mission_impact_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.mission_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/public_safety_impact.md b/docs/reference/decision_points/public_safety_impact.md index 1f26a47d..9943ddac 100644 --- a/docs/reference/decision_points/public_safety_impact.md +++ b/docs/reference/decision_points/public_safety_impact.md @@ -1,6 +1,11 @@ # Public Safety Impact -{% include-markdown "../../_generated/decision_points/public_safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_safety_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -17,6 +22,12 @@ Therefore we simplify the above into a binary categorization: ## Prior Versions -{% include-markdown "../../_generated/decision_points/public_safety_impact_2_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_safety_impact import VERSIONS +from ssvc.doc_helpers import example_block -{% include-markdown "../../_generated/decision_points/public_well-being_impact_1_0_0.md" %} +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` 
diff --git a/docs/reference/decision_points/public_value_added.md b/docs/reference/decision_points/public_value_added.md index 03507837..ad5759a9 100644 --- a/docs/reference/decision_points/public_value_added.md +++ b/docs/reference/decision_points/public_value_added.md @@ -1,6 +1,12 @@ # Public Value Added -{% include-markdown "../../_generated/decision_points/public_value_added.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.public_value_added import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + The intent of the definition is that one rarely if ever transitions from _limited_ to _ampliative_ or _ampliative_ to _precedence_. A vulnerability could transition from _precedence_ to _ampliative_ and _ampliative_ to _limited_. diff --git a/docs/reference/decision_points/report_credibility.md b/docs/reference/decision_points/report_credibility.md index f508f7cd..647360a1 100644 --- a/docs/reference/decision_points/report_credibility.md +++ b/docs/reference/decision_points/report_credibility.md @@ -1,6 +1,12 @@ # Report Credibility -{% include-markdown "../../_generated/decision_points/report_credibility.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_credibility import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + An analyst should start with a presumption of credibility and proceed toward disqualification. The reason for this is that, as a coordinator, occasionally doing a bit of extra work on a bad report is preferable to rejecting legitimate reports. diff --git a/docs/reference/decision_points/report_public.md b/docs/reference/decision_points/report_public.md index 5f02a81e..aa795f2e 100644 --- a/docs/reference/decision_points/report_public.md +++ b/docs/reference/decision_points/report_public.md 
@@ -1,3 +1,8 @@ # Report Public -{% include-markdown "../../_generated/decision_points/report_public.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.report_public import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/safety_impact.md b/docs/reference/decision_points/safety_impact.md index 41cd2eb4..425dd7a0 100644 --- a/docs/reference/decision_points/safety_impact.md +++ b/docs/reference/decision_points/safety_impact.md @@ -1,6 +1,12 @@ # Safety Impact -{% include-markdown "../../_generated/decision_points/safety_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.safety_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + !!! tip "See also" @@ -214,5 +220,13 @@ We defer this topic for now because we combine it with [*Mission Impact*](missio ## Prior Versions -{% include-markdown "../../_generated/decision_points/safety_impact_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.safety_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/supplier_cardinality.md b/docs/reference/decision_points/supplier_cardinality.md index ef55c8bf..ccd088fa 100644 --- a/docs/reference/decision_points/supplier_cardinality.md +++ b/docs/reference/decision_points/supplier_cardinality.md @@ -1,3 +1,8 @@ # Supplier Cardinality -{% include-markdown "../../_generated/decision_points/supplier_cardinality.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_cardinality import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` 
diff --git a/docs/reference/decision_points/supplier_contacted.md b/docs/reference/decision_points/supplier_contacted.md index 7a3d9d38..def0c2b6 100644 --- a/docs/reference/decision_points/supplier_contacted.md +++ b/docs/reference/decision_points/supplier_contacted.md @@ -1,6 +1,11 @@ # Supplier Contacted -{% include-markdown "../../_generated/decision_points/supplier_contacted.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_contacted import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "Quality Contact Method" diff --git a/docs/reference/decision_points/supplier_engagement.md b/docs/reference/decision_points/supplier_engagement.md index 42e306af..c8a7426b 100644 --- a/docs/reference/decision_points/supplier_engagement.md +++ b/docs/reference/decision_points/supplier_engagement.md @@ -1,3 +1,8 @@ # Supplier Engagement -{% include-markdown "../../_generated/decision_points/supplier_engagement.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_engagement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/supplier_involvement.md b/docs/reference/decision_points/supplier_involvement.md index d28e978e..d4fb9d70 100644 --- a/docs/reference/decision_points/supplier_involvement.md +++ b/docs/reference/decision_points/supplier_involvement.md @@ -1,3 +1,8 @@ # Supplier Involvement -{% include-markdown "../../_generated/decision_points/supplier_involvement.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.supplier_involvement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/system_exposure.md b/docs/reference/decision_points/system_exposure.md index 9ada4318..4595895b 100644 --- a/docs/reference/decision_points/system_exposure.md 
+++ b/docs/reference/decision_points/system_exposure.md @@ -1,6 +1,12 @@ # System Exposure -{% include-markdown "../../_generated/decision_points/system_exposure.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.system_exposure import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + Measuring the attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. @@ -38,4 +44,12 @@ If you have suggestions for further heuristics, or potential counterexamples to ## Prior Versions -{% include-markdown "../../_generated/decision_points/system_exposure_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.system_exposure import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/technical_impact.md b/docs/reference/decision_points/technical_impact.md index f7280b9a..5fc482f1 100644 --- a/docs/reference/decision_points/technical_impact.md +++ b/docs/reference/decision_points/technical_impact.md @@ -1,6 +1,11 @@ # Technical Impact -{% include-markdown "../../_generated/decision_points/technical_impact.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.technical_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` When evaluating *Technical Impact*, recall the scope definition in the [Scope Section](../../topics/scope.md). Total control is relative to the affected component where the vulnerability resides. diff --git a/docs/reference/decision_points/utility.md b/docs/reference/decision_points/utility.md index 93e94124..4779439f 100644 --- a/docs/reference/decision_points/utility.md 
+++ b/docs/reference/decision_points/utility.md @@ -1,6 +1,11 @@ # Utility -{% include-markdown "../../_generated/decision_points/utility.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.utility import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" @@ -44,7 +49,15 @@ However, future work should look for and prevent large mismatches between the ou ## Previous Versions -{% include-markdown "../../_generated/decision_points/utility_1_0_0.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.utility import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` !!! tip "See also" diff --git a/docs/reference/decision_points/value_density.md b/docs/reference/decision_points/value_density.md index 934231f6..34339b35 100644 --- a/docs/reference/decision_points/value_density.md +++ b/docs/reference/decision_points/value_density.md @@ -1,6 +1,11 @@ # Value Density -{% include-markdown "../../_generated/decision_points/value_density.md" %} +```python exec="true" idprefix="" +from ssvc.decision_points.value_density import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` !!! tip "See also" diff --git a/mkdocs.yml b/mkdocs.yml index 3e2ff861..922b7a98 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -117,6 +117,7 @@ plugins: data_path: 'data/csvs' - bibtex: bib_file: 'doc/md_src_files/sources_ssvc.bib' + - markdown-exec - mkdocstrings: handlers: python: diff --git a/requirements.txt b/requirements.txt index 9328527c..0799221f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,6 +7,7 @@ mkdocs-material-extensions==1.3.1 mkdocstrings==0.28.1 mkdocstrings-python==1.16.0 mkdocs-print-site-plugin==2.6.0 +markdown-exec==1.10.0 thefuzz==0.22.1 pandas==2.2.3 scikit-learn==1.6.1 
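Review bot: Enabling the `markdown-exec` plugin in mkdocs.yml means every ```python exec="true" block in the docs is executed during the mkdocs build, so the docs build now runs whatever Python the markdown files contain, not just the `ssvc` package. That is fine for a trusted tree, but if the docs build runs on pull requests from forks, that job should run without secrets or write-scoped tokens, since a markdown change is now a code change. The exact pin `markdown-exec==1.10.0` in requirements.txt is good; I would also document the implication next to the plugin entry, e.g. `- markdown-exec  # runs python exec="true" blocks at build time`.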
diff --git a/src/cvss_to_json.py b/src/cvss_to_json.py deleted file mode 100644 index df739988..00000000 --- a/src/cvss_to_json.py +++ /dev/null 
@@ -1,57 +0,0 @@ -#!/usr/bin/python3" -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University - -mods = [ - "attack_complexity", - "attack_requirements", - "attack_vector", - "authentication", - "availability_impact", - "availability_requirement", - "collateral_damage_potential", - "confidentiality_impact", - "confidentiality_requirement", - "exploitability", - "helpers", - "impact_bias", - "integrity_impact", - "integrity_requirement", - "privileges_required", - "remediation_level", - "report_confidence", - "scope", - "subsequent_availability_impact", - "subsequent_confidentiality_impact", - "subsequent_integrity_impact", - "target_distribution", - "user_interaction", -] - - -def main(): - for mod in mods: - module = getattr(__import__("ssvc.decision_points.cvss", fromlist=[mod]), mod) - for dp in dir(module): - if dp.upper().find(mod.upper()) > -1: - # user_interaction USER_INTERACTION_2 - print(mod, dp) - sdp = getattr(module, dp) - with open( - f"../data/json/decision_points/cvss/{dp.lower()}.json", "w" - ) as f: - f.write(sdp.model_dump_json(indent=2)) - - -if __name__ == "__main__": - main() 
diff --git a/src/ssvc/decision_points/automatable.py b/src/ssvc/decision_points/automatable.py index a1745321..843626b5 100644 --- a/src/ssvc/decision_points/automatable.py +++ b/src/ssvc/decision_points/automatable.py @@ -65,11 +65,13 @@ values=(AUT_NO, AUT_YES), ) +# always append new VERSIONS to this list, do not remove old ones +VERSIONS = (VIRULENCE_1, AUTOMATABLE_2) +LATEST = VERSIONS[-1] -def main(): - versions = (VIRULENCE_1, AUTOMATABLE_2) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/critical_software.py b/src/ssvc/decision_points/critical_software.py index 7fc28a4c..d9dad7d9 100644 --- a/src/ssvc/decision_points/critical_software.py +++ b/src/ssvc/decision_points/critical_software.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -41,9 +42,12 @@ ), ) +VERSIONS = (CRITICAL_SOFTWARE_1,) +LATEST = VERSIONS[-1] + def main(): - print(CRITICAL_SOFTWARE_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_complexity.py b/src/ssvc/decision_points/cvss/attack_complexity.py index 2d6880f3..5fa68d59 100644 --- a/src/ssvc/decision_points/cvss/attack_complexity.py +++ b/src/ssvc/decision_points/cvss/attack_complexity.py @@ -133,16 +133,17 @@ """ -versions = [ +VERSIONS = ( ACCESS_COMPLEXITY_1, ACCESS_COMPLEXITY_2, ATTACK_COMPLEXITY_3, ATTACK_COMPLEXITY_3_0_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_requirements.py b/src/ssvc/decision_points/cvss/attack_requirements.py index d1dfc43c..8ae4ba7d 100644 
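Review bot: The new comment in automatable.py, `# always append new VERSIONS to this list, do not remove old ones`, describes a tuple, and it is the only module in this change that states the ordering rule even though every module's `LATEST = VERSIONS[-1]` depends on it. I would reword it to `# always append new versions to this tuple (newest last); do not remove old ones` and repeat the same one-liner above each `VERSIONS` tuple, since the docs' `VERSIONS[:-1]` "prior versions" listing silently breaks if someone inserts a version out of order.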
--- a/src/ssvc/decision_points/cvss/attack_requirements.py +++ b/src/ssvc/decision_points/cvss/attack_requirements.py @@ -47,13 +47,12 @@ ), ) -versions = [ - ATTACK_REQUIREMENTS_1, -] +VERSIONS = (ATTACK_REQUIREMENTS_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/attack_vector.py b/src/ssvc/decision_points/cvss/attack_vector.py index 041a8bda..d7b81b81 100644 --- a/src/ssvc/decision_points/cvss/attack_vector.py +++ b/src/ssvc/decision_points/cvss/attack_vector.py @@ -194,16 +194,16 @@ ), ) -versions = [ +VERSIONS = ( ACCESS_VECTOR_1, ACCESS_VECTOR_2, ATTACK_VECTOR_3, ATTACK_VECTOR_3_0_1, -] +) def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/authentication.py b/src/ssvc/decision_points/cvss/authentication.py index 50729ce4..516966f1 100644 --- a/src/ssvc/decision_points/cvss/authentication.py +++ b/src/ssvc/decision_points/cvss/authentication.py @@ -79,15 +79,12 @@ Includes MULTIPLE, SINGLE, and AUTH_NONE values for CVSS Authentication. """ - -versions = [ - AUTHENTICATION_1, - AUTHENTICATION_2, -] +VERSIONS = (AUTHENTICATION_1, AUTHENTICATION_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/availability_impact.py b/src/ssvc/decision_points/cvss/availability_impact.py index c6f45212..e744c341 100644 --- a/src/ssvc/decision_points/cvss/availability_impact.py +++ b/src/ssvc/decision_points/cvss/availability_impact.py 
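Review bot: attack_vector.py defines `VERSIONS` but, unlike every other module touched in this change, does not define `LATEST`, so `from ssvc.decision_points.cvss.attack_vector import LATEST` raises ImportError for any caller that follows the convention the other modules establish (the docs exec blocks import `LATEST` by that name). Add `LATEST = VERSIONS[-1]` directly after the closing `)` of the tuple, matching attack_requirements.py and authentication.py in the same line.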
@@ -127,15 +127,12 @@ ), ) -versions = [ - AVAILABILITY_IMPACT_1, - AVAILABILITY_IMPACT_2, - AVAILABILITY_IMPACT_2_0_1, -] +VERSIONS = (AVAILABILITY_IMPACT_1, AVAILABILITY_IMPACT_2, AVAILABILITY_IMPACT_2_0_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/availability_requirement.py b/src/ssvc/decision_points/cvss/availability_requirement.py index fcaddba1..09cd2660 100644 --- a/src/ssvc/decision_points/cvss/availability_requirement.py +++ b/src/ssvc/decision_points/cvss/availability_requirement.py @@ -112,15 +112,16 @@ ), ) -versions = [ +VERSIONS = ( AVAILABILITY_REQUIREMENT_1, AVAILABILITY_REQUIREMENT_1_1, AVAILABILITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/collateral_damage_potential.py b/src/ssvc/decision_points/cvss/collateral_damage_potential.py index 27c0caa1..3c541009 100644 --- a/src/ssvc/decision_points/cvss/collateral_damage_potential.py +++ b/src/ssvc/decision_points/cvss/collateral_damage_potential.py @@ -98,11 +98,12 @@ Updates None description. Adds Low-Medium, Medium-High, and Not Defined value. """ -versions = [COLLATERAL_DAMAGE_POTENTIAL_1, COLLATERAL_DAMAGE_POTENTIAL_2] +VERSIONS = (COLLATERAL_DAMAGE_POTENTIAL_1, COLLATERAL_DAMAGE_POTENTIAL_2) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/confidentiality_impact.py b/src/ssvc/decision_points/cvss/confidentiality_impact.py index 4524308c..955ab72a 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_impact.py +++ b/src/ssvc/decision_points/cvss/confidentiality_impact.py 
@@ -138,15 +138,16 @@ ) -versions = [ +VERSIONS = ( CONFIDENTIALITY_IMPACT_1, CONFIDENTIALITY_IMPACT_2, CONFIDENTIALITY_IMPACT_2_0_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/confidentiality_requirement.py b/src/ssvc/decision_points/cvss/confidentiality_requirement.py index 117db9d2..288c05c8 100644 --- a/src/ssvc/decision_points/cvss/confidentiality_requirement.py +++ b/src/ssvc/decision_points/cvss/confidentiality_requirement.py @@ -110,15 +110,16 @@ ), ) -versions = [ +VERSIONS = ( CONFIDENTIALITY_REQUIREMENT_1, CONFIDENTIALITY_REQUIREMENT_1_1, CONFIDENTIALITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/exploitability.py b/src/ssvc/decision_points/cvss/exploitability.py index 9447ff60..2a3eee2a 100644 --- a/src/ssvc/decision_points/cvss/exploitability.py +++ b/src/ssvc/decision_points/cvss/exploitability.py @@ -180,16 +180,17 @@ ), ) -versions = [ +VERSIONS = ( EXPLOITABILITY_1, EXPLOITABILITY_1_1, EXPLOIT_CODE_MATURITY_1_2, EXPLOIT_MATURITY_2, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/helpers.py b/src/ssvc/decision_points/cvss/helpers.py index 23b0774c..25782192 100644 --- a/src/ssvc/decision_points/cvss/helpers.py +++ b/src/ssvc/decision_points/cvss/helpers.py @@ -34,7 +34,7 @@ def _modify_3(dp: SsvcDecisionPoint): names = [v.name for v in values] if nd.name not in names: values.append(nd) - _dp.values = tuple(values) + _dp.values = list(values) return _dp 
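Review bot: In `_modify_3` the change from `_dp.values = tuple(values)` to `_dp.values = list(values)` is not explained, and `values` is already a fresh list built from `_dp.values` a few lines up, so `list(values)` only makes a second copy; either `_dp.values = values` or a comment saying why a list is now required (presumably the model's `values` field type changed — not visible from this hunk) would make the intent clear. The same change is made in `_modify_4` in the next hunk. Note that a list is mutable where the tuple was not, so anything that previously relied on `dp.values` being immutable should be checked. `_modify_3` starts above this hunk.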
@@ -98,7 +98,7 @@ def _modify_4(dp: SsvcDecisionPoint): ) values = list(_dp.values) values.append(_SAFETY) - _dp.values = tuple(values) + _dp.values = list(values) return _dp diff --git a/src/ssvc/decision_points/cvss/impact_bias.py b/src/ssvc/decision_points/cvss/impact_bias.py index 1a3f44e9..ad113083 100644 --- a/src/ssvc/decision_points/cvss/impact_bias.py +++ b/src/ssvc/decision_points/cvss/impact_bias.py @@ -59,13 +59,12 @@ Defines Normal, Confidentiality, Integrity, and Availability values for CVSS Impact Bias. """ -versions = [ - IMPACT_BIAS_1, -] +VERSIONS = (IMPACT_BIAS_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/integrity_impact.py b/src/ssvc/decision_points/cvss/integrity_impact.py index a5b6533c..7bc62e96 100644 --- a/src/ssvc/decision_points/cvss/integrity_impact.py +++ b/src/ssvc/decision_points/cvss/integrity_impact.py @@ -125,11 +125,12 @@ ), ) -versions = [INTEGRITY_IMPACT_1, INTEGRITY_IMPACT_2, INTEGRITY_IMPACT_2_0_1] +VERSIONS = (INTEGRITY_IMPACT_1, INTEGRITY_IMPACT_2, INTEGRITY_IMPACT_2_0_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/integrity_requirement.py b/src/ssvc/decision_points/cvss/integrity_requirement.py index dc3255a4..5bfb30e9 100644 --- a/src/ssvc/decision_points/cvss/integrity_requirement.py +++ b/src/ssvc/decision_points/cvss/integrity_requirement.py @@ -110,15 +110,16 @@ ), ) -versions = [ +VERSIONS = ( INTEGRITY_REQUIREMENT_1, INTEGRITY_REQUIREMENT_1_1, INTEGRITY_REQUIREMENT_1_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/cvss/privileges_required.py b/src/ssvc/decision_points/cvss/privileges_required.py index 4c62f852..e9cb0ea5 100644 --- a/src/ssvc/decision_points/cvss/privileges_required.py +++ b/src/ssvc/decision_points/cvss/privileges_required.py @@ -101,11 +101,12 @@ ), ) -versions = [PRIVILEGES_REQUIRED_1, PRIVILEGES_REQUIRED_1_0_1] +VERSIONS = (PRIVILEGES_REQUIRED_1, PRIVILEGES_REQUIRED_1_0_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/remediation_level.py b/src/ssvc/decision_points/cvss/remediation_level.py index 8163f946..73a031ef 100644 --- a/src/ssvc/decision_points/cvss/remediation_level.py +++ b/src/ssvc/decision_points/cvss/remediation_level.py @@ -84,11 +84,12 @@ Adds Not Defined to the CVSS Remediation Level decision point. """ -versions = [REMEDIATION_LEVEL_1, REMEDIATION_LEVEL_1_1] +VERSIONS = (REMEDIATION_LEVEL_1, REMEDIATION_LEVEL_1_1) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/report_confidence.py b/src/ssvc/decision_points/cvss/report_confidence.py index 5873138a..93ea24fc 100644 --- a/src/ssvc/decision_points/cvss/report_confidence.py +++ b/src/ssvc/decision_points/cvss/report_confidence.py @@ -126,15 +126,16 @@ """ -versions = [ +VERSIONS = ( REPORT_CONFIDENCE_1, REPORT_CONFIDENCE_1_1, REPORT_CONFIDENCE_2, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/scope.py b/src/ssvc/decision_points/cvss/scope.py index f56c1ed0..9eaf0b35 100644 --- a/src/ssvc/decision_points/cvss/scope.py +++ b/src/ssvc/decision_points/cvss/scope.py 
@@ -49,13 +49,12 @@ Defines Changed and Unchanged values for CVSS Scope. """ -versions = [ - SCOPE_1, -] +VERSIONS = (SCOPE_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py index e2efc8a5..e3cbe929 100644 --- a/src/ssvc/decision_points/cvss/subsequent_availability_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_availability_impact.py @@ -56,13 +56,12 @@ ), ) -versions = [ - SUBSEQUENT_AVAILABILITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_AVAILABILITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py index 4ae2c407..413dc803 100644 --- a/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_confidentiality_impact.py @@ -57,13 +57,12 @@ ), ) -versions = [ - SUBSEQUENT_CONFIDENTIALITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_CONFIDENTIALITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py index 2cf2ccb9..4a2efbf5 100644 --- a/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py +++ b/src/ssvc/decision_points/cvss/subsequent_integrity_impact.py @@ -60,13 +60,12 @@ ), ) -versions = [ - SUBSEQUENT_INTEGRITY_IMPACT_1, -] +VERSIONS = (SUBSEQUENT_INTEGRITY_IMPACT_1,) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/cvss/supplemental/automatable.py b/src/ssvc/decision_points/cvss/supplemental/automatable.py index f679705e..c6fa0dd7 100644 --- a/src/ssvc/decision_points/cvss/supplemental/automatable.py +++ b/src/ssvc/decision_points/cvss/supplemental/automatable.py @@ -19,7 +19,13 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +NO = SsvcDecisionPointValue(name="No", key="N", + description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for " \ + "some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.", ) +YES = SsvcDecisionPointValue(name="Yes", key="Y", + description="Attackers can reliably automate all 4 steps of the kill chain. These steps are " \ + "reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is " \ + '"wormable").', ) AUTOMATABLE_1 = CvssDecisionPoint( name="Automatable", description='The "Automatable" metric captures the answer to the question "Can an attacker automate exploitation ' @@ -27,29 +33,16 @@ key="AU", version="1.0.0", values=( - SsvcDecisionPointValue( - name="No", - key="N", - description="Attackers cannot reliably automate all 4 steps of the kill chain for this vulnerability for " - "some reason. These steps are reconnaissance, weaponization, delivery, and exploitation.", - ), - SsvcDecisionPointValue( - name="Yes", - key="Y", - description="Attackers can reliably automate all 4 steps of the kill chain. These steps are " - "reconnaissance, weaponization, delivery, and exploitation (e.g., the vulnerability is " - '"wormable").', - ), + NO, + YES, ), ) +VERSIONS = (AUTOMATABLE_1,) +LATEST = AUTOMATABLE_1 def main(): - versions = [ - AUTOMATABLE_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
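Review bot: The new module-level `NO` and `YES` definitions pack several keyword arguments on one line and use `\` continuations inside parentheses, which is not black's layout even though this series includes a bulk "reformat python with black" commit; the same layout appears in provider_urgency.py, recovery.py and safety.py. The implicit string concatenation already spans lines inside the call, so the backslashes are unnecessary and black would put one keyword per line. Separately, `LATEST = AUTOMATABLE_1` here (and `LATEST = PROVIDER_URGENCY_1`, `LATEST = SAFETY_1`) differs from the `LATEST = VERSIONS[-1]` form used in recovery.py and every other module; `LATEST = VERSIONS[-1]` keeps a single convention.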
diff --git a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py index a9a7aa36..aca04676 100644 --- a/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py +++ b/src/ssvc/decision_points/cvss/supplemental/provider_urgency.py @@ -20,6 +20,14 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs +RED = SsvcDecisionPointValue(name="Red", key="R", + description="Provider has assessed the impact of this vulnerability as having the highest urgency.", ) +AMBER = SsvcDecisionPointValue(name="Amber", key="A", + description="Provider has assessed the impact of this vulnerability as having a moderate urgency.", ) +GREEN = SsvcDecisionPointValue(name="Green", key="G", + description="Provider has assessed the impact of this vulnerability as having a reduced urgency.", ) +CLEAR = SsvcDecisionPointValue(name="Clear", key="C", + description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).", ) PROVIDER_URGENCY_1 = CvssDecisionPoint( name="Provider Urgency", description="Many vendors currently provide supplemental severity ratings to consumers via product security " 
@@ -30,37 +38,18 @@ version="1.0.0", values=( NOT_DEFINED_X, - # Red, Amber, Green, Clear - SsvcDecisionPointValue( - name="Red", - key="R", - description="Provider has assessed the impact of this vulnerability as having the highest urgency.", - ), - SsvcDecisionPointValue( - name="Amber", - key="A", - description="Provider has assessed the impact of this vulnerability as having a moderate urgency.", - ), - SsvcDecisionPointValue( - name="Green", - key="G", - description="Provider has assessed the impact of this vulnerability as having a reduced urgency.", - ), - SsvcDecisionPointValue( - name="Clear", - key="C", - description="Provider has assessed the impact of this vulnerability as having no urgency (Informational).", - ), + CLEAR, + GREEN, + AMBER, + RED, ), ) +VERSIONS = (PROVIDER_URGENCY_1,) +LATEST = PROVIDER_URGENCY_1 def main(): - versions = [ - PROVIDER_URGENCY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/recovery.py b/src/ssvc/decision_points/cvss/supplemental/recovery.py index f86994e9..5297e10a 100644 --- a/src/ssvc/decision_points/cvss/supplemental/recovery.py +++ b/src/ssvc/decision_points/cvss/supplemental/recovery.py 
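Review bot: The values of PROVIDER_URGENCY_1 are reordered from Red, Amber, Green, Clear to `CLEAR, GREEN, AMBER, RED` while `version="1.0.0"` is unchanged, and the `# Red, Amber, Green, Clear` comment that documented the original order is dropped. Value order appears to be meaningful elsewhere in this change (recovery.py lists `AUTOMATIC, USER, IRRECOVERABLE`), so this alters the emitted JSON and anything that indexes values by position; if it is a deliberate correction to ascending urgency, a comment such as `# ordered from least to most urgent` should replace the removed one, and if order is part of the contract a version bump is worth considering. The PROVIDER_URGENCY_1 definition starts in the previous hunk.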
@@ -20,7 +20,13 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +AUTOMATIC = SsvcDecisionPointValue(name="Automatic", key="A", + description="The system recovers services automatically after an attack has been performed.", ) +USER = SsvcDecisionPointValue(name="User", key="U", + description="The system requires manual intervention by the user to recover services, after an attack has " \ + "been performed.", ) +IRRECOVERABLE = SsvcDecisionPointValue(name="Irrecoverable", key="I", + description="The system services are irrecoverable by the user, after an attack has been performed.", ) RECOVERY_1 = CvssDecisionPoint( name="Recovery", description="The Recovery metric describes the resilience of a system to recover services, in terms of performance " @@ -29,32 +35,17 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Automatic", - key="A", - description="The system recovers services automatically after an attack has been performed.", - ), - SsvcDecisionPointValue( - name="User", - key="U", - description="The system requires manual intervention by the user to recover services, after an attack has " - "been performed.", - ), - SsvcDecisionPointValue( - name="Irrecoverable", - key="I", - description="The system services are irrecoverable by the user, after an attack has been performed.", - ), + AUTOMATIC, + USER, + IRRECOVERABLE, ), ) +VERSIONS = (RECOVERY_1,) +LATEST = VERSIONS[-1] def main(): - versions = [ - RECOVERY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/safety.py b/src/ssvc/decision_points/cvss/supplemental/safety.py index ca3347b6..f251a958 100644 --- a/src/ssvc/decision_points/cvss/supplemental/safety.py +++ b/src/ssvc/decision_points/cvss/supplemental/safety.py 
@@ -21,6 +21,12 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs +PRESENT = SsvcDecisionPointValue(name="Present", key="P", + description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of " \ + '"marginal," "critical," or "catastrophic."', ) +NEGLIGIBLE = SsvcDecisionPointValue(name="Negligible", key="N", + description="Consequences of the vulnerability meet definition of IEC 61508 consequence category " \ + '"negligible."', ) SAFETY_1 = CvssDecisionPoint( name="Safety", description="The Safety decision point is a measure of the potential for harm to humans or the environment.", @@ -28,29 +34,16 @@ version="1.0.0", values=( NOT_DEFINED_X, - # Present, Negligible - SsvcDecisionPointValue( - name="Present", - key="P", - description="Consequences of the vulnerability meet definition of IEC 61508 consequence categories of " - '"marginal," "critical," or "catastrophic."', - ), - SsvcDecisionPointValue( - name="Negligible", - key="N", - description="Consequences of the vulnerability meet definition of IEC 61508 consequence category " - '"negligible."', - ), + PRESENT, + NEGLIGIBLE, ), ) +VERSIONS = (SAFETY_1,) +LATEST = SAFETY_1 def main(): - versions = [ - SAFETY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/value_density.py b/src/ssvc/decision_points/cvss/supplemental/value_density.py index 065512cf..ba176576 100644 --- a/src/ssvc/decision_points/cvss/supplemental/value_density.py +++ b/src/ssvc/decision_points/cvss/supplemental/value_density.py 
@@ -20,7 +20,12 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +DIFFUSE = SsvcDecisionPointValue(name="Diffuse", key="D", + description="The vulnerable system has limited resources. That is, the resources that the attacker will " \ + "gain control over with a single exploitation event are relatively small.", ) +CONCENTRATED = SsvcDecisionPointValue(name="Concentrated", key="C", + description="The vulnerable system is rich in resources. Heuristically, such systems are often the direct " \ + 'responsibility of "system operators" rather than users.', ) VALUE_DENSITY_1 = CvssDecisionPoint( name="Value Density", description="Value Density describes the resources that the attacker will gain control over with a single " @@ -29,28 +34,16 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Diffuse", - key="D", - description="The vulnerable system has limited resources. That is, the resources that the attacker will " - "gain control over with a single exploitation event are relatively small.", - ), - SsvcDecisionPointValue( - name="Concentrated", - key="C", - description="The vulnerable system is rich in resources. Heuristically, such systems are often the direct " - 'responsibility of "system operators" rather than users.', - ), + DIFFUSE, + CONCENTRATED, ), ) +VERSIONS = (VALUE_DENSITY_1,) +LATEST = VERSIONS[-1] def main(): - versions = [ - VALUE_DENSITY_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py index 40da0e4b..d3d058cb 100644 --- a/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py +++ b/src/ssvc/decision_points/cvss/supplemental/vulnerability_response_effort.py 
@@ -20,7 +20,18 @@ from ssvc.decision_points.cvss.base import CvssDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs - +LOW = SsvcDecisionPointValue(name="Low", key="L", + description="The effort required to respond to a vulnerability is low/trivial.", ) +MODERATE = SsvcDecisionPointValue(name="Moderate", key="M", + description="The actions required to respond to a vulnerability require some effort on behalf of the " \ + "consumer and could cause minimal service impact to implement.", ) +HIGH = SsvcDecisionPointValue(name="High", key="H", + description="The actions required to respond to a vulnerability are significant and/or difficult, and may " \ + "possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling " \ + "purposes including honoring any embargo on deployment of the selected response. Alternatively, response " \ + "to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability " \ + "involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or " \ + "replacement).", ) VULNERABILITY_RESPONSE_EFFORT_1 = CvssDecisionPoint( name="Vulnerability Response Effort", description="The intention of the Vulnerability Response Effort metric is to provide supplemental information on " 
@@ -31,37 +42,17 @@ version="1.0.0", values=( NOT_DEFINED_X, - SsvcDecisionPointValue( - name="Low", - key="L", - description="The effort required to respond to a vulnerability is low/trivial.", - ), - SsvcDecisionPointValue( - name="Moderate", - key="M", - description="The actions required to respond to a vulnerability require some effort on behalf of the " - "consumer and could cause minimal service impact to implement.", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="The actions required to respond to a vulnerability are significant and/or difficult, and may " - "possibly lead to an extended, scheduled service impact. This would need to be considered for scheduling " - "purposes including honoring any embargo on deployment of the selected response. Alternatively, response " - "to the vulnerability in the field is not possible remotely. The only resolution to the vulnerability " - "involves physical replacement (e.g. units deployed would have to be recalled for a depot level repair or " - "replacement).", - ), + LOW, + MODERATE, + HIGH, ), ) +VERSIONS = (VULNERABILITY_RESPONSE_EFFORT_1,) +LATEST = VERSIONS[-1] def main(): - versions = [ - VULNERABILITY_RESPONSE_EFFORT_1, - ] - - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/cvss/target_distribution.py b/src/ssvc/decision_points/cvss/target_distribution.py index d96ff767..2f408e67 100644 --- a/src/ssvc/decision_points/cvss/target_distribution.py +++ b/src/ssvc/decision_points/cvss/target_distribution.py @@ -87,14 +87,15 @@ Introduces Not Defined value. """ -versions = [ +VERSIONS = ( TARGET_DISTRIBUTION_1, TARGET_DISTRIBUTION_1_1, -] +) +LATEST = VERSIONS[-1] def main(): - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
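Review bot: In target_distribution.py the module-level `versions` list was a public name, so renaming it to `VERSIONS` (and turning it into a tuple) breaks any external importer of `ssvc.decision_points.cvss.target_distribution.versions`; the same applies to user_interaction.py in the next hunk. If anything outside these modules imports the old name, a one-line alias `versions = VERSIONS  # deprecated alias, remove next release` keeps them working; if a grep shows no importers, saying so in the commit message would close the question. The vulnerability_response_effort hunk above is unaffected because its `versions` was local to `main()`.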
diff --git a/src/ssvc/decision_points/cvss/user_interaction.py b/src/ssvc/decision_points/cvss/user_interaction.py
index d1e17418..02e75941 100644
--- a/src/ssvc/decision_points/cvss/user_interaction.py
+++ b/src/ssvc/decision_points/cvss/user_interaction.py
@@ -89,11 +89,12 @@
 ),
 )
-versions = [USER_INTERACTION_1, USER_INTERACTION_2]
+VERSIONS = (USER_INTERACTION_1, USER_INTERACTION_2)
+LATEST = VERSIONS[-1]
 def main():
- print_versions_and_diffs(versions)
+ print_versions_and_diffs(VERSIONS)
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/exploitation.py b/src/ssvc/decision_points/exploitation.py
index 0f7c5f59..bb1a2a52 100644
--- a/src/ssvc/decision_points/exploitation.py
+++ b/src/ssvc/decision_points/exploitation.py
@@ -74,11 +74,12 @@ def _strip_spaces(s):
 ),
 )
+VERSIONS = (EXPLOITATION_1, EXPLOITATION_1_1_0)
+LATEST = VERSIONS[-1]
-def main():
- versions = [EXPLOITATION_1, EXPLOITATION_1_1_0]
- print_versions_and_diffs(versions)
+def main():
+ print_versions_and_diffs(VERSIONS)
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/helpers.py b/src/ssvc/decision_points/helpers.py
index 1a93505a..12a52077 100644
--- a/src/ssvc/decision_points/helpers.py
+++ b/src/ssvc/decision_points/helpers.py
@@ -127,45 +127,33 @@ def dp_diff(dp1: SsvcDecisionPoint, dp2: SsvcDecisionPoint) -> list[str]: major = True for name in dp2_names.difference(dp1_names): - diffs.append( - f"(major or minor) {dp2.name} v{dp2.version} adds value {name}" - ) + diffs.append(f"(major or minor) {dp2.name} v{dp2.version} adds value {name}") maybe_major = True maybe_minor = True # did the value keys change? for name in intersection: - v1 = { - value["name"]: value["key"] for value in dp1.model_dump()["values"] - } + v1 = {value["name"]: value["key"] for value in dp1.model_dump()["values"]} v1 = v1[name] - v2 = { - value["name"]: value["key"] for value in dp2.model_dump()["values"] - } + v2 = {value["name"]: value["key"] for value in dp2.model_dump()["values"]} v2 = v2[name] if v1 != v2: - diffs.append( - f"(minor) {dp2.name} v{dp2.version} value {name} key changed" - ) + diffs.append(f"(minor) {dp2.name} v{dp2.version} value {name} key changed") minor = True else: - diffs.append( - f"{dp2.name} v{dp2.version} value {name} key did not change" - ) + diffs.append(f"{dp2.name} v{dp2.version} value {name} key did not change") # did the value descriptions change? for name in intersection: v1 = { - value["name"]: value["description"] - for value in dp1.model_dump()["values"] + value["name"]: value["description"] for value in dp1.model_dump()["values"] } v1 = v1[name] v2 = { - value["name"]: value["description"] - for value in dp2.model_dump()["values"] + value["name"]: value["description"] for value in dp2.model_dump()["values"] } v2 = v2[name] diff --git a/src/ssvc/decision_points/high_value_asset.py b/src/ssvc/decision_points/high_value_asset.py index b483b7e3..b0aeac2b 100644 --- a/src/ssvc/decision_points/high_value_asset.py +++ b/src/ssvc/decision_points/high_value_asset.py 
@@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -41,9 +42,11 @@ ), ) +VERSIONS = (HIGH_VALUE_ASSET_1,) +LATEST = VERSIONS[-1] def main(): - print(HIGH_VALUE_ASSET_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/human_impact.py b/src/ssvc/decision_points/human_impact.py index 1b178d92..ac2deac0 100644 --- a/src/ssvc/decision_points/human_impact.py +++ b/src/ssvc/decision_points/human_impact.py @@ -120,15 +120,16 @@ ), ) +VERSIONS = ( + MISSION_AND_WELL_BEING_IMPACT_1, + HUMAN_IMPACT_2, + HUMAN_IMPACT_2_0_1, +) +LATEST = VERSIONS[-1] -def main(): - versions = ( - MISSION_AND_WELL_BEING_IMPACT_1, - HUMAN_IMPACT_2, - HUMAN_IMPACT_2_0_1, - ) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/in_kev.py b/src/ssvc/decision_points/in_kev.py index 2b10690c..31466aaa 100644 --- a/src/ssvc/decision_points/in_kev.py +++ b/src/ssvc/decision_points/in_kev.py @@ -16,6 +16,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -40,9 +41,12 @@ ), ) +VERSIONS = (IN_KEV_1,) +LATEST = VERSIONS[-1] + def main(): - print(IN_KEV_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/mission_impact.py b/src/ssvc/decision_points/mission_impact.py index d98f4208..d0a3a132 100644 --- a/src/ssvc/decision_points/mission_impact.py +++ b/src/ssvc/decision_points/mission_impact.py 
@@ -80,11 +80,12 @@ values=(DEGRADED, MEF_CRIPPLED, MEF_FAILURE, MISSION_FAILURE), ) +VERSIONS = (MISSION_IMPACT_1, MISSION_IMPACT_2) +LATEST = VERSIONS[-1] -def main(): - versions = (MISSION_IMPACT_1, MISSION_IMPACT_2) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py index 6fb697e8..bc5e4778 100644 --- a/src/ssvc/decision_points/mission_prevalence.py +++ b/src/ssvc/decision_points/mission_prevalence.py @@ -52,7 +52,9 @@ ), ) +VERSIONS = (MISSION_PREVALENCE,) +LATEST = VERSIONS[-1] + if __name__ == "__main__": - versions = (MISSION_PREVALENCE,) - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) diff --git a/src/ssvc/decision_points/public_safety_impact.py b/src/ssvc/decision_points/public_safety_impact.py index f057a39c..54df0a8e 100644 --- a/src/ssvc/decision_points/public_safety_impact.py +++ b/src/ssvc/decision_points/public_safety_impact.py @@ -109,14 +109,16 @@ ), ) +VERSIONS = ( + PUBLIC_WELL_BEING_IMPACT_1, + PUBLIC_SAFETY_IMPACT_2, + PUBLIC_SAFETY_IMPACT_2_0_1, +) +LATEST = VERSIONS[-1] + def main(): - versions = ( - PUBLIC_WELL_BEING_IMPACT_1, - PUBLIC_SAFETY_IMPACT_2, - PUBLIC_SAFETY_IMPACT_2_0_1, - ) - print_versions_and_diffs(versions) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/public_value_added.py b/src/ssvc/decision_points/public_value_added.py index cec1b200..87b4700a 100644 --- a/src/ssvc/decision_points/public_value_added.py +++ b/src/ssvc/decision_points/public_value_added.py @@ -47,10 +47,12 @@ ) -def main(): - versions = (PUBLIC_VALUE_ADDED_1,) +VERSIONS = (PUBLIC_VALUE_ADDED_1,) +LATEST = VERSIONS[-1] + - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
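Review bot: mission_prevalence.py keeps the `print_versions_and_diffs(VERSIONS)` call directly under the `if __name__ == "__main__":` guard, whereas every sibling module in this series wraps it in `def main():`, so this is the one decision point module with no `main` to import or invoke. Adding `def main():` containing the single line `print_versions_and_diffs(VERSIONS)` and calling `main()` from the guard matches mission_impact.py, public_safety_impact.py and public_value_added.py in this same span.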
diff --git a/src/ssvc/decision_points/report_credibility.py b/src/ssvc/decision_points/report_credibility.py index 3fbcdd51..1e4cf105 100644 --- a/src/ssvc/decision_points/report_credibility.py +++ b/src/ssvc/decision_points/report_credibility.py @@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs NOT_CREDIBLE = SsvcDecisionPointValue( name="Not Credible", @@ -42,9 +43,12 @@ ), ) +VERSIONS = (REPORT_CREDIBILITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(REPORT_CREDIBILITY_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/report_public.py b/src/ssvc/decision_points/report_public.py index 815d296c..a072e185 100644 --- a/src/ssvc/decision_points/report_public.py +++ b/src/ssvc/decision_points/report_public.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs YES = SsvcDecisionPointValue( name="Yes", @@ -41,9 +42,12 @@ ), ) +VERSIONS = (REPORT_PUBLIC_1,) +LATEST = VERSIONS[-1] + def main(): - print(REPORT_PUBLIC_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/safety_impact.py b/src/ssvc/decision_points/safety_impact.py index 110d053c..5a5c16ae 100644 --- a/src/ssvc/decision_points/safety_impact.py +++ b/src/ssvc/decision_points/safety_impact.py @@ -159,10 +159,12 @@ ) -def main(): - versions = (SAFETY_IMPACT_1, SAFETY_IMPACT_2) +VERSIONS = (SAFETY_IMPACT_1, SAFETY_IMPACT_2) +LATEST = VERSIONS[-1] + - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": 
diff --git a/src/ssvc/decision_points/supplier_cardinality.py b/src/ssvc/decision_points/supplier_cardinality.py
index e0c9ecfb..934ebfdf 100644
--- a/src/ssvc/decision_points/supplier_cardinality.py
+++ b/src/ssvc/decision_points/supplier_cardinality.py
@@ -17,6 +17,7 @@
 # U.S. Patent and Trademark Office by Carnegie Mellon University
 from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue
+from ssvc.decision_points.helpers import print_versions_and_diffs
 MULTIPLE = SsvcDecisionPointValue(
 name="Multiple",
@@ -41,9 +42,12 @@
 ),
 )
+VERSIONS = (SUPPLIER_CARDINALITY_1,)
+LATEST = VERSIONS[-1]
+
 def main():
- print(SUPPLIER_CARDINALITY_1.model_dump_json(indent=2))
+ print_versions_and_diffs(VERSIONS)
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/supplier_contacted.py b/src/ssvc/decision_points/supplier_contacted.py
index 1d07aa00..f3586008 100644
--- a/src/ssvc/decision_points/supplier_contacted.py
+++ b/src/ssvc/decision_points/supplier_contacted.py
@@ -16,6 +16,7 @@
 # U.S. Patent and Trademark Office by Carnegie Mellon University
 from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue
+from ssvc.decision_points.helpers import print_versions_and_diffs
 YES = SsvcDecisionPointValue(
 name="Yes",
@@ -40,9 +41,12 @@
 ),
 )
+VERSIONS = (SUPPLIER_CONTACTED_1,)
+LATEST = VERSIONS[-1]
+
 def main():
- print(SUPPLIER_CONTACTED_1.model_dump_json(indent=2))
+ print_versions_and_diffs(VERSIONS)
 if __name__ == "__main__":
diff --git a/src/ssvc/decision_points/supplier_engagement.py b/src/ssvc/decision_points/supplier_engagement.py
index 94f94097..cb0aef24 100644
--- a/src/ssvc/decision_points/supplier_engagement.py
+++ b/src/ssvc/decision_points/supplier_engagement.py
@@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs UNRESPONSIVE = SsvcDecisionPointValue( name="Unresponsive", @@ -42,9 +43,12 @@ ), ) +VERSIONS = (SUPPLIER_ENGAGEMENT_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_ENGAGEMENT_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/supplier_involvement.py b/src/ssvc/decision_points/supplier_involvement.py index e7712e27..823afd4d 100644 --- a/src/ssvc/decision_points/supplier_involvement.py +++ b/src/ssvc/decision_points/supplier_involvement.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs UNCOOPERATIVE = SsvcDecisionPointValue( name="Uncooperative/Unresponsive", @@ -48,9 +49,12 @@ ), ) +VERSIONS = (SUPPLIER_INVOLVEMENT_1,) +LATEST = VERSIONS[-1] + def main(): - print(SUPPLIER_INVOLVEMENT_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/system_exposure.py b/src/ssvc/decision_points/system_exposure.py index 12a7a10b..9f0c813a 100644 --- a/src/ssvc/decision_points/system_exposure.py +++ b/src/ssvc/decision_points/system_exposure.py @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs EXP_UNAVOIDABLE = SsvcDecisionPointValue( name="Unavoidable", 
@@ -76,10 +77,12 @@ ), ) +VERSIONS = (SYSTEM_EXPOSURE_1, SYSTEM_EXPOSURE_1_0_1) +LATEST = VERSIONS[-1] + def main(): - print(SYSTEM_EXPOSURE_1.model_dump_json(indent=2)) - print(SYSTEM_EXPOSURE_1_0_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/technical_impact.py b/src/ssvc/decision_points/technical_impact.py index 6f8133a6..3fa10eff 100644 --- a/src/ssvc/decision_points/technical_impact.py +++ b/src/ssvc/decision_points/technical_impact.py @@ -18,6 +18,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs TOTAL = SsvcDecisionPointValue( name="Total", @@ -42,9 +43,12 @@ ), ) +VERSIONS = (TECHNICAL_IMPACT_1,) +LATEST = VERSIONS[-1] + def main(): - print(TECHNICAL_IMPACT_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py index d20f05a3..b1f08b0a 100644 --- a/src/ssvc/decision_points/utility.py +++ b/src/ssvc/decision_points/utility.py @@ -80,11 +80,12 @@ ), ) +VERSIONS = (UTILITY_1, UTILITY_1_0_1) +LATEST = VERSIONS[-1] -def main(): - versions = (UTILITY_1, UTILITY_1_0_1) - print_versions_and_diffs(versions) +def main(): + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/decision_points/value_density.py b/src/ssvc/decision_points/value_density.py index d13a606f..81b9fd14 100644 --- a/src/ssvc/decision_points/value_density.py +++ b/src/ssvc/decision_points/value_density.py 
@@ -3,7 +3,7 @@ Provides the Value Density decision point and its values. """ -# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. +# Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is @@ -17,6 +17,7 @@ # U.S. Patent and Trademark Office by Carnegie Mellon University from ssvc.decision_points.base import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs CONCENTRATED = SsvcDecisionPointValue( name="Concentrated", @@ -41,9 +42,12 @@ ), ) +VERSIONS = (VALUE_DENSITY_1,) +LATEST = VERSIONS[-1] + def main(): - print(VALUE_DENSITY_1.model_dump_json(indent=2)) + print_versions_and_diffs(VERSIONS) if __name__ == "__main__": diff --git a/src/ssvc/doc_helpers.py b/src/ssvc/doc_helpers.py new file mode 100644 index 00000000..3e794601 --- /dev/null +++ b/src/ssvc/doc_helpers.py 
@@ -0,0 +1,141 @@ +#!/usr/bin/env python +""" +file: doc_helpers +author: adh +created_at: 2/14/25 2:54 PM +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points.base import SsvcDecisionPoint + +MD_TABLE_ROW_TEMPLATE = "| {value.name} | {value.description} |" + + +def markdown_table(dp: SsvcDecisionPoint, indent: int = 0) -> str: + """ + Generate a markdown table for a decision point. + + Args: + dp (SsvcDecisionPoint): The decision point to generate a markdown table for. + + Returns: + str: The markdown table. + """ + rows = [] + # prepend the header + _indent = " " * indent + rows.append(f"{_indent}{dp.description}") + rows.append("") + rows.append(f"{_indent}| Value | Definition |") + rows.append(f"{_indent}|:-----|:-----------|") + + # add a row for each value + for value in dp.values: + rows.append(_indent + MD_TABLE_ROW_TEMPLATE.format(value=value)) + + return "\n".join(rows) + + +def example_block_tabbed(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! 
note "{dp.name} v{dp.version}"') + rows.append("") + + rows.append(indent_ + '=== "Table"') + rows.append("") + for row in markdown_table(dp, indent=4).splitlines(): + rows.append(indent_ + row) + rows.append("") + + rows.append(indent_ + '=== "JSON"') + rows.append("") + for row in json_example(dp, indent=4).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def example_block(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! note "{dp.name} v{dp.version}"') + rows.append("") + + for row in markdown_table(dp).splitlines(): + rows.append(indent_ + row) + rows.append("") + + rows.append(indent_ + f'??? example "{dp.name} v{dp.version} JSON Example"') + rows.append("") + for row in json_example(dp, indent=4).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def prior_version(dp: SsvcDecisionPoint, indent=4) -> str: + """Given a decision point, return a markdown block that contains an example of the decision point.""" + + indent_ = " " * 4 + rows = [] + rows.append(f'!!! note "{dp.name} v{dp.version}"') + rows.append("") + + rows.append("") + for row in markdown_table(dp, indent=0).splitlines(): + rows.append(indent_ + row) + + return "\n".join(rows) + + +def json_example(dp, indent=0): + """ + Generate a markdown block that contains a JSON example. + + Args: + dp: the decision point object + jstr: + collapsible: + + Returns: + + """ + indent_ = " " * indent + json_rows = [ + indent_ + "```json", + ] + + jstr = dp.model_dump_json(indent=2).strip() + + for line in jstr.splitlines(): + json_rows.append(indent_ + line) + + json_rows.append( + indent_ + "```", + ) + json_block = "\n".join(json_rows) + return json_block + + +def main(): + pass + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/doctools.py b/src/ssvc/doctools.py index 8130aeb6..e3d973a7 100644 
--- a/src/ssvc/doctools.py +++ b/src/ssvc/doctools.py @@ -15,30 +15,28 @@ Provides tools to assist with generating documentation for SSVC decision points. Writes the following files for each decision point: -- a markdown table that can be used in the decision point documentation - a json example that can be used in the decision point documentation -- a markdown file that builds an insert using mkdocs tabs to switch between the markdown description and the json - example Examples To generate the documentation for the decision points, use the following command: - python -m ssvc.doctools --overwrite --outdir ./tmp/md_out --jsondir ./tmp/json_out` + python -m ssvc.doctools --overwrite --jsondir ./tmp/json_out` To regenerate the existing docs, use the following command: - python -m ssvc.doctools --overwrite --outdir docs/_generated/decision_points --jsondir data/json/decision_points + python -m ssvc.doctools --overwrite --jsondir data/json/decision_points """ import logging import os +import ssvc.dp_groups.cvss.collections # noqa +import ssvc.dp_groups.ssvc.collections # noqa from ssvc.decision_points.base import ( REGISTERED_DECISION_POINTS, SsvcDecisionPoint, ) -from ssvc.dp_groups.ssvc.collections import SSVCv1, SSVCv2, SSVCv2_1 # noqa logger = logging.getLogger(__name__) 
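Review bot: The rewritten usage line in the module docstring keeps a stray trailing backtick, `python -m ssvc.doctools --overwrite --jsondir ./tmp/json_out``; it was already present in the old line, but since the line is being edited anyway, dropping it avoids a broken inline-code span wherever the docstring is rendered. The two new `import ssvc.dp_groups.cvss.collections  # noqa` and `import ssvc.dp_groups.ssvc.collections  # noqa` lines appear to exist only for their import-time side effect (presumably populating `REGISTERED_DECISION_POINTS`, which is imported right below), and `# noqa` alone does not say so; a comment such as `# imported for side effect only: registers the decision points in REGISTERED_DECISION_POINTS` makes the dependency explicit for the next person who tries to remove an "unused" import.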
@@ -56,49 +54,6 @@ def _filename_friendly(name: str) -> str: return name.lower().replace(" ", "_").replace(".", "_") -MD_TABLE_ROW_TEMPLATE = "| {value.name} | {value.description} |" - -# indent by 4 spaces to make it a code block -MD_INCLUDE_TEMPLATE = """ -!!! note "{dp.name} v{dp.version}" - -=== "Text" - -{table} - -=== "JSON" - - ```json - {{% include "{json_file}" %}} - ``` -""" - - -def to_markdown_table(dp: SsvcDecisionPoint) -> str: - """ - Generate a markdown table for a decision point. - - Args: - dp (SsvcDecisionPoint): The decision point to generate a markdown table for. - - Returns: - str: The markdown table. - """ - rows = [] - # prepend the header - rows.append(f" {dp.description}") - rows.append("") - indent = " " * 4 - rows.append(f"{indent}| Value | Definition |") - rows.append(f"{indent}|:-----|:-----------|") - - # add a row for each value - for value in dp.values: - rows.append(indent + MD_TABLE_ROW_TEMPLATE.format(value=value)) - - return "\n".join(rows) - - # create a runtime context that ensures that dir exists class EnsureDirExists: """ @@ -137,9 +92,7 @@ def remove_if_exists(file): logger.debug(f"File {file} does not exist, nothing to remove") -def dump_decision_point( - jsondir: str, outdir: str, dp: SsvcDecisionPoint, overwrite: bool -) -> dict: +def dump_decision_point(jsondir: str, dp: SsvcDecisionPoint, overwrite: bool) -> None: """ Generate the markdown table, json example, and markdown table file for a decision point. 
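Review bot: `dump_decision_point` now returns `None` and only delegates to `dump_json`, but its docstring (opening here and continuing into the next hunk) still says it generates "the markdown table, json example, and markdown table file" and lists `Returns:` keys `symlink` and `json_file` that no longer exist. The docstring should describe only what remains, e.g. `Write the json example for a decision point under jsondir.`, with the `Returns:` section removed; if the unchanged part of the docstring still documents the dropped `outdir` parameter, that line should go as well. The function body is in the next hunk.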
@@ -155,75 +108,10 @@ def dump_decision_point( - symlink: The path to the symlink that points to the markdown table file. - json_file: The path to the json example file. """ - # - generate markdown table # make dp.name safe for use in a filename - basename = ( - _filename_friendly(dp.name) + f"_{_filename_friendly(dp.version)}" - ) + basename = _filename_friendly(dp.name) + f"_{_filename_friendly(dp.version)}" # - generate json example - json_file = dump_json(basename, dp, jsondir, overwrite) - - # - generate markdown table file - r = dump_markdown(basename, dp, json_file, outdir, overwrite) - r["json_file"] = json_file - return r - - -def dump_markdown( - basename: str, - dp: SsvcDecisionPoint, - json_file: str, - outdir: str, - overwrite: bool, -) -> dict: - """ - Generate the markdown table file for a decision point. - - Args: - basename (str): The basename of the markdown table file. - dp (SsvcDecisionPoint): The decision point to generate documentation for. - json_file (str): The path to the json example file. - outdir (str): The directory to write the markdown table file to. - overwrite (bool): Whether to overwrite existing files. - - Returns: - dict: A dictionary with the following keys: - - include_file: The path to the markdown table file. - - symlink: The path to the symlink that points to the markdown table file. 
- """ - include_file = f"{outdir}/{basename}.md" - - relative_json_file = os.path.relpath(json_file, outdir) - - if overwrite: - remove_if_exists(include_file) - with EnsureDirExists(outdir): - try: - with open(include_file, "x") as f: - formatted_template = MD_INCLUDE_TEMPLATE.format( - dp=dp, - json_file=relative_json_file, - table=(to_markdown_table(dp)), - ) - f.write(formatted_template) - except FileExistsError: - logger.warning( - f"File {include_file} already exists, use --overwrite to replace" - ) - - # update the symlink - # because we don't want to have to edit each markdown file every time something changes - symlink = f"{outdir}/{_filename_friendly(dp.name)}.md" - remove_if_exists(symlink) - relative_md_file = os.path.relpath(include_file, outdir) - os.symlink(relative_md_file, symlink) - - result = { - "include_file": include_file, - "symlink": symlink, - } - - return result + dump_json(basename, dp, jsondir, overwrite) def dump_json( @@ -241,13 +129,24 @@ def dump_json( Returns: str: The path to the json example file. """ - json_file = f"{jsondir}/{basename}.json" + # if namespace is ssvc, it goes in jsondir + filename = f"{basename}.json" + parts = [ + jsondir, + ] + if dp.namespace != "ssvc": + parts.append(_filename_friendly(dp.namespace)) + parts.append(filename) + + json_file = os.path.join(*parts) + if overwrite: remove_if_exists(json_file) with EnsureDirExists(jsondir): try: with open(json_file, "x") as f: f.write(dp.model_dump_json(indent=2)) + f.write("\n") # newline at end of file except FileExistsError: logger.warning( f"File {json_file} already exists, use --overwrite to replace" 
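Review bot: For a decision point whose namespace is not `ssvc`, `json_file` now lives in a namespace subdirectory, but `with EnsureDirExists(jsondir):` only creates `jsondir`, so the first `open(json_file, "x")` for such a point raises FileNotFoundError rather than writing the file (and it is not caught by the `except FileExistsError`). Change the guard to `with EnsureDirExists(os.path.dirname(json_file)):` so the subdirectory is created as well. Separately, `_filename_friendly` (visible earlier in this file) only lowercases and replaces spaces and dots, so a namespace containing a path separator would still place the file outside `jsondir`; namespaces are defined in-tree, so this is a defensive check rather than an exposure, but rejecting `os.sep in dp.namespace` with a ValueError before building `parts` would pin output under `jsondir`. The `EnsureDirExists` class itself is outside this hunk, so the assumption that it creates the directory it is given is inferred from its name and the existing usage.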
@@ -275,21 +174,17 @@ def main(): default=False, ) - parser.add_argument( - "--outdir", help="output directory", default="./tmp/md_out" - ) parser.add_argument( "--jsondir", help="json output directory", default="./tmp/json_out" ) args = parser.parse_args() overwrite = args.overwrite - outdir = args.outdir jsondir = args.jsondir # for each decision point: for dp in REGISTERED_DECISION_POINTS: - dump_decision_point(jsondir, outdir, dp, overwrite) + dump_decision_point(jsondir, dp, overwrite) if __name__ == "__main__": diff --git a/src/ssvc/dp_groups/base.py b/src/ssvc/dp_groups/base.py index f2c0b530..d198a0df 100644 --- a/src/ssvc/dp_groups/base.py +++ b/src/ssvc/dp_groups/base.py @@ -4,7 +4,7 @@ author: adh created_at: 9/20/23 4:47 PM """ -# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. +# Copyright (c) 2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py index a8e8a271..debfaaca 100644 --- a/src/ssvc/dp_groups/cvss/collections.py +++ b/src/ssvc/dp_groups/cvss/collections.py @@ -334,9 +334,7 @@ name="CVSSv4", description="All decision points for CVSS v4 (including supplemental metrics)", version="1.0.0", - decision_points=tuple( - _BASE_4 + _THREAT_4 + _ENVIRONMENTAL_4 + _SUPPLEMENTAL_4 - ), + decision_points=tuple(_BASE_4 + _THREAT_4 + _ENVIRONMENTAL_4 + _SUPPLEMENTAL_4), ) CVSSv4_Equivalence_Sets = SsvcDecisionPointGroup( diff --git a/src/test/test_doc_helpers.py b/src/test/test_doc_helpers.py new file mode 100644 index 00000000..f7834eee --- /dev/null +++ b/src/test/test_doc_helpers.py 
@@ -0,0 +1,81 @@ +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +import unittest + +from ssvc.decision_points import SsvcDecisionPoint, SsvcDecisionPointValue +from ssvc.doc_helpers import example_block, markdown_table + + +class MyTestCase(unittest.TestCase): + def setUp(self): + self.dp = SsvcDecisionPoint( + namespace="test", + name="test name", + description="test description", + key="TK", + version="1.0.0", + values=( + SsvcDecisionPointValue(name="A", key="A", description="A Definition"), + SsvcDecisionPointValue(name="B", key="B", description="B Definition"), + ), + ) + + def tearDown(self): + pass + + def test_markdown_table(self): + result = markdown_table(self.dp) + + expected = ( + "test description\n" + "\n" + "| Value | Definition |\n" + "|:-----|:-----------|\n" + "| A | A Definition |\n" + "| B | B Definition |" + ) + + self.assertEqual(result, expected) + + indented = markdown_table(self.dp, indent=4) + + expected_indented = ( + " test description\n" + "\n" + " | Value | Definition |\n" + " |:-----|:-----------|\n" + " | A | A Definition |\n" + " | B | B Definition |" + ) + + self.assertEqual(indented, expected_indented) + + def 
test_example_block(self): + + result = example_block(self.dp) + + self.assertIn("!!! note", result) + self.assertIn("\n | Value | Definition |", result) + self.assertIn("\n | A | A Definition |", result) + self.assertIn("\n | B | B Definition |", result) + self.assertIn("\n ??? example", result) + self.assertIn("\n ```json", result) + + for value in self.dp.values: + self.assertIn(value.name, result) + self.assertIn(value.description, result) + + +if __name__ == "__main__": + unittest.main() diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index 2e2083c7..c59226a5 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py @@ -22,9 +22,7 @@ _filename_friendly, dump_decision_point, dump_json, - dump_markdown, remove_if_exists, - to_markdown_table, ) _dp_dict = { @@ -60,18 +58,6 @@ def test__filename_friendly(self): # lowercase the string self.assertEqual("foo_bar", _filename_friendly("Foo.Bar")) - def test_to_markdown_table(self): - dp = self.dp - - table = to_markdown_table(dp) - self.assertIn(dp.description, table) - # self.assertIn(dp.name, table) - # self.assertIn(dp.version, table) - for value in dp.values: - self.assertIn(value.name, table) - self.assertIn(value.description, table) - self.assertIn(value.key, table) - def test_ensure_dir_exists(self): path = os.path.join(self.tempdir.name, "foo") self.assertFalse(os.path.exists(path)) 
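Review bot: `MyTestCase` is the IDE default name and the empty `tearDown` is dead code; rename the class to `TestDocHelpers` and drop `tearDown`. `test_example_block` asserts on exact indentation (`"\n    | Value | Definition |"` and the two value rows), which couples the test to the whitespace layout of `example_block`'s template rather than to its content; asserting once that `markdown_table(self.dp, indent=4)` is contained in the result would pin the same behaviour with a single assertion that survives template reformatting. This assumes `example_block` embeds the indented table output; its implementation is not in this diff.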
@@ -98,78 +84,26 @@ def test_remove_if_exists(self): def test_dump_decision_point(self): jsondir = os.path.join(self.tempdir.name, "json") - outdir = os.path.join(self.tempdir.name, "out") dp = self.dp overwrite = False + # should create the files in the expected places + self.assertFalse(os.path.exists(jsondir)) self.assertEqual(0, len(os.listdir(self.tempdir.name))) - # should create the files in the expected places - r = dump_decision_point(jsondir, outdir, dp, overwrite) - self.assertTrue(os.path.exists(r["include_file"])) - self.assertTrue(os.path.exists(r["symlink"])) - self.assertTrue(os.path.exists(r["json_file"])) + r = dump_decision_point(jsondir, dp, overwrite) - # not checking these thoroughly, just making sure they are there - # because they are tested elsewhere in dump_markdown and dump_json + self.assertTrue(os.path.exists(jsondir)) + self.assertIn("json", os.listdir(self.tempdir.name)) + self.assertEqual(1, len(os.listdir(jsondir))) - def test_dump_markdown(self): - # dump_markdown should create a file, write to it, and then create a generic symlink - basename = "foo" - dp = self.dp - json_file = os.path.join(self.tempdir.name, f"{basename}.json") - outdir = self.tempdir.name - overwrite = False + file_created = os.listdir(jsondir)[0] - # should create the file in the expected place - include_file = os.path.join(outdir, f"{basename}.md") - symlink = os.path.join(outdir, f"{_filename_friendly(dp.name)}.md") - - self.assertFalse(os.path.exists(include_file)) - self.assertFalse(os.path.exists(symlink)) - r = dump_markdown(basename, dp, json_file, outdir, overwrite) - self.assertTrue(os.path.exists(include_file)) - - self.assertEqual(include_file, r["include_file"]) - self.assertEqual(symlink, r["symlink"]) - - # the file contains text based on the dp - with open(include_file, "r") as f: - text = f.read() - - self.assertIn(dp.description, text) - self.assertIn(dp.name, text) - self.assertIn(dp.version, text) - for value in dp.values: - 
self.assertIn(value.name, text) - self.assertIn(value.description, text) - self.assertIn(value.key, text) - - # should create the symlink in the expected place - self.assertTrue(os.path.exists(symlink), symlink) - # should be a symlink - self.assertTrue(os.path.islink(symlink)) - # should point to the include file - self.assertEqual( - os.path.realpath(symlink), os.path.realpath(include_file) - ) + for word in dp.name.split(): + self.assertIn(word.lower(), file_created) - # should not overwrite the file - overwrite = False - # capture logger output - with self.assertLogs() as cm: - dump_markdown(basename, dp, json_file, outdir, overwrite) - # logger warns that the file exists - self.assertIn("already exists", cm.output[0]) - - # should overwrite the file - overwrite = True - dp.name = "Different Decision Point" - # capture logger output - with self.assertLogs(level=logging.DEBUG) as cm: - dump_markdown(basename, dp, json_file, outdir, overwrite) - # logger warns that the file was removed - self.assertIn("Removed", cm.output[0]) + # not checking these thoroughly, just making sure they are there + # because they are tested elsewhere in dump_markdown and dump_json def test_dump_json(self): basename = "foo" From 300893838a8b1b3d4bab81472b80f36e0ef66bde Mon Sep 17 00:00:00 2001 From: sei-renae Date: Tue, 18 Feb 2025 15:32:20 -0500 Subject: [PATCH 15/31] Fix json schema example (#684) * Standardize docstrings to define what the program does, add missing license wording, and format blank lines around header docstrings. * Update schemas for typos * Update mission_prevalence.py * Update 'virulence' to 'automatable' keys --------- Co-authored-by: Allen D. Householder --- .../Computed-CVE-2014-0751-Coordinator-with-tree.json | 4 ++-- data/schema_examples/Computed-CVE-2014-0751-Coordinator.json | 2 +- src/ssvc/decision_points/mission_prevalence.py | 2 +- src/ssvc/decision_points/utility.py | 1 - 4 files changed, 4 insertions(+), 5 deletions(-) 
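Review bot: `r = dump_decision_point(jsondir, dp, overwrite)` keeps a return value that the function no longer produces (its annotation is `-> None` in this same series), so `r` is dead; drop the assignment. The trailing comment still says the details "are tested elsewhere in dump_markdown and dump_json", but `dump_markdown` is removed by this change, so update it to `# details are covered by test_dump_json`. The test also only exercises the default-namespace layout: `dump_json` now writes non-`ssvc` namespaces into a subdirectory and the `assertEqual(1, len(os.listdir(jsondir)))` check only holds if `self.dp` is in the `ssvc` namespace (`_dp_dict` is outside this hunk), so a second case with a `namespace="test"` point asserting `os.path.isdir(os.path.join(jsondir, "test"))` would cover that branch.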
diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json b/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json index 38184aff..d7896c88 100644 --- a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json +++ b/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json @@ -2,7 +2,7 @@ "role": "Coordinator", "id": "CVE-2014-0751", "version": "2.0.3", - "computed": "SSVCv2/E:A/V:S/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", + "computed": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", "timestamp": "2021-09-29T15:29:44Z", "options": [ { @@ -52,7 +52,7 @@ }, { "label": "Automatable", - "key": "V", + "key": "A", "decision_type": "simple", "options": [ { diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json b/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json index 7e869630..b75aa68b 100644 --- a/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json +++ b/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json @@ -2,7 +2,7 @@ "role": "Coordinator", "id": "CVE-2014-0751", "version": "2.0.3", - "computed": "SSVCv2/E:A/V:S/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", + "computed": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2021-09-29T15:29:44Z/", "timestamp": "2021-09-29T15:29:44Z", "options": [ { diff --git a/src/ssvc/decision_points/mission_prevalence.py b/src/ssvc/decision_points/mission_prevalence.py index bc5e4778..8bf55920 100644 --- a/src/ssvc/decision_points/mission_prevalence.py +++ b/src/ssvc/decision_points/mission_prevalence.py @@ -1,7 +1,7 @@ #!/usr/bin/env python """ -Provides the Mission Prevalence decision point and its values." +Provides the Mission Prevalence decision point and its values. """ # Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. diff --git a/src/ssvc/decision_points/utility.py b/src/ssvc/decision_points/utility.py index b1f08b0a..10b43924 100644 --- a/src/ssvc/decision_points/utility.py 
+++ b/src/ssvc/decision_points/utility.py @@ -5,7 +5,6 @@ """ # Copyright (c) 2024-2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project # Stakeholder Specific Vulnerability Categorization (SSVC) is # licensed under a MIT (SEI)-style license, please see LICENSE.md distributed From 2d115aa28ad47b11d3237b459b6a8885ff3bc4ef Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 18 Feb 2025 15:32:47 -0500 Subject: [PATCH 16/31] Split CVSS equivalence sets (#685) * split eq1 into separate module * split EQ2-6 into separate modules --- src/ssvc/_mixins.py | 4 +- src/ssvc/decision_points/cvss/eq_sets.py | 191 ------------------ .../decision_points/cvss/equivalence_set_1.py | 66 ++++++ .../decision_points/cvss/equivalence_set_2.py | 57 ++++++ .../decision_points/cvss/equivalence_set_3.py | 65 ++++++ .../decision_points/cvss/equivalence_set_4.py | 62 ++++++ .../decision_points/cvss/equivalence_set_5.py | 50 +++++ .../decision_points/cvss/equivalence_set_6.py | 49 +++++ src/ssvc/dp_groups/cvss/collections.py | 7 +- 9 files changed, 356 insertions(+), 195 deletions(-) delete mode 100644 src/ssvc/decision_points/cvss/eq_sets.py create mode 100644 src/ssvc/decision_points/cvss/equivalence_set_1.py create mode 100644 src/ssvc/decision_points/cvss/equivalence_set_2.py create mode 100644 src/ssvc/decision_points/cvss/equivalence_set_3.py create mode 100644 src/ssvc/decision_points/cvss/equivalence_set_4.py create mode 100644 src/ssvc/decision_points/cvss/equivalence_set_5.py create mode 100644 src/ssvc/decision_points/cvss/equivalence_set_6.py diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index c363a06f..6eb4c507 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py 
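Review bot: This hunk deletes the `# - see Contributors.md for a full list of Contributors` line from the license header, while every other header in this series (the `base.py` hunk above and the new equivalence_set modules below) keeps it, and the commit message says it adds missing license wording rather than removing any; this looks like an accidental drop. Restore the line: `# - see Contributors.md for a full list of Contributors`.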
@@ -1,8 +1,6 @@ #!/usr/bin/env python """ -file: _basics -author: adh -created_at: 9/20/23 4:51 PM +This module provides mixin classes for adding features to SSVC objects. """ # Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors diff --git a/src/ssvc/decision_points/cvss/eq_sets.py b/src/ssvc/decision_points/cvss/eq_sets.py deleted file mode 100644 index 0e12c2ea..00000000 --- a/src/ssvc/decision_points/cvss/eq_sets.py +++ /dev/null 
@@ -1,191 +0,0 @@ -#!/usr/bin/env python -""" -CVSS v4 Equivalence Sets -""" -# Copyright (c) 2023-2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University - -from ssvc.decision_points import SsvcDecisionPointValue -from ssvc.decision_points.cvss.base import CvssDecisionPoint - - -# EQ1 → AV/PR/UI with 3 levels specified in Table 24 -# Levels Constraints Highest Severity Vector(s) -# 0 AV:N and PR:N and UI:N AV:N/PR:N/UI:N -# 1 (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P AV:A/PR:N/UI:N or AV:N/PR:L/UI:N or AV:N/PR:N:/UI:P -# 2 AV:P or not(AV:N or PR:N or UI:N) AV:P/PR:N/UI:N or AV:A/PR:L/UI:P -EQ1 = CvssDecisionPoint( - name="Equivalence Set 1", - key="EQ1", - description="AV/PR/UI with 3 levels specified in Table 24", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: AV:P or not(AV:N or PR:N or UI:N)", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: AV:N and PR:N and UI:N", - ), - ], -) - -# EQ2 → AC/AT with 2 levels specified in 
Table 25 -# Levels Constraints Highest Severity Vector(s) -# 0 AC:L and AT:N AC:L/AT:N -# 1 not (AC:L and AT:N) AC:L/AT:P or AC:H/AT:N -EQ2 = CvssDecisionPoint( - name="Equivalence Set 2", - key="EQ2", - description="AC/AT with 2 levels specified in Table 25", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="1: not (AC:L and AT:N)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: AC:L and AT:N", - ), - ], -) - - -# EQ3 → VC/VI/VA with 3 levels specified in Table 26 -# Levels Constraints Highest Severity Vector(s) -# 0 VC:H and VI:H VC:H/VI:H/VA:H -# 1 not (VC:H and VI:H) and (VC:H or VI:H or VA:H) VC:L/VI:H/VA:H or VC:H/VI:L/VA:H -# 2 not (VC:H or VI:H or VA:H) VC:L/VI:L/VA:L -EQ3 = CvssDecisionPoint( - name="Equivalence Set 3", - key="EQ3", - description="VC/VI/VA with 3 levels specified in Table 26", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: not (VC:H or VI:H or VA:H)", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: VC:H and VI:H", - ), - ], -) - - -# EQ4 → SC/SI/SA with 3 levels specified in Table 27 -# 0 MSI:S or MSA:S SC:H/SI:S/SA:S -# 1 not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) SC:H/SI:H/SA:H -# 2 not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) SC:L/SI:L/SA:L -EQ4 = CvssDecisionPoint( - name="Equivalence Set 4", - key="EQ4", - description="SC/SI/SA with 3 levels specified in Table 27", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: MSI:S or MSA:S", - ), - ], -) - - -# 
EQ5 → E with 3 levels specified in Table 28 -# 0 E:A E:A -# 1 E:P E:P -# 2 E:U E:U -EQ5 = CvssDecisionPoint( - name="Equivalence Set 5", - key="EQ5", - description="E with 3 levels specified in Table 28", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="2: E:U", - ), - SsvcDecisionPointValue( - name="Medium", - key="M", - description="1: E:P", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: E:A", - ), - ], -) - -# EQ6 → VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29 -# 0 (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H) VC:H/VI:H/VA:H/CR:H/IR:H/AR:H -# 1 not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) VC:H/VI:H/VA:H/CR:M/IR:M/AR:M or VC:H/VI:H/VA:L/CR:M/IR:M/AR:H or VC:H/VI:L/VA:H/CR:M/IR:H/AR:M or VC:H/VI:L/VA:L/CR:M/IR:H/AR:H or VC:L/VI:H/VA:H/CR:H/IR:M/AR:M or VC:L/VI:H/VA:L/CR:H/IR:M/AR:H or VC:L/VI:L/VA:H/CR:H/IR:H/AR:M or VC:L/VI:L/VA:L/CR:H/IR:H/AR:H -EQ6 = CvssDecisionPoint( - name="Equivalence Set 6", - key="EQ6", - description="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29", - version="1.0.0", - values=[ - SsvcDecisionPointValue( - name="Low", - key="L", - description="1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)", - ), - SsvcDecisionPointValue( - name="High", - key="H", - description="0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)", - ), - ], -) - - -def main(): - for dp in [EQ1, EQ2, EQ3, EQ4, EQ5, EQ6]: - print(dp.model_dump_json(indent=2)) - - -if __name__ == "__main__": - main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_1.py b/src/ssvc/decision_points/cvss/equivalence_set_1.py new file mode 100644 index 00000000..6e832210 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_1.py 
@@ -0,0 +1,66 @@ +#!/usr/bin/env python +""" +Provides an object representing the CVSS Equivalence Set 1 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +TWO = SsvcDecisionPointValue( + name="Low", + key="L", + description="2: AV:P or not(AV:N or PR:N or UI:N)", +) + +ONE = SsvcDecisionPointValue( + name="Medium", + key="M", + description="1: (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P", +) + +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: AV:N and PR:N and UI:N", +) + +# EQ1 → AV/PR/UI with 3 levels specified in Table 24 +# Levels Constraints Highest Severity Vector(s) +# 0 AV:N and PR:N and UI:N AV:N/PR:N/UI:N +# 1 (AV:N or PR:N or UI:N) and not (AV:N and PR:N and UI:N) and not AV:P AV:A/PR:N/UI:N or AV:N/PR:L/UI:N or AV:N/PR:N:/UI:P +# 2 AV:P or not(AV:N or PR:N or UI:N) AV:P/PR:N/UI:N or AV:A/PR:L/UI:P +EQ1 = CvssDecisionPoint( + name="Equivalence Set 1", + key="EQ1", + 
description="AV/PR/UI with 3 levels specified in Table 24", + version="1.0.0", + values=( + TWO, + ONE, + ZERO, + ), +) + +VERSIONS = (EQ1,) +LATEST = EQ1 + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_2.py b/src/ssvc/decision_points/cvss/equivalence_set_2.py new file mode 100644 index 00000000..b20e1cd1 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_2.py 
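Review bot: `LATEST = EQ1` differs from the `LATEST = VERSIONS[-1]` form used by equivalence_set_2 through 5 in this same commit; use `LATEST = VERSIONS[-1]` here too so the six modules read identically and adding a version stays a one-line change. The module docstring also says "Provides an object..." where the siblings say "This module provides...", and the table comment sits between the value definitions and `EQ1` rather than above the values as in the siblings. In that table comment, `AV:N/PR:N:/UI:P` (carried over from eq_sets.py) looks like a typo for `AV:N/PR:N/UI:P`.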
@@ -0,0 +1,57 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 2 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ2 → AC/AT with 2 levels specified in Table 25 +# Levels Constraints Highest Severity Vector(s) +# 0 AC:L and AT:N AC:L/AT:N +# 1 not (AC:L and AT:N) AC:L/AT:P or AC:H/AT:N +ONE = SsvcDecisionPointValue( + name="Low", + key="L", + description="1: not (AC:L and AT:N)", +) +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: AC:L and AT:N", +) + +EQ2 = CvssDecisionPoint( + name="Equivalence Set 2", + key="EQ2", + description="AC/AT with 2 levels specified in Table 25", + version="1.0.0", + values=( + ONE, + ZERO, + ), +) + +VERSIONS = (EQ2,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() 
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_3.py b/src/ssvc/decision_points/cvss/equivalence_set_3.py
new file mode 100644
index 00000000..5d551b39
--- /dev/null
+++ b/src/ssvc/decision_points/cvss/equivalence_set_3.py
@@ -0,0 +1,65 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 3 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ3 → VC/VI/VA with 3 levels specified in Table 26 +# Levels Constraints Highest Severity Vector(s) +# 0 VC:H and VI:H VC:H/VI:H/VA:H +# 1 not (VC:H and VI:H) and (VC:H or VI:H or VA:H) VC:L/VI:H/VA:H or VC:H/VI:L/VA:H +# 2 not (VC:H or VI:H or VA:H) VC:L/VI:L/VA:L +TWO = SsvcDecisionPointValue( + name="Low", + key="L", + description="2: not (VC:H or VI:H or VA:H)", +) +ONE = SsvcDecisionPointValue( + name="Medium", + key="M", + description="1: not (VC:H and VI:H) and (VC:H or VI:H or VA:H)", +) +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: VC:H and VI:H", +) + +EQ3 = CvssDecisionPoint( + name="Equivalence Set 3", + key="EQ3", + description="VC/VI/VA with 3 levels specified in Table 26", + version="1.0.0", + values=( + TWO, + ONE, + ZERO, + ), 
+) + + +VERSIONS = (EQ3,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_4.py b/src/ssvc/decision_points/cvss/equivalence_set_4.py new file mode 100644 index 00000000..c7caf550 --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_4.py 
@@ -0,0 +1,62 @@ +#!/usr/bin/env python +""" +This module provides an object representing the CVSS Equivalence Set 4 as a decision point. +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.helpers import print_versions_and_diffs + +# EQ4 → SC/SI/SA with 3 levels specified in Table 27 +# 0 MSI:S or MSA:S SC:H/SI:S/SA:S +# 1 not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H) SC:H/SI:H/SA:H +# 2 not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H) SC:L/SI:L/SA:L +TWO = SsvcDecisionPointValue( + name="Low", + key="L", + description="2: not (MSI:S or MSA:S) and not (SC:H or SI:H or SA:H)", +) +ONE = SsvcDecisionPointValue( + name="Medium", + key="M", + description="1: not (MSI:S or MSA:S) and (SC:H or SI:H or SA:H)", +) +ZERO = SsvcDecisionPointValue( + name="High", + key="H", + description="0: MSI:S or MSA:S", +) +EQ4 = CvssDecisionPoint( + name="Equivalence Set 4", + key="EQ4", + description="SC/SI/SA with 3 levels specified in Table 27", + version="1.0.0", + values=( + TWO, + ONE, + ZERO, + ), +) + +VERSIONS = 
(EQ4,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() diff --git a/src/ssvc/decision_points/cvss/equivalence_set_5.py b/src/ssvc/decision_points/cvss/equivalence_set_5.py new file mode 100644 index 00000000..30e3fdba --- /dev/null +++ b/src/ssvc/decision_points/cvss/equivalence_set_5.py 
@@ -0,0 +1,50 @@
+#!/usr/bin/env python
+"""
+This module provides an object representing the CVSS Equivalence Set 5 as a decision point.
+"""
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points import SsvcDecisionPointValue
+from ssvc.decision_points.cvss.base import CvssDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+# EQ5 → E with 3 levels specified in Table 28
+# 0 E:A E:A
+# 1 E:P E:P
+# 2 E:U E:U
+TWO = SsvcDecisionPointValue(name="Low", key="L", description="2: E:U", )
+ONE = SsvcDecisionPointValue(name="Medium", key="M", description="1: E:P", )
+ZERO = SsvcDecisionPointValue(name="High", key="H", description="0: E:A", )
+EQ5 = CvssDecisionPoint(
+ name="Equivalence Set 5",
+ key="EQ5",
+ description="E with 3 levels specified in Table 28",
+ version="1.0.0",
+ values=(
+ TWO,
+ ONE,
+ ZERO,
+),
+)
+
+
+VERSIONS = (EQ5,)
+LATEST = VERSIONS[-1]
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == '__main__':
+ main()
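Review bot: This file is not black-formatted, unlike equivalence_set_4.py in the same change: the value constructors end in `description="2: E:U", )` with a stray space before the paren, `values=(` is closed by a `),` at column 0, `def main()` has only one blank line above it, and the guard uses `'__main__'` where the sibling uses double quotes. Running `black` on the file before merge would keep it consistent with the tree-wide reformat and avoid a noisy follow-up commit. The three values themselves match the comment table (E:U/E:P/E:A as levels 2/1/0), so no behavioural change is implied.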
diff --git a/src/ssvc/decision_points/cvss/equivalence_set_6.py b/src/ssvc/decision_points/cvss/equivalence_set_6.py
new file mode 100644
index 00000000..4b4887c8
--- /dev/null
+++ b/src/ssvc/decision_points/cvss/equivalence_set_6.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+"""
+This module provides an object representing the CVSS Equivalence Set 6 as a decision point.
+"""
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points import SsvcDecisionPointValue
+from ssvc.decision_points.cvss.base import CvssDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+# EQ6 → VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29
+# 0 (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H) VC:H/VI:H/VA:H/CR:H/IR:H/AR:H
+# 1 not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H) VC:H/VI:H/VA:H/CR:M/IR:M/AR:M or VC:H/VI:H/VA:L/CR:M/IR:M/AR:H or VC:H/VI:L/VA:H/CR:M/IR:H/AR:M or VC:H/VI:L/VA:L/CR:M/IR:H/AR:H or VC:L/VI:H/VA:H/CR:H/IR:M/AR:M or VC:L/VI:H/VA:L/CR:H/IR:M/AR:H or VC:L/VI:L/VA:H/CR:H/IR:H/AR:M or VC:L/VI:L/VA:L/CR:H/IR:H/AR:H
+ONE = SsvcDecisionPointValue(name="Low", key="L",
+ description="1: not (CR:H and VC:H) and not (IR:H and VI:H) and not (AR:H and VA:H)", )
+ZERO = SsvcDecisionPointValue(name="High", key="H",
+ description="0: (CR:H and VC:H) or (IR:H and VI:H) or (AR:H and VA:H)", )
+EQ6 = CvssDecisionPoint(
+ name="Equivalence Set 6",
+ key="EQ6",
+ description="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29",
+ version="1.0.0",
+ values=(
+ ONE,
+ ZERO,
+ ),
+)
+
+VERSIONS = (EQ6,)
+LATEST = VERSIONS[-1]
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == '__main__':
+ main()
+
diff --git a/src/ssvc/dp_groups/cvss/collections.py b/src/ssvc/dp_groups/cvss/collections.py
index debfaaca..3b40ee14 100644
--- a/src/ssvc/dp_groups/cvss/collections.py
+++ b/src/ssvc/dp_groups/cvss/collections.py
@@ -56,7 +56,12 @@
 CONFIDENTIALITY_REQUIREMENT_1_1,
 CONFIDENTIALITY_REQUIREMENT_1_1_1,
 )
-from ssvc.decision_points.cvss.eq_sets import EQ1, EQ2, EQ3, EQ4, EQ5, EQ6
+from ssvc.decision_points.cvss.equivalence_set_1 import EQ1
+from ssvc.decision_points.cvss.equivalence_set_2 import EQ2
+from ssvc.decision_points.cvss.equivalence_set_3 import EQ3
+from ssvc.decision_points.cvss.equivalence_set_4 import EQ4
+from ssvc.decision_points.cvss.equivalence_set_5 import EQ5
+from ssvc.decision_points.cvss.equivalence_set_6 import EQ6
 from ssvc.decision_points.cvss.exploitability import (
 EXPLOITABILITY_1,
 EXPLOITABILITY_1_1,
From be5fb3f085ca27f75c43dfab96800b47cf8695d2 Mon Sep 17 00:00:00 2001
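Review bot: The description string `description="VC/VI/VA+CR/CI/CA with 2 levels specified in Table 29"` (and the `# EQ6 → …` comment above it) names metrics `CI` and `CA`, which appear nowhere else in the hunk; the two value descriptions and the comment table consistently use `CR`, `IR` and `AR`, so the line should read `description="VC/VI/VA+CR/IR/AR with 2 levels specified in Table 29"`. If the wording was copied verbatim from the spec's table caption, a short comment saying so would stop the next reader from "fixing" it back and forth. Because `description` is a runtime string on the decision point, presumably surfaced in generated docs or JSON, it is worth settling before `version="1.0.0"` is published. Separately, this file is not black-formatted like equivalence_set_4.py (`key="L",` line break, `", )`, `'__main__'`), so a `black` pass before merge would keep the tree consistent.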
From: Vijay Sarvepalli Date: Tue, 18 Feb 2025 16:01:19 -0500 Subject: [PATCH 17/31] Update to schema_examples directory (#688) * Update to schema_examples directory * Updated link to CVE-1900-1234-Decision_Point_Value_Selection.json --- data/schema_examples/README.MD | 11 ----------- .../Computed-CVE-2014-0751-Coordinator-with-tree.json | 0 .../Computed-CVE-2014-0751-Coordinator.json | 0 data/schema_examples/archive/index.md | 8 ++++++++ data/schema_examples/index.md | 10 ++++++++++ 5 files changed, 18 insertions(+), 11 deletions(-) delete mode 100644 data/schema_examples/README.MD rename data/schema_examples/{ => archive}/Computed-CVE-2014-0751-Coordinator-with-tree.json (100%) rename data/schema_examples/{ => archive}/Computed-CVE-2014-0751-Coordinator.json (100%) create mode 100644 data/schema_examples/archive/index.md create mode 100644 data/schema_examples/index.md diff --git a/data/schema_examples/README.MD b/data/schema_examples/README.MD deleted file mode 100644 index fa6c9b9b..00000000 --- a/data/schema_examples/README.MD +++ /dev/null @@ -1,11 +0,0 @@ -# Sample JSON files - - -There are there sample JSON files that provide examples of the current [JSON schema](../schema/). -The JSON files here are -1. Full Decision tree used for making an SSVC based decision. -2. Computed SSVC score of a vulnerability at a point of time. -3. Computed SSVC score with the full decision tree embedded. - - - diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json b/data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator-with-tree.json similarity index 100% rename from data/schema_examples/Computed-CVE-2014-0751-Coordinator-with-tree.json rename to data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator-with-tree.json 
diff --git a/data/schema_examples/Computed-CVE-2014-0751-Coordinator.json b/data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator.json similarity index 100% rename from data/schema_examples/Computed-CVE-2014-0751-Coordinator.json rename to data/schema_examples/archive/Computed-CVE-2014-0751-Coordinator.json diff --git a/data/schema_examples/archive/index.md b/data/schema_examples/archive/index.md new file mode 100644 index 00000000..386fd140 --- /dev/null +++ b/data/schema_examples/archive/index.md @@ -0,0 +1,8 @@ +# Sample JSON files (Archived) + + +There are a few examples of the old schema validated JSON files here, please follow the latest schema in [Decision_Point_Value_Selection.schema.json ](../../schema/current/Decision_Point_Value_Selection.schema.json) + + + + diff --git a/data/schema_examples/index.md b/data/schema_examples/index.md new file mode 100644 index 00000000..4c4db38c --- /dev/null +++ b/data/schema_examples/index.md @@ -0,0 +1,10 @@ +# Sample JSON files + + +There is a sample JSON file that provides an example of a hypothetical CVE [CVE-1900-1234](CVE-1900-1234-Decision_Point_Value_Selection.json) that adheres to the [JSON schema](../schema/) + +The old JSON files are in the [archive](./archive/) folder + + + + From 90e548ee5173f3e398d28b96c0e81e8b3d4b92ee Mon Sep 17 00:00:00 2001 From: sei-renae Date: Wed, 19 Feb 2025 11:13:08 -0500 Subject: [PATCH 18/31] Update FEMA Federal continuity directive link (#692) --- doc/md_src_files/sources_ssvc.bib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/md_src_files/sources_ssvc.bib b/doc/md_src_files/sources_ssvc.bib index e42cce40..74c6192f 100644 --- a/doc/md_src_files/sources_ssvc.bib +++ b/doc/md_src_files/sources_ssvc.bib 
@@ -537,7 +537,7 @@ @techreport{FCD2_2017 year={2017}, author={Federal Emergency Management Agency}, institution={US Department of Homeland Security, Federal Emergency Management Agency}, - url={https://www.fema.gov/media-library-data/1499702987348-c8eb5e5746bfc5a7a3cb954039df7fc2/FCD-2June132017.pdf} + url={https://www.fema.gov/sites/default/files/2020-07/Federal_Continuity_Directive-2_June132017.pdf} } @techreport{dod3026_26_2018, From 3819abcfad52e53468fdbcd63481f028b11a1a27 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 19 Feb 2025 11:58:45 -0500 Subject: [PATCH 19/31] add PR template --- .../PULL_REQUEST_TEMPLATE/pull_request_template.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE/pull_request_template.md diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md new file mode 100644 index 00000000..a0400e19 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md @@ -0,0 +1,12 @@ +- Remove this template and add a description of the changes you are proposing. +- Most pull requests should be in response to an issue, and ideally a PR will +resolve or close one or more issues. +- If a PR only partially resolves an issue, +we suggest spawning one or more child issues from the main issue to identify what portion +of the issue is resolved by the PR, and what work remains to be done. +- Please use github keywords (closes, fixes, resolves, etc.) to reference relevant issues. +- Using bulleted lists with the issue id at the end lets github automatically +link the issue and provide the title inline. +- CoPilot summaries are welcome in the PR description, but please provide a brief +description of the changes in your own words as well. CoPilot can be good at the _what_, +but not so good at the _why_. \ No newline at end of file From 676bf24a51e451d9cef2a74d09f9b6d27f03c23c Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder" Date: Wed, 19 Feb 2025 14:22:53 -0500 Subject: [PATCH 20/31] revisions to address pr feedback --- .../pull_request_template.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md index a0400e19..324b4ead 100644 --- a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md +++ b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md 
@@ -1,12 +1,17 @@ - Remove this template and add a description of the changes you are proposing. +- Edit the title of the PR to be a concise summary of the changes. The title should + be descriptive enough to give a reviewer a good idea of what the PR is about, and + not just a reference to an issue number. PR titles are used in the commit log + and release notes, so they need to convey meaning on their own. - Most pull requests should be in response to an issue, and ideally a PR will -resolve or close one or more issues. + resolve or close one or more issues. - If a PR only partially resolves an issue, -we suggest spawning one or more child issues from the main issue to identify what portion -of the issue is resolved by the PR, and what work remains to be done. -- Please use github keywords (closes, fixes, resolves, etc.) to reference relevant issues. + we suggest spawning one or more child issues from the main issue to identify what portion + of the issue is resolved by the PR, and what work remains to be done. +- Please use [github keyword syntax](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/using-keywords-in-issues-and-pull-requests) + (closes, fixes, resolves, etc.) to reference relevant issues. - Using bulleted lists with the issue id at the end lets github automatically -link the issue and provide the title inline. + link the issue and provide the title inline. E.g.: `- resolves #99999` - CoPilot summaries are welcome in the PR description, but please provide a brief description of the changes in your own words as well. CoPilot can be good at the _what_, but not so good at the _why_. \ No newline at end of file From 42afa912e7748f0b538ce59b9b449f3be9c214bf Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder" Date: Wed, 19 Feb 2025 15:32:29 -0500 Subject: [PATCH 21/31] Add markdownlint workflow (#693) * add markdownlint config to project * fix config * ignore node modules * `markdownlint --fix docs` * `markdownlint --fix .` * add markdownlint workflow to check changes --- .github/workflows/lint_md_changes.yml | 30 ++++++++ .gitignore | 1 + .markdownlint.yml | 29 ++++++++ CONTRIBUTING.md | 5 +- README.md | 17 ++--- data/schema/README.MD | 8 +- data/schema_examples/archive/index.md | 7 +- data/schema_examples/index.md | 5 -- docs/_includes/helping_out.md | 26 +++---- docs/about/acknowledgements.md | 5 +- docs/about/changelog.md | 28 ++++--- docs/about/contact_us.md | 2 +- docs/about/contributing.md | 2 +- docs/about/copyright.md | 2 +- docs/about/index.md | 7 +- .../adr/0000-record-architecture-decisions.md | 4 +- ...markdown-architectural-decision-records.md | 33 +++++---- ...0002-ssvc-decision-points-are-versioned.md | 18 ++--- ...03-ssvc-decision-point-versioning-rules.md | 27 +++---- ...svc-decision-point-groups-are-versioned.md | 4 +- ...05-ssvc-decision-point-group-versioning.md | 17 ++--- ...06-ssvc-decision-point-versioning-rules.md | 74 +++++++++---------- .../adr/0007-descriptions-exclude-examples.md | 26 +++---- .../0008-decision-points-are-ordered-sets.md | 28 ++++--- docs/adr/0009-outcomes-are-ordered-sets.md | 30 ++++---- ...are-separate-from-decision-point-groups.md | 62 ++++++++-------- ...utomatable-and-value-density-and-CVSSv4.md | 21 ++---- docs/adr/_template.md | 42 +++++------ docs/adr/index.md | 2 +- docs/howto/acuity_ramp.md | 42 +++++------ docs/howto/bootstrap/collect.md | 11 +-- docs/howto/bootstrap/index.md | 2 +- docs/howto/bootstrap/prepare.md | 24 +++--- docs/howto/bootstrap/summary.md | 70 +++++++++--------- docs/howto/bootstrap/use.md | 17 ++--- docs/howto/coordination_intro.md | 7 +- docs/howto/coordination_triage_decision.md | 24 +++--- docs/howto/deployer_tree.md | 27 +++---- docs/howto/index.md | 18 ++--- 
docs/howto/publication_decision.md | 35 ++++----- docs/howto/supplier_tree.md | 9 +-- docs/howto/tree_customization.md | 39 ++++++---- docs/index.md | 12 ++- docs/reference/code/analyze_csv.md | 1 - docs/reference/code/doctools.md | 1 - docs/reference/code/index.md | 2 +- docs/reference/code/policy_generator.md | 3 +- docs/reference/decision_points/automatable.md | 6 -- .../compound_decision_points.md | 1 - .../reference/decision_points/exploitation.md | 5 +- .../reference/decision_points/human_impact.md | 6 +- docs/reference/decision_points/index.md | 2 +- .../decision_points/mission_impact.md | 25 +++---- .../decision_points/public_safety_impact.md | 4 +- .../decision_points/public_value_added.md | 7 +- .../decision_points/report_credibility.md | 57 +++++++------- .../decision_points/safety_impact.md | 7 +- .../decision_points/supplier_contacted.md | 3 - .../decision_points/system_exposure.md | 13 ++-- .../decision_points/technical_impact.md | 2 - docs/reference/decision_points/utility.md | 6 +- docs/reference/index.md | 11 ++- docs/ssvc-calc/README.md | 23 +++--- docs/ssvc-calc/index.md | 3 +- docs/topics/asset_management.md | 1 - docs/topics/decision_points_as_bricks.md | 27 ++++--- docs/topics/decision_trees.md | 3 + docs/topics/enumerating_decisions.md | 18 +---- docs/topics/enumerating_stakeholders.md | 2 - docs/topics/evaluation_of_draft_trees.md | 24 +++--- docs/topics/formalization_options.md | 1 - docs/topics/future_work.md | 9 +-- docs/topics/index.md | 10 +-- docs/topics/information_sources.md | 19 +++-- docs/topics/items_with_same_priority.md | 2 - docs/topics/limitations.md | 8 +- docs/topics/related_systems.md | 3 - docs/topics/representing_information.md | 26 +++---- docs/topics/risk_tolerance_and_priority.md | 5 +- docs/topics/state_of_practice.md | 1 - .../vulnerability_management_decisions.md | 1 - docs/topics/worked_example.md | 2 +- docs/tutorials/index.md | 7 +- src/README.md | 7 +- 84 files changed, 591 insertions(+), 672 deletions(-) create 
mode 100644 .github/workflows/lint_md_changes.yml
create mode 100644 .markdownlint.yml
diff --git a/.github/workflows/lint_md_changes.yml b/.github/workflows/lint_md_changes.yml
new file mode 100644
index 00000000..d5aa5b78
--- /dev/null
+++ b/.github/workflows/lint_md_changes.yml
@@ -0,0 +1,30 @@
+name: "Lint Markdown (Changes)"
+on:
+ push:
+ paths:
+ - '**/*.md'
+ - .github/workflows/lint_md_changes.yml
+ pull_request:
+ paths:
+ - '**/*.md'
+ - .github/workflows/lint_md_changes.yml
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: tj-actions/changed-files@v44
+ id: changed-files
+ with:
+ files: '**/*.md'
+ separator: ","
+ - uses: DavidAnson/markdownlint-cli2-action@v16
+ if: steps.changed-files.outputs.any_changed == 'true'
+ with:
+ globs: ${{ steps.changed-files.outputs.all_changed_files }}
+ separator: ","
+ config: .markdownlint.yml
+
diff --git a/.gitignore b/.gitignore
index 6189a8e6..c575e379 100644
--- a/.gitignore
+++ b/.gitignore
@@ -129,3 +129,4 @@ dmypy.json
 .pyre/
 ssvc2-applier-wip.xlsx
 _version.py
+node_modules
diff --git a/.markdownlint.yml b/.markdownlint.yml
new file mode 100644
index 00000000..3c95d570
--- /dev/null
+++ b/.markdownlint.yml
@@ -0,0 +1,29 @@
+default: true
+# disable noisy rules
+# 0004 Unordered List style
+# Force dash style for unordered lists
+MD004:
+ style: "dash"
+# 013 Line length
+# Disabled because we have a lot of long lines. We should fix this eventually.
+MD013: false
+# 033 Inline HTML
+# Disabled because we use inline HTML (
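Review bot: The three `uses:` lines reference actions by mutable tag (`actions/checkout@v4`, `tj-actions/changed-files@v44`, `DavidAnson/markdownlint-cli2-action@v16`) and the workflow declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository grants and a retagged or compromised third-party action would inherit it. Pin each action to a full-length commit SHA with the tag in a trailing comment, e.g. `uses: tj-actions/changed-files@<full-sha> # v44`, and add a top-level `permissions:` with `contents: read` so the lint job can only read the checkout. The changed-file list flows from `steps.changed-files.outputs.all_changed_files` into the `globs` action input rather than a `run:` shell line, and the trigger is `pull_request` rather than `pull_request_target`, so fork PRs get a read-only token; keep both of those properties if the workflow is later extended with `run:` steps that echo those filenames.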
in table cells for example) +MD033: false +# MD040/fenced-code-language : Fenced code blocks should have a language specified : https://github.com/DavidAnson/markdownlint/blob/v0.37.4/doc/md040.md +MD040: false +# 041 First line in file should be a top level header +# Disabled because we use `include-markdown` plugin for merging markdown files +MD041: false +# 046 Code block style +# Disabled because mkdocs-material uses indented blocks for admonitions +MD046: false +# 049 emphasis style +# Force asterisk style for emphasis +MD049: + style: "asterisk" +# 050 strong style +# Force asterisk style for strong +MD050: + style: "asterisk" + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d3e01067..e2d15805 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,7 +1,7 @@ # How to contribute Thanks for your help on improving our stakeholder-specific vulnerability categorization work. -To account for different stakeholder perspectives, we benefit from a diverse group of contributors. +To account for different stakeholder perspectives, we benefit from a diverse group of contributors. Please see our project documentation in the [wiki](https://github.com/CERTCC/SSVC/wiki) that accompanies this repository for more information on how you can contribute to the project. @@ -9,9 +9,8 @@ for more information on how you can contribute to the project. ## Licenses See [LICENSE](https://github.com/CERTCC/SSVC/blob/main/LICENSE) - + ## Questions If you have any questions, an [issue](https://github.com/CERTCC/SSVC/issues) or [discussion](https://github.com/CERTCC/SSVC/discussions) is the best way to get in touch with us. - diff --git a/README.md b/README.md index ae0a2910..319c0a0f 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,7 @@ SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-ma SSVC is mostly conceptual tools for vulnerability management. These conceptual tools (how to make decisions, what should go into a decision, how to document and communicate decisions clearly, etc.) are described here. -**Note:** This repository contains the _content_ for the main SSVC documentation hosted at +**Note:** This repository contains the *content* for the main SSVC documentation hosted at ## [https://certcc.github.io/SSVC/](https://certcc.github.io/SSVC/) @@ -19,7 +19,6 @@ These conceptual tools (how to make decisions, what should go into a decision, h --- - # What's here Here's a quick overview of the main directories and files in this repository. @@ -34,7 +33,7 @@ See [`project_docs/README.md`](project_docs/README.md) for more info. Directory with SSVC calculator using D3 graph. See [`ssvc-calc/README.md`](docs/ssvc-calc/README.md) for more info. -A demo version of `ssvc-calc` can be found at https://certcc.github.io/SSVC/ssvc-calc/ +A demo version of `ssvc-calc` can be found at ## `/pdfs/*` @@ -82,7 +81,6 @@ The two methods just loop through their respective lookup tables until they hit a match, then return the outcome. Maybe not the best implementation, but it worked well enough for what was needed at the time. - ## Local development Install prerequisites: @@ -97,11 +95,11 @@ Start a local server: mkdocs serve ``` -Navigate to http://localhost:8001/ to see the site. +Navigate to to see the site. (Hint: You can use the `--dev-addr` argument with mkdocs to change the port, e.g. `mkdocs serve --dev-addr localhost:8000`) -## Run tests +## Run tests We include a few tests for the `ssvc` module. @@ -121,9 +119,6 @@ pip install pytest # if you haven't already pytest # should find tests in src/test/* ``` - - - ## Contributing - [SSVC Community Engagement](https://certcc.github.io/SSVC/about/contributing/) has more detail on how to contribute to the project. 
@@ -147,5 +142,5 @@ To reference SSVC in an academic publication, please refer to the version presen ## References -1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization." White Paper, Software Engineering Institute, Carnegie Mellon University (2019). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379 -2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Towards Improving CVSS." White Paper, Software Engineering Institute, Carnegie Mellon University (2018). https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=538368 +1. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization." White Paper, Software Engineering Institute, Carnegie Mellon University (2019). +2. Spring, J., Hatleback, E., Householder, A., Manion, A., and Shick, D. "Towards Improving CVSS." White Paper, Software Engineering Institute, Carnegie Mellon University (2018). diff --git a/data/schema/README.MD b/data/schema/README.MD index 75c80654..6f90e8bc 100644 --- a/data/schema/README.MD +++ b/data/schema/README.MD @@ -1,10 +1,6 @@ -# SSVC decision tree schemas +# SSVC decision tree schemas -Two JSON schema files are embedded here that provide schema information for +Two JSON schema files are embedded here that provide schema information for 1. Full Decision tree schema for represeting an SSVC decision tree for a Role 2. Computed SSVC score schema of a vulnerability at a point of time, optionally includes the tree used in making the decision. - - - - diff --git a/data/schema_examples/archive/index.md b/data/schema_examples/archive/index.md index 386fd140..71f652a2 100644 --- a/data/schema_examples/archive/index.md +++ b/data/schema_examples/archive/index.md 
@@ -1,8 +1,3 @@ # Sample JSON files (Archived) - -There are a few examples of the old schema validated JSON files here, please follow the latest schema in [Decision_Point_Value_Selection.schema.json ](../../schema/current/Decision_Point_Value_Selection.schema.json) - - - - +There are a few examples of the old schema validated JSON files here, please follow the latest schema in [Decision_Point_Value_Selection.schema.json](../../schema/current/Decision_Point_Value_Selection.schema.json) diff --git a/data/schema_examples/index.md b/data/schema_examples/index.md index 4c4db38c..b405110a 100644 --- a/data/schema_examples/index.md +++ b/data/schema_examples/index.md @@ -1,10 +1,5 @@ # Sample JSON files - There is a sample JSON file that provides an example of a hypothetical CVE [CVE-1900-1234](CVE-1900-1234-Decision_Point_Value_Selection.json) that adheres to the [JSON schema](../schema/) The old JSON files are in the [archive](./archive/) folder - - - - diff --git a/docs/_includes/helping_out.md b/docs/_includes/helping_out.md index e869620b..f088bbe1 100644 --- a/docs/_includes/helping_out.md +++ b/docs/_includes/helping_out.md @@ -4,53 +4,52 @@ We welcome your feedback and contributions to SSVC. Here are some ways you can g
-- :material-message-question: _Ask a question_ +- :material-message-question: *Ask a question* --- - If you have a specific question for the SSVC team, please feel free to + If you have a specific question for the SSVC team, please feel free to [Ask a Question](https://github.com/CERTCC/SSVC/issues/new?template=question.md). - + Questions of more general interest to the community of SSVC users might fit better in the [Q&A](https://github.com/CERTCC/SSVC/discussions/categories/q-a) section of the [Discussion](https://github.com/CERTCC/SSVC/discussions) area. -- :fontawesome-solid-bug: _Report a problem_ +- :fontawesome-solid-bug: *Report a problem* --- If you find a problem with the SSVC documentation, the methodology, or accompanying code, we welcome your [Bug Reports](https://github.com/CERTCC/SSVC/issues/new?template=bug_report.md) - -- :material-lightbulb-on: _Suggest an improvement_ + +- :material-lightbulb-on: *Suggest an improvement* --- Got an idea for how to make SSVC better? We'd love to hear it! Please submit your [Feature Requests](https://github.com/CERTCC/SSVC/issues/new?template=feature_request.md) - -- :fontawesome-regular-comments: _Join the conversation_ + +- :fontawesome-regular-comments: *Join the conversation* --- More in-depth conversations that might not be actionable as issues are found in the [Discussions](https://github.com/CERTCC/SSVC/discussions) area. -- :material-binoculars: _See what we're working on_ +- :material-binoculars: *See what we're working on* --- We manage the SSVC development effort via Github [Issues](https://github.com/CERTCC/SSVC/issues) and - [Pull Requests](https://github.com/CERTCC/SSVC/pulls). + [Pull Requests](https://github.com/CERTCC/SSVC/pulls). Drop by and see what we're working on, or leave a comment to let us know what you're interested in. -- :material-hub: _Get more involved_ +- :material-hub: *Get more involved* --- Want more information about engaging as a collaborator? 
Check out the [SSVC Project Wiki](https://github.com/CERTCC/SSVC/wiki) - -
+ !!! tip "Footer Icons" @@ -60,4 +59,3 @@ We welcome your feedback and contributions to SSVC. Here are some ways you can g If you are new to contributing to open source projects on Github, we've assembled some pointers to help you get started in the [Github Tips for SSVC contributors](https://github.com/CERTCC/SSVC/wiki/Github-Tips-for-SSVC-contributors) - diff --git a/docs/about/acknowledgements.md b/docs/about/acknowledgements.md index b2176f46..174ef80c 100644 --- a/docs/about/acknowledgements.md +++ b/docs/about/acknowledgements.md @@ -5,8 +5,8 @@ of this report: Art Manion, Madison Oliver, and Deana Shick. The authors thank the [contributors](https://github.com/CERTCC/SSVC/graphs/contributors) to the [SSVC project](https://github.com/CERTCC/SSVC) on Github as well as the following individuals for helpful comments on -prior drafts (listed in alphabetical order): -Muhammad Akbar, +prior drafts (listed in alphabetical order): +Muhammad Akbar, Will Dormann, Manish Gaur, Ralph Langer, @@ -23,4 +23,3 @@ Anonymous WEIS reviewers; Various staff members and analysts at CERT/CC, CISA, McAfee, and VMWare; FIRST CVSS SIG and EPSS SIG members; and others who wish to remain anonymous. - diff --git a/docs/about/changelog.md b/docs/about/changelog.md index aee45fe4..cb31527b 100644 --- a/docs/about/changelog.md +++ b/docs/about/changelog.md 
@@ -9,29 +9,29 @@ In the 2024.3 release of the Stakeholder-Specific Vulnerability Classification ( This release debuts the [certcc.github.io/SSVC](https://certcc.github.io/SSVC) web site to serve as the front-door for all things SSVC. - **Diátaxis Framework** - We adopted the [Diátaxis Framework](https://diataxis.fr/) as a document organization framework for SSVC documentation. High level content categories are: tutorials, how-to, topics, and reference. What used to be a linear paper format is now sectioned off into more digestible pieces. -- **More call-outs and examples** - With our adoption of [_Material for MkDocs_](https://squidfunk.github.io/mkdocs-material/) as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site. +- **More call-outs and examples** - With our adoption of [*Material for MkDocs*](https://squidfunk.github.io/mkdocs-material/) as the underlying toolkit to construct our web site, we were able to better highlight examples, tips, and sidebar topics through the use of call-out boxes throughout the site. -## New and Revised Content +## New and Revised Content - **Expanded Content** - We've included more examples of Decision Points and the like directly inline where they're mentioned so readers don't need to keep flipping back and forth to their definitions for reference. -- **Bootstrapping advice** - Added a _Getting Started with SSVC_ process to help organizations go from being _potential_ SSVC users to being _actual_ SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community. -- **Putting the Pieces Together** - _Added a Putting the Pieces Together_ page explaining some of our philosophy regarding how to use SSVC to model decisions. 
SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like. -- **Acuity Ramp** - Added an _Acuity Ramp_ explainer to show how an organization can grow into a decision model over time. +- **Bootstrapping advice** - Added a *Getting Started with SSVC* process to help organizations go from being *potential* SSVC users to being *actual* SSVC users. This process is based on both our own experience helping organizations adopt SSVC as well as a few field reports of SSVC adoption from the community. +- **Putting the Pieces Together** - *Added a Putting the Pieces Together* page explaining some of our philosophy regarding how to use SSVC to model decisions. SSVC provides you with the pieces and some instructions on how to assemble them, but you can customize it however you like. +- **Acuity Ramp** - Added an *Acuity Ramp* explainer to show how an organization can grow into a decision model over time. - **Community Engagement** - Included in the new web site are a number of suggested ways for the community to interact with and contribute to the SSVC. ## Versioned Objects -- **Semantic Versioning for Decision Points and Decision Point Groups** - Introduced Semantic Versioning (SemVer) for _Decision Points_ and _Decision Point Groups_ to improve communication around decision points and decision models -- **Calendar Versioning for SSVC as a whole** - With the introduction of SemVer for _Decision Points_ and _Decision Point Groups_, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer. 
+- **Semantic Versioning for Decision Points and Decision Point Groups** - Introduced Semantic Versioning (SemVer) for *Decision Points* and *Decision Point Groups* to improve communication around decision points and decision models +- **Calendar Versioning for SSVC as a whole** - With the introduction of SemVer for *Decision Points* and *Decision Point Groups*, it started to make less sense for us to talk in terms of "SSVC v2.2", especially as we were simultaneously moving away from a PDF document-focused development model towards a more flexible web-based documentation model. Beginning with this version, we anticipate that future tagged releases will use Calendar Versioning (CalVer) instead of SemVer. ## Experimental & Emerging Features There are a few improvements we've begun but have not yet fully finished, and that are largely undocumented. Most of these in the current release are python-centric. Here's a brief overview for those who want to poke around at code. -- **SSVC Python module** - This release introduces the `ssvc` python module to allow us to more easily work with _Decision Points_, _Decision Point Groups_, _Outcomes_, and _Policies_ that map from _Decision Points_ to _Outcomes_. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation. -- **Policy Generator** - We're prototyping a Python tool that can generate a starting policy given any combination of a _Decision Point Group_ and _Outcomes_. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out. +- **SSVC Python module** - This release introduces the `ssvc` python module to allow us to more easily work with *Decision Points*, *Decision Point Groups*, *Outcomes*, and *Policies* that map from *Decision Points* to *Outcomes*. We expect to have more to say about this module in the future, but for now it's geared towards helping us produce the site documentation. 
+- **Policy Generator** - We're prototyping a Python tool that can generate a starting policy given any combination of a *Decision Point Group* and *Outcomes*. It's not ready for prime-time yet, but folks with a bit of python skill might be in a position to try it out. - **More Decision Points and Outcomes** - In the process of exercising our Semantic Versioning rules for decision points and groups, we needed some examples of versioning events for discussion purposes. As a result, the `ssvc.decision_points.cvss` and `ssvc.dp_groups.cvss` modules contain python implementations of CVSS vector elements from CVSS v1, v2, v3, v3.1, and v4. We anticipate some of these coming in handy in the future as we look toward modeling other decisions potentially based on CVSS vector elements as well as other decision points from SSVC and elsewhere. We also included decision points and groups from [CISA's customized SSVC implementation](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc). - + ## Other project infrastructure improvements - Shifted from PDF-oriented to web-oriented workflow @@ -55,8 +55,8 @@ The details of what changes were made can be viewed on the SSVC Github under the - Improved consistency of *Public Safety Impact* usage throughout the document and tooling - Improved consistency of *Human Impact* usage throughout the document - Clarified that known default passwords are an example of *Exploitation*:PoC -- Clarified that unreachable code (as in unused library features) are _System Exposure_:small -- Mention DoD MEF definition in _Mission Impact_ +- Clarified that unreachable code (as in unused library features) are *System Exposure*:small +- Mention DoD MEF definition in *Mission Impact* - Updated references to EPSS to reflect recent publications - Refactored markdown files to better track chapter and section numbering, improving findability when editing - Automated HTML and PDF generation into a Github Workflow 
@@ -64,7 +64,6 @@ The details of what changes were made can be viewed on the SSVC Github under the - Consolidated the SSVC document style guide into a single file in the repository - Miscellaneous typo fixes and readability improvements (e.g., headings, bulleted lists) - ## Version 2 (2021.5) Changelog This section summarizes the changes between SSVC version 2 and SSVC version 1.1 as published at the Workshop on the Ecnomics of Information Security (WEIS 2020). @@ -113,7 +112,6 @@ Either situation is sufficient to increase the priority, and there do not appear On the other hand, a low *Utility* or *System Exposure* may mitigate a high mission or well-being impact. So the Version 2 recommended tree is more usable than the Version 1 tree, thanks to these changes. - ### Tree management and communication tools The section Tree Construction and Customization Guidance is largely new or revised. @@ -127,4 +125,4 @@ Version 2 also addresses several other questions about SSVC information manageme ## Version 1.0 (2019.12) Changelog -Initial release \ No newline at end of file +Initial release diff --git a/docs/about/contact_us.md b/docs/about/contact_us.md index 3e740193..795237f4 100644 --- a/docs/about/contact_us.md +++ b/docs/about/contact_us.md @@ -7,4 +7,4 @@ Software Engineering Institute **Web**: [www.sei.cmu.edu](http://www.sei.cmu.edu) **Email**: [info@sei.cmu.edu](mailto:info@sei.cmu.edu) -{% include-markdown "../_includes/helping_out.md" heading-offset=1 %} \ No newline at end of file +{% include-markdown "../_includes/helping_out.md" heading-offset=1 %} diff --git a/docs/about/contributing.md b/docs/about/contributing.md index fdd0519e..1077a4b3 100644 --- a/docs/about/contributing.md +++ b/docs/about/contributing.md @@ -1,3 +1,3 @@ {% include-markdown "../_includes/helping_out.md" %} -{% include-markdown "../../CONTRIBUTING.md" %} \ No newline at end of file +{% include-markdown "../../CONTRIBUTING.md" %} 
diff --git a/docs/about/copyright.md b/docs/about/copyright.md index 59abb77e..5637a336 100644 --- a/docs/about/copyright.md +++ b/docs/about/copyright.md @@ -15,7 +15,7 @@ NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE Internal use:\* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works. -External use:\* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. +External use:\* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at . \* These restrictions do not apply to U.S. government entities. diff --git a/docs/about/index.md b/docs/about/index.md index 74f4fc02..8f18dbd3 100644 --- a/docs/about/index.md +++ b/docs/about/index.md 
@@ -6,11 +6,10 @@ The evaluation process we developed in version 1 remains an important part of co We invite [participation](contributing.md) and further refinement of the prioritization mechanism from the community as well, such as by [posting an issue](https://github.com/CERTCC/SSVC/issues). We endeavored to be transparent about our process and provide justification for design decisions. -We invite questions, comments, and further community refinement in moving forward with a transparent and justified -vulnerability prioritization methodology that is inclusive for the various stakeholders and industries that develop +We invite questions, comments, and further community refinement in moving forward with a transparent and justified +vulnerability prioritization methodology that is inclusive for the various stakeholders and industries that develop and use information and computer technology. -
- :material-offer: [Community Engagement](contributing.md) @@ -20,4 +19,4 @@ and use information and computer technology. - :material-copyright: [Copyright](copyright.md) - :material-inbox-arrow-down: [Contact Us](contact_us.md) -
\ No newline at end of file + diff --git a/docs/adr/0000-record-architecture-decisions.md b/docs/adr/0000-record-architecture-decisions.md index fcd64cce..1afae220 100644 --- a/docs/adr/0000-record-architecture-decisions.md +++ b/docs/adr/0000-record-architecture-decisions.md @@ -1,7 +1,7 @@ # Record architecture decisions -* Status: accepted -* Date: 2023-10-16 +- Status: accepted +- Date: 2023-10-16 ## Context diff --git a/docs/adr/0001-use-markdown-architectural-decision-records.md b/docs/adr/0001-use-markdown-architectural-decision-records.md index 2c99e241..103a62f1 100644 --- a/docs/adr/0001-use-markdown-architectural-decision-records.md +++ b/docs/adr/0001-use-markdown-architectural-decision-records.md @@ -3,8 +3,8 @@ Adapted from [MADR's similar decision record](https://github.com/adr/madr/blob/2.1.2/docs/adr/0000-use-markdown-architectural-decision-records.md). -* Status: accepted -* Date: 2023-10-16 +- Status: accepted +- Date: 2023-10-16 ## Context and Problem Statement 
@@ -13,31 +13,32 @@ Which format and structure should these records follow? ## Considered Options -* [MADR](https://adr.github.io/madr/) 3.0.0 - The Markdown Architectural Decision Records -* [Michael Nygard's template](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions) - The first incarnation of the term "ADR" -* [Sustainable Architectural Decisions](https://www.infoq.com/articles/sustainable-architectural-design-decisions) - The Y-Statements -* Other templates listed at -* Formless - No conventions for file format and structure +- [MADR](https://adr.github.io/madr/) 3.0.0 - The Markdown Architectural Decision Records +- [Michael Nygard's template](http://thinkrelevance.com/blog/2011/11/15/documenting-architecture-decisions) - The first incarnation of the term "ADR" +- [Sustainable Architectural Decisions](https://www.infoq.com/articles/sustainable-architectural-design-decisions) - The Y-Statements +- Other templates listed at +- Formless - No conventions for file format and structure ## Decision Outcome Chosen option: "MADR 3.0.0", because -* Implicit assumptions should be made explicit. +- Implicit assumptions should be made explicit. Design documentation is important to enable people understanding the decisions later on. See also [A rational design process: How and why to fake it](https://doi.org/10.1109/TSE.1986.6312940). -* The MADR format is lean and fits our development style. -* The MADR structure is comprehensible and facilitates usage & maintenance. -* Version 3.0.0 is the latest one available when starting to document ADRs. +- The MADR format is lean and fits our development style. +- The MADR structure is comprehensible and facilitates usage & maintenance. +- Version 3.0.0 is the latest one available when starting to document ADRs. ### Positive Consequences The ADR are more structured. 
See especially: -* [MADR-0002 - Do not use numbers in headings](https://github.com/adr/madr/blob/2.1.2/docs/adr/0002-do-not-use-numbers-in-headings.md). -* [MADR-0005 - Use (unique number and) dashes in filenames](https://github.com/adr/madr/blob/2.1.2/docs/adr/0005-use-dashes-in-filenames.md). -* [MADR-0010 - Support categories (in form of subfolders with local ids)](https://github.com/adr/madr/blob/2.1.2/docs/adr/0010-support-categories.md). -* See [full set of MADR ADRs](https://github.com/adr/madr/blob/2.1.2/docs/adr). + +- [MADR-0002 - Do not use numbers in headings](https://github.com/adr/madr/blob/2.1.2/docs/adr/0002-do-not-use-numbers-in-headings.md). +- [MADR-0005 - Use (unique number and) dashes in filenames](https://github.com/adr/madr/blob/2.1.2/docs/adr/0005-use-dashes-in-filenames.md). +- [MADR-0010 - Support categories (in form of subfolders with local ids)](https://github.com/adr/madr/blob/2.1.2/docs/adr/0010-support-categories.md). +- See [full set of MADR ADRs](https://github.com/adr/madr/blob/2.1.2/docs/adr). ### Negative Consequences -* Learning curve will be slightly longer. +- Learning curve will be slightly longer. diff --git a/docs/adr/0002-ssvc-decision-points-are-versioned.md b/docs/adr/0002-ssvc-decision-points-are-versioned.md index 4a0d0ae2..9203a78b 100644 --- a/docs/adr/0002-ssvc-decision-points-are-versioned.md +++ b/docs/adr/0002-ssvc-decision-points-are-versioned.md 
@@ -18,18 +18,17 @@ should be relatively infrequent after an initial period of refinement. Note: This decision addresses the fact that decision points are versioned, but does not address how the version number is used. We will address that in a separate decision. - ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated ## Considered Options -* No versioning -* [Semantic versioning](https://semver.org/) -* [CalVer](https://calver.org/) +- No versioning +- [Semantic versioning](https://semver.org/) +- [CalVer](https://calver.org/) ## Decision Outcome @@ -42,7 +41,6 @@ compatibility expectations between versions. - Semver makes sense for decision point versioning because we don't anticipate them changing much once they go 1.0 - and typo fixes etc. could just bump the fix version e.g., 1.0.2 -> 1.0.3 - ### Consequences - Maintaining version numbers for decision points will add a small burden to each decision point. @@ -56,6 +54,6 @@ compatibility expectations between versions. ## More Information -- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. - [Semantic Versioning](https://semver.org/) -- [CalVer](https://calver.org/) \ No newline at end of file +- [CalVer](https://calver.org/) diff --git a/docs/adr/0003-ssvc-decision-point-versioning-rules.md b/docs/adr/0003-ssvc-decision-point-versioning-rules.md index b625d4cc..ecffcbfb 100644 --- a/docs/adr/0003-ssvc-decision-point-versioning-rules.md +++ b/docs/adr/0003-ssvc-decision-point-versioning-rules.md 
@@ -7,7 +7,6 @@ deciders: adh, jspring, vssarvepalli, latyzenhaus, cgyarbrough, ehatleback ## Context and Problem Statement - A decision point represents a unit of information for use in one or more decisions An SSVC "version" might introduce new decision points or new functions (trees) over existing decision points (or both) As SSVC evolves and grows, we occasionally have the need to modify an existing decision point. @@ -19,13 +18,12 @@ should be relatively infrequent after an initial period of refinement. Note: This decision addresses the rules for versioning, and depends on the decision to version decision points in the first place. - ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated -* Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated +- Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. ## Considered Options 
@@ -36,31 +34,30 @@ Strictly speaking, Decision Points might not need to be explicitly versioned bec However, for future-proofing purposes we might want to include a key-value pair in the decision point definition to represent a version ID. We could establish rules such as + - version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change - version 1.0 freezes the Decision Point labels, number of labels, and their ordering - version 1.0.x for x > 0 would be limited to description changes - ## Decision Outcome Chosen option: "Semantic versioning": > Given a version number MAJOR.MINOR.PATCH, increment the: -> +> > - MAJOR version when you make incompatible API changes -> - MINOR version when you add functionality in a backward compatible manner +> - MINOR version when you add functionality in a backward compatible manner > - PATCH version when you make backward compatible bug fixes > > Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format. Applied as follows: - | Do this... | ...when... | |----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | New Object | A different or new concept is being represented
Note: new objects get new names | -| +1 Major Version | Existing options are _removed_
Option semantics change in a way that older answers are no longer usable
New options are added that divide previous semantics ambiguously
Note: The ability to map old to new semantics is encouraged but not required | -| +0.1 Minor Version | New options are added
Option names are changed while semantics are retained
_AND_ all existing options are retained with compatible semantics | +| +1 Major Version | Existing options are *removed*
Option semantics change in a way that older answers are no longer usable
New options are added that divide previous semantics ambiguously
Note: The ability to map old to new semantics is encouraged but not required | +| +0.1 Minor Version | New options are added
Option names are changed while semantics are retained
*AND* all existing options are retained with compatible semantics | | +0.0.1 Patch Version | No changes to number of options
No changes to semantics of options
Typo fixes in option names or decision point name | Decision Points having a major version of 0 are considered to be pre-support and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change. @@ -80,8 +77,8 @@ The lowest supported version of a decision point is 1.0.0. use use version 2.1 of a decision point at one time and later revert to using version 1.0 if the 2.1 was found to be problematic). - Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. - We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. -This implies the need for a way to denote the _status_ of a decision point in addition to its _version_. -Decision Point _status_ will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. +This implies the need for a way to denote the *status* of a decision point in addition to its *version*. +Decision Point *status* will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. ### Confirmation @@ -89,5 +86,5 @@ Decision Point _status_ will need to be addressed in a separate decision (or dec ## More Information -- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. - [Semantic Versioning](https://semver.org/) diff --git a/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md b/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md index 345801ca..1e7aa82d 100644 --- a/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md +++ b/docs/adr/0004-ssvc-decision-point-groups-are-versioned.md 
@@ -11,9 +11,9 @@ deciders: adh, jspring, vssarvepalli, cgyarbrough, latyzenhaus, ehatleback Decision Point Groups are sets of decision points pinned to specific versions of those decision points. These groups may change over time. -For example, the SSVC _Patch Applier_ and _Deployer_ trees have evolved as follows: +For example, the SSVC *Patch Applier* and *Deployer* trees have evolved as follows: -| _Patch Applier_ (SSVC v1) | _Deployer_ (SSVC v2) | _Deployer_ (SSVC v2.1) | +| *Patch Applier* (SSVC v1) | *Deployer* (SSVC v2) | *Deployer* (SSVC v2.1) | |:-------------------------:|:--------------------------------------------------------:|:-----------------------------------------------------------:| | Exploitation 1.0.0 | Exploitation 1.0.0 | Exploitation 1.0.0 | | System Exposure 1.0.0 | System Exposure 1.0.1 | System Exposure 1.0.1 | diff --git a/docs/adr/0005-ssvc-decision-point-group-versioning.md b/docs/adr/0005-ssvc-decision-point-group-versioning.md index f515f1d0..cdb2f525 100644 --- a/docs/adr/0005-ssvc-decision-point-group-versioning.md +++ b/docs/adr/0005-ssvc-decision-point-group-versioning.md @@ -19,11 +19,10 @@ This ADR establishes the rules for versioning Decision Point Groups. - Decision Points change over time - The composition of decision point groups change over time - It is important that we can discriminate between versions of decision point groups -- Although technically a Decision Point Group is fully defined by the set of - pinned Decision Points it contains, we find it convenient to be able to +- Although technically a Decision Point Group is fully defined by the set of + pinned Decision Points it contains, we find it convenient to be able to refer to the group as a whole, and to be able to discriminate between different versions of the group. - ## Considered Options A number of options were discussed in 
@@ -45,7 +44,7 @@ provides indication of compatibility expectations between versions. Implemented as follows: The core identity of a decision point group is derived from the pairing of the -_stakeholder role_ and the specific _decision_ being modeled. +*stakeholder role* and the specific *decision* being modeled. ### Create a new object when @@ -79,8 +78,8 @@ version of the existing name according to the following rules. ### Examples -Assume a decision point group (DPG) named _DPG v1.0.0_, -containing decision points (DP) _A v1.0.0_ and _B v1.3.1_. +Assume a decision point group (DPG) named *DPG v1.0.0*, +containing decision points (DP) *A v1.0.0* and *B v1.3.1*. In the table below, we show how the Decision Point Group version number changes as the constituent Decision Points change. @@ -101,11 +100,11 @@ In row 4, DP C undergoes a major version increment, which triggers a major versi - Maintaining version numbers for decision point groups will add a small burden to each decision point group. - Semantic versioning will make it easier to track changes to decision point groups over time. - Because we don't anticipate frequent changes to decision point groups, the burden of maintaining version numbers should be minimal. -- We are deliberately avoiding using the _name_ of the Decision Point Group as part of the versioning scheme, as +- We are deliberately avoiding using the *name* of the Decision Point Group as part of the versioning scheme, as in the motivating example in [ADR 0004](0004-ssvc-decision-point-groups-are-versioned.md) we shifted the -group name from _Patch Applier_ to _Deployer_, but since the group is still -intended to represent the same _stakeholder role_ and _decision_, we want +group name from *Patch Applier* to *Deployer*, but since the group is still +intended to represent the same *stakeholder role* and *decision*, we want to be able to treat name changes as aliases rather than versioning events. ## More Information 
diff --git a/docs/adr/0006-ssvc-decision-point-versioning-rules.md b/docs/adr/0006-ssvc-decision-point-versioning-rules.md index 580b4ae0..ad1c5063 100644 --- a/docs/adr/0006-ssvc-decision-point-versioning-rules.md +++ b/docs/adr/0006-ssvc-decision-point-versioning-rules.md @@ -20,10 +20,10 @@ Note: This decision addresses the rules for versioning, and depends on the decis ## Decision Drivers -* Decision points evolve over time - * new values (options) are added, modified, or removed - * descriptions are updated -* Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. +- Decision points evolve over time + - new values (options) are added, modified, or removed + - descriptions are updated +- Semantic versioning is a well-known and well-understood standard, but we need to define how it applies to decision points. ## Considered Options @@ -35,9 +35,9 @@ However, for future-proofing purposes we might want to include a key-value pair We could establish rules such as -* version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change -* version 1.0 freezes the Decision Point labels, number of labels, and their ordering -* version 1.0.x for x > 0 would be limited to description changes +- version 0.x is reserved for pre-support Decision Points and their shorthand key, labels, number of labels, ordering of labels, descriptions, semantics, etc. are all subject to change +- version 1.0 freezes the Decision Point labels, number of labels, and their ordering +- version 1.0.x for x > 0 would be limited to description changes ## Decision Outcome 
@@ -45,9 +45,9 @@ Chosen option: "Semantic versioning": > Given a version number MAJOR.MINOR.PATCH, increment the: > -> * MAJOR version when you make incompatible API changes -> * MINOR version when you add functionality in a backward compatible manner -> * PATCH version when you make backward compatible bug fixes +> - MAJOR version when you make incompatible API changes +> - MINOR version when you add functionality in a backward compatible manner +> - PATCH version when you make backward compatible bug fixes > > Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format. @@ -55,17 +55,17 @@ Applied as follows: ### Create a new object when -* A different or new concept is being represented +- A different or new concept is being represented **Note**: New objects SHOULD get new names and new keys ### Increment the Major Version when -* Criteria for creating a new object are not met, _AND_ - * existing values are removed, _OR_ - * value semantics change in a way that older answers are no longer usable, - _OR_ - * new values are added that divide previous value semantics ambiguously +- Criteria for creating a new object are not met, *AND* + - existing values are removed, *OR* + - value semantics change in a way that older answers are no longer usable, + *OR* + - new values are added that divide previous value semantics ambiguously **Note**: The ability to map old to new semantics is encouraged but not required 
@@ -73,21 +73,21 @@ Applied as follows: Minor version increments imply that existing value semantics are preserved. -* Criteria for incrementing the Major Version are not met, _AND_ - * new options are added, _OR_ - * value names or keys are changed, _OR_ - * the decision point name is changed +- Criteria for incrementing the Major Version are not met, *AND* + - new options are added, *OR* + - value names or keys are changed, *OR* + - the decision point name is changed ### Increment the Patch Version when Patch version increments imply that existing value number and semantics are preserved. -* Criteria for incrementing the Major or Minor Version are not met, _AND_ - * typo fixes in option names or decision point name, _OR_ - * the decision point description changes in a way that does not affect - semantics, _OR_ - * a value description changes in a way that does not affect semantics +- Criteria for incrementing the Major or Minor Version are not met, *AND* + - typo fixes in option names or decision point name, *OR* + - the decision point description changes in a way that does not affect + semantics, *OR* + - a value description changes in a way that does not affect semantics ### Pre-Support Decision Points @@ -103,7 +103,7 @@ In other words, a Minor version increment of a 0.x decision point may be used to indicate a change in semantics that is not backwards compatible. This is not the case for decision points with a Major Version of 1 or greater. -The lowest _supported_ version of a decision point is 1.0.0. +The lowest *supported* version of a decision point is 1.0.0. ### Examples 
@@ -122,21 +122,21 @@ compatible, so the new version is 3.0.0. ### Consequences -* Maintaining version numbers for decision points according to these rules will add a small burden to each decision point. -* Semantic versioning will make it easier to track changes to decision points over time. -* Because we don't anticipate frequent changes to decision points, the burden of maintaining version numbers should be minimal. -* Decision point versions can move in either direction when used repeatedly in other versioned objects (E.g., a decision model could +- Maintaining version numbers for decision points according to these rules will add a small burden to each decision point. +- Semantic versioning will make it easier to track changes to decision points over time. +- Because we don't anticipate frequent changes to decision points, the burden of maintaining version numbers should be minimal. +- Decision point versions can move in either direction when used repeatedly in other versioned objects (E.g., a decision model could use use version 2.1 of a decision point at one time and later revert to using version 1.0 if the 2.1 was found to be problematic). -* Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. -* We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. -This implies the need for a way to denote the _status_ of a decision point in addition to its _version_. -Decision Point _status_ will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. +- Multiple versions of decision points will be "live and available for use" by folks modeling decisions unless explicitly deprecated. +- We think that Decision Points SHOULD have a way to indicate a deprecated status as a means to stave off future regrets. 
+This implies the need for a way to denote the *status* of a decision point in addition to its *version*. +Decision Point *status* will need to be addressed in a separate decision (or decisions) regarding decision point lifecycles. ### Confirmation -* The PR process will confirm that the decision point version number is updated according to these rules. +- The PR process will confirm that the decision point version number is updated according to these rules. ## More Information -* [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. -* [Semantic Versioning](https://semver.org/) +- [Discussion #289](https://github.com/CERTCC/SSVC/discussions/289) in the SSVC project. +- [Semantic Versioning](https://semver.org/) diff --git a/docs/adr/0007-descriptions-exclude-examples.md b/docs/adr/0007-descriptions-exclude-examples.md index 36699d94..1851adc9 100644 --- a/docs/adr/0007-descriptions-exclude-examples.md +++ b/docs/adr/0007-descriptions-exclude-examples.md @@ -7,9 +7,9 @@ deciders: adh, jspring ## Context and Problem Statement -In written definitions of a Decision Point, Decision Point -Value, Outcome Group, Outcome Value, or other elements, it is common to -include examples in the text. In terms of documentation, this is a worthy +In written definitions of a Decision Point, Decision Point +Value, Outcome Group, Outcome Value, or other elements, it is common to +include examples in the text. In terms of documentation, this is a worthy practice to promote understanding. Examples are sometimes timely and need to be updated even though the 
@@ -18,9 +18,9 @@ versioning of objects. ## Decision Drivers -- In the course of modeling CVSS vectors across versions as SSVC decision +- In the course of modeling CVSS vectors across versions as SSVC decision points, we have found that concepts change less often than examples. -- Our preference is to minimize version changes to objects unless the +- Our preference is to minimize version changes to objects unless the underlying concept has changed. ## Considered Options @@ -30,19 +30,19 @@ versioning of objects. ## Decision Outcome -Chosen option: "Exclude examples from descriptions of objects", because this +Chosen option: "Exclude examples from descriptions of objects", because this helps to minimize version changes to objects unless the underlying concept has changed. -Examples may be included in the documentation text surrounding the object +Examples may be included in the documentation text surrounding the object definition, but not in the object definition itself. ### Consequences -- Good, because it reduces the likelihood and frequency of version changes to +- Good, because it reduces the likelihood and frequency of version changes to objects. - Good, because it promotes the use of examples in documentation text. -- Bad, because it may make it more difficult to understand the object +- Bad, because it may make it more difficult to understand the object definition solely from the object definition itself. ### Confirmation 
@@ -50,8 +50,8 @@ definition, but not in the object definition itself. The implementation of this decision is confirmed by the absence of examples in the object definitions. -When generating an object definition from a text description, object -creators should look out for phrases like "for example" and "an example of +When generating an object definition from a text description, object +creators should look out for phrases like "for example" and "an example of this is" and exclude the example from the object definition. ## Pros and Cons of the Options @@ -69,7 +69,7 @@ See [Decision Outcome](#decision-outcome). ## More Information -- [ADR-0006](0006-ssvc-decision-point-versioning-rules.md) - SSVC Decision +- [ADR-0006](0006-ssvc-decision-point-versioning-rules.md) - SSVC Decision Point Versioning Rules -- [ADR-0005](0005-ssvc-decision-point-group-versioning.md) - SSVC Decision +- [ADR-0005](0005-ssvc-decision-point-group-versioning.md) - SSVC Decision Point Group Versioning Rules diff --git a/docs/adr/0008-decision-points-are-ordered-sets.md b/docs/adr/0008-decision-points-are-ordered-sets.md index df1740be..cc366ece 100644 --- a/docs/adr/0008-decision-points-are-ordered-sets.md +++ b/docs/adr/0008-decision-points-are-ordered-sets.md 
@@ -15,25 +15,25 @@ rules about the interaction between decision point values and the outcomes of th ## Decision Drivers -* The need to reason about the outcomes of a decision given a set of input values. -* Desire to automate portions of the decision-making process. -* Desire for rules to validate the interaction between decision point values and the outcomes of the decision. +- The need to reason about the outcomes of a decision given a set of input values. +- Desire to automate portions of the decision-making process. +- Desire for rules to validate the interaction between decision point values and the outcomes of the decision. ## Considered Options -* Decision Point values are ordered sets. -* Decision Point values are unordered sets. +- Decision Point values are ordered sets. +- Decision Point values are unordered sets. ## Decision Outcome Chosen option: "Decision Point values are ordered sets" Rationale: An ordered set implies that for a decision set $D$ with $n$ values $d_1, d_2, \ldots, d_n$, we can -assert the relationship $d_1 \leq d_2 \leq \ldots \leq d_n$. +assert the relationship $d_1 \leq d_2 \leq \ldots \leq d_n$. When combining decision points into a decision model, we can use that relationship to assert rules about the interaction between decision points. For example, if we have a decision point $D_a$ with values $a_1, a_2, a_3$ -and a decision point $D_b$ with values $b_1, b_2, b_3$, we know that +and a decision point $D_b$ with values $b_1, b_2, b_3$, we know that - $a_1 \leq a_2 \leq a_3$ - $b_1 \leq b_2 \leq b_3$ 
@@ -94,21 +94,20 @@ default policies that map decision values to outcomes following the graph struct ### Consequences -* (Good) This allows us to make inferences about the relationships between sets of decision point values +- (Good) This allows us to make inferences about the relationships between sets of decision point values and the outcomes of the decision. -* (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations +- (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations undefined. -* (Neutral) May require additional information to fully define the relationship between decision point values and outcomes +- (Neutral) May require additional information to fully define the relationship between decision point values and outcomes into a policy -* (Neutral) Requires each decision point to have a "direction" (i.e., a way to order the values) which may not be +- (Neutral) Requires each decision point to have a "direction" (i.e., a way to order the values) which may not be intuitive in all cases. So far we have found that the natural direction is usually intuitive and most often it is - analogous to "less likely to act" → "more likely to act". -* (Good) Although a sense of direction is required, scaling the values is not. So "None, Few, Many" is just as valid as + analogous to "less likely to act" → "more likely to act". +- (Good) Although a sense of direction is required, scaling the values is not. So "None, Few, Many" is just as valid as a more defined interval scale like "0-4, 4-7, 7-9, 9-10" or a more abstract scale like "Low, Medium, High, Critical"[^1]. [^1]: The latter two examples were inspired by CVSS scoring. - ### Confirmation All current decision points are constructed as ordered sets, and the current policy generator tool makes use of that 
@@ -125,4 +124,3 @@ However, we *can* evaluate new decision points as they are proposed to ensure th - [ADR-0009](0009-outcomes-are-ordered-sets.md) - Outcomes are Ordered Sets - [Partially ordered sets](https://en.wikipedia.org/wiki/Partially_ordered_set) - [Hasse diagram](https://en.wikipedia.org/wiki/Hasse_diagram) - diff --git a/docs/adr/0009-outcomes-are-ordered-sets.md b/docs/adr/0009-outcomes-are-ordered-sets.md index e801f2cc..afc7f561 100644 --- a/docs/adr/0009-outcomes-are-ordered-sets.md +++ b/docs/adr/0009-outcomes-are-ordered-sets.md 
@@ -13,23 +13,23 @@ rules about the interaction between decision point values and the outcomes of th ## Decision Drivers -* The need to reason about the outcomes of a decision given a set of input values. -* Desire to automate portions of the decision-making process. -* Desire for rules to validate the interaction between decision point values and the outcomes of the decision. +- The need to reason about the outcomes of a decision given a set of input values. +- Desire to automate portions of the decision-making process. +- Desire for rules to validate the interaction between decision point values and the outcomes of the decision. ## Considered Options -* Outcome values are ordered sets. -* Outcome values are unordered sets. +- Outcome values are ordered sets. +- Outcome values are unordered sets. ## Decision Outcome Chosen option: "Outcome values are ordered sets" Rationale: An ordered set implies that for an outcome set $C$ with $n$ values $c_1, c_2, \ldots, c_n$, we can -assert the relationship $c_1 \leq c_2 \leq \ldots \leq c_n$. +assert the relationship $c_1 \leq c_2 \leq \ldots \leq c_n$. -When combining outcomes with a set of decision points into a decision model and policy, we can use that relationship +When combining outcomes with a set of decision points into a decision model and policy, we can use that relationship to assert rules about the resulting policy. For example, if we have a decision model consisting of: 
@@ -124,24 +124,23 @@ $Outcome(T_1)$ must be equal to or less than the outcome $Outcome(T_2)$ of any t $Outcome(T_1) \leq Outcome(T_2)$ when $T_1 \leq T_2$. -This allows us to generate default policies that map decision values to outcomes following the graph structure of the +This allows us to generate default policies that map decision values to outcomes following the graph structure of the decision model. ### Consequences -* (Good) This allows us to make inferences about the relationships between sets of decision point values +- (Good) This allows us to make inferences about the relationships between sets of decision point values and the outcomes of the decision. -* (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations +- (Neutral) Does not fully order all possible decision point value combinations, leaving some relationship combinations undefined. -* (Neutral) May require additional information to fully define the relationship between decision point values and outcomes +- (Neutral) May require additional information to fully define the relationship between decision point values and outcomes into a policy -* (Neutral) Requires each outcome set to have a "direction" (i.e., a way to order the values) which may not be +- (Neutral) Requires each outcome set to have a "direction" (i.e., a way to order the values) which may not be intuitive in all cases. So far we have found that the natural direction is usually intuitive and most often it is - analogous to "less likely to act" → "more likely to act". -* (Good) Although a sense of direction is required, scaling the values is not. So "Defer, Scheduled, Out-of-Band, Immediate" + analogous to "less likely to act" → "more likely to act". +- (Good) Although a sense of direction is required, scaling the values is not. 
So "Defer, Scheduled, Out-of-Band, Immediate" is just as valid as a more Service Level Expectation (SLE) oriented "1 hour, 1 day, 1 week, 1 month". - ### Confirmation All current outcomes are constructed as ordered sets, and the current policy generator tool makes use of that @@ -158,4 +157,3 @@ However, we *can* evaluate new outcome sets as they are proposed to ensure that - [ADR-0008](0008-decision-points-are-ordered-sets.md) - Decision Points are Ordered Sets - [Partially ordered sets](https://en.wikipedia.org/wiki/Partially_ordered_set) - [Hasse diagram](https://en.wikipedia.org/wiki/Hasse_diagram) - diff --git a/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md b/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md index 3073af84..86493346 100644 --- a/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md +++ b/docs/adr/0010-outcome-sets-are-separate-from-decision-point-groups.md 
@@ -11,42 +11,41 @@ consulted: team Should the outcome set be included in a decision model (tree) definition? While a decision point group and their combinations of values define the structure of a tree, an Outcome Set defines -the possible labels of each leaf node. However, in order to decide what labels are appropriate for a leaf node, one -must also be given a policy that maps each input combination (specific decision point values) to a specific outcome +the possible labels of each leaf node. However, in order to decide what labels are appropriate for a leaf node, one +must also be given a policy that maps each input combination (specific decision point values) to a specific outcome (drawn from an outcome set). But both the policy and the outcome set are actually stakeholder-specific. -The example trees we provide are at best a guess at a reasonable policy for SSVC adopters for each of the decisions we -chose to model. And they also make assumptions about the process that the decision supports. So we assumed that -suppliers have four options for priority. And we assigned outcome labels to leaf nodes based on what seemed reasonable -to us at the time. But we must acknowledge that (a) stakeholders might have an arbitrary number of categories for +The example trees we provide are at best a guess at a reasonable policy for SSVC adopters for each of the decisions we +chose to model. And they also make assumptions about the process that the decision supports. So we assumed that +suppliers have four options for priority. And we assigned outcome labels to leaf nodes based on what seemed reasonable +to us at the time. But we must acknowledge that (a) stakeholders might have an arbitrary number of categories for prioritization (2, 3, 4, 5, ...), and (b) they may have wide variation in what combinations are given which priority. 
- ## Decision Drivers -* There was some discussion during the development of [ADR 0005](0005-ssvc-decision-point-group-versioning.md) about - whether the outcome set should be included in the tree definition. +- There was some discussion during the development of [ADR 0005](0005-ssvc-decision-point-group-versioning.md) about + whether the outcome set should be included in the tree definition. ## Considered Options -* Include the outcome set in the decision point group definition. -* Omit the outcome set from the decision point group definition. +- Include the outcome set in the decision point group definition. +- Omit the outcome set from the decision point group definition. ## Decision Outcome Chosen option: "Omit the outcome set from the decision point group definition", because the outcome set is -stakeholder-specific and not part of the decision point group's (aka _the tree's_) identity. +stakeholder-specific and not part of the decision point group's (aka *the tree's*) identity. We need to define a few terms here: -- a _decision point group_ is a set of decision points that are used to model a decision. The combinations of the decision - points' values define the structure of the decision model (aka _tree_). -- an _outcome set_ is the set of possible outcomes for a decision model. Each leaf node of a tree is labeled with an +- a *decision point group* is a set of decision points that are used to model a decision. The combinations of the decision + points' values define the structure of the decision model (aka *tree*). +- an *outcome set* is the set of possible outcomes for a decision model. Each leaf node of a tree is labeled with an outcome from the outcome set. -- a _policy_ is a mapping from specific combinations of decision point values to specific outcomes from the outcome set. +- a *policy* is a mapping from specific combinations of decision point values to specific outcomes from the outcome set. 
A decision point group fully defines the structure of a decision model (tree). The outcome set and the policy are -both stakeholder-specific. +both stakeholder-specific. Two examples for illustrative purposes: 
@@ -65,21 +64,20 @@ the same decision in the same structure, only differing in their policy applicat If we were to include the outcome set but not the policy in the decision point group definition, then the first example would appear to be "different" whereas the second example would appear to be "the same". This also seems misleading. -For completeness, it is not possible to include the policy without the outcome set, since the policy depends on both +For completeness, it is not possible to include the policy without the outcome set, since the policy depends on both the decision point group and the outcome set. -Therefore, the decision point group's (aka _the tree's_) identity omits both the outcome set and its specific mapping to +Therefore, the decision point group's (aka *the tree's*) identity omits both the outcome set and its specific mapping to the tree structure. The thing we're asserting is that the structure of the tree (as defined by its constituent decision -points and their specific versions) is invariant to the above, therefore the tree's identity omits both the outcome set +points and their specific versions) is invariant to the above, therefore the tree's identity omits both the outcome set and its specific mapping to the tree structure. - ### Consequences -* Good, because we can avoid decision point group versioning events due to changes in the outcome set or policy. -* Good, because SSVC users can share decision point groups as decision models without needing to share their specific +- Good, because we can avoid decision point group versioning events due to changes in the outcome set or policy. +- Good, because SSVC users can share decision point groups as decision models without needing to share their specific outcome sets or policies. -* Bad, because the decision point group definition does not fully specify the decision model including the policy. 
+- Bad, because the decision point group definition does not fully specify the decision model including the policy. ### Confirmation 
@@ -87,26 +85,26 @@ This decision is confirmed by the fact that decision point groups are versioned ## Pros and Cons of the Options -### Include the outcome set in the decision point group definition. +### Include the outcome set in the decision point group definition Including the outcome set in the decision point group definition would mean that the decision model (tree) changes whenever the outcome set changes. This would lead to a large number of versioning events for decision point groups whenever the outcome set changes, even if the structure of the decision model (tree) remains the same. -* Good, because the combination of decision points and outcome sets would be fully specified, and users would only +- Good, because the combination of decision points and outcome sets would be fully specified, and users would only need to establish their own policy to use the decision model. -* Bad, because the decision model (tree) would change whenever the outcome set changes, even if the structure of the +- Bad, because the decision model (tree) would change whenever the outcome set changes, even if the structure of the decision model (tree) remains the same. For example, the same structure with a 3-category outcome set and a 4-category - outcome set would be considered different decision models. + outcome set would be considered different decision models. -Furthermore, including both the outcome group _and_ the policy in the decision point group definition would mean that the +Furthermore, including both the outcome group *and* the policy in the decision point group definition would mean that the decision model (tree) version would change whenever the policy changes, even if the structure of the decision model (tree) and the outcome set both remained the same. -* Good, because the decision model (tree) would be fully specified and would not depend on any external factors. 
-* Bad, because the decision model (tree) would change whenever the policy changes, even if the structure of the +- Good, because the decision model (tree) would be fully specified and would not depend on any external factors. +- Bad, because the decision model (tree) would change whenever the policy changes, even if the structure of the decision model (tree) and the outcome set both remained the same. -* Bad, because the number of versioning events for decision models would be large. +- Bad, because the number of versioning events for decision models would be large. ## More Information diff --git a/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md b/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md index 03609316..b38d427c 100644 --- a/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md +++ b/docs/adr/0011-automatable-and-value-density-and-CVSSv4.md 
@@ -12,17 +12,16 @@ deciders: adh, jspring Two SSVC decision points happen to match two CVSS v4 supplemental metrics. This ADR is to make clear what the SSVC support plan is in regards to this overlap for future versions of these decision points and metrics. - ## Decision Drivers -* The SSVC and CVSS communities have productively shared ideas and concepts in the past. These two decision points are an example. It was a relatively long process to propose these decision points as CVSS metrics, take feedback from the CVSS community, get text approved, and then port those changes over to SSVC. This all happened several years before we had this formalized decision documentation process within SSVC. +- The SSVC and CVSS communities have productively shared ideas and concepts in the past. These two decision points are an example. It was a relatively long process to propose these decision points as CVSS metrics, take feedback from the CVSS community, get text approved, and then port those changes over to SSVC. This all happened several years before we had this formalized decision documentation process within SSVC. ## Considered Options -* No support, expressed or implied, by either group -* SSVC project commits to mirroring any changes made to CVSS -* CVSS SIG commits to mirroring any changes made by the SSVC project -* Both the second and third options, leading to joint decision making on these two decision points / metrics. +- No support, expressed or implied, by either group +- SSVC project commits to mirroring any changes made to CVSS +- CVSS SIG commits to mirroring any changes made by the SSVC project +- Both the second and third options, leading to joint decision making on these two decision points / metrics. ## Decision Outcome 
@@ -31,14 +30,11 @@ there are no structured agreements in place that could create a service expectat The CVSS SIG is an independent group, even if there may be some overlap with the SSVC community, and SSVC cannot require or expect any changes by CVSS. While SSVC may mirror any changes the CVSS SIG makes to these metrics in the future, that change should be considered by the SSVC community indepdently on its merits, through the normal change management processes for suggestions to amend decision points. - ### Consequences -* Good, because low overhead -- no additional organizational structures -* Good, because leaves the opportunity for continued synchronization open if everyone agrees -* Bad, because no guarantee of future synchronization - - +- Good, because low overhead -- no additional organizational structures +- Good, because leaves the opportunity for continued synchronization open if everyone agrees +- Bad, because no guarantee of future synchronization ### Confirmation @@ -47,4 +43,3 @@ The implementation of this decision is confirmed by continued use of SSVC commun ## More Information This decision could hypothetically be revisited at the request of the CVSS SIG. - diff --git a/docs/adr/_template.md b/docs/adr/_template.md index f4da6f8c..4e991b46 100644 --- a/docs/adr/_template.md +++ b/docs/adr/_template.md @@ -16,16 +16,16 @@ informed: {list everyone who is kept up-to-date on progress; and with whom there ## Decision Drivers -* {decision driver 1, e.g., a force, facing concern, …} -* {decision driver 2, e.g., a force, facing concern, …} -* … +- {decision driver 1, e.g., a force, facing concern, …} +- {decision driver 2, e.g., a force, facing concern, …} +- … ## Considered Options -* {title of option 1} -* {title of option 2} -* {title of option 3} -* … +- {title of option 1} +- {title of option 2} +- {title of option 3} +- … ## Decision Outcome 
@@ -35,9 +35,9 @@ Chosen option: "{title of option 1}", because ### Consequences -* Good, because {positive consequence, e.g., improvement of one or more desired qualities, …} -* Bad, because {negative consequence, e.g., compromising one or more desired qualities, …} -* … +- Good, because {positive consequence, e.g., improvement of one or more desired qualities, …} +- Bad, because {negative consequence, e.g., compromising one or more desired qualities, …} +- … ### Confirmation @@ -53,22 +53,22 @@ Chosen option: "{title of option 1}", because {example | description | pointer to more information | …} -* Good, because {argument a} -* Good, because {argument b} +- Good, because {argument a} +- Good, because {argument b} -* Neutral, because {argument c} -* Bad, because {argument d} -* … +- Neutral, because {argument c} +- Bad, because {argument d} +- … ### {title of other option} {example | description | pointer to more information | …} -* Good, because {argument a} -* Good, because {argument b} -* Neutral, because {argument c} -* Bad, because {argument d} -* … +- Good, because {argument a} +- Good, because {argument b} +- Neutral, because {argument c} +- Bad, because {argument d} +- … ## More Information @@ -76,4 +76,4 @@ Chosen option: "{title of option 1}", because {You might want to provide additional evidence/confidence for the decision outcome here and/or document the team agreement on the decision and/or define when/how this decision the decision should be realized and if/when it should be re-visited. -Links to other decisions and resources might appear here as well.} \ No newline at end of file +Links to other decisions and resources might appear here as well.} diff --git a/docs/adr/index.md b/docs/adr/index.md index eb58185e..e99a6286 100644 --- a/docs/adr/index.md +++ b/docs/adr/index.md 
@@ -1,6 +1,6 @@ # SSVC Decision Records -We have adopted the use of [Markdown Any Decision Records](https://adr.github.io/madr/) +We have adopted the use of [Markdown Any Decision Records](https://adr.github.io/madr/) to document significant decisions made in the development of SSVC. Below is a list of all the decision records that have been made. diff --git a/docs/howto/acuity_ramp.md b/docs/howto/acuity_ramp.md index af3b467b..ef1ae271 100644 --- a/docs/howto/acuity_ramp.md +++ b/docs/howto/acuity_ramp.md @@ -1,6 +1,6 @@ # Acuity Ramp -!!! question inline end "Why _Acuity_? Isn't this a _Maturity_ Model?" +!!! question inline end "Why *Acuity*? Isn't this a *Maturity* Model?" The _acuity ramp_ concept is similar to the idea of a _maturity model_, but the term _maturity_ carries a sort of moral bias in the sense that it has an implied "good" direction from "immature" to "mature". @@ -12,7 +12,7 @@ one that is most appropriate for both their decision and context. It is not inherently better to use a higher-resolution decision point, and it is not inherently worse to use a lower-resolution decision point. -An SSVC _acuity ramp_ is a concept that describes a series of decision functions that are increasingly more detailed and +An SSVC *acuity ramp* is a concept that describes a series of decision functions that are increasingly more detailed and complex while addressing the same decision. The idea is that a decision maker can start with a simple decision model and then, as their needs, resources, or abilities change, they can gather and analyze more or different data to understand their environment with more acuity. 
@@ -21,37 +21,36 @@ their environment with more acuity. In Cybersecurity Threat and Vulnerability analysis, as with most decision-making processes, decision makers must balance trade-offs between the volume, quality, or detail of the information they use and the cost of gathering and -analyzing that information. -There are many good reasons that decision makers might choose to use a lower resolution indicator that is readily +analyzing that information. +There are many good reasons that decision makers might choose to use a lower resolution indicator that is readily available over a higher resolution indicator that comes at a high cost in terms of time, money, or effort. One way to think about the tradeoffs in acuity is to consider the cost or difficulty of gathering and analyzing data. -Some vulnerability information is readily available for free as a public resource. +Some vulnerability information is readily available for free as a public resource. Other information is available for purchase, for example as a subscription to a threat intelligence feed. Still other information is only available if you set up a system to collect and manage it yourself, such as an internal -asset management system. -For direct cost tradeoffs, one might conduct a cost-benefit analysis of whether the additional acuity provides value -more than its cost. Sometimes, tradeoffs are not directly cost-based. +asset management system. +For direct cost tradeoffs, one might conduct a cost-benefit analysis of whether the additional acuity provides value +more than its cost. Sometimes, tradeoffs are not directly cost-based. The quality and readiness for use of the information can also vary. Structured, low resolution public data might be easier to incorporate into a decision model than unstructured data that requires a lot of manual analysis. 
-At the CERT/CC, we have observed otherwise high quality threat intelligence provided as PDF files with threat indicators +At the CERT/CC, we have observed otherwise high quality threat intelligence provided as PDF files with threat indicators embedded as screenshots of text, which would be difficult to extract and use in a decision model. Another tradeoff is that sometimes one decision point can serve as a close-enough proxy for another decision point that -is more costly or difficult to acquire. For example, in a given deployment context, -[_Value Density_](../reference/decision_points/value_density.md) might be more readily discerned than -[_Mission Impact_](../reference/decision_points/mission_impact.md) for some stakeholders because it's easier to +is more costly or difficult to acquire. For example, in a given deployment context, +[*Value Density*](../reference/decision_points/value_density.md) might be more readily discerned than +[*Mission Impact*](../reference/decision_points/mission_impact.md) for some stakeholders because it's easier to count how many of something there are than to estimate the impact of a loss of specific instances of the thing. -Alternately, information about _Value Density_ might be available from another source, such as a CVSS v4 scoring provider, -whereas _Mission Impact_ might require a more detailed understanding of the stakeholder's mission and environment. -An organization might start with _Value Density_ as a proxy for _Mission Impact_ and then, as they develop a better -understanding of their environment, they could replace _Value Density_ with _Mission Impact_ in their decision model. - +Alternately, information about *Value Density* might be available from another source, such as a CVSS v4 scoring provider, +whereas *Mission Impact* might require a more detailed understanding of the stakeholder's mission and environment. 
+An organization might start with *Value Density* as a proxy for *Mission Impact* and then, as they develop a better +understanding of their environment, they could replace *Value Density* with *Mission Impact* in their decision model. ## An Acuity Ramp in Action -The _acuity ramp_ idea is a way to show how a stakeholder could "grow into" their desired decision function as their +The *acuity ramp* idea is a way to show how a stakeholder could "grow into" their desired decision function as their data collection and analysis capabilities increase. We demonstrate this with the following example. !!! example "An Acuity Ramp for a Growing System Deployer Organization" 
@@ -146,16 +145,15 @@ data collection and analysis capabilities increase. We demonstrate this with the In this way, the organization can grow into a more detailed decision model as their understanding and capabilities improve. - ## Conclusion -The _acuity ramp_ concept is a way to show how a stakeholder could "grow into" their desired decision function as their +The *acuity ramp* concept is a way to show how a stakeholder could "grow into" their desired decision function as their data collection and analysis capabilities improve. It is a way to show how a decision model can be adapted to the context of the decision maker, and how the decision maker can make trade-offs between the cost of gathering information and the quality of the decision they are able to make. -The example above is just a single illustration of the _acuity ramp_ concept. There are many other ways that an -organization might evolve their decision model from a simple starting point toward a more detailed decision model for +The example above is just a single illustration of the *acuity ramp* concept. There are many other ways that an +organization might evolve their decision model from a simple starting point toward a more detailed decision model for any particular decision. Substituting one decision point for another, adding decision points over time, or even customizing decision points to better fit the organization's specific context are all ways that an organization might grow from a simple decision model to a more robust one. diff --git a/docs/howto/bootstrap/collect.md b/docs/howto/bootstrap/collect.md index 53381718..cc28d073 100644 --- a/docs/howto/bootstrap/collect.md +++ b/docs/howto/bootstrap/collect.md 
@@ -11,10 +11,10 @@ While the actual collection of operational data is outside the scope of SSVC, it of the process. SSVC is designed to be flexible enough to accommodate a variety of data collection methods. The [Data Mapping](prepare.md) step defines the data that is needed to assign a value to each decision point. -The Data Operations process collects that data so that it can be used to assign values to decision points in the +The Data Operations process collects that data so that it can be used to assign values to decision points in the [Use SSVC](use.md) step. -We include a feedback loop on the data collection node to indicate that it is expected to be a continuous process. +We include a feedback loop on the data collection node to indicate that it is expected to be a continuous process. ```mermaid flowchart LR @@ -59,7 +59,6 @@ That caveat notwithstanding, some automation is possible. At least, for those vulnerabilities that are not “automatically” PoC-ready, such as on-path attackers for TLS or network replays. - Some of the decision points require a substantial upfront analysis effort to gather risk assessment or organizational data. However, once gathered, this information can be efficiently reused across many vulnerabilities and only refreshed @@ -70,7 +69,6 @@ occasionally. An obvious example of this is the [Mission Impact](../../reference/decision_points/mission_impact.md) decision point. To answer this, a deployer must analyze their Mission Essential Functions (MEFs), how they interrelate, and how they are supported. - !!! example "Evidence of System Exposure" [System Exposure](../../reference/decision_points/system_exposure.md) is similar; answering that decision point requires an asset inventory, adequate understanding of the network 
@@ -78,7 +76,6 @@ occasionally. Independently operated scans, such as Shodan or Shadowserver, may play a role in evaluating exposure, but the entire exposure question cannot be reduced to a binary question of whether an organization’s assets appear in such databases. - Once the deployer has the situational awareness to understand their Mission Essential Functions or System Exposure, selecting the answer for each individual vulnerability is usually straightforward. @@ -98,7 +95,7 @@ In the case where no information is available or the organization has not yet ma we can suggest something like defaults for some decision points. !!! tip "Default Exploitation Values" - + [*Exploitation*](../../reference/decision_points/exploitation.md) needs no special default; if adequate searches are made for exploit code and none is found, the answer is [*none*](../../reference/decision_points/exploitation.md). @@ -108,7 +105,6 @@ we can suggest something like defaults for some decision points. means they do not know where the devices are or how they are controlled, so they should assume [*System Exposure*](../../reference/decision_points/system_exposure.md) is [*open*](../../reference/decision_points/system_exposure.md). - !!! tip "Default Automatable Values" If nothing is known about [*Automatable*](../../reference/decision_points/automatable.md), the safer answer to assume is [*yes*](../../reference/decision_points/automatable.md). @@ -127,7 +123,6 @@ we can suggest something like defaults for some decision points. Similarly, with [*Mission Impact*](../../reference/decision_points/mission_impact.md), the deployer should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume [*support crippled*](../../reference/decision_points/mission_impact.md) as a default. - !!! example "Using Defaults" 
diff --git a/docs/howto/bootstrap/index.md b/docs/howto/bootstrap/index.md index 95042e6c..293d4afb 100644 --- a/docs/howto/bootstrap/index.md +++ b/docs/howto/bootstrap/index.md @@ -21,4 +21,4 @@ Using SSVC to prioritize vulnerability response requires a few steps. The steps {% include-markdown "howto/bootstrap/_steps_table.md" %} We cover each of these in the following sections, starting with [Prepare to Use SSVC](prepare.md). -If you want to skip ahead to the full process, see [Bootstrapping SSVC Summary](summary.md). \ No newline at end of file +If you want to skip ahead to the full process, see [Bootstrapping SSVC Summary](summary.md). diff --git a/docs/howto/bootstrap/prepare.md b/docs/howto/bootstrap/prepare.md index 710aab40..79f144ea 100644 --- a/docs/howto/bootstrap/prepare.md +++ b/docs/howto/bootstrap/prepare.md @@ -18,7 +18,6 @@ the information you need to make that decision, and the policy you want to use t bring to the decision making process is essential. SSVC adoption is not just a process for the security team or technical staff. - Here is a diagram of the preparation process: ```mermaid @@ -53,7 +52,7 @@ We will go through each step in detail. ## Choose a Decision to Model !!! example inline end - + Decisions we have modeled with SSVC include: - [Patch Supplier Prioritization](../supplier_tree.md) @@ -120,7 +119,7 @@ flowchart LR oss --> cos ``` -!!! example +!!! example Imagine two different Service Providers, each of which is responsible for managing vulnerabilities in their respective environments. 
@@ -140,7 +139,7 @@ A single decision point enumerates a set of options for a particular aspect of t We have defined a number of decision points in the [SSVC documentation](../../reference/decision_points/index.md). You can choose from these decision points, or you can define your own decision points to meet your needs. -Whether you choose from the existing decision points or define your own, the set of decision points you use to make a +Whether you choose from the existing decision points or define your own, the set of decision points you use to make a decision is called a Decision Point Set. ```mermaid @@ -182,7 +181,6 @@ flowchart LR device safety regulations. So, the medical device manufacturer might define a decision point called _Regulated_ with the values _Regulated Device_, _Non-Regulated Device_, and _Support Service_. - ## Define Policy So far, you have chosen a decision to model, defined the possible outcomes for that decision, and defined the information you need to make that decision. @@ -223,14 +221,14 @@ flowchart LR example—that is, the mapping from decision point values to outcomes—is not appropriate for their needs because it has too few _Immediate_ outcomes to suit their policy. Therefore, the bank decides to reuse the same decision point set and outcome set but define their own policy. - + ## Map Data to Model Inputs In SSVC, data mapping is the process of defining what data can be used to assign a value to each decision point. The resulting data map indicates which data sources are relevant to each decision point, and how to interpret the data from each data source to assign a value to the decision point. -```mermaid +```mermaid --- title: Data Mapping Process --- @@ -252,7 +250,7 @@ flowchart LR dd --> ddf ddf --> dp2d dp2d --> dpm -``` +``` !!! example 
@@ -270,7 +268,6 @@ flowchart LR containing the SLA data, and document that the script they wrote will assign a value to the _Service Level_ decision point based on the SLA data. - !!! tip inline end "CERT RMM on Vulnerability Analysis and Resolution" The process of maintaining SSVC decision models is a governance process. @@ -291,11 +288,11 @@ flowchart LR ## Establish Governance The final step in preparing to use SSVC is to establish a governance process for the decision model. -This process should ensure that the decision model remains relevant to the organization's needs and that the data +This process should ensure that the decision model remains relevant to the organization's needs and that the data used to make decisions is accurate and up-to-date. It need not be complex or burdensome. -A lightweight governance process might resemble a review of this _Prepare_ step for each decision modeled using +A lightweight governance process might resemble a review of this *Prepare* step for each decision modeled using SSVC. Each of the items we discussed above could be reviewed in turn, ensuring that: - The decision itself remains relevant to the organization @@ -304,7 +301,7 @@ SSVC. Each of the items we discussed above could be reviewed in turn, ensuring t - The policy remains relevant to the organization's needs - The data sources remain relevant to informing the decision points -Depending on the review, any necessary adjustments can be made to the outcomes, decision points, policy, data map, +Depending on the review, any necessary adjustments can be made to the outcomes, decision points, policy, data map, or operational processes. ```mermaid @@ -368,6 +365,3 @@ um --> po - Are there new data sources we should consider? - Are there data sources we are using that are no longer relevant? - Is our data mapping still appropriate? - - - diff --git a/docs/howto/bootstrap/summary.md b/docs/howto/bootstrap/summary.md index 409c7fe6..1de97b42 100644 
--- a/docs/howto/bootstrap/summary.md +++ b/docs/howto/bootstrap/summary.md @@ -8,42 +8,41 @@ We covered each of these in the previous sections, see the links in the table ab The diagram below shows the complete process of using SSVC. - ```mermaid flowchart TD start([Start]) subgraph prep [Prepare to use SSVC] - dcd{{Choose Decision to Model}} - d[/Decision/] + dcd{{Choose Decision to Model}} + d[/Decision/] l4((1)) - subgraph outcomes [Define Outcomes] - oc1[/Use available
outcome sets?\] - dos{{Define Outcome Sets}} - oss[\Outcome Sets/] - cos{{Choose Outcome Set}} - os[/Outcome Set/] - end + subgraph outcomes [Define Outcomes] + oc1[/Use available
outcome sets?\] + dos{{Define Outcome Sets}} + oss[\Outcome Sets/] + cos{{Choose Outcome Set}} + os[/Outcome Set/] + end l5((1)) - subgraph decisionpoints [Define Inputs] - dp1[/Use available
decision points?\] - ddp{{Define Decision Points}} - dpt[\Decision Points/] - cdp{{Choose Decision Points}} - dps[/Decision Point Set/] - end + subgraph decisionpoints [Define Inputs] + dp1[/Use available
decision points?\] + ddp{{Define Decision Points}} + dpt[\Decision Points/] + cdp{{Choose Decision Points}} + dps[/Decision Point Set/] + end l6((1)) - subgraph dataeng [Data Mapping] - dd1[/Use existing data?\] - dpm[/Data Map/] - dp2d{{Map Decision Points to Data}} - dd{{Define Data}} - ddf[/Data Definition/] - end + subgraph dataeng [Data Mapping] + dd1[/Use existing data?\] + dpm[/Data Map/] + dp2d{{Map Decision Points to Data}} + dd{{Define Data}} + ddf[/Data Definition/] + end l7((1)) - subgraph policy [Policy Development] - dfp{{Define Policy}} - p[/Policy/] - end + subgraph policy [Policy Development] + dfp{{Define Policy}} + p[/Policy/] + end subgraph gov [Governance] eg{{Establish Governance Process}} gp[[Governance Process]] @@ -52,17 +51,17 @@ subgraph prep [Prepare to use SSVC] end subgraph dataops [Data Operations] - cd[Collect Data] - vd[/Vulnerability Data/] - ed[/Environment Data/] + cd[Collect Data] + vd[/Vulnerability Data/] + ed[/Environment Data/] dt[\Available Data/] end subgraph runtime [Use SSVC] - mdp[[Apply Decision Point Mapping to Data]] - dp[/Decision Point Values/] - ap[[Apply Policy]] - oc[/Outcome/] + mdp[[Apply Decision Point Mapping to Data]] + dp[/Decision Point Values/] + ap[[Apply Policy]] + oc[/Outcome/] end r[Vulnerability Response] start --> dcd @@ -115,4 +114,3 @@ r --> l1((2)) l2((2)) --> cd l6 --> dd1 ``` - diff --git a/docs/howto/bootstrap/use.md b/docs/howto/bootstrap/use.md index 0f7ed8d1..6b75cba6 100644 --- a/docs/howto/bootstrap/use.md +++ b/docs/howto/bootstrap/use.md @@ -30,9 +30,8 @@ flowchart LR ap --> oc ``` - !!! example - + A government agency has a need to prioritize vulnerability response as part of their vulnerability management process. Certain vulnerabilities require special handling as a matter of government policy, and the agency wants to make sure that they are not overlooked. 
@@ -90,7 +89,7 @@ Not every stakeholder will use the decision points to make comparable decisions. [Suppliers](../supplier_tree.md) and [deployers](../deployer_tree.md) make interdependent decisions, but the actions of one group are not strictly dependent on the other. Recall that one reason for this is that SSVC is about prioritizing a vulnerability response action in general, not specifically applying a patch that a supplier produced. [Coordinators](../coordination_intro.md) are particularly interested in facilitating communication because that is their core function. -This section handles three aspects of this challenge: +This section handles three aspects of this challenge: - formats for communicating SSVC - how to handle partial or incomplete information @@ -106,7 +105,7 @@ This section discusses the situation where one stakeholder, usually a supplier o We provide a structured communication format for SSVC information using JSON schemas. The goal of this format is to capture all the context and details about a decision or work item in a clear and machine-readable way. -- The [provision schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Provision.schema.json) is equivalent to a decision model and documents the full set of logical statements that a +- The [provision schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Provision.schema.json) is equivalent to a decision model and documents the full set of logical statements that a stakeholder uses to make decisions. - The [computed schema](https://github.com/CERTCC/SSVC/blob/main/data/schema/SSVC_Computed.schema.json) expresses a set of information about a work item or vulnerability at a point in time. A computed schema should identify the provision schema used, so the options from which the information was computed are specified. 
@@ -123,8 +122,7 @@ A computed schema should identify the provision schema used, so the options from The `value` term is derived the same way as `decision point` except start with the value name as given in the relevant decision point subsection of [Likely Decision Points and Relevant Data](../../reference/decision_points/index.md). - -### Partial or Incomplete Information +### Partial or Incomplete Information What an analyst knows about a vulnerability may not be complete. However, the vulnerability management community may still benefit from partial information. @@ -217,14 +215,13 @@ Risk tolerance and risk appetite are primarily reflected in the priority labels | [*Utility*](../../reference/decision_points/utility.md) | every 6 months | | [*Public Safety Impact*](../../reference/decision_points/public_safety_impact.md) | every 1 year | - ### Decision Points Under Direct Control The following decision points are usually in the control of the organization running SSVC and should be re-evaluated when a relevant change is made or during annual reviews of assets. - - [*Situated Safety Impact*](../../reference/decision_points/safety_impact.md) - - [*Mission Impact*](../../reference/decision_points/mission_impact.md) - - [*System Exposure*](../../reference/decision_points/system_exposure.md) +- [*Situated Safety Impact*](../../reference/decision_points/safety_impact.md) +- [*Mission Impact*](../../reference/decision_points/mission_impact.md) +- [*System Exposure*](../../reference/decision_points/system_exposure.md) ### Timestamping SSVC Information diff --git a/docs/howto/coordination_intro.md b/docs/howto/coordination_intro.md index abccf08a..e290b5b2 100644 --- a/docs/howto/coordination_intro.md +++ b/docs/howto/coordination_intro.md 
@@ -5,7 +5,6 @@ Since coordinators neither supply nor deploy the vulnerable component in questio [suppliers'](supplier_tree.md) or [deployers'](deployer_tree.md) decisions. This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions. - Coordinators vary quite a lot, and their use of SSVC may likewise vary. A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents. Furthermore, a coordinator may only publish some of the information it uses to make decisions. @@ -13,9 +12,9 @@ Consistent with other stakeholder perspectives (supplier and deployer), SSVC pro For more information about types of coordinators and their facilitation actions within vulnerability management, see [The CERT Guide to Coordinated Vulnerability Disclosure](https://certcc.github.io/CERT-Guide-to-CVD/topics/roles/coordinator/) -The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are +The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are -1. [Coordination Triage](coordination_triage_decision.md) - The initial triage of vulnerability reports. This initial coordination decision is a prioritization decision, but it +1. [Coordination Triage](coordination_triage_decision.md) - The initial triage of vulnerability reports. This initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a [deployer](deployer_tree.md) or [supplier](supplier_tree.md). 2. [Publication](publication_decision.md) - Whether a publication about a vulnerability is warranted. The publication decision for us is a binary yes/no. 
@@ -25,9 +24,7 @@ These two decisions are not the entirety of vulnerability coordination, but we l For another example of how a coordinator is using SSVC, see the [CISA SSVC](https://www.cisa.gov/ssvc) website. - Different coordinators have different scopes and constituencies. See [The CERT Guide to Coordinated Vulnerability Disclosure](https://certcc.github.io/CERT-Guide-to-CVD/topics/roles/coordinator/) for a listing of different coordinator types. If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator. The decisions in this section assume the report or vulnerability in question is within the work scope or constituency for the coordinator. - diff --git a/docs/howto/coordination_triage_decision.md b/docs/howto/coordination_triage_decision.md index ec5bf7f1..6ad72cdc 100644 --- a/docs/howto/coordination_triage_decision.md +++ b/docs/howto/coordination_triage_decision.md 
@@ -11,20 +11,18 @@ This decision is also known as triage. In this case, the stakeholder is the **Coordinator** and the decision is the **priority of coordinating a vulnerability report**. - -## Coordinator Triage Units of Work +## Coordinator Triage Units of Work !!! info inline end "Coordinator Unit of Work" The unit of work for a Coordinator is usually a single report to be coordinated. Coordinator units of work tend to coincide with whatever arrives in a single report, which spans the range from a single -vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design +vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design flaws in system specifications that could affect every Supplier and product that uses or implements the flawed specification. Coordinators may need to reorganize reports (e.g., merge, split, expand, or contract) according to their workflow demands. SSVC can be applied to either the initial report or to the results of such refinement. - ## Coordinator Triage Decision Outcomes We take three priority levels in our decision about whether and how to [coordinate](https://certcc.github.io/CERT-Guide-to-CVD/tutorials/cvd_is_a_process/) 
@@ -38,17 +36,15 @@ a vulnerability based on an incoming report: | Track | Receive information about the vulnerability and monitor for status changes but do not take any overt actions. | | Coordinate | Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, publication, and assist another party. | - - - *Decline* — Do not act on the report. May take different forms, including ignoring the report as well as an +- *Decline* — Do not act on the report. May take different forms, including ignoring the report as well as an acknowledgement to the reporter that we will not act and suggest the reporter to go to vendor or publish if unresponsive. - - *Track* — Receive information about the vulnerability and monitor for status changes but do not take any overt actions. - - *Coordinate* — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, - notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), +- *Track* — Receive information about the vulnerability and monitor for status changes but do not take any overt actions. +- *Coordinate* — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, + notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), advise only, secondary coordinator (assist another lead coordinator). See the [FIRST CSIRT Services Framework](https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1#7-Service-Area-Vulnerability-Management) for additional vulnerability management services a coordinator may provide. - ## Coordinator Triage Decision Points !!! tip inline end "Prior CERT/CC Work on Prioritizing Coordination Decisions" 
@@ -68,19 +64,19 @@ In addition to using some of the decision points common to [Suppliers](supplier_ The first two function as gating questions: - [Report Public](../reference/decision_points/report_public.md): If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). -- [Supplier Contacted](../reference/decision_points/supplier_contacted.md): If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). +- [Supplier Contacted](../reference/decision_points/supplier_contacted.md): If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, [*super effective*](../reference/decision_points/system_exposure.md) [Utility](../reference/decision_points/utility.md), and [*significant*](../reference/decision_points/public_safety_impact.md) [Public Safety Impact](../reference/decision_points/public_safety_impact.md). In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive. -These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage +These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the decision model below shows. 
The remaining five decision points are: - [Report Credibility](../reference/decision_points/report_credibility.md): If the report is not credible, then CERT/CC will decline the case. -- [Supplier Cardinality](../reference/decision_points/supplier_cardinality.md): Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases. +- [Supplier Cardinality](../reference/decision_points/supplier_cardinality.md): Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases. - [Supplier Engagement](../reference/decision_points/supplier_engagement.md): If the suppliers are already engaged in a case, there is usually less for a coordinator to do, making it less likely that we will coordinate a case. - [Utility](../reference/decision_points/utility.md): If the vulnerability has high utility, then CERT/CC is more likely to coordinate the case. -- [Public Safety Impact](../reference/decision_points/public_safety_impact.md): If the vulnerability has significant +- [Public Safety Impact](../reference/decision_points/public_safety_impact.md): If the vulnerability has significant public safety impact, then CERT/CC is more likely to coordinate the case. More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. diff --git a/docs/howto/deployer_tree.md b/docs/howto/deployer_tree.md index e6683150..961a475e 100644 --- a/docs/howto/deployer_tree.md +++ b/docs/howto/deployer_tree.md 
@@ -18,7 +18,7 @@ in their infrastructure. Deployers are usually in the position of receiving remediations or mitigations from their [Suppliers](supplier_tree.md) for products they have deployed. They must then decide whether to deploy the remediation or mitigation to a particular instance (or not). -Whether they have the option of deploying only part of a remediation such as a fix bundle depends on whether the +Whether they have the option of deploying only part of a remediation such as a fix bundle depends on whether the Supplier has engineered their release process to permit that degree of flexibility. For example, if service packs are fix bundles, the Supplier might choose to release individually deployable fixes as well. @@ -35,12 +35,11 @@ The vulnerability management process for deployers has at its core the collation The first must be collected by the Deployer, while the latter two most often originate from the product Supplier. Managing this information is generally called **asset management**. - -In turn, Deployers must resolve this information into specific actions in which a remediation or mitigation is slated +In turn, Deployers must resolve this information into specific actions in which a remediation or mitigation is slated for deployment to replace or modify a particular instance of the product. -The Deployer model described below considers the mission and safety risks inherent to the category of systems to which those +The Deployer model described below considers the mission and safety risks inherent to the category of systems to which those deployed instances belong. -For this reason, we recommend that the pairing of remediation or mitigation to a product version instance constitutes +For this reason, we recommend that the pairing of remediation or mitigation to a product version instance constitutes the unit of work most appropriate for the Deployer. ## Deployer Decision Outcomes 
@@ -58,16 +57,15 @@ While we've used the same priority names, the meaning of the priority may have d | Out-of-cycle | Act more quickly than usual to apply the mitigation or remediation out-of-cycle, during the next available opportunity, working overtime if necessary. | | Immediate | Act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations. | - -When remediation is available, usually the action is to apply it. +When remediation is available, usually the action is to apply it. When remediation is not yet available, the action space is more diverse, but it should involve mitigating the vulnerability (e.g., shutting down services or applying additional security controls) or accepting the risk of not mitigating the vulnerability. -Applying mitigations may change the value of decision points. -A mitigation that successfully changes the value of a decision point may shift the priority of further action to a -reduced state. -If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation if it later -becomes available. +Applying mitigations may change the value of decision points. +A mitigation that successfully changes the value of a decision point may shift the priority of further action to a +reduced state. +If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation if it later +becomes available. !!! example "Mitigation Examples" @@ -125,7 +123,7 @@ for dp in [EXP, SE, U, HI]: print(example_block(dp)) ``` -In the _Human Impact_ table above, *MEF* stands for Mission Essential Function. +In the *Human Impact* table above, *MEF* stands for Mission Essential Function. ## Deployer Decision Model 
@@ -138,7 +136,6 @@ Below we provide an example deployer prioritization policy that maps the decisio - An [_active_](../reference/decision_points/exploitation.md) state of [*Exploitation*](../reference/decision_points/exploitation.md) will never result in a *defer* priority. - A [_none_](../reference/decision_points/exploitation.md) state of [*Exploitation*](../reference/decision_points/exploitation.md) (no evidence of exploitation) will result in either *defer* or *scheduled* priority—unless the state of [*Human Impact*](../reference/decision_points/human_impact.md) is [_very high_](../reference/decision_points/human_impact.md), resulting in an *out-of-cycle* priority. - {% include-markdown "../_includes/_tree_notation_tip.md" %} -{{ read_csv('deployer-options.csv') }} \ No newline at end of file +{{ read_csv('deployer-options.csv') }} diff --git a/docs/howto/index.md b/docs/howto/index.md index b3331037..17946887 100644 --- a/docs/howto/index.md +++ b/docs/howto/index.md 
@@ -31,7 +31,7 @@ At its core are the concepts of: - [**Stakeholder Roles**](../topics/enumerating_stakeholders.md): Different participants in the vulnerability response process have different needs and priorities. Roles can include patch suppliers, deployers, coordinators, and others. - [**Decisions**](../topics/enumerating_decisions.md): Each stakeholder role has a set of decisions to make about how to respond to vulnerabilities. - For a supplier, the decision might be about how to prioritize the creation of patches. For a deployer, the + For a supplier, the decision might be about how to prioritize the creation of patches. For a deployer, the decision might be about how to prioritize the deployment of patches. Coordinators usually need to decide whether to coordinate a response, and whether to publish information about a vulnerability they've coordinated. - [**Decision Points**](../reference/decision_points/index.md): Each decision is made based on a set of inputs, or decision points. These are the factors 
@@ -41,18 +41,18 @@ At its core are the concepts of: For example, a decision about whether to deploy a patch might have outcomes like "immediate", "scheduled", "deferred", and "out-of-cycle". -Given these concepts, we can combine them into decision models to help stakeholders make decisions about the priority +Given these concepts, we can combine them into decision models to help stakeholders make decisions about the priority with which to act. The definition of choices can take a logical form, such as: - - IF - - - ([*Exploitation*](../reference/decision_points/exploitation.md) IS *Public PoC*) AND - - ([*System Exposure*](../reference/decision_points/system_exposure.md) IS *controlled*) AND - - ([*Automatable*](../reference/decision_points/automatable.md) IS *no*) AND - - ([*Human Impact*](../reference/decision_points/human_impact.md) IS *medium*) +- IF + + - ([*Exploitation*](../reference/decision_points/exploitation.md) IS *Public PoC*) AND + - ([*System Exposure*](../reference/decision_points/system_exposure.md) IS *controlled*) AND + - ([*Automatable*](../reference/decision_points/automatable.md) IS *no*) AND + - ([*Human Impact*](../reference/decision_points/human_impact.md) IS *medium*) - - THEN priority is *scheduled*. +- THEN priority is *scheduled*. This example logical statement is captured in [row 34 of the deployer `.csv` file](https://github.com/CERTCC/SSVC/blob/main/data/csvs/deployer-options.csv#L35). diff --git a/docs/howto/publication_decision.md b/docs/howto/publication_decision.md index f727af0b..1673302a 100644 --- a/docs/howto/publication_decision.md +++ b/docs/howto/publication_decision.md 
@@ -11,7 +11,6 @@ While other stakeholders may also have to make a publication decision, here we f the combination of the stakeholder and the decision being modeled. In this case, the stakeholder is the **Coordinator** and the decision is **whether to publish an advisory about the vulnerability**. - ## Policy Constraints and Publication Decisions !!! tip inline end "Other Stakeholders' Publication Decisions" @@ -22,7 +21,7 @@ While other stakeholders may also have to make a publication decision, here we f A vulnerability finder may have to decide whether to publish information about a vulnerability they have discovered. Each of these decisions is likely to be different from the coordinator's decision. -The decision to publish information about a vulnerability is a policy choice, and is likely to differ from organization +The decision to publish information about a vulnerability is a policy choice, and is likely to differ from organization to organization. Two points where CERT/CC policy clearly influences the publication decision are embargo periods and scope. 
@@ -30,9 +29,9 @@ Two points where CERT/CC policy clearly influences the publication decision are As a matter of policy, CERT/CC will support an embargo from the public of information about a vulnerability through its choice not to publish that information while a number of conditions hold: - - - A negotiated embargo timer has not expired. The CERT/CC default embargo period is [45 days](https://certcc.github.io/CERT-Guide-to-CVD/reference/certcc_disclosure_policy/). - - Other exceptions have not been met, including active exploitation of the vulnerability in the wild or other public + +- A negotiated embargo timer has not expired. The CERT/CC default embargo period is [45 days](https://certcc.github.io/CERT-Guide-to-CVD/reference/certcc_disclosure_policy/). +- Other exceptions have not been met, including active exploitation of the vulnerability in the wild or other public discussion of the vulnerability details. Regardless, the decision described in this section assumes the embargo period is over, one way or another. @@ -43,11 +42,9 @@ The second point is related to the [Coordination Triage Decision](coordination_t CERT/CC only expects to publish about vulnerabilities with a [*coordinate*](coordination_triage_decision.md) status. While an issue that is tracked or declined may be reevaluated at a later date and status changed to [*coordinate*](coordination_triage_decision.md), unless that happens we would not publish about the vulnerability. -Other organizations, such as [NVD](https://nvd.nist.gov/), would have different publication criteria and may want to include decision +Other organizations, such as [NVD](https://nvd.nist.gov/), would have different publication criteria and may want to include decision points or the decision itself from the [Coordination Triage Decision](coordination_triage_decision.md) in their publication decision. - - ## Coordinator Publication Units of Work !!! info inline end "Coordinator Publication Unit of Work" 
@@ -57,11 +54,11 @@ points or the decision itself from the [Coordination Triage Decision](coordinati In the CERT/CC's vulnerability coordination practice, a single report leads to a single coordination case which leads to a single publication. Therefore the unit of work for the publication decision is often the same as the unit of work for the -[coordination triage decision](coordination_triage_decision.md). +[coordination triage decision](coordination_triage_decision.md). -That is sometimes not the case, however. For example, there could be multiple reports of multiple vulnerabilities and -the coordinator might choose to publish a single advisory covering all of them if the vulnerabilities are variations on -a central theme and have a common set of affected products. +That is sometimes not the case, however. For example, there could be multiple reports of multiple vulnerabilities and +the coordinator might choose to publish a single advisory covering all of them if the vulnerabilities are variations on +a central theme and have a common set of affected products. !!! example "Multiple Reports, Single Advisory" @@ -74,7 +71,7 @@ a central theme and have a common set of affected products. Another possibility is that a single report could lead to multiple advisories, for example if the product is a library that is used in multiple other products, and the coordinator chooses to publish separate advisories -based on some other criteria. +based on some other criteria. !!! example "Single Report, Multiple Advisories" 
@@ -122,17 +119,16 @@ For the CERT/CC, the publication decision is binary: publish or do not publish. a single decision with multiple outcomes, each of which would lead to a different publication vehicle. This is an example of how SSVC can be customized to the needs of the organization using it. - ## Coordinator Publication Decision Points -The publication decision reuses the [*Exploitation*](../reference/decision_points/exploitation.md) decision point -and adds two new ones ([*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) and +The publication decision reuses the [*Exploitation*](../reference/decision_points/exploitation.md) decision point +and adds two new ones ([*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) and [*Public Value Added*](../reference/decision_points/public_value_added.md)). - [*Supplier Involvement*](../reference/decision_points/supplier_involvement.md) - If the supplier is involved and likely to publish already, there is less need for the CERT/CC to publish. - [*Exploitation*](../reference/decision_points/exploitation.md) - If the vulnerability is being actively exploited, the CERT/CC is more likely to publish. - [*Public Value Added*](../reference/decision_points/public_value_added.md) - If there is already significant public discussion of the vulnerability, there might not be - much for the CERT/CC to add, making us less likely to publish. + much for the CERT/CC to add, making us less likely to publish. More detail about each of these decision points is provided at the links above, here we provide a brief summary of each. 
@@ -149,7 +145,7 @@ for dp in [SI, EXP, PVA]: ## Coordinator Publication Decision Model -An example coordinator publication decision model is shown below. The policy described by the model is based on CERT/CC +An example coordinator publication decision model is shown below. The policy described by the model is based on CERT/CC publication decisions. Other organizations may have different publication criteria and may want to include other decision points in their publication decision model. @@ -157,7 +153,6 @@ in their publication decision model. style="width: 100%;" height = "600" /> - |precedence| p25 va9 -->|ampliative| p26 va9 -->|limited| p27 + ``` --> @@ -274,4 +270,3 @@ flowchart LR {{ read_csv('coord-publish-options.csv') }} - diff --git a/docs/howto/supplier_tree.md b/docs/howto/supplier_tree.md index fc165e57..e714e907 100644 --- a/docs/howto/supplier_tree.md +++ b/docs/howto/supplier_tree.md @@ -43,11 +43,11 @@ Suppliers may also produce mitigations, such as recommended configuration change ## Supplier Decision Outcomes -At a basic level, the decision at a software development organization is whether to issue a work order and what +At a basic level, the decision at a software development organization is whether to issue a work order and what resources to expend to remediate a vulnerability in the organization’s software. Prioritization is required because, at least in the current history of software engineering, the effort to patch all known vulnerabilities will exceed available resources. -The organization considers several other factors to build the patch; refactoring a large portion of the code base may +The organization considers several other factors to build the patch; refactoring a large portion of the code base may be necessary for some patches, while others require relatively small changes. We focus only on the priority of building the patch, and we consider four categories of priority, as outlined in the table below. 
@@ -90,13 +90,12 @@ for dp in [EXP, U, TI, PSI]: ## Supplier Decision Model -The example supplier decision model below shows a prioritization policy for the supplier. -We display the decision model as a decision tree, which provides a compact representation of the policy, +The example supplier decision model below shows a prioritization policy for the supplier. +We display the decision model as a decision tree, which provides a compact representation of the policy, showing the relative priority of different situations. {% include-markdown "../_includes/_tree_notation_tip.md" %} - diff --git a/docs/howto/tree_customization.md b/docs/howto/tree_customization.md index 35016ecd..5c4ebe68 100644 --- a/docs/howto/tree_customization.md +++ b/docs/howto/tree_customization.md @@ -15,7 +15,7 @@ A stakeholder community may come together and, if there is broad consensus, add ## Customizing a Decision Model -Which decision points are involved in a vulnerability management team's +Which decision points are involved in a vulnerability management team's decision and the priority label for each resulting situation are, for all intents and purposes, totally at the discretion of the team. We have provided some examples for different stakeholder communities here. What decision points a team considers reflects what it cares about and the risks prioritizes. @@ -27,7 +27,7 @@ The other aspect of risk management that SSVC allows a team to customize is its A team's risk appetite is reflected directly by the priority labels for each combination of decision values. For example, a vulnerability with -[no or minor](../reference/decision_points/public_safety_impact.md) +[no or minor](../reference/decision_points/public_safety_impact.md) [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md), [total](../reference/decision_points/technical_impact.md) [*Technical Impact*](../reference/decision_points/technical_impact.md), 
@@ -57,10 +57,11 @@ To that end, we briefly examine the qualities for which decision tree measuremen ## Decision Tree Construction Concerns -Decision tree construction methods must address five significant concerns: -- feature selection -- feature type -- overfitting +Decision tree construction methods must address five significant concerns: + +- feature selection +- feature type +- overfitting - parsimony - versioning @@ -87,7 +88,7 @@ The use of ordinal features is a key assumption behind our use of the parsimony When decision trees are used in a machine learning context, overfitting increases tree complexity by incorporating the noise in the training data set into the decision points in a tree. In our case, our “data” is just the set of outcomes as decided by humans, so overfitting is less of a concern, assuming the feature selection has been done with care. -### Parsimony +### Parsimony Parsimony is, in essence, Occam's Razor applied to tree selection. Given the choice between two trees that have identical outputs, one should choose the tree with fewer decisions. One way to evaluate the parsimony of a tree is by applying the concept of feature importance to ensure that each feature is contributing adequately to the result. 
@@ -106,9 +107,11 @@ More likely, however, is that some subset of features will be of relatively equa In this case, the lowest importance feature should be considered for refinement or elimination. It is possible that adjusting the definition of a feature or its available values (whether redefining, adding, or removing options) could increase its importance. Reasons to retain a low-importance feature include: -* the feature is relevant to a small set of important circumstances that a tree without the feature would otherwise be unable to discriminate -* the effort required to determine the correct value for the feature is relatively small, for example information that might be collected automatically -* the feature enables other features to be defined more clearly + +- the feature is relevant to a small set of important circumstances that a tree without the feature would otherwise be unable to discriminate +- the effort required to determine the correct value for the feature is relatively small, for example information that might be collected automatically +- the feature enables other features to be defined more clearly + Features that meet none of the above criteria may be good candidates for elimination. Customizing a tree by changing the outcome priority labels can also affect the importance of a feature. 
@@ -126,12 +129,14 @@ SSVC trees should be identifiable by name and version. A tree name is simply a s Communities of shared interest may desire to share information about decision points or even create custom trees to share within their community. Examples include: + - an Information Sharing and Analysis Organization (ISAO) within a critical infrastructure sector might want to define a custom decision point relevant to their constituents' regulatory compliance. - a corporate Computer Security Incident Response Team (CSIRT) might choose to adjust decision priorities for an existing tree for use by its subsidiaries. - a government department might define a separate tree using existing decision points to address a particular governance process within their constituent agencies. -- a regional coordinator might want to produce decision point information as a product of its threat analysis work and provide this information to its constituency in an advisory. +- a regional coordinator might want to produce decision point information as a product of its threat analysis work and provide this information to its constituency in an advisory. In these and other scenarios, there are two scopes to consider: + 1. Decision Point Scope 2. Decision Tree Scope 
@@ -139,19 +144,21 @@ In these and other scenarios, there are two scopes to consider: Each decision point defined in this document has a characteristic scope, either *stakeholder-agnostic* or *stakeholder-specific*. -- **Stakeholder-agnostic decision points** describe the state of the world outside the stakeholder's environment. +- **Stakeholder-agnostic decision points** describe the state of the world outside the stakeholder's environment. One might think of them as global facts that form the background context in which the stakeholder is making a prioritization decision. -Nearly all stakeholders should agree on the assignment of specific values to these decision points. +Nearly all stakeholders should agree on the assignment of specific values to these decision points. - **Stakeholder-specific decision points** are expected to be contextual to some set of stakeholders. Information about a stakeholder-specific decision point can still be inherited by other stakeholders using the same tree. For example in the corporate CSIRT scenario above, the [*System Exposure*](../reference/decision_points/system_exposure.md) value might be consistent across all subsidiaries for a centrally managed service. We generally consider the following decision points to be *stakeholder-agnostic*: + - [*Exploitation*](../reference/decision_points/exploitation.md) - [*Technical Impact*](../reference/decision_points/technical_impact.md) - [*Automatable*](../reference/decision_points/automatable.md) On the contrary, we consider the following decision points to be *stakeholder-specific*: + - [*Value Density*](../reference/decision_points/value_density.md) - [Utility](../reference/decision_points/utility.md) - [*Safety Impact*](../reference/decision_points/safety_impact.md) 
@@ -163,13 +170,14 @@ On the contrary, we consider the following decision points to be *stakeholder-sp We anticipate that most custom decision points created by stakeholders for themselves or a constituency will be of the *stakeholder-specific* variety. Examples of these sorts of custom decision points include + - A decision point indicating whether a system or mission context is affected by regulatory oversight that might alter the decision priority. E.g., a healthcare-focused ISAO might define a decision point about whether a vulnerability affects patient data privacy protection. - A decision point that incorporates the concept of change risk to a deployer. E.g., a financial institution might have a very low tolerance for changes to a transaction clearing system. - A decision point that indicates whether the affected software belongs to a list of critical software for a specific constituency. E.g., an open-source consortium might want to prioritize fix development for a set of key projects. - + ### Decision Tree Scope Two kinds of modifications are possible at the decision tree level. @@ -178,7 +186,7 @@ Two kinds of modifications are possible at the decision tree level. For example, an organization with sufficient resources to efficiently deploy fixes might choose to defer fewer cases than the default tree would recommend. - *Tree Customization* can be done in one of three ways: 1. incorporating an already-defined decision point into an existing tree that does not already contain it. - 2. defining a new decision point and adding it to an existing tree. + 2. defining a new decision point and adding it to an existing tree. Note that adding or removing an option from an existing decision point should be treated as creating a new decision point. The new decision point should be given a distinct name as well. 3. defining a new tree entirely from existing or new decision points. 
@@ -188,4 +196,3 @@ Because tree customization changes the tree structure and implies the addition o Risk-shifted or customized trees can be shared among a community of interest, of course. Further customization within each stakeholder remains an option as well, although there is likely a diminishing return on more than a few layers of customization for the same basic decision. Of course, SSVC users might choose to construct other trees to inform other decisions. - diff --git a/docs/index.md b/docs/index.md index c6faf6d3..8713f65b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,17 +1,16 @@ # Stakeholder-Specific Vulnerability Categorization -SSVC stands for A Stakeholder-Specific Vulnerability Categorization. +SSVC stands for A Stakeholder-Specific Vulnerability Categorization. It is a methodology for prioritizing vulnerabilities based on the needs of the stakeholders involved in the vulnerability management process. SSVC is designed to be used by any stakeholder in the vulnerability management process, including finders, vendors, coordinators, deployers, and others. - ## Where to go from here We have organized the SSVC documentation into four main sections:
-- :material-television-shimmer:{ .lg .middle } __Get Started with SSVC__ +- :material-television-shimmer:{ .lg .middle } **Get Started with SSVC** --- @@ -20,7 +19,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: Learning SSVC](tutorials/index.md) -- :material-clipboard-check:{ .lg .middle } __SSVC How To__ +- :material-clipboard-check:{ .lg .middle } **SSVC How To** --- @@ -29,7 +28,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: SSVC How To](howto/index.md) -- :fontawesome-solid-book:{ .lg .middle } __Learn More about SSVC__ +- :fontawesome-solid-book:{ .lg .middle } **Learn More about SSVC** --- @@ -38,7 +37,7 @@ We have organized the SSVC documentation into four main sections: [:octicons-arrow-right-24: Understanding SSVC](topics/index.md) -- :material-book-open-page-variant:{ .lg .middle } __SSVC Reference__ +- :material-book-open-page-variant:{ .lg .middle } **SSVC Reference** --- @@ -49,5 +48,4 @@ We have organized the SSVC documentation into four main sections:
- {% include-markdown "_includes/helping_out.md" heading-offset=1 %} diff --git a/docs/reference/code/analyze_csv.md b/docs/reference/code/analyze_csv.md index 1f47e1ab..8bee1a2c 100644 --- a/docs/reference/code/analyze_csv.md +++ b/docs/reference/code/analyze_csv.md @@ -1,4 +1,3 @@ # SSVC CSV Analyzer ::: ssvc.csv_analyzer - diff --git a/docs/reference/code/doctools.md b/docs/reference/code/doctools.md index edd3b5e0..a589b962 100644 --- a/docs/reference/code/doctools.md +++ b/docs/reference/code/doctools.md @@ -1,4 +1,3 @@ # Doctools ::: ssvc.doctools - diff --git a/docs/reference/code/index.md b/docs/reference/code/index.md index 726664c0..8f2f47ad 100644 --- a/docs/reference/code/index.md +++ b/docs/reference/code/index.md @@ -6,4 +6,4 @@ These include: - [CSV Analyzer](analyze_csv.md) - [Policy Generator](policy_generator.md) - [Outcomes](outcomes.md) -- [Doctools](doctools.md) \ No newline at end of file +- [Doctools](doctools.md) diff --git a/docs/reference/code/policy_generator.md b/docs/reference/code/policy_generator.md index fa6e8477..4520599f 100644 --- a/docs/reference/code/policy_generator.md +++ b/docs/reference/code/policy_generator.md @@ -5,5 +5,4 @@ policy (a decision tree) from a set of input parameters. It is intended to be used as a library, for example within a Jupyter notebook. - -::: ssvc.policy_generator \ No newline at end of file +::: ssvc.policy_generator diff --git a/docs/reference/decision_points/automatable.md b/docs/reference/decision_points/automatable.md index 171c7cbb..f3b1cedd 100644 --- a/docs/reference/decision_points/automatable.md +++ b/docs/reference/decision_points/automatable.md @@ -1,6 +1,5 @@ # Automatable - ```python exec="true" idprefix="" from ssvc.decision_points.automatable import LATEST from ssvc.doc_helpers import example_block 
@@ -8,13 +7,11 @@ from ssvc.doc_helpers import example_block print(example_block(LATEST)) ``` - !!! tip "See also" Automatable combines with [Value Density](./value_density.md) to inform [Utility](./utility.md) - *Automatable* captures the answer to the question “Can an attacker reliably automate creating exploitation events for this vulnerability?” !!! question "What are Steps 1-4 of the Kill Chain?" @@ -29,13 +26,11 @@ print(example_block(LATEST)) 2. weaponization may require human direction for each target 3. delivery may require channels that widely deployed network security configurations block 4. exploitation is not reliable, due to exploit-prevention techniques (e.g., ASLR) enabled by default - !!! question "When is Automatable *yes*?" If the vulnerability allows remote code execution or command injection, the expected response should be yes. - Due to vulnerability chaining, there is some nuance as to whether reconnaissance can be automated. !!! example "Vulnerability Chaining" @@ -78,4 +73,3 @@ for version in versions: *Virulence* is superseded by *Automatable*, which clarified the concept we we were attempting to capture. - \ No newline at end of file diff --git a/docs/reference/decision_points/compound_decision_points.md b/docs/reference/decision_points/compound_decision_points.md index cca71dfe..43f0e385 100644 --- a/docs/reference/decision_points/compound_decision_points.md +++ b/docs/reference/decision_points/compound_decision_points.md @@ -7,4 +7,3 @@ Examples of compound decision points include: - [Human Impact](human_impact.md) - [Public Safety Impact](public_safety_impact.md) - [Utility](utility.md) - diff --git a/docs/reference/decision_points/exploitation.md b/docs/reference/decision_points/exploitation.md index bed76396..478d4033 100644 --- a/docs/reference/decision_points/exploitation.md +++ b/docs/reference/decision_points/exploitation.md 
@@ -1,5 +1,4 @@ -# Exploitation - +# Exploitation ```python exec="true" idprefix="" from ssvc.decision_points.exploitation import LATEST @@ -36,10 +35,8 @@ The intent of this measure is the present state of exploitation of the vulnerabi ## CWE-IDs for *PoC* - The table below lists CWE-IDs that could be used to mark a vulnerability as *PoC* if the vulnerability is described by the CWE-ID. - !!! example "CWE-295" For example, [CWE-295 Improper Certificate Validation diff --git a/docs/reference/decision_points/human_impact.md b/docs/reference/decision_points/human_impact.md index 7f970a6b..04057d11 100644 --- a/docs/reference/decision_points/human_impact.md +++ b/docs/reference/decision_points/human_impact.md @@ -15,7 +15,7 @@ print(example_block(LATEST)) Note: This is a compound decision point[^1], therefore it is a notational convenience. *Human Impact* is a combination of how a vulnerability can affect an organization's mission essential functions as well as -safety considerations, whether for the organization's personnel or the public at large. +safety considerations, whether for the organization's personnel or the public at large. We observe that the day-to-day operations of an organization often have already built in a degree of tolerance to small-scale variance in mission impacts. Thus in our opinion we need only concern ourselves with discriminating well at the upper end of the scale. Therefore we combine the two lesser mission impacts of degraded and MEF support crippled into a single category, while retaining the distinction between MEF Failure and Mission Failure at the extreme. 
@@ -30,10 +30,9 @@ The mapping is shown in the table above.
 [^1]: In pilot implementations of SSVC, we received feedback that organizations tend to think of mission and safety impacts as if they were combined into a single factor: in other words, the priority increases regardless which of the two impact factors was increased. We therefore combine [Safety Impact](safety_impact.md) and
-[Mission Impact](mission_impact.md) for deployers into a single _Human Impact_ factor
+[Mission Impact](mission_impact.md) for deployers into a single *Human Impact* factor
 as a dimension reduction step.
-
 ## Safety and Mission Impact Decision Points for Industry Sectors
 We expect to encounter diversity in both safety and mission impacts across different organizations.
@@ -45,7 +44,6 @@ provide SSVC information tailored as appropriate to their constituency's safety
 For considerations on how organizations might communicate SSVC information to their constituents, see [Guidance on Communicating Results](../../howto/bootstrap/use.md).
-
 ## Prior Versions
 ```python exec="true" idprefix=""
diff --git a/docs/reference/decision_points/index.md b/docs/reference/decision_points/index.md
index ec64f9a7..1f002796 100644
--- a/docs/reference/decision_points/index.md
+++ b/docs/reference/decision_points/index.md
@@ -41,7 +41,7 @@ decision points. Sometimes this is a "better" or "worse" dimension, but it seems to generalize to a "more likely to act" or "less likely to act" of dimension.
-!!! question "Where are the _Unknown_ options?"
+!!! question "Where are the *Unknown* options?"
 One important omission from the values for each category is an *unknown* option. Instead, we recommend explicitly identifying an option that is a reasonable assumption based on prior events.
diff --git a/docs/reference/decision_points/mission_impact.md b/docs/reference/decision_points/mission_impact.md
index 9af10310..f4aa3a48 100644
--- a/docs/reference/decision_points/mission_impact.md
+++ b/docs/reference/decision_points/mission_impact.md 
@@ -12,31 +12,30 @@ print(example_block(LATEST))
 Mission Impact combines with [Safety Impact](./safety_impact.md) to inform [Human Impact](./human_impact.md)
-A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1].
-Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning.
+A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1].
+Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning.
 Mission Essential Functions are in effect critical activities within an organization that are used to identify key assets, supporting tasks, and resources that an organization requires to remain operational in a crises situation, and so must be included in its planning process. During an event, key resources may be limited and personnel may be unavailable, so organizations must consider these factors and validate assumptions when identifying, validating, and prioritizing MEFs.
-When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential.
-The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies [@FCD2_2017, page B-2].
+When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential.
+The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies [@FCD2_2017, page B-2].
Essential functions are both important and urgent. Functions that can be deferred until after an emergency are identified as non-essential. For example, DoD defines MEFs in [DoD Directive 3020.26 DoD Continuity Policy](https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodd/302026p.pdf) using similar terminology to [FCD-2](https://www.fema.gov/sites/default/files/2020-07/Federal_Continuity_Directive-2_June132017.pdf) [@dod3026_26_2018].
-As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning.
-For example, infrastructure providers in the US may better align with [National Critical Functions](https://www.cisa.gov/national-critical-functions).
-Private sector businesses may better align with [operational and financial impacts](https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf) in a [business continuity plan](https://www.ready.gov/business-continuity-plan).
+As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning.
+For example, infrastructure providers in the US may better align with [National Critical Functions](https://www.cisa.gov/national-critical-functions).
+Private sector businesses may better align with [operational and financial impacts](https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf) in a [business continuity plan](https://www.ready.gov/business-continuity-plan).
 While the processes, terminology, and audience for these different frameworks differ, they all can provide a sense of the criticality of an asset or assets within the scope of the stakeholder conducting the cyber vulnerability prioritization with SSVC.
-In that sense they all function quite similarly within SSVC.
Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents.
-
+In that sense they all function quite similarly within SSVC. Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents.
 ## Gathering Information About Mission Impact
-The factors that influence the mission impact level are diverse.
-This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work.
-At a minimum, understanding mission impact should include gathering information about the critical paths that involve vulnerable components, viability of contingency measures, and resiliency of the systems that support the mission.
-There are various sources of guidance on how to gather this information; see for example the FEMA guidance in Continuity Directive 2 [@FCD2_2017] or OCTAVE FORTE [@tucker2018octave].
+The factors that influence the mission impact level are diverse.
+This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work.
+At a minimum, understanding mission impact should include gathering information about the critical paths that involve vulnerable components, viability of contingency measures, and resiliency of the systems that support the mission.
+There are various sources of guidance on how to gather this information; see for example the FEMA guidance in Continuity Directive 2 [@FCD2_2017] or OCTAVE FORTE [@tucker2018octave].
 This is part of risk management more broadly. It should require the vulnerability management team to interact with more senior management to understand mission priorities and other aspects of risk mitigation.
diff --git a/docs/reference/decision_points/public_safety_impact.md b/docs/reference/decision_points/public_safety_impact.md
index 9943ddac..5564ac7f 100644
--- a/docs/reference/decision_points/public_safety_impact.md
+++ b/docs/reference/decision_points/public_safety_impact.md
@@ -16,9 +16,9 @@ This is a compound decision point, therefore it is a notational convenience.
 Suppliers necessarily have a rather coarse-grained perspective on the broadly defined [Safety Impact](safety_impact.md) Decision Point. Therefore we simplify the above into a binary categorization:
-- _Significant_ is when any impact meets the criteria for an impact of Marginal, Critical, or Catastrophic in the
+- *Significant* is when any impact meets the criteria for an impact of Marginal, Critical, or Catastrophic in the
 [Safety Impact](safety_impact.md) table.
-- _Minimal_ is when none do.
+- *Minimal* is when none do.
 ## Prior Versions
diff --git a/docs/reference/decision_points/public_value_added.md b/docs/reference/decision_points/public_value_added.md
index ad5759a9..0284c0da 100644
--- a/docs/reference/decision_points/public_value_added.md
+++ b/docs/reference/decision_points/public_value_added.md
@@ -7,12 +7,11 @@ from ssvc.doc_helpers import example_block
 print(example_block(LATEST))
 ```
-
-The intent of the definition is that one rarely if ever transitions from _limited_ to _ampliative_ or _ampliative_ to _precedence_.
-A vulnerability could transition from _precedence_ to _ampliative_ and _ampliative_ to _limited_.
+The intent of the definition is that one rarely if ever transitions from *limited* to *ampliative* or *ampliative* to *precedence*.
+A vulnerability could transition from *precedence* to *ampliative* and *ampliative* to *limited*.
 That is, *Public Value Added* should only be downgraded through future iterations or re-evaluations. This directionality is because once other organizations make something public, they cannot effectively un-publish it (it'll be recorded and people will know about it, even if they take down a webpage).
-The rare case where *Public Value Added* increases would be if an organization published viable information, but
+The rare case where *Public Value Added* increases would be if an organization published viable information, but
 then published additional misleading or obscuring information at a later time. Then one might go from *limited* to *ampliative* in the interest of pointing to the better information.
diff --git a/docs/reference/decision_points/report_credibility.md b/docs/reference/decision_points/report_credibility.md
index 647360a1..acce744c 100644
--- a/docs/reference/decision_points/report_credibility.md
+++ b/docs/reference/decision_points/report_credibility.md
@@ -7,7 +7,6 @@ from ssvc.doc_helpers import example_block
 print(example_block(LATEST))
 ```
-
 An analyst should start with a presumption of credibility and proceed toward disqualification. The reason for this is that, as a coordinator, occasionally doing a bit of extra work on a bad report is preferable to rejecting legitimate reports. This is essentially stating a preference for false positives over false negatives with respect to credibility determination.
@@ -30,35 +29,35 @@ The indicators for or against are not commensurate, and so they cannot be put on
 If neither of these confirmations are available, then the value of the [*Report Credibility*](#report-credibility) decision point depends on a balancing test among the following indicators. **Indicators *for* Credibility** include:
-
- - The report is specific about what is affected
- - The report provides sufficient detail to reproduce the vulnerability.
- - The report describes an attack scenario.
- - The report suggests mitigations.
- - The report includes proof-of-concept exploit code or steps to reproduce.
- - Screenshots and videos, if provided, support the written text of the report and do not replace it.
- - The report neither exaggerates nor understates the impact.
+
+- The report is specific about what is affected
+- The report provides sufficient detail to reproduce the vulnerability.
+- The report describes an attack scenario.
+- The report suggests mitigations.
+- The report includes proof-of-concept exploit code or steps to reproduce.
+- Screenshots and videos, if provided, support the written text of the report and do not replace it.
+- The report neither exaggerates nor understates the impact.
 **Indicators *against* Credibility** include:
- - The report is “spammy” or exploitative (for example, the report is an attempt to upsell the receiver on some product or service).
- - The report is vague or ambiguous about which vendors, products, or versions are affected (for example, the report claims that all “cell phones” or “wifi” or “routers” are affected).
- - The report is vague or ambiguous about the preconditions necessary to exploit the vulnerability.
- - The report is vague or ambiguous about the impact if exploited.
- - The report exaggerates the impact if exploited.
- - The report makes extraordinary claims without correspondingly extraordinary evidence (for example, the report claims that exploitation could result in catastrophic damage to some critical system without a clear causal connection between the facts presented and the impacts claimed).
- - The report is unclear about what the attacker gains by exploiting the vulnerability. What do they get that they didn't already have? For example, an attacker with system privileges can already do lots of bad things, so a report that assumes system privileges as a precondition to exploitation needs to explain what else this gives the attacker.
- - The report depends on preconditions that are extremely rare in practice, and lacks adequate evidence for why those preconditions might be expected to occur (for example, the vulnerability is only exposed in certain non-default configurations—unless there is evidence that a community of practice has established a norm of such a non-default setup).
- - The report claims dire impact for a trivially found vulnerability. It is not impossible for this to occur, but most products and services that have been around for a while have already had their low-hanging fruit major vulnerabilities picked. One notable exception would be if the reporter applied a completely new method for finding vulnerabilities to discover the subject of the report.
- - The report is rambling and is more about a narrative than describing the vulnerability. One description is that the report reads like a food recipe with the obligatory search engine optimization preamble.
- - The reporter is known to have submitted low-quality reports in the past.
- - The report conspicuously misuses technical terminology. This is evidence that the reporter may not understand what they are talking about.
- - The analyst's professional colleagues consider the report to be not credible.
- - The report consists of mostly raw tool output. Fuzz testing outputs are not vulnerability reports.
- - The report lacks sufficient detail for someone to reproduce the vulnerability.
- - The report is just a link to a video or set of images, or lacks written detail while claiming “it's all in the video”. Imagery should support a written description, not replace it.
- - The report describes a bug with no discernible security impact.
- - The report fails to describe an attack scenario, and none is obvious.
+- The report is “spammy” or exploitative (for example, the report is an attempt to upsell the receiver on some product or service).
+- The report is vague or ambiguous about which vendors, products, or versions are affected (for example, the report claims that all “cell phones” or “wifi” or “routers” are affected).
+- The report is vague or ambiguous about the preconditions necessary to exploit the vulnerability.
+- The report is vague or ambiguous about the impact if exploited.
+- The report exaggerates the impact if exploited.
+- The report makes extraordinary claims without correspondingly extraordinary evidence (for example, the report claims that exploitation could result in catastrophic damage to some critical system without a clear causal connection between the facts presented and the impacts claimed).
+- The report is unclear about what the attacker gains by exploiting the vulnerability. What do they get that they didn't already have? For example, an attacker with system privileges can already do lots of bad things, so a report that assumes system privileges as a precondition to exploitation needs to explain what else this gives the attacker.
+- The report depends on preconditions that are extremely rare in practice, and lacks adequate evidence for why those preconditions might be expected to occur (for example, the vulnerability is only exposed in certain non-default configurations—unless there is evidence that a community of practice has established a norm of such a non-default setup).
+- The report claims dire impact for a trivially found vulnerability. It is not impossible for this to occur, but most products and services that have been around for a while have already had their low-hanging fruit major vulnerabilities picked. One notable exception would be if the reporter applied a completely new method for finding vulnerabilities to discover the subject of the report.
+- The report is rambling and is more about a narrative than describing the vulnerability. One description is that the report reads like a food recipe with the obligatory search engine optimization preamble.
+- The reporter is known to have submitted low-quality reports in the past.
+- The report conspicuously misuses technical terminology. This is evidence that the reporter may not understand what they are talking about.
+- The analyst's professional colleagues consider the report to be not credible.
+- The report consists of mostly raw tool output. Fuzz testing outputs are not vulnerability reports.
+- The report lacks sufficient detail for someone to reproduce the vulnerability.
+- The report is just a link to a video or set of images, or lacks written detail while claiming “it's all in the video”. Imagery should support a written description, not replace it.
+- The report describes a bug with no discernible security impact.
+- The report fails to describe an attack scenario, and none is obvious.
 We considered adding poor grammar or spelling as an indicator of non-credibility. On further reflection, we do not recommend that poor grammar or spelling be used as an indicator of low report quality, as many reporters may not be native to the coordinator's language.
@@ -78,7 +77,5 @@ Furthermore, a report may be factual but not identify any security implications;
 A coordinator also has a scope defined by their specific constituency and mission. A report can be entirely credible yet remain out of scope for your coordination practice.
-Decide what to do about out of scope reports separately, before the vulnerability coordination triage decision begins.
+Decide what to do about out of scope reports separately, before the vulnerability coordination triage decision begins.
 If a report arrives and would be out of scope even if true, there will be no need to proceed with judging its credibility.
-
-
diff --git a/docs/reference/decision_points/safety_impact.md b/docs/reference/decision_points/safety_impact.md
index 425dd7a0..1601cde4 100644
--- a/docs/reference/decision_points/safety_impact.md
+++ b/docs/reference/decision_points/safety_impact.md
@@ -7,7 +7,6 @@ from ssvc.doc_helpers import example_block
 print(example_block(LATEST))
 ```
-
 !!! tip "See also"
 - Safety Impact combines with [Mission Impact](./mission_impact.md) to
@@ -46,7 +45,7 @@ If the stakeholder is contractually or legally responsible for safe operation of
 For software used in a wide variety of sectors and deployments, the stakeholder may need to estimate an aggregate safety impact. Aggregation suggests that the stakeholder’s response to this decision point cannot be less than the most severe credible safety impact, but we leave the specific aggregation method or function as a domain-specific extension for future work.
-### Gathering Information About Safety Impact
+## Gathering Information About Safety Impact
 The factors that influence the safety impact level are diverse. This paper does not exhaustively discuss how a stakeholder should answer a question; that is a topic for future work.
@@ -58,7 +57,6 @@ The decision values for safety impact are based on the hazard categories for air
 To assign a value to [*Safety Impact*](safety_impact.md), at least one type of harm must reach that value. For example, for a [*Safety Impact*](safety_impact.md) of [*major*](safety_impact.md), at least one type of harm must reach [*major*](safety_impact.md) level. All types of harm do not need to rise to the level of [*major*](safety_impact.md), just one type of harm does. - - ### Situated Safety Impact Deployers are anticipated to have a more fine-grained perspective on the safety impacts broadly defined in *Safety Impact*. We defer this topic for now because we combine it with [*Mission Impact*](mission_impact.md) to simplify implementation for deployers. - ## Prior Versions ```python exec="true" idprefix=""
@@ -229,4 +225,3 @@ for version in versions:
 print(example_block(version))
 print("\n---\n")
 ```
-
diff --git a/docs/reference/decision_points/supplier_contacted.md b/docs/reference/decision_points/supplier_contacted.md
index def0c2b6..f75e1615 100644
--- a/docs/reference/decision_points/supplier_contacted.md
+++ b/docs/reference/decision_points/supplier_contacted.md
@@ -7,9 +7,6 @@ from ssvc.doc_helpers import example_block
 print(example_block(LATEST))
 ```
-
 !!! tip "Quality Contact Method"
 A quality contact method is a publicly posted known good email address, public portal on vendor website, etc.
-
-
diff --git a/docs/reference/decision_points/system_exposure.md b/docs/reference/decision_points/system_exposure.md
index 4595895b..9a2f52dd 100644
--- a/docs/reference/decision_points/system_exposure.md
+++ b/docs/reference/decision_points/system_exposure.md
@@ -7,7 +7,6 @@ from ssvc.doc_helpers import example_block
 print(example_block(LATEST))
 ```
-
 Measuring the attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus.
@@ -18,7 +17,6 @@ Therefore, a deployer’s response to Exposure may change if such mitigations ar
 If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. Whether that mitigation allows the deployer to defer further action varies according to each case.
-
 ## Gathering Information About System Exposure
 *System Exposure* is primarily used by Deployers, so the question is about whether some specific system is in fact exposed, not a hypothetical or aggregate question about systems of that type.
@@ -32,13 +30,14 @@ An analyst should also choose *open* for a phone or PC that connects to the web
 Distinguishing between *small* and *controlled* is more nuanced. If *open* has been ruled out, some suggested heuristics for differentiating the other two are as follows. Apply these heuristics in order and stop when one of them applies.
- - If the system's networking and communication interfaces have been physically removed or disabled, choose *small*.
- - If [*Automatable*](automatable.md) is [*yes*](automatable.md), then choose *controlled*. The reasoning behind this heuristic is that if reconnaissance through exploitation is automatable, then the usual deployment scenario exposes the system sufficiently that access can be automated, which contradicts the expectations of *small*.
- - If the vulnerable component is on a network where other hosts can browse the web or receive email, choose *controlled*.
- - If the vulnerable component is in a third party library that is unreachable because the feature is unused in the surrounding product, choose *small*.
+
+- If the system's networking and communication interfaces have been physically removed or disabled, choose *small*.
+- If [*Automatable*](automatable.md) is [*yes*](automatable.md), then choose *controlled*. The reasoning behind this heuristic is that if reconnaissance through exploitation is automatable, then the usual deployment scenario exposes the system sufficiently that access can be automated, which contradicts the expectations of *small*.
+- If the vulnerable component is on a network where other hosts can browse the web or receive email, choose *controlled*.
+- If the vulnerable component is in a third party library that is unreachable because the feature is unused in the surrounding product, choose *small*.
The unreachable vulnerable component scenario may be a point of concern for stakeholders like patch suppliers who often find it more cost-effective to simply update the included library to an existing fixed version rather than try to explain to customers why the vulnerable code is unreachable in their own product.
-In those cases, we suggest the stakeholder reviews the decision outcomes of the tree to ensure the appropriate action is taken (paying attention to [_defer_](../../howto/supplier_tree.md) vs [_scheduled_](../../howto/supplier_tree.md), for example).
+In those cases, we suggest the stakeholder reviews the decision outcomes of the tree to ensure the appropriate action is taken (paying attention to [*defer*](../../howto/supplier_tree.md) vs [*scheduled*](../../howto/supplier_tree.md), for example).
 If you have suggestions for further heuristics, or potential counterexamples to these, please describe the example and reasoning in an issue on the [SSVC GitHub](https://github.com/CERTCC/SSVC/issues).
diff --git a/docs/reference/decision_points/technical_impact.md b/docs/reference/decision_points/technical_impact.md
index 5fc482f1..4b1dcaf6 100644
--- a/docs/reference/decision_points/technical_impact.md
+++ b/docs/reference/decision_points/technical_impact.md
@@ -16,7 +16,6 @@ Our definition of **vulnerability** is based on the determination that some secu
 We consider a security policy violation to be a technical impact—or at least, a security policy violation must have some technical instantiation. Therefore, if there is a vulnerability then there must be some technical impact.
-
 !!! tip "Gathering Information About Technical Impact"
 Assessing *Technical Impact* amounts to assessing the degree of control over the vulnerable component the attacker stands to gain by exploiting the vulnerability.
@@ -33,4 +32,3 @@ Therefore, if there is a vulnerability then there must be some technical impact.
 If you find a vulnerability that should have *total* *Technical Impact* but that does not answer yes to any of these questions, please describe the example and what question we might add to this list in an issue on the [SSVC GitHub](https://github.com/CERTCC/SSVC/issues).
-
diff --git a/docs/reference/decision_points/utility.md b/docs/reference/decision_points/utility.md
index 4779439f..1c465d41 100644
--- a/docs/reference/decision_points/utility.md
+++ b/docs/reference/decision_points/utility.md
@@ -12,7 +12,6 @@ print(example_block(LATEST))
 Utility is a combination of [Automatable](./automatable.md) and [Value Density](./value_density.md)
-
 This is a compound decision point, therefore it is a notational convenience. *Utility* estimates an adversary's benefit compared to their effort based on the assumption that they can exploit the vulnerability.
@@ -30,7 +29,6 @@ This framing makes it easier to analytically derive these categories from a desc
 Roughly, *Ut[truncated-safe]ility* is a combination of two things: (1) the value of each exploitation event and (2) the ease and speed with which the adversary can cause exploitation events. We define *Utility* as laborious, efficient, or super effective, as described in the table above.
-
 ## Alternative Utility Outputs
 Alternative heuristics can plausibly be used as proxies for adversary utility.
@@ -45,8 +43,6 @@ Price does not only track the [*Value Density*](value_density.md) of the system,
 Currently, we simplify the analysis and ignore these factors. However, future work should look for and prevent large mismatches between the outputs of the *Utility* decision point and the exploit markets.
-
-
 ## Previous Versions
 ```python exec="true" idprefix=""
@@ -62,4 +58,4 @@ for version in versions:
 !!! tip "See also"
 Utility v1.0.0 was a combination of [Virulence](./automatable.md) and
- [Value Density](./value_density.md)
\ No newline at end of file
+ [Value Density](./value_density.md)
diff --git a/docs/reference/index.md b/docs/reference/index.md
index af7ff33b..26a2efc0 100644
--- a/docs/reference/index.md
+++ b/docs/reference/index.md
@@ -11,19 +11,18 @@ In this section, we provide reference documentation for SSVC.
 We have organized the reference documentation into two main sections:
-
-- :material-arrow-decision-outline: [**Decision Points**](decision_points/index.md)
+- :material-arrow-decision-outline: [**Decision Points**](decision_points/index.md)
 ---
-
+
 A list of all the decision points, values, and versions.
-- :material-language-python: [**Code Documentation**](code/index.md)
-
+- :material-language-python: [**Code Documentation**](code/index.md)
+
 ---
 Documentation for the SSVC Python modules.
-
\ No newline at end of file
+
diff --git a/docs/ssvc-calc/README.md b/docs/ssvc-calc/README.md
index db57b28d..f4e9d740 100644
--- a/docs/ssvc-calc/README.md
+++ b/docs/ssvc-calc/README.md
@@ -1,20 +1,19 @@
-# Dryad
+# Dryad
+
 Stakeholder-Specific Vulnerability Categorization Calculator Dryad is a SSVC calculator app that guides you through the simple steps needed in making a vulnerability priority decision. The result of applying SSVC is a priority decision, providing you with a recommended action. See the demo in our [SSVC calc website](https://democert.org/ssvc/)
-Some examples of actions are
+Some examples of actions are
 defer, scheduled, out-of-cycle, and immediate.
-* The top drop-down allows you to select from multiple decision trees that map to an appropriate Role in SSVC.
-* To explore the decision tree, use the button "Show Full Tree" This will show all the branches, nodes and edges that make up the decision tree. A small zoom control horizontal range slider that can help with very large decision trees.
-* A drop-down allows you to move from Graphic mode to Simple mode.
-* There are also a number of sample CVE in a dropdown that will auto-select a number of steps in the decision tree
-* Use the "Start Decision" to navigate the tree for assesing your prioritization for a vulnerability.
-* You can also import custom decision trees and custom CVE samples for the current decision tree.
-* There is a [data](../data/) folder where there is a number of examples both of schema and examples of exported outputs.
-* You can install this directory as a folder in your public website directory. and expose it. All referenced url's are relative in the scripts and HTML files.
-
-
+- The top drop-down allows you to select from multiple decision trees that map to an appropriate Role in SSVC.
+- To explore the decision tree, use the button "Show Full Tree" This will show all the branches, nodes and edges that make up the decision tree. A small zoom control horizontal range slider that can help with very large decision trees.
+- A drop-down allows you to move from Graphic mode to Simple mode.
+- There are also a number of sample CVE in a dropdown that will auto-select a number of steps in the decision tree
+- Use the "Start Decision" to navigate the tree for assesing your prioritization for a vulnerability.
+- You can also import custom decision trees and custom CVE samples for the current decision tree.
+- There is a [data](../data/) folder where there is a number of examples both of schema and examples of exported outputs.
+- You can install this directory as a folder in your public website directory. and expose it. All referenced url's are relative in the scripts and HTML files.
diff --git a/docs/ssvc-calc/index.md b/docs/ssvc-calc/index.md
index 2152c657..7e9df37f 100644
--- a/docs/ssvc-calc/index.md
+++ b/docs/ssvc-calc/index.md
@@ -1,4 +1,5 @@
 # SSVC Calculator
+
-
+
diff --git a/docs/topics/asset_management.md b/docs/topics/asset_management.md
index a86cddaa..5e697623 100644
--- a/docs/topics/asset_management.md
+++ b/docs/topics/asset_management.md
@@ -37,4 +37,3 @@ If an organization does not have an asset management or risk management (see also [Gathering Information About Mission Impact](../reference/decision_points/mission_impact.md)) plan and process in place, then SSVC provides some guidance as to what information is important to vulnerability management decisions and the organization should start capturing, storing, and managing.
-
diff --git a/docs/topics/decision_points_as_bricks.md b/docs/topics/decision_points_as_bricks.md
index c60bc044..47aafdea 100644
--- a/docs/topics/decision_points_as_bricks.md
+++ b/docs/topics/decision_points_as_bricks.md
@@ -1,8 +1,8 @@ # Putting the Pieces Together As we have continued to refine our concept of SSVC, we have an increasing understanding of the importance of -[_Decision Points_](../reference/decision_points/index.md) as the foundational blocks from which the rest of the -SSVC concept is built. A second, but less foundational, concept are the [_Outcomes_](../reference/code/outcomes.md) that +[*Decision Points*](../reference/decision_points/index.md) as the foundational blocks from which the rest of the +SSVC concept is built. A second, but less foundational, concept are the [*Outcomes*](../reference/code/outcomes.md) that provide a vocabulary to describe the results of a decision. ## Decision Points and Outcomes as Bricks 
@@ -14,13 +14,13 @@ Over time, we have come to think of decision points and outcomes as the LEGO® LEGO® is a trademark of the [LEGO](https://www.lego.com/) Group of companies which does not sponsor, authorize or endorse this site. LEGO® Bricks come in different shapes and sizes, and they can be combined in different ways to build different structures. -Similarly, decision points come in different shapes and sizes, and they can be combined in different ways to build +Similarly, decision points come in different shapes and sizes, and they can be combined in different ways to build different decision models. -And just as some bricks can be substituted for others to add variation, some decision points are substitutable for others. +And just as some bricks can be substituted for others to add variation, some decision points are substitutable for others. We have realized that part of the value of enumerated decision points is that they provide a way to organize the information that is relevant to a decision. This organization is important because it helps us to understand the decision and to communicate -the decision model to others. +the decision model to others. Decision points and outcomes have a few key characteristics that make them useful for organizing information: 
@@ -32,8 +32,8 @@ Decision points and outcomes have a few key characteristics that make them usefu - **Well-Definedness**: Each decision point has a clear meaning and a clear, ordered set of possible values. This means that the decision point values are not ambiguous or open to interpretation. -In our brick analogy, the toy bricks are similarly independent, discrete, and well-defined. -Independence means that different bricks can serve different purposes in the model. +In our brick analogy, the toy bricks are similarly independent, discrete, and well-defined. +Independence means that different bricks can serve different purposes in the model. The pips on the bricks provide discrete points of attachment to allow bricks to connect together. Well-definedness (specification and manufacturing consistency) allows bricks to be combined effectively. 
@@ -72,15 +72,15 @@ In that scenario, they might think of the kit more as a supply of specific brick Advanced builders need to understand more about what they are trying to build and how the bricks can be combined to build it. The point is that the model kits serve as a starting point with a lot of flexibility, but it is up to the builder -to decide how much of that flexibility to use. +to decide how much of that flexibility to use. ## SSVC Decision Models as Kits Similarly, SSVC provides a set of "bricks" in the form of [decision points](../reference/decision_points/index.md) -and [outcomes](../reference/code/outcomes.md). +and [outcomes](../reference/code/outcomes.md). We have provided a set of [example decision models](../howto/index.md) and [policies](../howto/index.md) to get you started. You might choose to simply use what we've provided as a starting point. -Or you might already recognize that our example gets the structure of the decision model right, +Or you might already recognize that our example gets the structure of the decision model right, but you need to adapt the outcomes or policy to better fit your situation. You might also recognize that you need to combine different example decision models to build the model you need. 
@@ -89,19 +89,18 @@ with the [deployer decision model](../howto/deployer_tree.md) to build a model
 that is relevant to your situation as both a supplier and a deployer. Or, perhaps you have a decision problem that we have not yet addressed with any of our examples.
-In that case, you might examine the [decision points](../reference/decision_points/index.md) we've provided and
+In that case, you might examine the [decision points](../reference/decision_points/index.md) we've provided and
 decide which ones are relevant to your situation. You could choose to customize a decision point to better fit your situation, or you might choose to add a new decision point to better suit your needs.
-This is the embodiment of the _Stakeholder-Specific_ concept in [SSVC](../index.md):
+This is the embodiment of the *Stakeholder-Specific* concept in [SSVC](../index.md):
 SSVC provides the components for you to build your own decision models, and we provide some examples to get you started. If the examples are sufficient for your needs, then you can simply use them as they are.
-But we recognize that you are the expert in your own situation, and that you are in a better position than we are to
+But we recognize that you are the expert in your own situation, and that you are in a better position than we are to
 decide how to combine the provided components to build the decision model you need. If you need to adapt the components we've provided, or if you need to add new components, then we encourage you to do so. And if you think that your adaptations or additions would be useful to others, then we encourage you to share your [suggestions](https://github.com/CERTCC/SSVC/issues), [ideas](https://github.com/CERTCC/SSVC/discussions), and [changes](https://github.com/CERTCC/SSVC/pulls) with the [community](https://github.com/CERTCC/SSVC).
-
diff --git a/docs/topics/decision_trees.md b/docs/topics/decision_trees.md
index e6be7d96..8e03ce6c 100644
--- a/docs/topics/decision_trees.md
+++ b/docs/topics/decision_trees.md
@@ -24,9 +24,11 @@ Examples are located in [SSVC/data](https://github.com/CERTCC/SSVC/tree/main/dat
 An interoperable CSV format is also flexible enough to support a variety of uses. Every situation in SSVC is defined by the values for each decision point and the priority label (outcome) for that situation (as defined in [Likely Decision Points and Relevant Data](../reference/decision_points/index.md)). A CSV will typically be 30-100 rows that each look something like:
+
 ```
 2,none,laborious,partial,significant,scheduled
 ```
+
 Where “2” is the row number, [*none*](../reference/decision_points/exploitation.md) through [*significant*](../reference/decision_points/public_safety_impact.md) are values for decision points, and *scheduled* is a priority label or outcome. Different stakeholders will have different decision points (and so different options for values) and different outcomes, but this is the basic shape of a CSV file to define SSVC stakeholder decisions.
@@ -36,6 +38,7 @@ The tree visualization options are more diverse. We provide an example format,
 and codified it in [src/SSVC_csv-to-latex.py](https://github.com/CERTCC/SSVC/tree/main/src). Why have we gone to this trouble when (for example) the R data.tree package has a handy print-to-ASCII function? Because this function produces output like the following:
+
 ```
 1 start
 2 ¦--AV:N
diff --git a/docs/topics/enumerating_decisions.md b/docs/topics/enumerating_decisions.md
index 9ce6de99..3e228a97 100644
--- a/docs/topics/enumerating_decisions.md
+++ b/docs/topics/enumerating_decisions.md
@@ -12,8 +12,6 @@ Some decision makers may have different responsibilities in relation to differen
 - A web browser developer makes decisions about applying patches to DNS lookup libraries and transport layer security (TLS) libraries.
 - A video game developer makes decisions about applying patches released to the Unreal Engine.
 - A medical device developer makes decisions about applying patches to the Linux kernel.
-
-
 One might view applying patches as including some development and distribution of the updated product. Or one might take the converse view, that development includes updating libraries.
@@ -33,7 +31,6 @@ SSVC models the decision of to be agnostic to whether or not a patch is available. If their decisions are explicit, then the decision makers can use the recommendations from this documentation that are relevant to them.
-
 !!! tip "The Stakeholder Role / Decision Identity"
 As we have continued to develop SSVC and received feedback from SSVC implementers, we've found that similar
@@ -57,7 +54,6 @@ If their decisions are explicit, then the decision makers can use the recommenda
 - [Coordinator deciding whether to coordinate a case](../howto/coordination_triage_decision.md)
 - [Coordinator deciding whether to publish about a case](../howto/publication_decision.md)
-
 ## Enumerating Vulnerability Management Units of Work
 !!! example inline end "Stakeholder Units of Work"
@@ -80,9 +76,9 @@ Coordinators might make triage decisions on individual reports, but then make pu
 ### Aggregation of SSVC Across Units of Work
-SSVC users should answer the suggested questions for whatever discrete unit of work they are considering.
-There is not necessarily a reliable function to aggregate a recommendation about remediation out of its constituent
-vulnerabilities.
+SSVC users should answer the suggested questions for whatever discrete unit of work they are considering.
+There is not necessarily a reliable function to aggregate a recommendation about remediation out of its constituent
+vulnerabilities.
 For the sake of simplicity of examples, we treat the remediation as a patch of one vulnerability, and comment on any
 difficulty in generalizing our advice to a more complex patch where appropriate.
@@ -99,8 +95,6 @@ difficulty in generalizing our advice to a more complex patch where appropriate.
 Mitigating actions may include software configuration changes, adding firewall ACLs, or otherwise limiting the system's exposure to reduce the risk of the impact of the vulnerability; or accepting the risk.
-
-
 ## Enumerating Action Priority
 !!! example inline end "Decision Outcomes and Action Priority"
@@ -120,10 +114,9 @@ lead to different priorities.
 For example, some suppliers might need to map their vulnerability response decisions onto a specific set of service level expectations (SLEs) set by their contractual obligations to their customers. Similarly, deployers might need to integrate
-their decisions into a broader risk management framework or
+their decisions into a broader risk management framework or
 [IT Service Management](https://en.wikipedia.org/wiki/IT_service_management) (ITSM) process.
-
 !!! example "SSVC, Vulnerability Response, and Risk Management Processes"
 A few examples from the US Government of organizational process requirements that can affect the decision
@@ -137,6 +130,3 @@ their decisions into a broader risk management framework or
 SSVC implementers in organizations subject to requirements like these may need to adapt their decision models to ensure that they are consistent with the requirements of the organization's broader risk management and ITSM processes.
-
-
-
diff --git a/docs/topics/enumerating_stakeholders.md b/docs/topics/enumerating_stakeholders.md
index 91adc98f..e6e05a74 100644
--- a/docs/topics/enumerating_stakeholders.md
+++ b/docs/topics/enumerating_stakeholders.md
@@ -36,5 +36,3 @@ In [Enumerating Decisions](./enumerating_decisions.md), we describe the decision
 While C-level executives and public policy professionals often make, shape, or incentivize decisions about managing information systems, they are not the target audience, either. To the extent that decision trees for vulnerability management help higher level policy decisions, we believe the best way to help policy makers is by making technical decisions more transparent and explainable. Policy makers may see indirect benefits, but they are not our primary audience and we are not designing an approach for them directly.
-
-
diff --git a/docs/topics/evaluation_of_draft_trees.md b/docs/topics/evaluation_of_draft_trees.md
index d4ea0bc3..8de54a65 100644
--- a/docs/topics/evaluation_of_draft_trees.md
+++ b/docs/topics/evaluation_of_draft_trees.md
@@ -1,5 +1,4 @@
-
 # Evaluation of the Draft Trees
 We conducted a pilot test on the adequacy of the hypothesized decision trees.
@@ -39,13 +38,13 @@ In some domains, namely exploit availability, we have started that work in paral The structure of the pilot test is as follows. The next table provides an example of the information provided to each analyst. The supplier portfolio details use ~~strikeout font~~ because this decision item was removed after the pilot. The decision procedure for each case is as follows: for each analyst, for each vulnerability, for each stakeholder group, do the following. -1. Start at the root node of the relevant decision tree (deployer or supplier). +1. Start at the root node of the relevant decision tree (deployer or supplier). -2. Document the decision branch that matches the vulnerability for this stakeholder context. +2. Document the decision branch that matches the vulnerability for this stakeholder context. -3. Document the evidence that supports that decision. +3. Document the evidence that supports that decision. -4. Repeat this decision-and-evidence process until the analyst reaches a leaf node in the tree. +4. Repeat this decision-and-evidence process until the analyst reaches a leaf node in the tree. Table: Example of Scenario Information Provided to Analysts (Using [CVE-2019-9042](https://nvd.nist.gov/vuln/detail/CVE-2019-9042) as the Example) 
@@ -130,7 +129,6 @@ This solution identifies another difficulty of Fleiss’ kappa, namely that it d Nonetheless, *k* provides some way to measure improvement on this a conceptual engineering task. The pilot evaluation can be repeated, with more diverse groups of stakeholders after the descriptions have been refined by stakeholder input, to measure fit to this goal. For a standard to be reliably applied across different analyst backgrounds, skill sets, and cultures, a set of decision point descriptions should ideally achieve *k* of 1 for each item in multiple studies with diverse participants. Such a high level of agreement would be difficult to achieve, but it would ensure that when two analysts assign a priority with the system that they get the same answer. Such agreement is not the norm with CVSS currently [@allodi2018effect]. - Table: SSVC pilot scores compared with the CVSS base scores for the vulnerabilities provided by NVD. | CVE-ID | Representative SSVC decision values | SSVC recommendation (supplier, deployer) | NVD’s CVSS base score | 
@@ -153,19 +151,19 @@ Based on these results, we made about ten changes, some bigger than others. We d The following changes were reflected in the version 1 Section "Decision Trees for Vulnerability Management." - - Technical impact: We clarified that partial/total is decided regarding the system scope definition, which considers a database or a web server program as the “whole” system. Furthermore, “total” also includes any technical impact that exposes authentication credentials to the adversary, if those credentials are to the whole system. +- Technical impact: We clarified that partial/total is decided regarding the system scope definition, which considers a database or a web server program as the “whole” system. Furthermore, “total” also includes any technical impact that exposes authentication credentials to the adversary, if those credentials are to the whole system. - - We added advice for information gathering to answer safety impact and mission impact questions. This change is needed because of the particularly wide variety of background assumptions analysts made that influenced results and agreement. +- We added advice for information gathering to answer safety impact and mission impact questions. This change is needed because of the particularly wide variety of background assumptions analysts made that influenced results and agreement. - - We clarified that “MEF failure” refers to any **one** essential function failing, not failure of all of them. We changed most severe mission impact to “mission failure” to better reflect the relationship between MEFs and the organization’s mission. +- We clarified that “MEF failure” refers to any **one** essential function failing, not failure of all of them. We changed most severe mission impact to “mission failure” to better reflect the relationship between MEFs and the organization’s mission. - - We removed the “supplier portfolio value” question since it had poor agreement, and there is no clear way to correct it. 
We replaced this question with *Utility*, which better captures the relevant kinds of value (namely, to the adversary) of the affected component while remaining amenable to pragmatic analysis.
+- We removed the “supplier portfolio value” question since it had poor agreement, and there is no clear way to correct it. We replaced this question with *Utility*, which better captures the relevant kinds of value (namely, to the adversary) of the affected component while remaining amenable to pragmatic analysis.
- - We clarified that “proof of concept” (see *Exploitation*) includes cases in which existing tooling counts as a PoC. The examples listed are suggestive, not exhaustive.
+- We clarified that “proof of concept” (see *Exploitation*) includes cases in which existing tooling counts as a PoC. The examples listed are suggestive, not exhaustive.
- - We reorganized the decision trees based on which items are easier to gather information for or which ones have a widely verifiable state. This change moved *exploitation* to the first question.
+- We reorganized the decision trees based on which items are easier to gather information for or which ones have a widely verifiable state. This change moved *exploitation* to the first question.
- - We changed the decision tree results such that if exposure is “small,” then the resulting priority is lower than before the pilot study. That is, “small” exposure has a stronger effect on reducing urgency.
+- We changed the decision tree results such that if exposure is “small,” then the resulting priority is lower than before the pilot study. That is, “small” exposure has a stronger effect on reducing urgency.
 ### Questions Removed as Ineffective
diff --git a/docs/topics/formalization_options.md b/docs/topics/formalization_options.md
index b96676bb..75d8d14e 100644
--- a/docs/topics/formalization_options.md
+++ b/docs/topics/formalization_options.md
@@ -45,4 +45,3 @@ We use decision trees in the tradition of decision analysis, not ML.
 | *Other ML* | :x: | Maybe | :x: | :x: | :x: | :x: |
 | *Boolean First Order Logics* | Maybe | Maybe | :white_check_mark: | :white_check_mark: | :white_check_mark: | Maybe |
 | *Decision Trees* | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
-
diff --git a/docs/topics/future_work.md b/docs/topics/future_work.md
index 61588546..05d09574 100644
--- a/docs/topics/future_work.md
+++ b/docs/topics/future_work.md
@@ -2,7 +2,7 @@ We intend SSVC to offer a workable baseline from which to improve and refine a vulnerability-prioritization methodology. We are working to improve SSVC.
-Several of the future work items in this section have issues associated with them on the SSVC GitHub page (https://github.com/CERTCC/SSVC/issues), which is a good place to go to check on progress or help.
+Several of the future work items in this section have issues associated with them on the SSVC GitHub page (), which is a good place to go to check on progress or help.
 Plans for future work focus on further requirements gathering, analysis of types of risk, and further testing of the reliability of the decision process.
 ## Requirements Gathering via Sociological Research
@@ -10,9 +10,9 @@ Plans for future work focus on further requirements gathering, analysis of types The community should know what users of a vulnerability prioritization system want. To explore their needs, it is important to understand how people actually use CVSS and what they think it tells them. In general, such empirical, grounded evidence about what practitioners and decision makers want from vulnerability scoring is lacking. -We have based SSVC’s methodology on multiple decades of professional experience and myriad informal conversations with practitioners. -Such evidence is not a bad place to start, but it does not lend itself to examination and validation by others. -The purpose of understanding practitioner expectations is to inform what a vulnerability-prioritization methodology should actually provide by matching it to what people need or expect. +We have based SSVC’s methodology on multiple decades of professional experience and myriad informal conversations with practitioners. +Such evidence is not a bad place to start, but it does not lend itself to examination and validation by others. +The purpose of understanding practitioner expectations is to inform what a vulnerability-prioritization methodology should actually provide by matching it to what people need or expect. The method this future work should take is long-form, structured interviews. We do not expect anyone to have access to enough consumers of CVSS to get statistically valid results out of a short survey, nor to pilot a long survey. 
@@ -43,7 +43,6 @@ The “credible effects” to consider are those of all vulnerabilities remediat
 How exactly to aggregate these different effects is not currently specified except to say that the unit of analysis is the whole work item. Future work should provide some examples of how this holistic analysis of multiple vulnerabilities remediated in one patch should be conducted.
-
 ## Further Decision Tree Testing
 More testing with diverse analysts is necessary before the decision trees are reliable. In this context, **reliable** means that two analysts, given the same vulnerability description and decision process description, will reach the same decision. Such reliability is important if scores and priorities are going to be useful. If they are not reliable, they will vary widely over time and among analysts. Such variability makes it impossible to tell whether a difference in scores is really due to one vulnerability being higher priority than other.
diff --git a/docs/topics/index.md b/docs/topics/index.md
index eff8e9f3..d1e73a6d 100644
--- a/docs/topics/index.md
+++ b/docs/topics/index.md
@@ -11,7 +11,6 @@ [SSVC How-To](../howto/index.md) provides practical guidance for implementing SSVC in your organization. For technical reference, see [Reference](../reference/index.md).
-
 This documentation defines a testable Stakeholder-Specific Vulnerability Categorization (SSVC) for prioritizing actions during vulnerability management. The stakeholders in vulnerability management are diverse. This diversity must be accommodated in the main functionality, rather than squeezed into hard-to-use optional features.
@@ -23,7 +22,6 @@ As such, the modeling framework is important but difficult to pin down. We approach this problem as a satisficing process. We do not seek optimal formalisms, but an adequate formalism.
-
 ## Key Concepts in SSVC Decision Models
 SSVC models individual vulnerability management decisions. It is built around the following concepts:
@@ -34,14 +32,13 @@ SSVC models individual vulnerability management decisions. It is built around th
 are an ordered set of enumerated values. They are ordered because they are sortable in some dimension, usually having to do with priority or urgency. They are enumerated because they are finite and discrete.
 - **Outcomes** are the dependent variables that are relevant to the decision. Each outcome represents a different
- possible result of the decision.
-- **Outcome Values** are the possible values for an Outcome. Outcomes are similarly defined as an ordered set of
+ possible result of the decision.
+- **Outcome Values** are the possible values for an Outcome. Outcomes are similarly defined as an ordered set of
 enumerated values, usually indicating a priority or urgency.
 - A **Policy** is a mapping from each combination of decision point values to the set of outcome values.
 - A **Decision Function** is a function that accepts a set of decision point values and returns an outcome value based on a policy.
-
 ```mermaid --- title: Decision Points and Values
@@ -69,7 +66,6 @@ flowchart LR
 Policy --> Outcomes
 ```
-
 !!! question "Where do the trees come in?"
 Our initial concept for SSVC's decision modeling was based on decision trees.
@@ -89,7 +85,7 @@ flowchart LR
 convenient way to visualize the decision function, but they are not a requirement of the model.
 ## Topics Overview
-
+
 The remainder of this section is organized as follows:
diff --git a/docs/topics/information_sources.md b/docs/topics/information_sources.md
index 2e080f6f..3ed11424 100644
--- a/docs/topics/information_sources.md
+++ b/docs/topics/information_sources.md
@@ -21,7 +21,6 @@ Although the lists are all different, we expect they are all valid information s
 We are not aware of a comparative study of the different lists of active exploits; however, we expect they have similar properties to block lists of network touchpoints [@metcalf2015blocklist] and malware [@kuhrer2014paint]. Namely, each list has a different view and vantage on the problem, which makes them appear to be different, but each list accurately represents its particular vantage at a point in time.
-
 ## System Exposure
 [*System Exposure*](../reference/decision_points/system_exposure.md) could be informed by the various scanning platforms such as Shodan and Shadowserver.
@@ -30,6 +29,7 @@ Such scans do not find all [*open*](../reference/decision_points/system_exposure
 Scanning software, such as the open-source tool Nessus, could be used to scan for connectivity inside an organization to catalogue what devices should be scored [*controlled*](../reference/decision_points/system_exposure.md) if, say, the scan finds them on an internal network where devices regularly connect to the Internet.
 ---
+
 ## Adapting other Information Sources
 Some information sources that were not designed with SSVC in mind can be adapted to work with it.
@@ -54,16 +54,16 @@ The interpretation is different for CVSS version 3 than version 4. That is, if the vulnerability leads to a high impact on the confidentiality and integrity of the vulnerable system, then that is equivalent to total technical impact on the system. -The following considerations are accounted for in this recommendation. +The following considerations are accounted for in this recommendation. 1. A denial of service condition is modeled as a *partial* [*Technical Impact*](../reference/decision_points/technical_impact.md). Therefore, a high availability impact to the vulnerable system should not be mapped to *total* [*Technical Impact*](../reference/decision_points/technical_impact.md) on its own. -2. There may be situations in which a high confidentiality impact is sufficient for total technical impact; for example, disclosure of the root or administrative password for the system leads to total technical control of the system. -So this suggested mapping is a useful heuristic, but there may be exceptions, depending on exactly what the CVSS v4 metric value assignment norms are and become for these situations. +2. There may be situations in which a high confidentiality impact is sufficient for total technical impact; for example, disclosure of the root or administrative password for the system leads to total technical control of the system. +So this suggested mapping is a useful heuristic, but there may be exceptions, depending on exactly what the CVSS v4 metric value assignment norms are and become for these situations. 3. While the Subsequent System impact metric group in CVSS v4 is useful, those concepts are not captured by [*Technical Impact*](../reference/decision_points/technical_impact.md). 
-Subsequent System impacts are captured, albeit in different framings, by decision points such as [*Situated Safety Impact*](../reference/decision_points/safety_impact.md), [*Mission Impact*](../reference/decision_points/mission_impact.md), and [*Value Density*](../reference/decision_points/value_density.md). -There is not a direct mapping between the subsequent system impact metric group and these decision points, except in the case of [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md) and the CVSS v4 environmental metrics for Safety Impact in the subsequent system metric group. -In that case, both definitions map back to the same safety impact standard for definitions (IEC 61508) and so are easily mapped to each other. +Subsequent System impacts are captured, albeit in different framings, by decision points such as [*Situated Safety Impact*](../reference/decision_points/safety_impact.md), [*Mission Impact*](../reference/decision_points/mission_impact.md), and [*Value Density*](../reference/decision_points/value_density.md). +There is not a direct mapping between the subsequent system impact metric group and these decision points, except in the case of [*Public Safety Impact*](../reference/decision_points/public_safety_impact.md) and the CVSS v4 environmental metrics for Safety Impact in the subsequent system metric group. +In that case, both definitions map back to the same safety impact standard for definitions (IEC 61508) and so are easily mapped to each other. #### CVSS v3 and Technical Impact 
@@ -72,10 +72,10 @@ For CVSS v3, the impact metric group cannot be directly mapped to [*Technical Im If the CVSS version 3 value of “Scope” is “Unchanged,” then the recommendation is the same as that for CVSS v4, above, as the impact metric group is information exclusively about the vulnerable system. If the CVSS version 3 value of “Scope” is “Changed,” then the impact metrics may be about either the vulnerable system or the subsequent systems, based on whichever makes the final score higher. Since [*Technical Impact*](../reference/decision_points/technical_impact.md) is based only on the vulnerable system impacts, if "Scope" is "Changed" then the ambiguity between vulnerable and subsequent system impacts is not documented in the vector string. -This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../reference/decision_points/technical_impact.md) value in this case. +This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../reference/decision_points/technical_impact.md) value in this case. !!! tip "Mapping CVSS v3 to Technical Impact" - + Summarizing the discussion above, the mapping between CVSS v3 and [*Technical Impact*](../reference/decision_points/technical_impact.md) is | CVSS Scope | Confidentiality
(C) | Integrity
(I) | Availability
(A) | [*Technical Impact*](../reference/decision_points/technical_impact.md) |
@@ -85,7 +85,6 @@ This ambiguity makes it impossible to cleanly map the [*Technical Impact*](../re
 | Unchanged | Low (L) or None (N) | High (H) | *any* | Partial |
 | Changed | *any* | *any* | *any* | (ambiguous) |
-
 ### CWE and Exploitation
 As mentioned in the discussion of [*Exploitation*](../reference/decision_points/exploitation.md), [CWE](https://cwe.mitre.org/) could be used to inform one of the conditions that satisfy [*proof of concept*](../reference/decision_points/exploitation.md).
diff --git a/docs/topics/items_with_same_priority.md b/docs/topics/items_with_same_priority.md
index 87641842..e1b3f661 100644
--- a/docs/topics/items_with_same_priority.md
+++ b/docs/topics/items_with_same_priority.md
@@ -31,5 +31,3 @@ The priority is equivalent.
 fine-grained priorities within qualitative categories anyway. With our system, organizations can be more deliberate about conveniently organizing work that is of equivalent priority.
-
-
diff --git a/docs/topics/limitations.md b/docs/topics/limitations.md
index c6b365fd..2b2d0bf5 100644
--- a/docs/topics/limitations.md
+++ b/docs/topics/limitations.md
@@ -25,16 +25,16 @@ This is not a calculation of any kind, just an assignment of a label which may m Of course, these labels are dangerous, as they may be misused as numbers. Therefore, we prefer the use *defer*, *scheduled*, etc., as listed in [Enumerating Vulnerability Management Actions](../howto/deployer_tree.md). - + ## Expanded Context We incorporated a wider variety of inputs from contexts beyond the affected component. Some organizations are not prepared or configured to reliably produce such data (e.g., around mission impact or safety impact). There is adequate guidance for how to elicit and curate this type information from various risk management frameworks, including OCTAVE [@caralli2007octave]. Not every organization is going to have sufficiently mature risk management functions to apply SSVC.\ - + This second limitation should be approached with two strategies: 1. Organizations should be encouraged and enabled to mature their risk management capabilities -2. In the meantime, organizations such as NIST could consider developing default advice. +2. In the meantime, organizations such as NIST could consider developing default advice. The most practical framing of this approach might be for the NIST NVD to produce scores from the perspective of a - new stakeholder—something like “national security” or “public well-being” that is explicitly a sort of default + new stakeholder—something like “national security” or “public well-being” that is explicitly a sort of default advice for otherwise uninformed organizations that can then explicitly account for national priorities, such as critical infrastructure. diff --git a/docs/topics/related_systems.md b/docs/topics/related_systems.md index 4a4ed6ee..16c71596 100644 --- a/docs/topics/related_systems.md +++ b/docs/topics/related_systems.md 
@@ -107,7 +107,6 @@ CVSS is one-size-fits-all by design. These customization efforts struggle with adapting CVSS because it was not designed to be adaptable to different stakeholder considerations. The SSVC section [Tree Construction and Customization Guidance](../howto/tree_customization.md) explains how stakeholders or stakeholder communities can adapt SSVC in a reliable way that still promotes repeatability and communication. - ## vPrioritizer vPrioritizer is an open-source project that attempts to integrate asset management and vulnerablity prioritization. @@ -118,5 +117,3 @@ In that sense, it is compatible with any of methods mentioned above or SSVC. However, SSVC would be better suited to address vPrioritizer's broad spectrum asset management data. For example, vPrioritizer aims to collect data points on topics such as asset significance. Asset significance could be expressed through the SSVC decision points of [*Mission Impact*](../reference/decision_points/mission_impact.md) and situated [*Well-being Impact*](../reference/decision_points/human_impact.md), but it does not have a ready expression in CVSS, EPSS, or VPR. - - diff --git a/docs/topics/representing_information.md b/docs/topics/representing_information.md index 0d09753f..d5c6f471 100644 --- a/docs/topics/representing_information.md +++ b/docs/topics/representing_information.md @@ -1,7 +1,7 @@ # Representing Information for Decisions About Vulnerabilities We propose that decisions about vulnerabilities—rather than their severity—are a more useful approach. -Our design goals for the decision-making process are to +Our design goals for the decision-making process are to - clearly define whose decisions are involved - properly use evidentiary categories 
@@ -35,23 +35,22 @@ Therefore, under a Gaussian error distribution, 8.9 is really 60\% high and 40\% SSVC decisions should be distinct and crisp, without such statistical overlaps. We avoid numerical representations for either inputs or outputs of a vulnerability management decision process. -Quantified metrics are more useful when +Quantified metrics are more useful when -1. data for decision making is available, and +1. data for decision making is available, and 2. the stakeholders agree on how to measure. Vulnerability management does not yet meet either criterion. Furthermore, it is not clear to what extent measurements about a vulnerability can be informative about other vulnerabilities. Each vulnerability has a potentially unique relationship to the socio-technical system in which it exists, including the Internet. - ## Be Based on Reliably Available Evidence Vulnerability management decisions are often contextual: given what is known at the time, the decision is to do X. But what is known can change over time, which can and should influence the decision. The context of the vulnerability, and the systems it impacts, are inextricably linked to managing it. Some information about the context will be relatively static over time, such as the contribution of a system to an organization's mission. -Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks. +Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks. Temporal and environmental considerations should be primary, not optional as they are in CVSS. We discuss the temporal aspects further in [Information Changes over Time](../howto/bootstrap/use.md). 
@@ -65,9 +64,9 @@ Transparency should improve trust in the results. Finally, any result of a decision-making process should be **explainable** Explainable is defined and used with its common meaning, not as it is used in the research area of explainable artificial intelligence. An explanation should make the process intelligible to an interested, competent, non-expert person. -There are at least two reasons common explainability is important: +There are at least two reasons common explainability is important: -1. for troubleshooting and error correction and +1. for troubleshooting and error correction and 2. for justifying proposed decisions. ## Summary @@ -75,17 +74,16 @@ There are at least two reasons common explainability is important: To summarize, the following are our design goals for a vulnerability management process: - - Outputs are decisions. +- Outputs are decisions. - - Pluralistic recommendations are made among a manageable number of +- Pluralistic recommendations are made among a manageable number of stakeholder groups. - - Inputs are qualitative. +- Inputs are qualitative. - - Outputs are qualitative, and there are no (unjustified) shifts to +- Outputs are qualitative, and there are no (unjustified) shifts to quantitative calculations. - - Process justification is transparent. - - - Results are explainable. +- Process justification is transparent. +- Results are explainable. diff --git a/docs/topics/risk_tolerance_and_priority.md b/docs/topics/risk_tolerance_and_priority.md index 631be2dc..e738e411 100644 --- a/docs/topics/risk_tolerance_and_priority.md +++ b/docs/topics/risk_tolerance_and_priority.md 
@@ -21,11 +21,10 @@ A successful vulnerability management practice must balance at least two risks: problems that could arise from making changes to production systems. 2. **Vulnerability risk**: the potential costs of incidents resulting from exploitation of vulnerable systems - In developing the decision trees in this document, we had in mind stakeholders with a moderate tolerance for risk. The resulting trees reflect that assumption. Organizations may of course be more or less conservative in their own vulnerability management practices, and we cannot presume to determine how an organization should balance their risk. We therefore remind our readers that the labels on the trees (defer, immediate, etc.) can and should be customized to -suit the needs of individual stakeholders wherever necessary and appropriate. +suit the needs of individual stakeholders wherever necessary and appropriate. --- @@ -37,5 +36,3 @@ suit the needs of individual stakeholders wherever necessary and appropriate. the most urgent response. - On the other hand, an organization with a high aversion to vulnerability risk could elevate the priority of many branches to ensure fixes are deployed quickly. - - diff --git a/docs/topics/state_of_practice.md b/docs/topics/state_of_practice.md index e2009777..a9c0997e 100644 --- a/docs/topics/state_of_practice.md +++ b/docs/topics/state_of_practice.md @@ -1,5 +1,4 @@ - # Current state of practice **Vulnerability management** covers “the discovery, analysis, and handling of new or reported security vulnerabilities in information systems \[and\] the detection of and response to known vulnerabilities in order to prevent them from being exploited” [@csirtservices_v2]. diff --git a/docs/topics/vulnerability_management_decisions.md b/docs/topics/vulnerability_management_decisions.md index 9744d8fd..6edc2258 100644 --- a/docs/topics/vulnerability_management_decisions.md +++ b/docs/topics/vulnerability_management_decisions.md 
@@ -8,4 +8,3 @@ The “what” is about the scope, both in how the affected system is defined an While we strive to make our examples realistic, we invite the community to engage and conduct empirical assessments to test them. The following construction should be treated as an informed hypothesis rather than a conclusion. - diff --git a/docs/topics/worked_example.md b/docs/topics/worked_example.md index 21542a34..ba00739b 100644 --- a/docs/topics/worked_example.md +++ b/docs/topics/worked_example.md @@ -43,7 +43,7 @@ use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select [*small*](../reference/decision_points/system_exposure.md) and move on to ask about mission impact. -According to the fictional pilot scenario, +According to the fictional pilot scenario, > Our mission dictates that the first and foremost priority is to contribute to human welfare and to uphold the Hippocratic oath (do no harm). diff --git a/docs/tutorials/index.md b/docs/tutorials/index.md index ba3c6f09..802ff565 100644 --- a/docs/tutorials/index.md +++ b/docs/tutorials/index.md @@ -44,9 +44,6 @@ SSVC can be used in conjunction with other tools and methodologies to help prior This information can be used to inform the [Exploitation](../reference/decision_points/exploitation.md) decision point in the [Supplier](../howto/supplier_tree.md), [Deployer](../howto/deployer_tree.md), and [Coordinator Publication](../howto/publication_decision.md) decision models. - - - ## Videos Provided below are videos that provide an overview of SSVC and the implementation of decision models. 
@@ -71,6 +68,6 @@ We've collected a list of articles and blog posts that provide additional inform | SEI | [Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization](https://insights.sei.cmu.edu/blog/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization/) | | CISA | [Stakeholder-Specific Vulnerability Categorization (SSVC)](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) | | Qualys | [Effective Vulnerability Management with Stakeholder Specific Vulnerability Categorization (SSVC) and Qualys TruRisk](https://blog.qualys.com/product-tech/2022/11/30/effective-vulnerability-management-with-ssvc-and-qualys-trurisk) | -| Vulcan Cyber | [The SSVC risk prioritization method: what it is, when to use it, and alternatives](https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/) | +| Vulcan Cyber | [The SSVC risk prioritization method: what it is, when to use it, and alternatives](https://vulcan.io/blog/the-ssvc-risk-prioritization-method-what-it-is-when-to-use-it-and-alternatives/) | -Have a link to something we missed? Let us know in an [issue](https://github.com/CERTCC/SSVC/issues/new). \ No newline at end of file +Have a link to something we missed? Let us know in an [issue](https://github.com/CERTCC/SSVC/issues/new). diff --git a/src/README.md b/src/README.md index 84b8f226..e90e39d1 100644 --- a/src/README.md +++ b/src/README.md 
@@ -7,13 +7,14 @@ This directory holds helper scripts that can make managing or using SSVC easier. This python script takes a CSV of the format in the `../data` directory and gets you (most of the way) to a pretty decision tree visualization. It creates a LaTeX file that can create a PDF (and from there, a PNG or whatever you want). `python SSVC_csv-to-latex.py --help` works and should explain all your options. -When the script finishes, it will also print a message with instructions for creating the PDF or PNG from the tex. A potential future improvement is to call `latexmk` directly from the python script. +When the script finishes, it will also print a message with instructions for creating the PDF or PNG from the tex. A potential future improvement is to call `latexmk` directly from the python script. Example usage: + ``` python SSVC_csv-to-latex.py --input=../data/ssvc_2_deployer_simplified.csv --output=tmp.tex --delim="," --columns="0,2,1" --label="3" --header-row --priorities="defer, scheduled, out-of-cycle, immediate" ``` Dependencies: LaTeX. -To install latex, see https://www.latex-project.org/get/ -`latexmk` is a helper script that is not included in all distributions by default; if you need it, see https://ctan.org/pkg/latexmk/?lang=en +To install latex, see +`latexmk` is a helper script that is not included in all distributions by default; if you need it, see From 9c3f608d95ce42dad7908ea85151d2c7f300e66f Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 19 Feb 2025 15:34:51 -0500 Subject: [PATCH 22/31] add semantic versioning validator to _Versioned mixin (#696) --- requirements.txt | 1 + src/ssvc/_mixins.py | 20 +++++++++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 0799221f..c22d2613 100644 --- a/requirements.txt +++ b/requirements.txt @@ -14,3 +14,4 @@ scikit-learn==1.6.1 jsonschema==4.23.0 networkx==3.4.2 pydantic==2.10.6 +semver==3.0.2 \ No newline at end of file 
diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 6eb4c507..414c99e1 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -17,7 +17,8 @@ from typing import Optional -from pydantic import BaseModel, ConfigDict +from pydantic import BaseModel, ConfigDict, field_validator +from semver import Version from . import _schemaVersion @@ -30,6 +31,23 @@ class _Versioned(BaseModel): version: str = "0.0.0" schemaVersion: str = _schemaVersion + @field_validator("version") + @classmethod + def validate_version(cls, value): + """ + Validate the version field. + Args: + value: a string representing a version number + + Returns: + a fully qualified version number + + Raises: + ValueError: if the value is not a valid version number + """ + version = Version.parse(value, optional_minor_and_patch=True) + return version.__str__() + class _Namespaced(BaseModel): """ From c97ea2af8877d28496e9a05cd60135edbfa2002c Mon Sep 17 00:00:00 2001 
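Review bot: `validate_version` silently rewrites the stored value, and the docstring does not say so: with `optional_minor_and_patch=True`, an input such as `"1"` or `"1.2"` is accepted and stored as `"1.0.0"` / `"1.2.0"`, so a caller that later compares `model.version` with the string it passed in will see a mismatch; I would add to the Returns section `a canonical MAJOR.MINOR.PATCH string; partial inputs like "1" or "1.2" are normalized, so the stored value may differ from the input`. The last line reads more idiomatically as `return str(version)` rather than `return version.__str__()`. Note also that pydantic field validators do not run on the field default, so the `"0.0.0"` default bypasses this check — harmless now because it is already canonical, but worth a one-line comment next to the default so that a future non-canonical default is not assumed to be validated.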
From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:56:52 -0500 Subject: [PATCH 23/31] Add CVSS vector elements as decision point docs (#691) * add markdown-exec plugin and doc_helpers in prep for inlining examples * add consistent VERSIONS and LATEST to decision point modules * use inline python to generate examples * replace markdown includes with inline python * remove generated static examples now provided at site build time using inline python * regenerate some json examples based on recent changes to python * update doctools.py to only generate the .json example files inline examples are now down with inline python in markdown * roll cvss decision point generation into doctools.py * make cvss decision points consistent with VERSIONS and LATEST names * add end-of-file newlines * add / fix unit tests * update cvss supplementals * reorder urgency to be low-to-high * add cvss decision point docs * remove unused impact decision point version * black reformat * fix tests * `markdownlint --fix .` * add semver checks to dp_diff helper method * s/derived from/was developed alongside/ * clarify safety connection --- docs/_includes/automatable_cvss_ssvc.md | 8 + docs/_includes/safety_cvss_ssvc.md | 15 ++ docs/_includes/value_density_cvss_ssvc.md | 8 + docs/reference/decision_points/automatable.md | 4 +- .../decision_points/cvss/attack_complexity.md | 21 +++ .../cvss/attack_requirements.md | 8 + .../decision_points/cvss/attack_vector.md | 22 +++ .../decision_points/cvss/authentication.md | 22 +++ .../decision_points/cvss/automatable.md | 10 ++ .../cvss/availability_impact.md | 22 +++ .../cvss/availability_requirement.md | 22 +++ .../cvss/collateral_damage_potential.md | 22 +++ .../cvss/confidentiality_impact.md | 22 +++ .../cvss/confidentiality_requirement.md | 22 +++ .../decision_points/cvss/exploit_maturity.md | 22 +++ .../decision_points/cvss/impact_bias.md | 8 + docs/reference/decision_points/cvss/index.md | 77 +++++++++ 
.../decision_points/cvss/integrity_impact.md | 22 +++ .../cvss/integrity_requirement.md | 22 +++ .../cvss/privileges_required.md | 22 +++ .../decision_points/cvss/provider_urgency.md | 8 + .../decision_points/cvss/recovery.md | 8 + .../decision_points/cvss/remediation_level.md | 22 +++ .../decision_points/cvss/report_confidence.md | 22 +++ docs/reference/decision_points/cvss/safety.md | 23 +++ docs/reference/decision_points/cvss/scope.md | 8 + .../cvss/subsequent_availability_impact.md | 8 + .../cvss/subsequent_confidentiality_impact.md | 8 + .../cvss/subsequent_integrity_impact.md | 8 + .../cvss/target_distribution.md | 22 +++ .../decision_points/cvss/user_interaction.md | 22 +++ .../decision_points/cvss/value_density.md | 10 ++ .../cvss/vulnerability_response_effort.md | 8 + .../decision_points/public_safety_impact.md | 4 +- .../decision_points/safety_impact.md | 4 +- .../decision_points/value_density.md | 4 +- mkdocs.yml | 35 ++++ .../decision_points/cvss/attack_vector.py | 1 + .../cvss/availability_impact.py | 15 +- .../cvss/confidentiality_impact.py | 10 +- ...{exploitability.py => exploit_maturity.py} | 0 .../decision_points/cvss/integrity_impact.py | 11 +- .../cvss/integrity_requirement.py | 2 +- .../cvss/subsequent_availability_impact.py | 2 +- .../cvss/supplemental/automatable.py | 23 ++- .../cvss/supplemental/provider_urgency.py | 29 +++- .../cvss/supplemental/recovery.py | 24 ++- .../cvss/supplemental/safety.py | 19 ++- .../cvss/supplemental/value_density.py | 19 ++- .../vulnerability_response_effort.py | 34 ++-- src/ssvc/decision_points/helpers.py | 50 ++++-- src/ssvc/decision_points/high_value_asset.py | 1 + src/ssvc/doc_helpers.py | 4 +- src/ssvc/doctools.py | 3 +- src/ssvc/dp_groups/cvss/collections.py | 14 +- src/ssvc/md_gen.py | 154 ++++++++++++++++++ src/ssvc/outcomes/groups.py | 12 +- src/ssvc/policy_generator.py | 16 +- src/test/test_doc_helpers.py | 8 +- src/test/test_schema.py | 22 ++- 60 files changed, 982 insertions(+), 116 deletions(-) 
create mode 100644 docs/_includes/automatable_cvss_ssvc.md create mode 100644 docs/_includes/safety_cvss_ssvc.md create mode 100644 docs/_includes/value_density_cvss_ssvc.md create mode 100644 docs/reference/decision_points/cvss/attack_complexity.md create mode 100644 docs/reference/decision_points/cvss/attack_requirements.md create mode 100644 docs/reference/decision_points/cvss/attack_vector.md create mode 100644 docs/reference/decision_points/cvss/authentication.md create mode 100644 docs/reference/decision_points/cvss/automatable.md create mode 100644 docs/reference/decision_points/cvss/availability_impact.md create mode 100644 docs/reference/decision_points/cvss/availability_requirement.md create mode 100644 docs/reference/decision_points/cvss/collateral_damage_potential.md create mode 100644 docs/reference/decision_points/cvss/confidentiality_impact.md create mode 100644 docs/reference/decision_points/cvss/confidentiality_requirement.md create mode 100644 docs/reference/decision_points/cvss/exploit_maturity.md create mode 100644 docs/reference/decision_points/cvss/impact_bias.md create mode 100644 docs/reference/decision_points/cvss/index.md create mode 100644 docs/reference/decision_points/cvss/integrity_impact.md create mode 100644 docs/reference/decision_points/cvss/integrity_requirement.md create mode 100644 docs/reference/decision_points/cvss/privileges_required.md create mode 100644 docs/reference/decision_points/cvss/provider_urgency.md create mode 100644 docs/reference/decision_points/cvss/recovery.md create mode 100644 docs/reference/decision_points/cvss/remediation_level.md create mode 100644 docs/reference/decision_points/cvss/report_confidence.md create mode 100644 docs/reference/decision_points/cvss/safety.md create mode 100644 docs/reference/decision_points/cvss/scope.md create mode 100644 docs/reference/decision_points/cvss/subsequent_availability_impact.md create mode 100644 
docs/reference/decision_points/cvss/subsequent_confidentiality_impact.md create mode 100644 docs/reference/decision_points/cvss/subsequent_integrity_impact.md create mode 100644 docs/reference/decision_points/cvss/target_distribution.md create mode 100644 docs/reference/decision_points/cvss/user_interaction.md create mode 100644 docs/reference/decision_points/cvss/value_density.md create mode 100644 docs/reference/decision_points/cvss/vulnerability_response_effort.md rename src/ssvc/decision_points/cvss/{exploitability.py => exploit_maturity.py} (100%) create mode 100644 src/ssvc/md_gen.py diff --git a/docs/_includes/automatable_cvss_ssvc.md b/docs/_includes/automatable_cvss_ssvc.md new file mode 100644 index 00000000..61cf80b2 --- /dev/null +++ b/docs/_includes/automatable_cvss_ssvc.md @@ -0,0 +1,8 @@ +!!! tip "CVSS:Automatable vs SSVC:Automatable" + + The [CVSS Automatable](../reference/decision_points/cvss/automatable.md) + vector element was developed alongside the identically named + [Automatable](../reference/decision_points/automatable.md) decision point in + SSVC. We intend for these two decision points to be interchangeable. + The main difference is that the CVSS Automatable accomodates an explicit + _Not Defined_ value, whereas the SSVC Automatable does not. diff --git a/docs/_includes/safety_cvss_ssvc.md b/docs/_includes/safety_cvss_ssvc.md new file mode 100644 index 00000000..9a2af5f4 --- /dev/null +++ b/docs/_includes/safety_cvss_ssvc.md 
@@ -0,0 +1,15 @@ +!!! tip "CVSS:Safety vs SSVC:Public Safety Impact vs SSVC:Safety Impact" + + The [CVSS Safety](../reference/decision_points/cvss/safety.md) vector element + is semantically interchangeable with the + [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md) + decision point. + The main difference is that the [CVSS Safety](../reference/decision_points/cvss/safety.md) + vector element accomodates an explicit _Not Defined_ value, whereas the + [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md) + does not. + + The [SSVC Safety Impact](../reference/decision_points/safety_impact.md) decision point provides a higher-resolution view of the safety impact. + The [SSVC Public Safety Impact](../reference/decision_points/public_safety_impact.md) and + [CVSS Safety](../reference/decision_points/cvss/safety.md) decision points are + lower-resolution views of the safety impact. diff --git a/docs/_includes/value_density_cvss_ssvc.md b/docs/_includes/value_density_cvss_ssvc.md new file mode 100644 index 00000000..11fb85e0 --- /dev/null +++ b/docs/_includes/value_density_cvss_ssvc.md @@ -0,0 +1,8 @@ +!!! tip "CVSS:Value Density vs SSVC:Value Density" + + The [CVSS Value Density](../reference/decision_points/cvss/value_density.md) + vector element was developed alongside the identically named + [Value Density](../reference/decision_points/value_density.md) decision + point in SSVC. We intend for these two decision points to be interchangeable. + The main difference is that the CVSS Value Density accomodates an explicit + _Not Defined_ value, whereas the SSVC Value Density does not. diff --git a/docs/reference/decision_points/automatable.md b/docs/reference/decision_points/automatable.md index f3b1cedd..69259cfa 100644 --- a/docs/reference/decision_points/automatable.md +++ b/docs/reference/decision_points/automatable.md 
@@ -1,4 +1,4 @@ -# Automatable +# Automatable (SSVC) ```python exec="true" idprefix="" from ssvc.decision_points.automatable import LATEST @@ -12,6 +12,8 @@ print(example_block(LATEST)) Automatable combines with [Value Density](./value_density.md) to inform [Utility](./utility.md) +{% include-markdown "../../_includes/automatable_cvss_ssvc.md" %} + *Automatable* captures the answer to the question “Can an attacker reliably automate creating exploitation events for this vulnerability?” !!! question "What are Steps 1-4 of the Kill Chain?" diff --git a/docs/reference/decision_points/cvss/attack_complexity.md b/docs/reference/decision_points/cvss/attack_complexity.md new file mode 100644 index 00000000..909f3a5a --- /dev/null +++ b/docs/reference/decision_points/cvss/attack_complexity.md @@ -0,0 +1,21 @@ +# Attack Complexity + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_complexity import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_complexity import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) +``` diff --git a/docs/reference/decision_points/cvss/attack_requirements.md b/docs/reference/decision_points/cvss/attack_requirements.md new file mode 100644 index 00000000..8474666b --- /dev/null +++ b/docs/reference/decision_points/cvss/attack_requirements.md @@ -0,0 +1,8 @@ +# Attack Requirements + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_requirements import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/cvss/attack_vector.md b/docs/reference/decision_points/cvss/attack_vector.md new file mode 100644 index 00000000..515e39d9 
--- /dev/null +++ b/docs/reference/decision_points/cvss/attack_vector.md @@ -0,0 +1,22 @@ +# Attack Vector + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_vector import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.attack_vector import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/authentication.md b/docs/reference/decision_points/cvss/authentication.md new file mode 100644 index 00000000..f7c92e09 --- /dev/null +++ b/docs/reference/decision_points/cvss/authentication.md @@ -0,0 +1,22 @@ +# Authentication + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.authentication import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.authentication import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/automatable.md b/docs/reference/decision_points/cvss/automatable.md new file mode 100644 index 00000000..cc3ccc25 --- /dev/null +++ b/docs/reference/decision_points/cvss/automatable.md @@ -0,0 +1,10 @@ +# Automatable (CVSS) + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.supplemental.automatable import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +{% include-markdown "../../../_includes/automatable_cvss_ssvc.md" %} 
diff --git a/docs/reference/decision_points/cvss/availability_impact.md b/docs/reference/decision_points/cvss/availability_impact.md new file mode 100644 index 00000000..5f71b52b --- /dev/null +++ b/docs/reference/decision_points/cvss/availability_impact.md @@ -0,0 +1,22 @@ +# Availability Impact to the Vulnerable System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/availability_requirement.md b/docs/reference/decision_points/cvss/availability_requirement.md new file mode 100644 index 00000000..caf0730e --- /dev/null +++ b/docs/reference/decision_points/cvss/availability_requirement.md @@ -0,0 +1,22 @@ +# Availability Requirement + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_requirement import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.availability_requirement import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/collateral_damage_potential.md b/docs/reference/decision_points/cvss/collateral_damage_potential.md new file mode 100644 index 00000000..b34cd7c5 --- /dev/null +++ b/docs/reference/decision_points/cvss/collateral_damage_potential.md 
@@ -0,0 +1,22 @@ +# Collateral Damage Potential + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.collateral_damage_potential import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.collateral_damage_potential import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/confidentiality_impact.md b/docs/reference/decision_points/cvss/confidentiality_impact.md new file mode 100644 index 00000000..a2d85474 --- /dev/null +++ b/docs/reference/decision_points/cvss/confidentiality_impact.md @@ -0,0 +1,22 @@ +# Confidentiality Impact to the Vulnerable System + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.confidentiality_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +## Previous Versions + +Following are the previous versions of the decision point: + +```python exec="true" idprefix="" +from ssvc.decision_points.cvss.confidentiality_impact import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) + print("\n---\n") +``` diff --git a/docs/reference/decision_points/cvss/confidentiality_requirement.md b/docs/reference/decision_points/cvss/confidentiality_requirement.md new file mode 100644 index 00000000..e65e354a --- /dev/null +++ b/docs/reference/decision_points/cvss/confidentiality_requirement.md 
@@ -0,0 +1,22 @@
+# Confidentiality Requirement
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.confidentiality_requirement import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.confidentiality_requirement import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/exploit_maturity.md b/docs/reference/decision_points/cvss/exploit_maturity.md
new file mode 100644
index 00000000..5d8ddab2
--- /dev/null
+++ b/docs/reference/decision_points/cvss/exploit_maturity.md
@@ -0,0 +1,22 @@
+# Exploit Maturity
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.exploit_maturity import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.exploit_maturity import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/impact_bias.md b/docs/reference/decision_points/cvss/impact_bias.md
new file mode 100644
index 00000000..65ac3599
--- /dev/null
+++ b/docs/reference/decision_points/cvss/impact_bias.md
@@ -0,0 +1,8 @@
+# Impact Bias
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.impact_bias import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/cvss/index.md b/docs/reference/decision_points/cvss/index.md
new file mode 100644
index 00000000..74c9fa53
--- /dev/null
+++ b/docs/reference/decision_points/cvss/index.md
@@ -0,0 +1,77 @@
+# CVSS Decision Points
+
+!!! tip inline end "For more information"
+
+ For more information on the CVSS specification, please refer to the
+ [CVSS Specifications](https://www.first.org/cvss/).
+
+For convenience, we have provide a list of decision points that are based
+on the CVSS specification. These decision points can be used to model various
+decisions based on CVSS vector elements.
+
+## Decision Points
+
+The following list of CVSS vector elements have been modeled as SSVC decision
+points for use in vulnerability response and security decision modeling.
+We have organized them into groups according to where they belong in the
+[CVSS v4.0 specification document](https://www.first.org/cvss/v4.0/specification-document).
+
+!!! info "About CVSS Decision Point Versions"
+
+ We have modeled our CVSS-based decision points using the SSVC versioning scheme.
+ Therefore, some decision points may have multiple versions as the concepts have
+ been refined over different versions of the CVSS specification. These versions
+ do _not_ correspond the CVSS specification versions (2.0, 3.0, 3.1, 4.0 etc.).
+
+### Base Metrics
+
+- [Attack Vector](attack_vector.md)
+- [Attack Complexity](attack_complexity.md)
+- [Attack Requirements](attack_requirements.md)
+- [Privileges Required](privileges_required.md)
+- [User Interaction](user_interaction.md)
+- [Confidentiality Impact](confidentiality_impact.md)
+- [Subsequent Confidentiality Impact](subsequent_confidentiality_impact.md)
+- [Integrity Impact](integrity_impact.md)
+- [Subsequent Integrity Impact](subsequent_integrity_impact.md)
+- [Availability Impact](availability_impact.md)
+- [Subsequent Availability Impact](subsequent_availability_impact.md)
+
+### Threat Metrics
+
+- [Exploit Maturity](exploit_maturity.md) +
+
+### Environmental Metrics
+
+- [Confidentiality Requirement](confidentiality_requirement.md)
+- [Integrity Requirement](integrity_requirement.md)
+- [Availability Requirement](availability_requirement.md)
+
+### Supplemental Metrics
+
+- [Safety](safety.md)
+- [Automatable](automatable.md)
+- [Provider Urgency](provider_urgency.md)
+- [Recovery](recovery.md)
+- [Value Density](value_density.md)
+- [Vulnerability Response Effort](vulnerability_response_effort.md)
+
+### Older Metrics
+
+- [Authentication](authentication.md)
+- [Collateral Damage Potential](collateral_damage_potential.md)
+- [Impact Bias](impact_bias.md)
+- [Remediation Level](remediation_level.md)
+- [Report Confidence](report_confidence.md)
+- [Scope](scope.md)
+- [Target Distribution](target_distribution.md)
diff --git a/docs/reference/decision_points/cvss/integrity_impact.md b/docs/reference/decision_points/cvss/integrity_impact.md
new file mode 100644
index 00000000..f31dbdc3
--- /dev/null
+++ b/docs/reference/decision_points/cvss/integrity_impact.md
@@ -0,0 +1,22 @@
+# Integrity Impact to the Vulnerable System
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.integrity_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.integrity_impact import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/integrity_requirement.md b/docs/reference/decision_points/cvss/integrity_requirement.md
new file mode 100644
index 00000000..99e031f1
--- /dev/null
+++ b/docs/reference/decision_points/cvss/integrity_requirement.md
@@ -0,0 +1,22 @@
+# Integrity Requirement
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.integrity_requirement import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.integrity_requirement import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/privileges_required.md b/docs/reference/decision_points/cvss/privileges_required.md
new file mode 100644
index 00000000..a3704e84
--- /dev/null
+++ b/docs/reference/decision_points/cvss/privileges_required.md
@@ -0,0 +1,22 @@
+# Privileges Required
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.privileges_required import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.privileges_required import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/provider_urgency.md b/docs/reference/decision_points/cvss/provider_urgency.md
new file mode 100644
index 00000000..f0fd62fd
--- /dev/null
+++ b/docs/reference/decision_points/cvss/provider_urgency.md
@@ -0,0 +1,8 @@
+# Provider Urgency
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.supplemental.provider_urgency import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/cvss/recovery.md b/docs/reference/decision_points/cvss/recovery.md
new file mode 100644
index 00000000..6798a108
--- /dev/null
+++ b/docs/reference/decision_points/cvss/recovery.md
@@ -0,0 +1,8 @@
+# Recovery
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.supplemental.recovery import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/cvss/remediation_level.md b/docs/reference/decision_points/cvss/remediation_level.md
new file mode 100644
index 00000000..0f06a9f1
--- /dev/null
+++ b/docs/reference/decision_points/cvss/remediation_level.md
@@ -0,0 +1,22 @@
+# Remediation Level
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.remediation_level import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.remediation_level import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/report_confidence.md b/docs/reference/decision_points/cvss/report_confidence.md
new file mode 100644
index 00000000..a95ac406
--- /dev/null
+++ b/docs/reference/decision_points/cvss/report_confidence.md
@@ -0,0 +1,22 @@
+# Report Confidence
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.report_confidence import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.report_confidence import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/safety.md b/docs/reference/decision_points/cvss/safety.md
new file mode 100644
index 00000000..e205d7b3
--- /dev/null
+++ b/docs/reference/decision_points/cvss/safety.md
@@ -0,0 +1,23 @@
+# Safety
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.supplemental.safety import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+{% include-markdown "../../../_includes/safety_cvss_ssvc.md" %}
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.supplemental.safety import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+```
diff --git a/docs/reference/decision_points/cvss/scope.md b/docs/reference/decision_points/cvss/scope.md
new file mode 100644
index 00000000..e7168659
--- /dev/null
+++ b/docs/reference/decision_points/cvss/scope.md
@@ -0,0 +1,8 @@
+# Scope
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.scope import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/cvss/subsequent_availability_impact.md b/docs/reference/decision_points/cvss/subsequent_availability_impact.md
new file mode 100644
index 00000000..3eb241b2
--- /dev/null
+++ b/docs/reference/decision_points/cvss/subsequent_availability_impact.md
@@ -0,0 +1,8 @@
+# Availability Impact to the Subsequent System
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.subsequent_availability_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/cvss/subsequent_confidentiality_impact.md b/docs/reference/decision_points/cvss/subsequent_confidentiality_impact.md
new file mode 100644
index 00000000..e0b6e8a8
--- /dev/null
+++ b/docs/reference/decision_points/cvss/subsequent_confidentiality_impact.md
@@ -0,0 +1,8 @@
+# Confidentiality Impact to the Subsequent System
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.subsequent_confidentiality_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/cvss/subsequent_integrity_impact.md b/docs/reference/decision_points/cvss/subsequent_integrity_impact.md
new file mode 100644
index 00000000..43083663
--- /dev/null
+++ b/docs/reference/decision_points/cvss/subsequent_integrity_impact.md
@@ -0,0 +1,8 @@
+# Integrity Impact to the Subsequent System
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.subsequent_integrity_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/cvss/target_distribution.md b/docs/reference/decision_points/cvss/target_distribution.md
new file mode 100644
index 00000000..4c27649e
--- /dev/null
+++ b/docs/reference/decision_points/cvss/target_distribution.md
@@ -0,0 +1,22 @@
+# Target Distribution
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.target_distribution import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.target_distribution import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/user_interaction.md b/docs/reference/decision_points/cvss/user_interaction.md
new file mode 100644
index 00000000..0f03c589
--- /dev/null
+++ b/docs/reference/decision_points/cvss/user_interaction.md
@@ -0,0 +1,22 @@
+# User Interaction
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.user_interaction import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+## Previous Versions
+
+Following are the previous versions of the decision point:
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.user_interaction import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+ print("\n---\n")
+```
diff --git a/docs/reference/decision_points/cvss/value_density.md b/docs/reference/decision_points/cvss/value_density.md
new file mode 100644
index 00000000..885b3bf0
--- /dev/null
+++ b/docs/reference/decision_points/cvss/value_density.md
@@ -0,0 +1,10 @@
+# Value Density (CVSS)
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.supplemental.value_density import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+{% include-markdown "../../../_includes/value_density_cvss_ssvc.md" %}
diff --git a/docs/reference/decision_points/cvss/vulnerability_response_effort.md b/docs/reference/decision_points/cvss/vulnerability_response_effort.md
new file mode 100644
index 00000000..b9b49f93
--- /dev/null
+++ b/docs/reference/decision_points/cvss/vulnerability_response_effort.md
@@ -0,0 +1,8 @@
+# Vulnerability Response Effort
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cvss.supplemental.vulnerability_response_effort import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/public_safety_impact.md b/docs/reference/decision_points/public_safety_impact.md
index 5564ac7f..44b774b0 100644
--- a/docs/reference/decision_points/public_safety_impact.md
+++ b/docs/reference/decision_points/public_safety_impact.md
@@ -7,9 +7,7 @@ from ssvc.doc_helpers import example_block
 print(example_block(LATEST))
 ```
-!!! tip "See also"
-
- - [Safety Impact](./safety_impact.md)
+{% include-markdown "../../_includes/safety_cvss_ssvc.md" %}
 This is a compound decision point, therefore it is a notational convenience.
diff --git a/docs/reference/decision_points/safety_impact.md b/docs/reference/decision_points/safety_impact.md
index 1601cde4..2c9418c4 100644
--- a/docs/reference/decision_points/safety_impact.md
+++ b/docs/reference/decision_points/safety_impact.md
@@ -7,12 +7,12 @@ from ssvc.doc_helpers import example_block
 print(example_block(LATEST))
 ```
+{% include-markdown "../../_includes/safety_cvss_ssvc.md" %}
+
 !!! tip "See also"
 - Safety Impact combines with [Mission Impact](./mission_impact.md) to inform [Human Impact](./human_impact.md).
- - [Public Safety Impact](./public_safety_impact.md) provides a simplified
- version of this decision point.
 We take an expansive view of safety, in which a safety violation is a violation of what the United States [Centers for Disease Control (CDC)](https://www.cdc.gov/hrqol/wellbeing.htm) calls **well-being**. Physical well-being violations are common safety violations, but we also consider economic, social, emotional, and psychological well-being to be important. Weighing fine differences among these categories is probably not possible, so we will not try. Each decision option lists examples of the effects that qualify for that value/answer in the various types of violations of well-being. These examples should not be considered comprehensive or exhaustive, but rather as suggestive.