Add tips on balancing SSVC with change risk in Future Work #66

@ahouseholder

Description

Per conversation on 2020-11-11, add some words to future work about balancing vulnerability risk (which is what SSVC is helping you reason about) with change risk (which it currently does not).

We talked about the potential for change risk profiles (startups might tolerate a lot of change risk, whereas regulated manufacturers might have very low tolerance for change risk) and how that might impact how one decides what to do.

SSVC is telling you how urgently you need to think about your risk, not necessarily what you're going to do about it; you can still choose to accept the risk and take no action. But at least you explicitly thought about it rather than inaction just being the default.

Extends #38

Metadata

Labels

enhancement (New feature or request)

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests