[VIM] Linking third-party CVSS scores through CVEs (was: "CVENEW" messages to be posted to VIM during NVD outage)

security curmudgeon jericho at attrition.org
Thu Mar 14 13:14:04 CDT 2013


On Thu, 14 Mar 2013, Christey, Steven M. wrote:

: People who are considering linking from CVEs to CVSS scores using non-NVD external sources should note two things:
: 
: 1) The CVSS scores from other sources may be inconsistent with those of 
: NVD, so those who have "standardized" on NVD-based CVSS scores will need 
: to take this into account; when they go back to NVD-based scores, this 
: may cause some sudden changes to trends and statistical analyses.  This 
: is unavoidable but something to be aware of (while CVSS strives for 
: consistency, variation still occurs in the real world.)

To be very clear though, NVD doesn't have the magical "all our CVSS is 
correct". There are discrepancies, but when those happen, each 
organization should evaluate both scores and pick the one they feel most 
appropriate.



More information about the VIM mailing list