1. 11

  2. 4

    It seems they make up CVSS scores for multiple projects?

    As someone involved with CVE assigning at work, I know that e.g., https://nvd.nist.gov/vuln/detail/CVE-2022-46883 did not get a CVSS score from us.

    I wonder if we omitted a field or if that’s generally the case…

    1. 3

      As a matter of practice, NVD re-scores most CVEs that come in.
      This is done because a large number of CVEs that come in are of very low quality, and you do need humans in the loop.

      If you wrote that CVE you posted then you likely forgot a field if your own score is missing.

      1. 1

        We don’t provide cvss scores at all.

        1. 1

          That could be it, I guess. You might reach out to MITRE and/or NVD to ask what’s up.

    2. 2

      “Makes up” severity levels is a strong way to put it, but NVD does have analysts rescore CVEs as a matter of practice and the CVSS scoring guide explicitly states that

      The analyst should score for the reasonable worst-case implementation scenario.

      That guidance coupled with a coarse grain set of variables and likely a lack of domain knowledge in the analysts leads to a lot of criticals. Definitely a problem, but a social one and not one I think there’s an easy solution to.

      For what it’s worth, I’m one of the humans on the GitHub database team and happy to give feedback from the GitHub side.