NVD makes up vulnerability severity levels

11

NVD makes up vulnerability severity levels practices security daniel.haxx.se
via freddyb 25 days ago | archive
Archive.org Archive.today Ghostarchive
| 5 comments

5

4

freddyb Mozilla Security edited 25 days ago | link

It seems they make up CVSS scores for multiple projects?

As someone involved with CVE assigning at work, I know that e.g., https://nvd.nist.gov/vuln/detail/CVE-2022-46883 did not get a CVSS score from us.

I wonder if we omitted a field or if that’s generally the case…
1. 3
  
  Yogurt edited 24 days ago | link
  
  As a matter of practice NVD re-scores ~~every~~ most CVEs that comes in
  https://nvd.nist.gov/general/cve-process
  This is done because a large number of CVEs that come in are of very low quality and you do need humans in the loop.
  
  If you wrote that CVE you posted then you likely forgot a field if your own score is missing.
  1. 1
    
    freddyb 24 days ago | link
    
    We don’t provide cvss scores at all.
    1. 1
      
      Yogurt 23 days ago | link
      
      that could be it I guess. You might reach out to mitre and/or nvd to ask what’s up
2

Darakian edited 23 days ago | link

“Makes up” severity levels is a strong way to put it, but NVD does have analysts rescore CVEs as a matter of practice and the CVSS scoring guide explicitly states that

The analyst should score for the reasonable worst-case implementation scenario.

That guidance coupled with a coarse grain set of variables and likely a lack of domain knowledge in the analysts leads to a lot of criticals. Definitely a problem, but a social one and not one I think there’s an easy solution to.

For what it’s worth, I’m one of the humans on the GitHub database team and happy to give feedback from the GitHub side.