<div dir="ltr">Hi,<div><br></div><div>I am all into having one source for all the CVSS scores for CVEs, but when this one source doesn't have a fall-back plan or a backup site, it kind of makes it difficult to stick with it.</div>
<div><br></div><div>If you have any alternative or method of still matching CVSS and CVEs without going to some other source besides NVD, I will be happy to hear about it.<br><br><div class="gmail_quote">On Thu, Mar 14, 2013 at 7:53 PM, Christey, Steven M. <span dir="ltr"><<a href="mailto:coley@mitre.org" target="_blank">coley@mitre.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">People who are considering linking from CVEs to CVSS scores using non-NVD external sources should note two things:<br>
<br>
1) The CVSS scores from other sources may be inconsistent with those of NVD, so those who have "standardized" on NVD-based CVSS scores will need to take this into account; when they go back to NVD-based scores, this may cause some sudden changes to trends and statistical analyses. This is unavoidable but something to be aware of (while CVSS strives for consistency, variation still occurs in the real world).<br>
<br>
2) CVSS scores might be over-estimated in some cases if a source "counts" vulnerabilities differently than CVE does. Some external sources might combine multiple CVEs into a single record, but have only a single CVSS score for that record (probably the maximum score of the worst vulnerability). If such a source is used, then CVSS scores for a single CVE might be over-estimated. For example, suppose CVE-1 has a CVSS score of 4.0, and CVE-2 has a CVSS score of 8.0 (ignoring variations in how people do CVSS scoring). If there is a source with a record X that combines CVE-1 and CVE-2, but X only uses the single rollup score of 8.0, then linking from CVE-1 through X could make it appear that CVE-1 has a score of 8.0. As a result, you should consider the abstraction (counting methodology) that is used by whichever source is adopted. If you want greater precision, then you would want a source whose records rarely map to more than one CVE. This should be fairly easy to spot by seeing how vendor advisories such as Microsoft, Cisco, and Red Hat are represented in the source; these vendors (and many others) typically map to more than one CVE, but might only be captured as a single record.<br>
<br>
- Steve<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Thanks,<div>Noam Rathaus</div><div>Beyond Security</div>
</div></div>
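<p>The abstraction problem Steve describes in point 2 (a source record that bundles several CVEs under one rollup score) and the trend drift in point 1 are easy to check for mechanically. The script below is an added example for this thread; it is not code from NVD, MITRE, Beyond Security or either poster. The record format, the sample records and the NVD-like baseline are constructed for illustration, reusing the placeholder IDs (CVE-1, CVE-2, record X) from the quoted message. It attributes a score to a CVE only when the source record covers exactly that one CVE, reports rollup scores as upper bounds instead, and measures how often a source's records map to more than one CVE.</p>

```python
"""Attribute CVSS scores to individual CVEs through an external source whose
records may bundle several CVEs under one rollup score.

Added example for this thread; it is not code from NVD, MITRE or either
poster. The record format and the sample records below are constructed,
using the placeholder IDs (CVE-1, CVE-2, record X) from Steve's message.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceRecord:
    """One record from a hypothetical external CVSS source (constructed)."""
    record_id: str
    cvss: float                       # the single score the source publishes
    cve_ids: list = field(default_factory=list)


# Constructed sample. Record X bundles CVE-1 and CVE-2 under one rollup score,
# record Y covers exactly one CVE, and record Z is a vendor-advisory style
# record covering three CVEs with a single score.
SAMPLE_SOURCE = [
    SourceRecord("X", 8.0, ["CVE-1", "CVE-2"]),
    SourceRecord("Y", 4.0, ["CVE-3"]),
    SourceRecord("Z", 9.3, ["CVE-4", "CVE-5", "CVE-6"]),
]

# Constructed NVD-like baseline for the drift check (values are illustrative).
NVD_LIKE = {"CVE-1": 4.0, "CVE-2": 8.0, "CVE-3": 4.3}


def abstraction_report(records):
    """Return (fraction of records mapping to >1 CVE, ids of those records).

    A quick check of a candidate source's counting methodology: the higher
    the fraction, the more per-CVE lookups will land on a rollup score.
    """
    multi = [r.record_id for r in records if len(r.cve_ids) > 1]
    ratio = len(multi) / len(records) if records else 0.0
    return ratio, multi


def map_cve_scores(records):
    """Return (exact, upper_bound).

    exact: CVE -> score, taken only from records that cover that one CVE.
    upper_bound: CVE -> highest rollup score of the multi-CVE record(s) it
    appears in. A rollup is at best the score of the worst CVE in the bundle,
    so it is reported as a bound, never attributed to the CVE as its own score.
    A CVE that has an exact score is left out of upper_bound even if another
    record also bundles it.
    """
    exact = {}
    bounds = defaultdict(float)
    for r in records:
        if len(r.cve_ids) == 1:
            exact[r.cve_ids[0]] = r.cvss
        else:
            for cve in r.cve_ids:
                bounds[cve] = max(bounds[cve], r.cvss)
    upper_bound = {cve: s for cve, s in bounds.items() if cve not in exact}
    return exact, upper_bound


def score_drift(baseline, other):
    """CVEs whose score differs between two sources (e.g. NVD vs. the
    alternative). Only CVEs with an exact score in both are compared, which
    is what a trend or statistics job would see when it switches sources."""
    return {
        cve: (baseline[cve], other[cve])
        for cve in baseline.keys() & other.keys()
        if baseline[cve] != other[cve]
    }


if __name__ == "__main__":
    ratio, ids = abstraction_report(SAMPLE_SOURCE)
    print(f"{ratio:.0%} of records map to more than one CVE: {ids}")
    exact, upper = map_cve_scores(SAMPLE_SOURCE)
    print("exact per-CVE scores:", exact)
    print("rollup upper bounds only:", upper)
    print("drift vs. baseline:", score_drift(NVD_LIKE, exact))
```

Running it on the constructed sample shows why a naive lookup through record X is wrong: CVE-1 never gets the 8.0 as its score, it only gets 8.0 as a bound, and the abstraction report (two of three records are multi-CVE) tells you up front that this source is too coarse for per-CVE precision.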