[VIM] Linking third-party CVSS scores through CVEs (was: "CVENEW" messages to be posted to VIM during NVD outage)

Christey, Steven M. coley at mitre.org
Thu Mar 14 12:53:47 CDT 2013


People who are considering linking from CVEs to CVSS scores using non-NVD external sources should note two things:

1) The CVSS scores from other sources may be inconsistent with those of NVD, so those who have "standardized" on NVD-based CVSS scores will need to take this into account; when they go back to NVD-based scores, this may cause some sudden changes to trends and statistical analyses.  This is unavoidable but something to be aware of (while CVSS strives for consistency, variation still occurs in the real world).

2) CVSS scores might be over-estimated in some cases if a source "counts" vulnerabilities differently than CVE does.  Some external sources might combine multiple CVEs into a single record, but have only a single CVSS score for that record (probably the maximum score of the worst vulnerability).  If such a source is used, then CVSS scores for a single CVE might be over-estimated.  For example, suppose CVE-1 has a CVSS score of 4.0, and CVE-2 has a CVSS score of 8.0 (ignoring variations in how people do CVSS scoring).  If there is a source with a record X that combines CVE-1 and CVE-2, but X only uses the single rollup score of 8.0, then linking from CVE-1 through X could make it appear that CVE-1 has a score of 8.0.  As a result, you should consider the abstraction (counting methodology) that is used by whichever source is adopted.  If you want greater precision, then you would want a source whose records rarely map to more than one CVE.  This should be fairly easy to spot by seeing how vendor advisories such as Microsoft, Cisco, and Red Hat are represented in the source; these vendors (and many others) typically map to more than one CVE, but might only be captured as a single record.

- Steve
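The two caveats above (score disagreement between sources, and rollup records that assign one score to several CVEs) can both be checked mechanically before a non-NVD source is adopted. The script below is an added illustration, not part of the original post and not MITRE or NVD code; the record ids, CVE ids (CVE-0000-xxxx) and scores are constructed placeholders, and the 0.5-point tolerance is an arbitrary assumption. It links each CVE to the score of the external record that covers it, flags CVEs whose score was inherited from a multi-CVE record, measures how often the source's records map to more than one CVE (the "abstraction" check), and reports the per-CVE and mean differences against an NVD-style score table.

```python
"""Sanity checks before linking CVEs to CVSS scores from a non-NVD source.

Check 1: per-CVE disagreement with NVD, and the shift it causes in the mean
         (the trend/statistics effect described in the post).
Check 2: abstraction mismatch: external records that roll several CVEs into
         one entry carry a single rollup score, which over-estimates the
         lower-severity CVEs in that group.

All data below is constructed for illustration; the record ids, CVE ids and
scores are placeholders, not real entries.
"""
from statistics import mean

# Constructed external-source records. Record "X" rolls two CVEs into one
# entry with a single score (the maximum of the two), as in the post's example.
EXTERNAL_RECORDS = [
    {"id": "X", "cvss": 8.0, "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"id": "Y", "cvss": 5.0, "cves": ["CVE-0000-0003"]},
    {"id": "Z", "cvss": 7.5, "cves": ["CVE-0000-0004"]},
]

# Constructed NVD-style per-CVE scores for the same CVEs.
NVD_SCORES = {
    "CVE-0000-0001": 4.0,
    "CVE-0000-0002": 8.0,
    "CVE-0000-0003": 5.0,
    "CVE-0000-0004": 6.5,
}


def link_scores(records):
    """Map each CVE to the score of the external record covering it.

    rollup_size > 1 means the score was inherited from a record that spans
    several CVEs, so it may be over-estimated for this particular CVE.
    """
    linked = {}
    for rec in records:
        for cve in rec["cves"]:
            linked[cve] = {
                "cvss": rec["cvss"],
                "record": rec["id"],
                "rollup_size": len(rec["cves"]),
            }
    return linked


def rollup_ratio(records):
    """Fraction of records that map to more than one CVE (abstraction check).

    A high ratio means the source counts vulnerabilities more coarsely than
    CVE does; a precise per-CVE source should score close to 0.
    """
    if not records:
        return 0.0
    multi = sum(1 for r in records if len(r["cves"]) > 1)
    return multi / len(records)


def suspect_overestimates(records):
    """CVEs whose score came from a multi-CVE record (possible over-estimate)."""
    linked = link_scores(records)
    return sorted(cve for cve, info in linked.items() if info["rollup_size"] > 1)


def compare_to_nvd(records, nvd, tolerance=0.5):
    """Per-CVE differences vs NVD exceeding the tolerance.

    Returns {cve: (external_score, nvd_score, delta)} for CVEs present in both.
    """
    diffs = {}
    for cve, info in link_scores(records).items():
        if cve in nvd:
            delta = round(info["cvss"] - nvd[cve], 1)
            if abs(delta) > tolerance:
                diffs[cve] = (info["cvss"], nvd[cve], delta)
    return diffs


def mean_shift(records, nvd):
    """Difference in mean score (external minus NVD) over the CVEs both cover.

    This is the kind of jump an analyst would see in trend statistics when
    switching sources and later switching back.
    """
    linked = link_scores(records)
    common = [cve for cve in linked if cve in nvd]
    if not common:
        return 0.0
    ext_mean = mean(linked[cve]["cvss"] for cve in common)
    nvd_mean = mean(nvd[cve] for cve in common)
    return round(ext_mean - nvd_mean, 3)


if __name__ == "__main__":
    print("rollup ratio:", rollup_ratio(EXTERNAL_RECORDS))
    print("possible over-estimates:", suspect_overestimates(EXTERNAL_RECORDS))
    print("disagreements vs NVD:", compare_to_nvd(EXTERNAL_RECORDS, NVD_SCORES))
    print("mean shift vs NVD:", mean_shift(EXTERNAL_RECORDS, NVD_SCORES))
```

On the constructed data, CVE-0000-0001 inherits record X's rollup score of 8.0 although NVD scores it 4.0, which is exactly the over-estimate the post describes; the rollup ratio of one third and the 1.25-point mean shift are the two numbers worth computing for a candidate source before standardizing on it.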


