NVD CVSS News
- October 16, 2007: The NVD CVSS V2 calculator has been updated to include the following functionality:
  - CVSS V2 calculator now supports the ‘ND’ (Not Defined) metric for temporal and environmental vectors.
  - ‘CDP’ has replaced ‘CD’ to represent the environmental vector ‘CollateralDamagePotential.’ This update reflects the correct vector representation in the official CVSS V2 Specification. (NOTE: CVSS calculator still supports legacy 'CD' representation)
  - The metrics pertaining to the temporal vector ‘ReportConfidence’ have been updated to reflect the official CVSS V2 Specification. (NOTE: CVSS calculator still supports RC legacy metrics)
- August 6, 2007: The Payment Card Industry Data Security Standard requires the use of NVD Common Vulnerability Scoring System impact scores within approved scanning vendor tools.
- June 20, 2007: The National Vulnerability Database deployed support for the Common Vulnerability Scoring System (CVSS) version 2.0.
NVD Vulnerability Severity Ratings
NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores, but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities are labeled "Medium" severity if they have a CVSS base score of 4.0-6.9.
3. Vulnerabilities are labeled "High" severity if they have a CVSS base score of 7.0-10.0.
With some vulnerabilities, all of the information needed to create CVSS scores may not be available.
This typically happens when a vendor announces a vulnerability but declines to provide certain details.
In such situations, NVD analysts assign CVSS scores using a worst-case approach. Thus, if a vendor provides no details about a vulnerability, NVD will score that vulnerability as a 10.0 (the highest rating).
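The following is an added example, not NVD code: it computes a CVSS v2 base score from a base vector using the weights and equations of the CVSS v2 specification, then applies the severity bands listed above. The fill_worst_case option is a hypothetical model of the worst-case approach (any metric missing from the vector takes its highest-weight value); the function names are assumptions, and only base metrics are accepted.

```python
# Added example, not NVD code. Weights and equations: CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # AccessVector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # AccessComplexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # ConfImpact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # IntegImpact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # AvailImpact
}
# Highest-weight (worst-case) value of each metric: AV:N/AC:L/Au:N/C:C/I:C/A:C.
WORST = {m: max(vals, key=vals.get) for m, vals in WEIGHTS.items()}


def parse_base_vector(vector, fill_worst_case=False):
    """Parse 'AV:N/AC:L/...' into a dict; optionally fill unknown metrics
    with their worst-case value (hypothetical model of the page's approach)."""
    metrics = {}
    for part in filter(None, vector.strip().strip("()").split("/")):
        name, _, value = part.partition(":")
        if name in metrics or value not in WEIGHTS.get(name, {}):
            raise ValueError(f"invalid or duplicate base metric: {part!r}")
        metrics[name] = value
    missing = [m for m in WEIGHTS if m not in metrics]
    if missing and not fill_worst_case:
        raise ValueError(f"missing base metrics: {missing}")
    metrics.update({m: WORST[m] for m in missing})
    return metrics


def base_score(metrics):
    """CVSS v2 base equation, rounded to one decimal place."""
    w = {m: WEIGHTS[m][v] for m, v in metrics.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def nvd_severity(score):
    """Severity bands as listed on this page."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"


def rate(vector, fill_worst_case=False):
    """Return (base score, NVD severity label) for a base vector."""
    score = base_score(parse_base_vector(vector, fill_worst_case))
    return score, nvd_severity(score)
```

Calling rate("", fill_worst_case=True) models the case where a vendor provides no details; a partially known vector such as "AV:L" keeps the known metric and fills only the rest.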
Collaboration with Industry
NVD staff are willing to work with the security community on CVSS impact
scoring. If you wish to contribute additional information or corrections
regarding the NVD CVSS impact scores, please send email to email@example.com.
We actively work with users that provide us feedback.
Product Integration into CVSS V2 Calculator
CVSS-compatible products may provide their users access to the NVD
CVSS v2 calculator by creating a hyperlink that includes the CVSS vector and,
optionally, the vulnerability name. This works for base, temporal, and environmental vectors.
The hyperlinks should take one of the following forms.
Example base vector hyperlinks to CVSS calculator (with and without vulnerability name):
Example environmental vector hyperlinks to CVSS calculator (with and without vulnerability name):
Example temporal vector hyperlinks to CVSS calculator (with and without vulnerability name):
Please see: http://nvd.nist.gov/cvss.cfm?vectorinfov2 for more details on the CVSS product integration.
Scores for the CVE vulnerabilities published between 11/10/2005
and 11/30/2006 have been upgraded from CVSS version 1 data. CVSS v1 metrics did not contain the granularity of CVSS v2, and so these scores are marked
as "Version 2.0 upgrade from v1.0" within NVD. While these scores are approximations, they are expected to be reasonably accurate CVSS v2 scores.
Scores provided for the 13,000 CVE vulnerabilities published prior to 11/9/2005
are approximated from only partially available CVSS metric data. Such scores are marked
as "Version 2.0 Incomplete approximation" within NVD. In particular, the following CVSS metrics
are only partially available for these vulnerabilities and NVD assumes certain values
based on an approximation algorithm: AccessComplexity, Authentication, ConfImpact of
'partial', IntegImpact of 'partial', AvailImpact of 'partial', and the