National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVSS 3.1 Official Support

CVSS v3.1 was released in June 2019.  The NVD will begin officially supporting the CVSS v3.1 guidance on September 10th, 2019. Due to the clarifications in guidance, there will be some changes to the scoring practices used by NVD analysts for CVSS v3. The NVD will not be offering CVSS v3.0 and v3.1 vector strings for the same CVE. All new and re-analyzed CVEs will be done using the CVSS v3.1 guidance.

The NVD website will identify which guidance was used when associating a CVSS v3.x vector string. Due to minor changes in the equations, the CVSS v3 calculator page has also been updated to allow users to toggle between CVSS v3.0 and CVSS v3.1. Additionally, clicking a score on a vulnerability detail page will navigate users to the appropriate calculator. External users that link to the calculator pages will need to specify the CVSS version in the URL, otherwise the page will default to the CVSS v3.1 toggle option.

This change will have an impact to the data feeds as well. The JSON Vulnerability Feed must be modified to support CVSS v3.1 and will be iterated to version 1.1. Users will need to update their ingestion methods to handle the new CVSS v3.1 vector strings. We have provided details on what is changing to help organizations adjust to the differences as quickly as possible. For more information regarding the JSON 1.1 Vulnerability Feed please refer to JSON 1.1 Vulnerability Feed Release.

For more information regarding the official CVSS v3.1 guidance documentation please visit https://www.first.org/cvss/v3.1/specification-document