Due to temporary delays in enrichment efforts, the NVD will not be processing reductions in Acceptance Levels for organizations listed as CVMAP participants until further notice.
How We Assess Acceptance Levels
The current NVD enrichment workflow for a single CVE entry consists of two primary stages: Initial Analysis and Verification. During Initial Analysis, an NVD enrichment team member investigates the information provided for the CVE entry to better understand the vulnerability's characteristics. This enrichment focuses primarily on the CVE description and the associated reference links to external, publicly verifiable information. From this information, NVD enrichment associates CWE(s) with the CVE, develops initial CVSS v4.0, CVSS v3.1 and CVSS v2.0 vector strings, determines the appropriate Reference Link Tags, and builds the configurations using match criteria as defined in the Common Platform Enumeration (CPE) 2.3 specification. Once Initial Analysis is complete, the enriched metadata for the CVE entry is reviewed by a second, usually more experienced, NVD enrichment team member during the Verification stage. This ensures that the proper standards and procedures have been applied to the enrichment of the CVE metadata based on the information available. Once the CVE has been reviewed, its metadata is published for public access.
Participation in the submission process automatically begins when a CNA includes submission category information within their provided CVE entries. NVD initial analysis and verification are performed for those CVEs and then an automated assessment comparing the CNA information and NVD information is performed to determine if both parties align. Alignment of CNA and NVD information is determined based on matching criteria established for each submission category.
As each assessment is performed, an email is sent to the CNA notifying them that an audit has occurred, with a link to the audit results. CNAs can then use the results to provide more clarifying information or to adjust the metadata they submitted. As CNA-provided metadata is found to align with NVD enrichment and with verification of the publicly available information, the acceptance level of the CNA for that submission category automatically increases.
CNAs who do not meet their current acceptance level may become subject to an acceptance level reduction 30 days after their first failure. This gives the CNA ample opportunity to update their methodology to re-align with the NVD, or to improve the available information so that the CNA and NVD enrichment efforts can reach a consensus. If alignment is achieved, the CNA will meet or exceed their acceptance level.
The NVD is currently providing CVMAP assessments for CWE, CVSS v2.0, CVSS v3.1 and CVSS v4.0 Submission Categories. More information regarding matching criteria and the thresholds for achieving new acceptance levels for each submission category is provided in the following sections.
CWE
CWE is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and a baseline for weakness identification, mitigation, and prevention efforts. The NVD makes use of a subset of the entire CWE List, which is enumerated by the CWE-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities) view. NVD enrichment will associate the most specific CWE value within the CWE-1003 view based on the publicly available information at the time of enrichment.
Assessment of CWE submission alignment is done by comparing what was provided by the CNA and what was associated by NVD enrichment during the initial analysis and verification processes. Due to the NVD’s use of the CWE-1003 view, there are a few different ways for alignment to be determined.
- When both the NVD enrichment and the CNA provide one CWE value and those values are identical a match is assessed which positively affects the acceptance level of the CNA for this submission category. When the NVD enrichment and the CNA do not provide an identical CWE this is considered a mismatch and will negatively affect the acceptance level of the CNA for this submission category.
- CNAs are able to submit any CWE from the entire CWE List. In the event a CNA has provided a CWE that is not within the selection of CWEs used by NVD, we will use the CWE-1000 (Research Concepts) view relationships to identify if the value provided was more specific than those available in the CWE-1003 view. If so, this will still count as a match with the NVD assigned value. As an example, if NVD enrichment has associated CWE-787 Out-of-bounds Write and the CNA has provided CWE-122 Heap-based Buffer Overflow this would be counted as a match because CWE-122 is a child of CWE-787 in the CWE-1000 view.
- A CNA can submit multiple CWEs, and the NVD in some cases also associates multiple CWE values when the available data is unclear. Assessment between CNA-submitted and NVD-associated CWEs is based on the count of CWEs provided by the NVD. As an example, if the NVD has provided one CWE (CWE-122) and the CNA has associated two CWEs (CWE-122 and CWE-460), assessment would only occur based on the CWE provided by the NVD (CWE-122), and CWE-460 would be omitted from assessment. Conversely, if the NVD were to provide two CWEs and the CNA provided only one, assessment would be performed for both of the CWEs provided by the NVD, so the CWE the CNA did not supply counts as a mismatch.
Due to the nature of CWE it is plausible that there is simply not enough information available to confidently determine an appropriate value. If NVD enrichment results in assignment of the NVD-CWE-noinfo or the NVD-CWE-Other values, then those values will be omitted from acceptance level assessment for the submission category.
You can review the CWE-1003 list at https://cwe.mitre.org/data/definitions/1003.html.
You can review the CWE-1000 list at https://cwe.mitre.org/data/definitions/1000.html.
Assessment is performed using the last 40 CVEs with submissions or updates to the CWE submission category information. The acceptance level of the CNA is ultimately determined based on their acceptance level match percentage. The acceptance level match percentage is calculated by taking the number of CNA CVE-to-CWE combinations that match the NVD enrichment CVE-to-CWE combinations, divided by the total number of NVD enrichment CVE-to-CWE combinations (after omitting NVD-CWE-noinfo and NVD-CWE-Other). Because a CVE may carry more than one NVD-associated CWE, this denominator is not a fixed number the way it is for the CVSS categories. The acceptance level for a CNA in the CWE submission category is determined based on the thresholds provided in the table below.
Acceptance level | Reference | Contributor | Provider
Match percentage | < 70% | >= 70% | >= 95%
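The CWE matching rules above (exact match, a more specific CNA value accepted via CWE-1000 ancestry, assessment driven by the NVD's CWE count, and placeholder values omitted) can be turned into a self-check a CNA runs before submitting. The following is an added example written for this page, not NVD's own assessment code. It assumes a constructed subset of CWE-1000 ChildOf relationships (the real view is at https://cwe.mitre.org/data/definitions/1000.html), a constructed 6-CVE window in place of the real last 40, and, where a CVE has several CWEs on both sides, that an NVD CWE matches if any CNA CWE equals it or descends from it; the page does not spell out that pairing rule.

```python
"""CWE alignment self-check following the CVMAP rules described above.

Added example, not NVD code. CWE_1000_PARENTS is a constructed subset of the
CWE-1000 (Research Concepts) view; SAMPLE_WINDOW is constructed input.
"""

# Constructed subset of CWE-1000 ChildOf relationships: child -> set of parents.
CWE_1000_PARENTS = {
    "CWE-122": {"CWE-787", "CWE-788"},  # Heap-based Buffer Overflow
    "CWE-121": {"CWE-787", "CWE-788"},  # Stack-based Buffer Overflow
    "CWE-787": {"CWE-119"},             # Out-of-bounds Write
    "CWE-788": {"CWE-119"},             # Access of Memory Location After End of Buffer
    "CWE-125": {"CWE-119"},             # Out-of-bounds Read
}

# NVD values that mean "not enough information"; omitted from assessment.
NVD_PLACEHOLDERS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

# Integer percentages so threshold comparisons are exact (no float rounding).
THRESHOLDS = (("Provider", 95), ("Contributor", 70))
WINDOW = 40


def is_same_or_descendant(cna_cwe: str, nvd_cwe: str) -> bool:
    """True if cna_cwe equals nvd_cwe or lies below it in the CWE-1000 hierarchy.

    A CNA value that is *less* specific than the NVD value (a parent) is not
    accepted, so the walk only goes upward from the CNA value.
    """
    seen, frontier = set(), [cna_cwe]
    while frontier:
        current = frontier.pop()
        if current == nvd_cwe:
            return True
        if current in seen:
            continue
        seen.add(current)
        frontier.extend(CWE_1000_PARENTS.get(current, ()))
    return False


def assess_cve(nvd_cwes, cna_cwes):
    """Return (matches, assessed) for one CVE.

    Only NVD-associated CWEs are assessed: extra CNA CWEs are ignored and an
    NVD CWE the CNA did not cover is a mismatch. Placeholders are dropped.
    Pairing rule (assumption): an NVD CWE matches if any CNA CWE equals it
    or is a CWE-1000 descendant of it.
    """
    assessed = [c for c in nvd_cwes if c not in NVD_PLACEHOLDERS]
    matches = sum(
        1 for nvd_cwe in assessed
        if any(is_same_or_descendant(c, nvd_cwe) for c in cna_cwes)
    )
    return matches, len(assessed)


def acceptance_level(matches: int, total: int):
    """Map a match count to Reference / Contributor / Provider; None if nothing assessable."""
    if total == 0:
        return None
    for level, floor_pct in THRESHOLDS:
        if matches * 100 >= floor_pct * total:
            return level
    return "Reference"


def assess_window(records):
    """records: [(nvd_cwes, cna_cwes), ...], oldest first; only the last 40 count."""
    matches = total = 0
    for nvd_cwes, cna_cwes in records[-WINDOW:]:
        m, t = assess_cve(nvd_cwes, cna_cwes)
        matches += m
        total += t
    return matches, total, acceptance_level(matches, total)


# Constructed window of (NVD CWEs, CNA CWEs) illustrating each rule.
SAMPLE_WINDOW = [
    (["CWE-787"], ["CWE-122"]),             # CNA more specific than NVD: match
    (["CWE-787"], ["CWE-125"]),             # sibling, not a descendant: mismatch
    (["CWE-122"], ["CWE-122", "CWE-460"]),  # extra CNA CWE omitted: 1 of 1
    (["CWE-79", "CWE-89"], ["CWE-79"]),     # NVD count governs: 1 of 2
    (["NVD-CWE-noinfo"], ["CWE-20"]),       # placeholder omitted: 0 of 0
    (["CWE-787"], ["CWE-119"]),             # CNA less specific (parent): mismatch
]

if __name__ == "__main__":
    matched, total, level = assess_window(SAMPLE_WINDOW)
    print(f"{matched}/{total} matched -> {level}")
```

Running the sample yields 3 of 6 assessable combinations matched (50%), which lands at Reference; the parent-direction case at the end is the one CNAs most often get wrong, because CWE-1000 ancestry only rescues a value that is more specific than the NVD's, never one that is broader.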
CVSS
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly inform their vulnerability management processes. The NVD currently provides support for CVSS v2.0, CVSS v3.1 and CVSS v4.0 base metrics.
CVSS v4.0
The CVSS v4.0 Base Metric Group consists of eleven metrics: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, Vulnerable System Confidentiality Impact, Vulnerable System Integrity Impact, Vulnerable System Availability Impact, Subsequent System Confidentiality Impact, Subsequent System Integrity Impact, and Subsequent System Availability Impact. Values selected for each of these metrics are used to compute the CVSS v4.0 base score. See the CVSS v4.0 Specification Document for more detailed information. Assessment of CVSS submissions is done by comparing each individual base metric value provided by the submitting CNA to the metric values associated by an NVD enrichment team member. CNAs must submit CVSS v4.0 vector strings that include a value for each base metric.
CVSS v4.0 Specification: https://www.first.org/cvss/v4.0/specification-document
When both the NVD enrichment and the CNA provide an identical metric value, a match is assessed which positively affects the acceptance level of the CNA for this submission category. When the NVD enrichment and the CNA do not provide an identical metric value this is considered a mismatch and will negatively affect the acceptance level of the CNA for this submission category.
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS v4.0 submission category information. The acceptance level of the CNA is ultimately determined based on their acceptance level match percentage. The acceptance level match percentage is calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD enrichment metric combinations, divided by the total number of NVD enrichment metric combinations (40 CVEs x 11 base metrics = 440).
Total metric combinations | Reference | Contributor | Provider
440 | < 308 (< 70%) | >= 308 (>= 70%) | >= 418 (>= 95%)
CVSS v3.1
The CVSS v3.1 Base Metric Group consists of eight metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, and Availability Impact. Values selected for each of these metrics are used to compute the CVSS v3.1 Base score. See the CVSS v3.1 Specification Document for more detailed information. Assessment of CVSS submissions is done by comparing each individual base metric value provided by the submitting CNA to the metric values associated by an NVD enrichment team member. CNAs must submit CVSS v3.1 vector strings that include a value for each base metric.
CVSS v3.1 Specification: https://www.first.org/cvss/v3.1/specification-document
When both the NVD enrichment and the CNA provide an identical metric value, a match is assessed which positively affects the acceptance level of the CNA for this submission category. When the NVD enrichment and the CNA do not provide an identical metric value this is considered a mismatch and will negatively affect the acceptance level of the CNA for this submission category.
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS v3.1 submission category information. The acceptance level of the CNA is ultimately determined based on their acceptance level match percentage. The acceptance level match percentage is calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD enrichment metric combinations, divided by the total number of NVD enrichment metric combinations (40 CVEs x 8 base metrics = 320).
Total metric combinations | Reference | Contributor | Provider
320 | < 224 (< 70%) | >= 224 (>= 70%) | >= 304 (>= 95%)
CVSS v2.0
The CVSS v2.0 Base Metric Group consists of six metrics: Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, and Availability Impact. Values selected for each of these metrics are used to compute the CVSS v2.0 Base score. See the CVSS Version 2.0 specification for more detailed information. Assessment of CVSS submission alignment is done by comparing each individual base metric value provided by the submitting CNA to the metric values associated by NVD enrichment team members. CNAs must submit CVSS v2.0 vector strings that include a value for each base metric.
CVSS v2.0 Specification: https://www.first.org/cvss/v2/guide
When both the NVD enrichment and the CNA provide an identical metric value, a match is assessed which positively affects the acceptance level of the CNA for this submission category. When the NVD enrichment and the CNA do not provide an identical metric value this is considered a mismatch and will negatively affect the acceptance level of the CNA for this submission category.
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS v2.0 submission category information. The acceptance level of the CNA is ultimately determined based on their acceptance level match percentage. The acceptance level match percentage is calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD enrichment metric combinations, divided by the total number of NVD enrichment metric combinations (40 CVEs x 6 base metrics = 240).
Total metric combinations | Reference | Contributor | Provider
240 | < 168 (< 70%) | >= 168 (>= 70%) | >= 228 (>= 95%)
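The three CVSS categories share one mechanic: parse the base metrics out of each vector string, compare them metric by metric against the NVD's vector, and divide matches by the number of base metrics times the number of CVEs in the 40-CVE window. The following is an added example written for this page, not NVD's assessment code, that does this for v2.0, v3.1 and v4.0 and also performs the check the page requires of CNAs (every base metric present). It assumes vectors in the FIRST vector-string formats (a `CVSS:3.1/` or `CVSS:4.0/` prefix for those versions, none for v2.0), ignores any temporal or environmental metrics that follow the base ones, and, when fewer than 40 CVEs are supplied, uses the CVEs actually present as the denominator rather than the fixed 240/320/440; the sample vectors are constructed.

```python
"""CVSS base-metric alignment self-check for CVMAP (v2.0, v3.1, v4.0).

Added example, not NVD code. Sample vectors are constructed input.
"""

# Base metric abbreviations per version, in vector-string order.
BASE_METRICS = {
    "2.0": ("AV", "AC", "Au", "C", "I", "A"),
    "3.1": ("AV", "AC", "PR", "UI", "S", "C", "I", "A"),
    "4.0": ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"),
}
WINDOW = 40
THRESHOLDS = (("Provider", 95), ("Contributor", 70))  # integer percent, exact compare


def _split(version: str, vector: str) -> dict:
    """Split 'NAME:VALUE/NAME:VALUE/...' into a dict, stripping the version prefix."""
    parts = vector.strip().split("/")
    if version != "2.0":  # v2.0 vectors carry no 'CVSS:x.y' prefix
        prefix = f"CVSS:{version}"
        if not parts or parts[0] != prefix:
            raise ValueError(f"{vector!r} does not start with {prefix}")
        parts = parts[1:]
    metrics = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    return metrics


def missing_base_metrics(version: str, vector: str) -> list:
    """Base metrics the vector lacks; CVMAP requires this to be empty."""
    present = _split(version, vector)
    return [m for m in BASE_METRICS[version] if m not in present]


def parse_base_metrics(version: str, vector: str) -> dict:
    """Return only the base metrics (temporal/environmental values are dropped)."""
    missing = missing_base_metrics(version, vector)
    if missing:
        raise ValueError(f"{vector!r} lacks base metric(s) {missing}")
    present = _split(version, vector)
    return {m: present[m] for m in BASE_METRICS[version]}


def compare_vectors(version: str, cna_vector: str, nvd_vector: str):
    """Return (matched_count, {metric: (cna_value, nvd_value)} for mismatches)."""
    cna = parse_base_metrics(version, cna_vector)
    nvd = parse_base_metrics(version, nvd_vector)
    mismatches = {m: (cna[m], nvd[m]) for m in BASE_METRICS[version] if cna[m] != nvd[m]}
    return len(BASE_METRICS[version]) - len(mismatches), mismatches


def acceptance_level(matches: int, total: int):
    """Reference / Contributor / Provider from the page's 70% and 95% thresholds."""
    if total == 0:
        return None
    for level, floor_pct in THRESHOLDS:
        if matches * 100 >= floor_pct * total:
            return level
    return "Reference"


def assess_window(version: str, pairs):
    """pairs: [(cna_vector, nvd_vector), ...], oldest first; only the last 40 count.

    Assumption: denominator is metrics-per-CVE times CVEs present, which equals
    the page's 240/320/440 only when a full 40-CVE window is supplied.
    """
    pairs = pairs[-WINDOW:]
    total = len(pairs) * len(BASE_METRICS[version])
    matched = sum(compare_vectors(version, c, n)[0] for c, n in pairs)
    return matched, total, acceptance_level(matched, total)


# Constructed (CNA vector, NVD vector) pairs for CVSS v3.1.
SAMPLE_V31 = [
    ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),          # identical: 8 of 8
    ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),          # PR differs: 7 of 8
    ("CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O",  # temporal tail ignored
     "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"),          # AC and S differ: 6 of 8
]

if __name__ == "__main__":
    matched, total, level = assess_window("3.1", SAMPLE_V31)
    print(f"CVSS v3.1: {matched}/{total} matched -> {level}")
```

The sample window scores 21 of 24 (87.5%), so Contributor; the per-metric mismatch dict returned by compare_vectors is the part worth surfacing in a CNA's tooling, since a systematic disagreement on one metric (Scope and Privileges Required are the usual suspects in v3.1) is what drags a window below 70%.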