How We Assess Acceptance Levels

The current NVD Analyst workflow for a single CVE entry consists of two primary stages, Initial Analysis and Verification. Initial Analysis involves an NVD Analyst investigating the information provided for the CVE entry to better understand the vulnerability’s characteristics. This analysis is primarily focused on the CVE description and associated reference links to external publicly verifiable information. From this information the NVD Analyst associates CWE(s) with the CVE, develops initial CVSS v3.1 and CVSS v2 vector strings, determines the appropriate Reference Link Tags, and builds the configurations using match criteria as defined in the Common Platform Enumeration (CPE) 2.3 specification. Once the Initial Analysis is complete, the analyzed metadata for the CVE Entry is then reviewed by a second, usually more experienced, NVD Analyst during the Verification stage. This ensures the proper standards and procedures have been applied to the analysis of CVE metadata based on the information available. Once the CVE has been reviewed, the CVE metadata is then published for public access.

Participation in the submission process automatically begins when a CNA includes Submission Category information within their provided CVE entries. NVD initial analysis and verification are performed for those CVEs and then an automated assessment comparing the CNA information and NVD information is performed to determine if both parties align. Alignment of CNA and NVD information is determined based on matching criteria established for each submission category.
 
As assessments are performed, an email will be sent to the CNA notifying them that an audit has occurred, with a link to the audit results. CNAs can then use the results to provide more clarifying information or to adjust the metadata submitted. As CNA-provided metadata is found to align with NVD analysis and verification of the publicly available information, the Acceptance Level of the CNA for the submission category will increase.
 
The NVD is currently providing CVMAP assessments for CWE, CVSS v2.0 and CVSS v3.1 Submission Categories. We plan to expand this to also include Reference Tag and Configuration (CPE) information in the future. More information regarding matching criteria and the thresholds for achieving new Acceptance Levels for each Submission Category is provided in the following sections.

CWE

CWE is a community-developed list of common software security weaknesses. It serves as a common language, a measuring stick for software security tools, and a baseline for weakness identification, mitigation, and prevention efforts. The NVD makes use of a subset of the entire CWE List, which is enumerated by the CWE-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities) view. NVD analysts will associate the most specific CWE value within the CWE-1003 view based on the publicly available information at the time of analysis. 
Assessment of CWE submission alignment is done by comparing what was provided by the CNA and what was associated by NVD Analysts during the initial analysis and verification processes. Due to the NVD’s use of the CWE-1003 view, there are a few different ways for alignment to be determined.
  • When both the NVD analyst and the CNA provide one CWE value and those values are identical, a match is assessed, which positively affects the Acceptance Level of the CNA for this Submission Category. When the NVD analyst and the CNA do not provide an identical CWE, this is considered a mismatch and will negatively affect the Acceptance Level of the CNA for this Submission Category.
  • CNAs are able to submit any CWE from the entire CWE List. In the event a CNA has provided a CWE that is not within the selection of CWEs used by NVD, we will use the CWE-1000 (Research Concepts) view relationships to identify if the value provided was more specific than those available in the CWE-1003 view. If so, this will still count as a match with the NVD assigned value. As an example, if an NVD analyst has associated CWE-787 Out-of-bounds Write and the CNA has provided CWE-122 Heap-based Buffer Overflow this would be counted as a match because CWE-122 is a child of CWE-787 in the CWE-1000 view.
  • A CNA can submit multiple CWEs, and the NVD in some cases also associates multiple CWE values when the available data is unclear. Assessment between CNA-submitted and NVD-associated CWEs is based on the count of CWEs provided by the NVD. As an example, if the NVD has provided one CWE (CWE-122) and the CNA has associated two CWEs (CWE-122 and CWE-460), assessment would only occur based on the CWE provided by the NVD (CWE-122) and CWE-460 would be omitted from assessment. Conversely, if the NVD were to provide two CWEs and the CNA provided only one, assessment would be performed for both of the CWEs provided by the NVD.
Due to the nature of CWE, it is plausible that there is simply not enough information available to confidently determine an appropriate value. If the NVD analyst opts to assign the NVD-CWE-noinfo or NVD-CWE-Other values, those values will be omitted from Acceptance Level assessment for the Submission Category.
You can review the CWE-1003 list at https://cwe.mitre.org/data/definitions/1003.html.
You can review the CWE-1000 list at https://cwe.mitre.org/data/definitions/1000.html.
Assessment is performed using the last 40 CVEs with submissions or updates to the CWE Submission Category information. Acceptance Level of the CNA is ultimately determined based on their acceptance level match percentage. The Acceptance Level match percentage will be calculated by taking the number of CNA CVE-to-CWE combinations that match the NVD Analyst CVE-to-CWE combinations, divided by the total number of NVD Analyst CVE-to-CWE metric combinations. The Acceptance Level for a CNA in the CWE Submission Category is determined based on the thresholds provided in the table below.
Reference    Contributor    Provider
< 70%        >= 70%         >= 95%
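The CWE alignment rules above (identical match, CWE-1000 descendant match for values outside CWE-1003, NVD count driving assessment, and omission of NVD-CWE-noinfo / NVD-CWE-Other), written out as an added example that is not NVD's own code. The CWE-1000 parent map and the CWE-1003 subset are small constructed samples, and treating an NVD CWE as matched when any CNA-provided CWE aligns with it is an assumption.

```python
# Added example (not NVD's code): CWE alignment as described on this page.

# Constructed subset of CWE-1000 (Research Concepts) child -> parent relations.
CWE1000_PARENTS = {
    "CWE-122": "CWE-787",   # Heap-based Buffer Overflow is a child of Out-of-bounds Write
    "CWE-121": "CWE-787",   # Stack-based Buffer Overflow, same parent
    "CWE-787": "CWE-119",
    "CWE-89": "CWE-943",
}
# Constructed subset of the CWE-1003 view that NVD analysts select from.
CWE1003 = {"CWE-787", "CWE-119", "CWE-89", "CWE-79"}
# Values an analyst assigns when information is insufficient; never assessed.
UNASSESSED = {"NVD-CWE-noinfo", "NVD-CWE-Other"}


def cwe_matches(nvd_cwe, cna_cwe):
    """Match if identical, or if the CNA value lies outside CWE-1003 and is a
    descendant of the NVD value in the CWE-1000 view."""
    if nvd_cwe == cna_cwe:
        return True
    if cna_cwe in CWE1003:          # a different in-view value is a plain mismatch
        return False
    node = cna_cwe
    while node in CWE1000_PARENTS:  # walk up CWE-1000 parents
        node = CWE1000_PARENTS[node]
        if node == nvd_cwe:
            return True
    return False


def assess_cwe(nvd_cwes, cna_cwes):
    """Return (matches, assessed) for one CVE. The NVD-provided CWEs set the
    count; extra CNA CWEs are ignored. Assumption: an NVD CWE counts as matched
    when any CNA CWE aligns with it."""
    matches = assessed = 0
    for nvd_cwe in nvd_cwes:
        if nvd_cwe in UNASSESSED:
            continue
        assessed += 1
        if any(cwe_matches(nvd_cwe, c) for c in cna_cwes):
            matches += 1
    return matches, assessed


def acceptance_level(matches, assessed):
    """Apply the page's thresholds: >= 95% Provider, >= 70% Contributor."""
    pct = 100.0 * matches / assessed if assessed else 0.0
    if pct >= 95:
        return "Provider"
    return "Contributor" if pct >= 70 else "Reference"
```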
 

CVSS

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly inform their vulnerability management processes. The NVD currently provides support for CVSS v2.0 and CVSS v3.1 base metrics.
CVSS v2.0
The CVSS v2 Base Metric Group consists of six metrics: Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, and Availability Impact. Values selected for each of these metrics are used to compute the CVSS v2 Base Metric score. See the CVSS Version 2.0 specification for more detailed information. Assessment of CVSS submission alignment is done by comparing each individual metric value provided by the submitting CNA to the metric values associated by NVD analysts through the initial analysis and verification processes. CNAs must submit CVSS v2.0 vector strings that include a value for every metric in the Base Metric Group. Partial vector strings will not be assessed, nor displayed on the website.

CVSS v2.0 Specification: https://www.first.org/cvss/v2/guide

When both the NVD analyst and the CNA provide an identical metric value, a match is assessed, which positively affects the Acceptance Level of the CNA for this Submission Category. When the NVD analyst and the CNA do not provide an identical metric value, this is considered a mismatch and will negatively affect the Acceptance Level of the CNA for this Submission Category.
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS v2.0 Submission Category information. Acceptance Level of the CNA is ultimately determined based on their acceptance level match percentage. The Acceptance Level match percentage will be calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD Analyst metric combinations, divided by the total number of NVD Analyst metric combinations (240, i.e. 40 CVEs x 6 base metrics).
 
Total    Reference        Contributor        Provider
240      < 168 (< 70%)    >= 168 (>= 70%)    >= 228 (>= 95%)

CVSS v3.1

The CVSS v3.1 Base Metric Group consists of eight metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, and Availability Impact. Values selected for each of these metrics are used to compute the CVSS v3.1 Base Metric score. See the CVSS v3.1 Specification Document for more detailed information. Assessment of CVSS submissions is done by comparing each individual metric value provided by the submitting CNA to the metric values associated by an NVD analyst through the analysis process. CNAs must submit CVSS v3.1 vector strings that include a value for every metric in the Base Metric Group. Partial vector strings will not be assessed, nor displayed on the website.

CVSS v3.1 Specification: https://www.first.org/cvss/v3.1/specification-document

When both the NVD analyst and the CNA provide an identical metric value, a match is assessed, which positively affects the Acceptance Level of the CNA for this Submission Category. When the NVD analyst and the CNA do not provide an identical metric value, this is considered a mismatch and will negatively affect the Acceptance Level of the CNA for this Submission Category.
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS v3.1 Submission Category information. Acceptance Level of the CNA is ultimately determined based on their acceptance level match percentage. The Acceptance Level match percentage will be calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD Analyst metric combinations, divided by the total number of NVD Analyst metric combinations (320, i.e. 40 CVEs x 8 base metrics).
 
Total    Reference        Contributor        Provider
320      < 224 (< 70%)    >= 224 (>= 70%)    >= 304 (>= 95%)
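The per-metric CVSS comparison described in the CVSS v2.0 and CVSS v3.1 sections above, as an added example that is not NVD's own code: it parses base vector strings for both versions, rejects partial vectors, counts metric-level matches, and applies the 240/320 totals and 70%/95% thresholds from the tables. The sample vectors are constructed, and scoring a partial CNA vector as zero matches against the fixed denominator is an assumption.

```python
# Added example (not NVD's code): metric-by-metric CVSS alignment per this page.
import re

# Base metrics every vector must carry; a vector missing any is partial.
BASE_METRICS = {
    "2.0": ("AV", "AC", "Au", "C", "I", "A"),
    "3.1": ("AV", "AC", "PR", "UI", "S", "C", "I", "A"),
}
CVES_PER_WINDOW = 40   # the last 40 CVEs with submissions in the category


def parse_vector(vector, version):
    """Return {metric: value} for a complete base vector, or None if partial."""
    body = vector
    if version == "3.1":
        if not vector.startswith("CVSS:3.1/"):
            return None
        body = vector[len("CVSS:3.1/"):]
    parts = {}
    for item in body.split("/"):
        m = re.fullmatch(r"([A-Za-z]+):([A-Z])", item)
        if not m:
            return None
        parts[m.group(1)] = m.group(2)
    if any(metric not in parts for metric in BASE_METRICS[version]):
        return None               # partial vector: not assessed
    return parts


def count_matches(nvd_vector, cna_vector, version):
    """Number of base metrics on which CNA and NVD values are identical.
    Assumption: a partial vector on either side contributes no matches."""
    nvd = parse_vector(nvd_vector, version)
    cna = parse_vector(cna_vector, version)
    if nvd is None or cna is None:
        return 0
    return sum(1 for m in BASE_METRICS[version] if nvd[m] == cna[m])


def acceptance_level(pairs, version):
    """pairs: (nvd_vector, cna_vector) for the 40-CVE window. Denominator is
    40 x base metrics: 240 for v2.0, 320 for v3.1, matching the tables above."""
    total = CVES_PER_WINDOW * len(BASE_METRICS[version])
    matched = sum(count_matches(n, c, version) for n, c in pairs)
    pct = 100.0 * matched / total
    level = "Provider" if pct >= 95 else "Contributor" if pct >= 70 else "Reference"
    return level, matched, total
```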

Reference Tags

Reference Tag assessments are not yet occurring as part of CVMAP. We will make an announcement when this functionality is officially included.

Configurations

Configuration assessments are not yet occurring as part of CVMAP. We will make an announcement when this functionality is officially included.