[This was originally published on the OSVDB blog.]
OSVDB now displays CVSSv2 scores, mostly as calculated by the National Vulnerability Database (NVD):
Along with the score, we display the date that NVD generated it and give users a method for recommending updates if they feel the score is inaccurate. While this is long overdue, it is one of many CVSS-related features we will be adding in the near future. For those wondering about the delay in adding CVSS support, the Cliff's Notes answer is "we had reservations about the scoring system". Back in 2005, Jake and I had a long chat with a couple of the creators of CVSS and brought up our concerns. Our goal was to create our own scoring system, but internal debate (and procrastination) led to neither being implemented. Rather than creating our own system, we finally opted to use what has become an industry standard. Some of our planned CVSS score enhancements on the to-do list, in no particular order:
- A method for adding our own CVSS score. There are thousands of entries in OSVDB that do not have a CVE assignment and, as a result, have no NVD-based CVSS score.
- A more robust moderation queue to handle proposed changes. This may optionally include a one-click method for us to notify NVD of our change so they may consider revising their score.
- Ensure the CVSSv2 score is part of the database dumps available for download.
- A method for tracking CVSS scores historically. As NVD revises their score, or we revise ours, a user should be able to see the history of changes.
- Compare our/NVD scores with other public tools and display the discrepancy if they differ. For example, if a Nessus plugin scores an issue differently than NVD, show both scores so users may consider which is more accurate.
- Track researcher-generated CVSS scores. While infrequent, some advisories provide scoring. If it differs from NVD's, display the discrepancy.
As always, if you have ideas on how we could better handle CVSS scoring, or have additional ideas for features, please contact us!