this post was submitted on 26 Aug 2023
83 points (100.0% liked)

Free and Open Source Software

17931 readers
117 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Hirom@beehaw.org 14 points 1 year ago* (last edited 1 year ago)

NVD state they task an analyst to review each CVE and assign a score, then do QC to review the analysis before publication.

No one's perfect, but since NVD claim to do QC they should fix their mistakes. So now let's see how they answer to Daniel Stenberg's objection. The publication and objections are recent, it's fair to give them a few days to react.

But if they're giving up on doing proper analysis or QC, and are are just acting as a vulnerability number registry, then they shouldn't publish CVSS values.

NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1, CWE, and CPE Applicability statements

CVSS V3.1 exploitability and impact metrics are assigned based on publicly available information and the guidelines of the specification.

Analysis results are given a quality assurance check by another more senior analyst prior to being published to the website and data feeds.

Source: CVEs and the NVD Process