• Hirom@beehaw.org
    link
    fedilink
    arrow-up
    10
    ·
    edit-2
    1 year ago

    NVD state they task an analyst to review each CVE and assign a score, then do QC to review the analysis before publication.

    No one’s perfect, but since NVD claim to do QC they should fix their mistakes. So now let’s see how they answer to Daniel Stenberg’s objection. The publication and objections are recent, it’s fair to give them a few days to react.

    But if they’re giving up on doing proper analysis or QC, and are are just acting as a vulnerability number registry, then they shouldn’t publish CVSS values.

    NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1, CWE, and CPE Applicability statements

    CVSS V3.1 exploitability and impact metrics are assigned based on publicly available information and the guidelines of the specification.

    Analysis results are given a quality assurance check by another more senior analyst prior to being published to the website and data feeds.

    Source: CVEs and the NVD Process