Yes, it is not uncommon for a CNA to submit a CVSS vector for a vulnerability to NVD. So, what if there is a conflict between two CVSS vectors for a vulnerability? Let's see !!
Once a CNA submits a CVSS vector, NVD records how accurate that vector is, using NVD's own interpretation as the ground truth. This accuracy is accumulated over time for each CNA, using the last 40 CVEs for which the CNA provided a CVSS vector. The more closely a CNA's vectors align with the NVD interpretation, the more trustworthy the CNA is considered (in terms of providing accurate CVSS vectors).
Based on this accuracy, the CNA is assigned an acceptance level. The levels start at “Reference”, move to “Contributor”, and finally, if the submitted data agrees with the NVD-provided data at least 95% of the time (counting the eight metrics across the last 40 CVSS vectors), the CNA reaches the highest acceptance level, “Provider”.
For “Providers”, NVD trusts the data provided by the CNA and does not have to compute its own CVSS score. For these CNAs, NVD audits only 10% of the submitted CVSS vectors, meaning that for that sample it computes its own CVSS vector and compares it with the one provided by the CNA.
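To make the accuracy bookkeeping concrete, here is an added Python example (not code from NVD, the CVE program, or the linked blog) that compares a CNA's CVSS v3.x vector with NVD's vector metric by metric, keeps a rolling window of the last 40 CVEs, and checks the 95% “Provider” threshold. It assumes the “eight metrics” are the CVSS v3.x base metrics (AV, AC, PR, UI, S, C, I, A), that a level is only decided once a full 40-vector window exists, and that NVD's 10% audit is a plain random sample; the vectors and CVE ids are constructed, and the thresholds for “Reference” and “Contributor” are not modelled because the post does not give them.

```python
from collections import deque
import random

# Assumption: the post's "eight metrics" are the CVSS v3.x base metrics.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
WINDOW = 40               # last 40 CVEs per CNA, as stated in the post
PROVIDER_PERCENT = 95     # agreement needed for the "Provider" level
AUDIT_RATE = 0.10         # share of a Provider's vectors NVD re-computes


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v3.x vector string into a {metric: value} dict."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def agreeing_metrics(cna_vector: str, nvd_vector: str) -> int:
    """Count how many of the eight base metrics the CNA and NVD vectors share (0..8)."""
    cna, nvd = parse_vector(cna_vector), parse_vector(nvd_vector)
    return sum(1 for m in BASE_METRICS if cna[m] == nvd[m])


class CnaAccuracyTracker:
    """Rolling per-CNA agreement over the last WINDOW vectors, counted per metric."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self._history = deque(maxlen=window)   # entries: (cve_id, agreeing metric count)

    def record(self, cve_id: str, cna_vector: str, nvd_vector: str) -> int:
        agreed = agreeing_metrics(cna_vector, nvd_vector)
        self._history.append((cve_id, agreed))   # oldest entry drops off past the window
        return agreed

    def agreed_and_total(self) -> tuple:
        agreed = sum(a for _, a in self._history)
        total = len(self._history) * len(BASE_METRICS)
        return agreed, total

    def accuracy(self) -> float:
        agreed, total = self.agreed_and_total()
        return agreed / total if total else 0.0

    def meets_provider_threshold(self) -> bool:
        """True once a full window exists and >= 95% of metrics agreed (integer compare, no float edge)."""
        agreed, total = self.agreed_and_total()
        return len(self._history) == self.window and agreed * 100 >= PROVIDER_PERCENT * total


def audit_sample(cve_ids, rate: float = AUDIT_RATE, seed: int = 0) -> list:
    """Hypothetical sampler: pick the 10% of a Provider's CVEs that NVD would re-score itself."""
    ids = list(cve_ids)
    k = max(1, round(rate * len(ids))) if ids else 0
    return sorted(random.Random(seed).sample(ids, k))


# Constructed sample vectors (not real CVE data).
NVD_VIEW = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
CNA_AGREES = NVD_VIEW
CNA_DIFFERS_PR = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"   # 7 of 8 metrics agree


def build_tracker(mismatched: int, window: int = WINDOW) -> CnaAccuracyTracker:
    """Fill a window with `mismatched` one-metric disagreements and the rest exact matches."""
    tracker = CnaAccuracyTracker(window)
    for i in range(window):
        cna = CNA_DIFFERS_PR if i < mismatched else CNA_AGREES
        tracker.record(f"CVE-0000-{i:04d}", cna, NVD_VIEW)   # constructed ids
    return tracker


if __name__ == "__main__":
    # 16 one-metric misses out of 320 comparisons is exactly 95%; 17 falls just short.
    for n in (0, 16, 17):
        t = build_tracker(n)
        print(f"{n:2d} one-metric mismatches -> accuracy {t.accuracy():.4f}, "
              f"provider={t.meets_provider_threshold()}")
    print("audit sample:", audit_sample(f"CVE-0000-{i:04d}" for i in range(40)))
```

Counting agreement per metric rather than per vector is what makes the 95% figure meaningful: with 40 vectors and eight metrics there are 320 comparisons, so a Provider can miss at most 16 individual metrics in the window, and a single badly mis-scored vector costs several of those at once.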
Please find the below URL for more details:
https://debricked.com/blog/cvss-precedence-in-nvd-and-debricked/
Happy Learning !!
VulnerabilityManagement Cybersecurity