Closed by eslerm 1 year ago
CVSS scores on NVD are from NIST's NVD program, and not from the CNA or MITRE where NIST:NVD is listed as the provider.
When NVD lists a CVSS score from the CNA (and the provider is labeled as such), it picks up the score already in the CVE record submitted by the CNA.
The Authorized Data Provider (ADP) initiative (currently in a pilot mode) would enable NIST to add scores to CVE records as an ADP (up to NVD if they want to).
Other than that, CVE services has no plans to fetch scores from NVD and place them in the CNA's submitted data.
Thank you for clarifying @chandanbn :pray:
NIST providing NVD data would be an excellent use case of an ADP.
If anyone finds this issue because of the unrelated NVD legacy data deprecation, you may be interested in https://github.com/olbat/nvdcve/issues/7
Will legacy severity information, such as CVSS 2.0 vectors, be archived in cvelistV5?
As an example, https://github.com/CVEProject/cvelistV5/blob/main/cves/2012/2xxx/CVE-2012-2125.json does not contain the CVSS 2.0 score from https://nvd.nist.gov/vuln/detail/CVE-2012-2125
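The container split described in this thread can be checked directly on a cvelistV5 record. The following is an added example, not part of the thread or of any CVE Program tooling: it lists which provider (CNA or ADP) supplied each CVSS metric and which CVSS versions are absent. Field names follow the CVE JSON 5.x record format; the sample record, its ID and its provider names are constructed.

```python
import json

# Metric keys defined by the CVE JSON 5.x record schema.
CVSS_KEYS = ("cvssV2_0", "cvssV3_0", "cvssV3_1", "cvssV4_0")

# Constructed sample record (not a real CVE): the CNA supplied no metrics,
# and one ADP container supplied a CVSS 3.1 score.
SAMPLE = json.loads("""
{
  "dataType": "CVE_RECORD",
  "cveMetadata": {"cveId": "CVE-0000-0000"},
  "containers": {
    "cna": {"providerMetadata": {"shortName": "example-cna"}},
    "adp": [{
      "providerMetadata": {"shortName": "example-adp"},
      "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5,
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}]
    }]
  }
}
""")

def cvss_by_provider(record):
    """Return (container, provider, cvss_key, base_score, vector) tuples."""
    containers = record.get("containers", {})
    # The CNA container is a single object; ADP containers are a list.
    sources = [("cna", containers.get("cna") or {})]
    sources += [("adp", adp) for adp in containers.get("adp", [])]
    found = []
    for kind, container in sources:
        provider = container.get("providerMetadata", {}).get("shortName", "unknown")
        for metric in container.get("metrics", []):
            for key in CVSS_KEYS:
                if key in metric:
                    cvss = metric[key]
                    found.append((kind, provider, key,
                                  cvss.get("baseScore"), cvss.get("vectorString")))
    return found

def missing_versions(record):
    """CVSS versions that no container in the record provides."""
    present = {row[2] for row in cvss_by_provider(record)}
    return [key for key in CVSS_KEYS if key not in present]

if __name__ == "__main__":
    for row in cvss_by_provider(SAMPLE):
        print(row)
    print("absent:", missing_versions(SAMPLE))
```

Run against a record downloaded from cvelistV5 by loading the file with `json.load` and passing the result to `cvss_by_provider`.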