nist-gov/nvd.nist.gov/vuln/cvmap/How-We-Assess-Acceptance-Levels
2025-03-05 18:59:57 +00:00

<!DOCTYPE html>
<html lang="en">
<head>
<title>NVD - How We Assess Acceptance Levels</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="content-style-type" content="text/css" />
<meta http-equiv="content-script-type" content="text/javascript" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link href="/site-scripts/font-awesome/css/font-awesome.min.css"
type="text/css" rel="stylesheet" />
<link href="/site-media/bootstrap/css/bootstrap.min.css"
type="text/css" rel="stylesheet" />
<link href="/site-media/bootstrap/css/bootstrap-theme.min.css"
type="text/css" rel="stylesheet" />
<link
href="/site-scripts/eonasdan-bootstrap-datetimepicker/build/css/bootstrap-datetimepicker.min.css"
type="text/css" rel="stylesheet" />
<link href="/site-media/css/nist-fonts.css" type="text/css"
rel="stylesheet" />
<link href="/site-media/css/base-style.css" type="text/css"
rel="stylesheet" />
<link href="/site-media/css/media-resize.css" type="text/css"
rel="stylesheet" />
<meta name="theme-color" content="#000000">
<script src="/site-scripts/jquery/dist/jquery.min.js"
type="text/javascript"></script>
<script src="/site-scripts/jquery-visible/jquery.visible.min.js"
type="text/javascript"></script>
<script src="/site-scripts/underscore/underscore-min.js"
type="text/javascript"></script>
<script src="/site-media/bootstrap/js/bootstrap.js"
type="text/javascript"></script>
<script src="/site-scripts/moment/min/moment.min.js"
type="text/javascript"></script>
<script
src="/site-scripts/eonasdan-bootstrap-datetimepicker/build/js/bootstrap-datetimepicker.min.js"
type="text/javascript"></script>
<script src="/site-media/js/megamenu.js" type="text/javascript"></script>
<script src="/site-media/js/nist-exit-script.js"
type="text/javascript"></script>
<script src="/site-media/js/forms.js" type="text/javascript"></script>
<script
src="/site-media/js/federated-analytics.all.min.js?agency=NIST&amp;subagency=nvd&amp;pua=UA-37115410-41&amp;yt=true"
type="text/javascript" id="_fed_an_js_tag"></script>
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-4KKFZP12LQ"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-4KKFZP12LQ'); </script>
<style id="antiClickjack">
body>* {
display: none !important;
}
#antiClickjack {
display: block !important;
}
</style>
<noscript>
<style id="antiClickjackNoScript">
body>* {
display: block !important;
}
#antiClickjack {
display: none !important;
}
</style>
</noscript>
<script type="text/javascript" id="antiClickjackScript">
if (self === top) {
// no clickjacking
var antiClickjack = document.getElementById("antiClickjack");
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
setTimeout(tryForward(), 5000);
}
function tryForward() {
top.location = self.location;
}
</script>
<meta charset="UTF-8">
<link href="/site-media/css/nvd-style.css" type="text/css"
rel="stylesheet" />
<link href="/site-media/images/favicons/apple-touch-icon.png"
rel="apple-touch-icon" type="image/png" sizes="180x180" />
<link href="/site-media/images/favicons/favicon-32x32.png"
rel="icon" type="image/png" sizes="32x32" />
<link href="/site-media/images/favicons/favicon-16x16.png"
rel="icon" type="image/png" sizes="16x16" />
<link href="/site-media/images/favicons/manifest.json"
rel="manifest" />
<link href="/site-media/images/favicons/safari-pinned-tab.svg"
rel="mask-icon" color="#000000" />
<link href="/site-media/images/favicons/favicon.ico"
rel="shortcut icon" />
<meta name="msapplication-config" content="/site-media/images/favicons/browserconfig.xml" />
<link href="/site-media/images/favicons/favicon.ico"
rel="shortcut icon" type="image/x-icon" />
<link href="/site-media/images/favicons/favicon.ico" rel="icon"
type="image/x-icon" />
<meta charset="UTF-8">
</head>
<body>
<main>
<div>
<div id="body-section" class="container">
<div>
<div id="divTempCVMAPDelay" class="bs-callout bs-callout-warning">
<p>
<strong>
Due to <a href="/general/news/nvd-program-transition-announcement">temporary delays in enrichment efforts</a>,
the NVD will not be processing reductions in Acceptance Levels for organizations listed as CVMAP participants until further notice.
</strong>
</p>
</div>
<div id="entryCVMAP_HOW_WE0">
<h1>How We Assess Acceptance Levels</h1>
<p>
The current NVD enrichment workflow for a single CVE entry consists of two primary stages,
Initial Analysis and Verification. Initial Analysis involves an NVD enrichment team member investigating
the information provided for the CVE entry to better understand the vulnerability's
characteristics. This enrichment is primarily focused on the CVE description and associated
reference links to external publicly verifiable information. From this information NVD
enrichment associates CWE(s) with the CVE, develops initial CVSS v4.0, CVSS v3.1 and CVSS v2.0 vector
strings, determines the appropriate Reference Link Tags, and builds the configurations
using match criteria as defined in the Common Platform Enumeration (CPE) 2.3 specification.
Once the Initial Analysis is complete, the enriched metadata for the CVE Entry is then
reviewed by a second, usually more experienced, NVD enrichment team member during the verification stage.
This ensures the proper standards and procedures have been applied to the enrichment of CVE
metadata based on the information available. Once the CVE has been reviewed, the CVE metadata
is then published for public access.
</p>
<p>
Participation in the submission process automatically begins when a CNA includes submission
category information within their provided CVE entries. NVD initial analysis and verification
are performed for those CVEs and then an automated assessment comparing the CNA information
and NVD information is performed to determine if both parties align. Alignment of CNA and NVD
information is determined based on matching criteria established for each submission category.
</p>
<p>
As assessments are performed, an email will be sent to the CNA notifying them that an audit
has occurred, with a link to the audit results. CNAs can then use the results to provide
more clarifying information or to adjust the metadata submitted. As CNA-provided metadata is
found to align with NVD enrichment and verification of the publicly available information, the
acceptance level of the CNA for the submission category will automatically increase.
</p>
<p>
CNAs who do not meet their current acceptance level may become subject to an acceptance level
reduction 30 days from their first failure. This gives the CNA ample opportunity to update their
methodology to re-align with the NVD or to improve the available information so that the CNA
and NVD enrichment efforts can come to a consensus. If alignment is achieved, the CNA will meet
or exceed their acceptance level.
</p>
<p>
The NVD is currently providing CVMAP assessments for CWE, CVSS v2.0, CVSS v3.1 and CVSS v4.0 Submission
Categories. More information regarding matching criteria and the thresholds
for achieving new acceptance levels for each submission category is provided in the following
sections.
</p>
<h2><a name="#CWE">CWE</a></h2>
<p>
CWE is a community-developed list of common software security weaknesses. It serves as a common
language, a measuring stick for software security tools, and a baseline for weakness identification,
mitigation, and prevention efforts. The NVD makes use of a subset of the entire CWE List, which is
enumerated by the CWE-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities) view.
NVD enrichment will associate the most specific CWE value within the CWE-1003 view based on the publicly
available information at the time of enrichment.
</p>
<p>
Assessment of CWE submission alignment is done by comparing what was provided by the CNA and what
was associated by NVD enrichment during the initial analysis and verification processes. Due to the
NVD's use of the CWE-1003 view, there are a few different ways for alignment to be determined.
</p>
<br>
<ul>
<li>
When both the NVD enrichment and the CNA provide one CWE value and those values are identical, a
match is assessed, which positively affects the acceptance level of the CNA for this submission
category. When the NVD enrichment and the CNA do not provide an identical CWE, this is considered a
mismatch and will negatively affect the acceptance level of the CNA for this submission category.
</li>
<li>
CNAs are able to submit any CWE from the entire CWE List. In the event a CNA has provided a CWE
that is not within the selection of CWEs used by NVD, we will use the CWE-1000 (Research Concepts)
view relationships to identify if the value provided was more specific than those available in the
CWE-1003 view. If so, this will still count as a match with the NVD assigned value. As an example,
if NVD enrichment has associated CWE-787 Out-of-bounds Write and the CNA has provided CWE-122
Heap-based Buffer Overflow this would be counted as a match because CWE-122 is a child of CWE-787
in the CWE-1000 view.
</li>
<li>
A CNA can submit multiple CWEs, and the NVD in some cases also associates multiple CWE values when
the data available is unclear. Assessment between CNA-submitted and NVD-associated CWEs is based on the
count of CWEs provided by the NVD. As an example, if the NVD has provided one CWE (CWE-122) and the
CNA has associated two CWEs (CWE-122 and CWE-460), assessment would only occur based on the CWE
provided by the NVD (CWE-122), and CWE-460 would be omitted from assessment. Conversely, if the
NVD were to provide two CWEs and the CNA provided only one, assessment would be performed for
both of the CWEs provided by the NVD.
</li>
</ul>
<br>
<p>
Due to the nature of CWE it is plausible that there is simply not enough information available
to confidently determine an appropriate value. If NVD enrichment results in assignment of the NVD-CWE-noinfo
or the NVD-CWE-Other values, then those values will be omitted from acceptance level assessment
for the submission category.
</p>
<p>
You can review the CWE-1003 list at <a href="https://cwe.mitre.org/data/definitions/1003.html">https://cwe.mitre.org/data/definitions/1003.html</a>.
</p>
<p>
You can review the CWE-1000 list at <a href="https://cwe.mitre.org/data/definitions/1000.html">https://cwe.mitre.org/data/definitions/1000.html</a>.
</p>
<p>
Assessment is performed using the last 40 CVEs with submissions or updates to the CWE submission
category information. Acceptance level of the CNA is ultimately determined based on their acceptance
level match percentage. The acceptance level match percentage will be calculated by taking the number
of CNA CVE-to-CWE combinations that match the NVD enrichment CVE-to-CWE combinations, divided by the total
number of NVD enrichment CVE-to-CWE metric combinations. The acceptance level for a CNA in the CWE submission
category is determined based on the thresholds provided in the table below.
</p>
<br>
<table align="center" border="0" cellpadding="0" cellspacing="0" class="table table-striped table-bordered detail-table" style="width:626px;" width="626">
<tbody>
<tr>
<td style="width:209px;height:27px;">
<strong>Reference</strong>
</td>
<td style="width:209px;height:27px;">
<strong>Contributor</strong>
</td>
<td style="width:209px;height:27px;">
<strong>Provider</strong>
</td>
</tr>
<tr>
<td style="width:209px;height:27px;">&lt; 70%</td>
<td style="width:209px;height:27px;">&gt;= 70%</td>
<td style="width:209px;height:27px;">&gt;= 95%</td>
</tr>
</tbody>
</table>
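<p>
The CWE matching rules and thresholds above, worked through as an added example in Python. This is not
NVD code: the function names, the one-entry CWE-1000 excerpt and the 40 sample records are constructed
for illustration, and letting one CNA value satisfy more than one NVD value is an assumption.
</p>

```python
# Added example (not NVD code): CWE alignment scoring as described above.
# All CVE records and the hierarchy excerpt below are constructed.

# Child -> parents in the CWE-1000 (Research Concepts) view. Only the single
# relationship the page names is listed; a real check would load the full view.
CWE_1000_PARENTS = {"CWE-122": {"CWE-787"}}

# NVD placeholder values that are omitted from assessment.
OMITTED = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

WINDOW = 40  # assessment uses the last 40 CVEs


def is_same_or_more_specific(cna_cwe, nvd_cwe, parents=CWE_1000_PARENTS):
    """True if cna_cwe equals nvd_cwe or is a descendant of it in CWE-1000."""
    pending, seen = [cna_cwe], set()
    while pending:
        current = pending.pop()
        if current == nvd_cwe:
            return True
        if current in seen:
            continue
        seen.add(current)
        pending.extend(parents.get(current, ()))
    return False


def assess_cve(nvd_cwes, cna_cwes):
    """Return (matches, total) for one CVE.

    The total is the number of NVD-associated CWEs, so extra CNA values are
    ignored and every NVD value is scored even if the CNA sent fewer.
    Assumption: one CNA value may satisfy more than one NVD value.
    """
    scored = [cwe for cwe in nvd_cwes if cwe not in OMITTED]
    matches = sum(
        1 for nvd in scored
        if any(is_same_or_more_specific(cna, nvd) for cna in cna_cwes)
    )
    return matches, len(scored)


def acceptance_level(matches, total):
    """Map a match count to the level thresholds in the table above."""
    if total == 0:
        return None  # nothing assessable in the window
    if matches * 100 >= 95 * total:
        return "Provider"
    if matches * 100 >= 70 * total:
        return "Contributor"
    return "Reference"


def summarize(records):
    """records: oldest-first list of (nvd_cwes, cna_cwes) pairs."""
    matches = total = 0
    for nvd_cwes, cna_cwes in records[-WINDOW:]:
        m, t = assess_cve(nvd_cwes, cna_cwes)
        matches += m
        total += t
    return matches, total, acceptance_level(matches, total)


# Constructed window of 40 CVEs.
SAMPLE = (
    [(["CWE-79"], ["CWE-79"])] * 30                  # identical: 30/30
    + [(["CWE-787"], ["CWE-122"])]                   # more specific child: 1/1
    + [(["CWE-122"], ["CWE-122", "CWE-460"])]        # extra CNA value ignored: 1/1
    + [(["CWE-787", "CWE-125"], ["CWE-787"])]        # both NVD values scored: 1/2
    + [(["NVD-CWE-noinfo"], ["CWE-20"])] * 2         # omitted: 0/0
    + [(["CWE-89"], ["CWE-20"])] * 5                 # mismatch: 0/5
)

if __name__ == "__main__":
    m, t, level = summarize(SAMPLE)
    print(f"{m}/{t} = {100 * m / t:.1f}% -> {level}")
```

<p>
Because omitted values and multi-CWE entries change the denominator, the total for a 40-CVE window is not
necessarily 40.
</p>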
<h2>CVSS</h2>
<p>
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal
characteristics of a vulnerability and produce a numerical score reflecting its severity.
The numerical score can then be translated into a qualitative representation (such as
low, medium, high, and critical) to help organizations properly inform their vulnerability
management processes. The NVD currently provides support for CVSS v2.0, CVSS v3.1 and CVSS v4.0 base
metrics.
</p>
<h3><a name="CVSSv40">CVSS v4.0</a></h3>
<p>
The CVSS v4.0 Base Metric Group consists of eleven metrics: Attack Vector, Attack
Complexity, Attack Requirements, Privileges Required, User Interaction, Vulnerable Confidentiality Impact,
Vulnerable Integrity Impact, Vulnerable Availability Impact, Subsequent Confidentiality Impact,
Subsequent Integrity Impact, and Subsequent Availability Impact. Values selected for each of these metrics
are used to derive the CVSS v4.0 resulting severity score. See the CVSS v4.0 Specification
Document for more detailed information. Assessment of CVSS submissions is done by
comparing each individual metric value provided by the submitting CNA to the metric
values associated by an NVD enrichment team member. CNAs must submit CVSS
v4.0 vector strings that include at least one value for each base metric.
</p>
<p>
CVSS v4.0 Specification:&nbsp; <a href="https://www.first.org/cvss/v4.0/specification-document" class="external">https://www.first.org/cvss/v4.0/specification-document</a>
</p>
<p>
When both the NVD enrichment and the CNA provide an identical metric value, a match is
assessed which positively affects the acceptance level of the CNA for this submission
category. When the NVD enrichment and the CNA do not provide an identical metric value this
is considered a mismatch and will negatively affect the acceptance level of the CNA for
this submission category.
</p>
<p>
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS
v4.0 submission category information. Acceptance level of the CNA is ultimately determined
based on their acceptance level match percentage. The acceptance level match percentage will
be calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD
enrichment metric combinations, divided by the total number of NVD enrichment metric combinations (320).
</p>
<table align="center" border="1" cellpadding="0" cellspacing="0" class="table table-striped table-bordered detail-table" style="width:625px;" width="625">
<tbody>
<tr>
<td style="width:104px;height:19px;">Total</td>
<td style="width:174px;height:19px;">Reference</td>
<td style="width:174px;height:19px;">Contributor</td>
<td style="width:174px;height:19px;">Provider</td>
</tr>
<tr>
<td style="width:104px;height:18px;">
<strong>320</strong>
</td>
<td style="width:174px;height:18px;">&lt; 224 (&lt; 70%)</td>
<td style="width:174px;height:18px;">&gt;= 224 (&gt;= 70%)</td>
<td style="width:174px;height:18px;">&gt;= 304 (&gt;= 95%)</td>
</tr>
</tbody>
</table>
<h3><a name="CVSSv31">CVSS v3.1</a></h3>
<p>
The CVSS v3.1 Base Metric Group consists of eight metrics: Attack Vector, Attack
Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact,
Integrity Impact, and Availability Impact. Values selected for each of these metrics
are used to compute the CVSS v3.1 Base Metric score. See the CVSS v3.1 Specification
Document for more detailed information. Assessment of CVSS submissions is done by
comparing each individual metric value provided by the submitting CNA to the metric
values associated by an NVD enrichment team member. CNAs must submit CVSS
v3.1 vector strings that include at least one value for each base metric group.
</p>
<p>
CVSS v3.1 Specification:&nbsp; <a href="https://www.first.org/cvss/v3.1/specification-document" class="external">https://www.first.org/cvss/v3.1/specification-document</a>
</p>
<p>
When both the NVD enrichment and the CNA provide an identical metric value, a match is
assessed which positively affects the acceptance level of the CNA for this submission
category. When the NVD enrichment and the CNA do not provide an identical metric value this
is considered a mismatch and will negatively affect the acceptance level of the CNA for
this submission category.
</p>
<p>
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS
v3.1 submission category information. Acceptance level of the CNA is ultimately determined
based on their acceptance level match percentage. The acceptance level match percentage will
be calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD
enrichment metric combinations, divided by the total number of NVD enrichment metric combinations (320).
</p>
<table align="center" border="1" cellpadding="0" cellspacing="0" class="table table-striped table-bordered detail-table" style="width:625px;" width="625">
<tbody>
<tr>
<td style="width:104px;height:19px;">Total</td>
<td style="width:174px;height:19px;">Reference</td>
<td style="width:174px;height:19px;">Contributor</td>
<td style="width:174px;height:19px;">Provider</td>
</tr>
<tr>
<td style="width:104px;height:18px;">
<strong>320</strong>
</td>
<td style="width:174px;height:18px;">&lt; 224 (&lt; 70%)</td>
<td style="width:174px;height:18px;">&gt;= 224 (&gt;= 70%)</td>
<td style="width:174px;height:18px;">&gt;= 304 (&gt;= 95%)</td>
</tr>
</tbody>
</table>
<h3><a name="CVSSv2">CVSS v2.0</a></h3>
<p>
The CVSS v2.0 Base Metric Group consists of six metrics: Access Vector, Access Complexity,
Authentication, Confidentiality Impact, Integrity Impact, and Availability Impact. Values
selected for each of these metrics are used to compute the CVSS v2.0 Base Metric score. See
the CVSS Version 2.0 specification for more detailed information. Assessment of CVSS submission
alignment is done by comparing each individual metric value provided by the submitting CNA to
the metric values associated by NVD enrichment team members.
CNAs must submit CVSS v2.0 vector strings that include at least one value for each base metric group.
</p>
<p>
CVSS v2.0 Specification: <a href="https://www.first.org/cvss/v2/guide" class="external">https://www.first.org/cvss/v2/guide</a>
</p>
<p>
When both the NVD enrichment and the CNA provide an identical metric value, a match is assessed
which positively affects the acceptance level of the CNA for this submission category. When
the NVD enrichment and the CNA do not provide an identical metric value this is considered a mismatch
and will negatively affect the acceptance level of the CNA for this submission category.
</p>
<p>
Assessment is performed using the last 40 CVEs with submissions or updates to the CVSS v2.0
submission category information. Acceptance level of the CNA is ultimately determined based
on their acceptance level match percentage. The acceptance level match percentage will be
calculated by taking the number of CNA CVE-to-CVSS metric combinations that match the NVD
enrichment metric combinations, divided by the total number of NVD enrichment metric combinations (240).
</p>
<br>
<table align="center" border="1" cellpadding="0" cellspacing="0" class="table table-striped table-bordered detail-table" style="width:629px;" width="629">
<tbody>
<tr>
<td style="width:105px;height:18px;">Total</td>
<td style="width:175px;height:18px;">Reference</td>
<td style="width:175px;height:18px;">Contributor</td>
<td style="width:175px;height:18px;">Provider</td>
</tr>
<tr>
<td style="width:105px;height:17px;">
<strong>240</strong>
</td>
<td style="width:175px;height:17px;">&lt; 168 (&lt; 70%)</td>
<td style="width:175px;height:17px;">&gt;= 168 (&gt;= 70%)</td>
<td style="width:175px;height:17px;">&gt;= 228 (&gt;= 95%)</td>
</tr>
</tbody>
</table>
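<p>
The per-metric comparison described in the CVSS sections, as an added example in Python (not NVD code).
It covers CVSS v3.1 and v2.0 only, whose eight and six base metrics over 40 CVEs give the 320 and 240
totals in the tables above; the function names and sample vectors are constructed for illustration.
</p>

```python
# Added example (not NVD code): per-metric CVSS comparison as described above.
# All vector pairs below are constructed.

BASE_METRICS = {
    "3.1": ("AV", "AC", "PR", "UI", "S", "C", "I", "A"),  # eight metrics
    "2.0": ("AV", "AC", "Au", "C", "I", "A"),             # six metrics
}
WINDOW = 40  # assessment uses the last 40 CVEs


def parse_base_metrics(vector, version):
    """Return {metric: value} for the base metrics of a vector string.

    Raises ValueError if the version prefix is wrong, a component is
    malformed or repeated, or any base metric is missing.
    """
    parts = vector.strip().split("/")
    if parts[0].startswith("CVSS:"):
        if parts[0] != "CVSS:" + version:
            raise ValueError(f"expected CVSS:{version}, got {parts[0]}")
        parts = parts[1:]
    elif version != "2.0":  # v2.0 vector strings carry no version prefix
        raise ValueError(f"missing CVSS:{version} prefix")
    values = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or not name or not value or name in values:
            raise ValueError(f"bad or repeated component: {part!r}")
        values[name] = value
    missing = [m for m in BASE_METRICS[version] if m not in values]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    # Temporal or environmental metrics are not part of the comparison.
    return {m: values[m] for m in BASE_METRICS[version]}


def compare(nvd_vector, cna_vector, version):
    """Return (matches, total, differing_metric_names) for one CVE."""
    nvd = parse_base_metrics(nvd_vector, version)
    cna = parse_base_metrics(cna_vector, version)
    differing = [m for m in BASE_METRICS[version] if nvd[m] != cna[m]]
    return len(nvd) - len(differing), len(nvd), differing


def acceptance_level(matches, total):
    """Map a match count to the 70% / 95% thresholds in the tables above."""
    if total == 0:
        return None  # nothing assessable in the window
    if matches * 100 >= 95 * total:
        return "Provider"
    if matches * 100 >= 70 * total:
        return "Contributor"
    return "Reference"


def summarize(pairs, version):
    """pairs: oldest-first list of (nvd_vector, cna_vector) strings."""
    matches = total = 0
    for nvd_vector, cna_vector in pairs[-WINDOW:]:
        m, t, _ = compare(nvd_vector, cna_vector, version)
        matches += m
        total += t
    return matches, total, acceptance_level(matches, total)


# Constructed v3.1 window: 30 identical pairs, 10 pairs differing in PR and S.
NVD31 = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
CNA31_DIFF = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
SAMPLE_V31 = [(NVD31, NVD31)] * 30 + [(NVD31, CNA31_DIFF)] * 10

# Constructed v2.0 window: 38 identical pairs, 2 pairs differing in Au.
NVD2 = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
CNA2_DIFF = "AV:N/AC:L/Au:S/C:P/I:P/A:P"
SAMPLE_V2 = [(NVD2, NVD2)] * 38 + [(NVD2, CNA2_DIFF)] * 2

if __name__ == "__main__":
    for label, pairs, version in (("v3.1", SAMPLE_V31, "3.1"),
                                  ("v2.0", SAMPLE_V2, "2.0")):
        m, t, level = summarize(pairs, version)
        print(f"CVSS {label}: {m}/{t} -> {level}")
```

<p>
In the v3.1 sample, two differing metrics on ten of the forty CVEs leave the count at 300 of 320, just
under the 304 needed for Provider.
</p>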
</div>
<div class="col-md-12 historical-data-area" id="historical-data-area">
<span>
Created
<span id="page-created-date">
<span>September 20, 2022</span>
</span>,
</span>
Updated
<span id="page-updated-date">
<span>August 27, 2024</span>
</span>
</div>
</div>
</div>
</div>
</main>
</body>
</html>