The Cathedral and the Bazaar of Software Vulnerabilities: From the NVD to the CNAs

· Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Cybersecurity & Data Privacy, Data Science & Analytics, Artificial Intelligence & Machine Learning · Depth: Expert, extended

Summary

The paper systematically analyzes divergence in Common Vulnerability Scoring System (CVSS) metrics between the National Vulnerability Database (NVD) and various CVE Numbering Authorities (CNAs). It finds that 73% of public CNAs (pairwise setting) and 48% (consumer-view) exhibit at least one metric-level divergence from the NVD. Key metrics like Attack Complexity, User Interaction, and Impact are major sources of disagreement. The study, covering 1999-2025 data, identifies eight root causes, including information asymmetry, risk modeling differences, and ambiguity in CVSS specifications. Post-2025 data shows a significant reduction in divergence, with only 16% of CNAs having a median vector disagreement of at least 1, attributed to improved description quality. This inconsistency impacts downstream research and machine learning models, causing accuracy drops of up to 40%.

Key takeaway

For MLOps Engineers building vulnerability prediction systems, you must account for significant CVSS score divergence between NVD and CNAs. Models trained on a single source may see accuracy drops up to 40% when applied to another. Implement explicit source-aware data integration and filtering policies, especially for short descriptions or ambiguous metrics like Attack Complexity, to ensure reliable vulnerability prioritization and avoid propagating inconsistencies into your security posture tools.

Key insights

Divergence in CVSS scores between NVD and CNAs is widespread but improving, impacting vulnerability prioritization and ML model reliability.

Principles

Method

The study quantifies external divergence (CNA vs. NVD) and self-divergence (within a CNA) using Hamming distance and odds ratios, augmented by qualitative interviews with NVD and CNA representatives.

In practice

Topics

Best for: AI Engineer, Machine Learning Engineer, Research Scientist, AI Scientist, AI Security Engineer, MLOps Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.