The Cathedral and the Bazaar of Software Vulnerabilities: From the NVD to the CNAs
Summary
The paper systematically analyzes divergence in Common Vulnerability Scoring System (CVSS) metrics between the National Vulnerability Database (NVD) and various CVE Numbering Authorities (CNAs). It finds that 73% of public CNAs (pairwise setting) and 48% (consumer-view) exhibit at least one metric-level divergence from the NVD. Key metrics like Attack Complexity, User Interaction, and Impact are major sources of disagreement. The study, covering 1999-2025 data, identifies eight root causes, including information asymmetry, risk modeling differences, and ambiguity in CVSS specifications. Post-2025 data shows a significant reduction in divergence, with only 16% of CNAs having a median vector disagreement of at least 1, attributed to improved description quality. This inconsistency impacts downstream research and machine learning models, causing accuracy drops of up to 40%.
Key takeaway
For MLOps Engineers building vulnerability prediction systems, you must account for significant CVSS score divergence between NVD and CNAs. Models trained on a single source may see accuracy drops up to 40% when applied to another. Implement explicit source-aware data integration and filtering policies, especially for short descriptions or ambiguous metrics like Attack Complexity, to ensure reliable vulnerability prioritization and avoid propagating inconsistencies into your security posture tools.
Key insights
Divergence in CVSS scores between NVD and CNAs is widespread but improving, impacting vulnerability prioritization and ML model reliability.
Principles
- CVSS divergence is common across 73% of CNAs.
- Attack Complexity, User Interaction, and Impact metrics diverge most.
- CNA-first assessments increase disagreement likelihood.
Method
The study quantifies external divergence (CNA vs. NVD) and self-divergence (within a CNA) using Hamming distance and odds ratios, augmented by qualitative interviews with NVD and CNA representatives.
In practice
- Integrate multiple CVSS sources with source-aware policies.
- Filter short CVE descriptions for better model robustness.
- Prioritize vulnerabilities using odds ratios for consistency.
Topics
- Vulnerability Management
- CVSS Scoring
- National Vulnerability Database
- CVE Numbering Authorities
- Vulnerability Prioritization
- Machine Learning Reliability
- Cybersecurity Data Quality
Best for: AI Engineer, Machine Learning Engineer, Research Scientist, AI Scientist, AI Security Engineer, MLOps Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.