
Why Would the CVSS Scores In Mend Be Different from the NVD?

CVSS Score Prioritization

  1. MITRE

  2. NVD

  3. Mend.io

MITRE and NVD

The two main sources for CVSS scores are MITRE and the NVD, with MITRE taking precedence.

In other words, if Mend.io uses an NVD-issued CVSS score for a vulnerability and MITRE later issues a different CVSS score for the same vulnerability, the NVD score is discarded and the MITRE score is propagated to all Mend.io products.

Mend.io and NVD

Assuming MITRE has not issued a CVSS score:

If the CVE is set as "Reserved" in the NVD, the vulnerability ID has been created and associated, but its details are not shown publicly in the NVD. In this case, the CVSS score is Mend.io's own score, defined by the Mend.io security team's metrics.

Lastly, when the NVD officially publishes its score, the CVSS score/severity in the various Mend.io products is replaced with the one from the NVD site.
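
The precedence described above, replayed as a timeline of score events. This is an added example, not Mend.io code; the event model, the scores and the placeholder CVE ID are constructed for illustration.

```python
# Added example: replays score events under the precedence stated on this page.
# Source names come from the page; the event model and CVE ID are constructed.
PRECEDENCE = ("MITRE", "NVD", "Mend.io")  # highest priority first


def effective(known):
    """Return (source, score) for the highest-priority source with a score."""
    for source in PRECEDENCE:
        if source in known:
            return source, known[source]
    return None


def replay(events):
    """Apply (source, score) events in order.

    Returns each distinct effective (source, score) in the order it took
    effect, i.e. what a Mend.io product would have shown over time.
    """
    known, history = {}, []
    for source, score in events:
        if source not in PRECEDENCE:
            raise ValueError(f"unknown score source: {source}")
        known[source] = score
        current = effective(known)
        if not history or history[-1] != current:
            history.append(current)
    return history


def nvd_mismatch(known):
    """Explain why the shown score differs from the NVD's, or return None."""
    shown = effective(known)
    if shown is None or shown[0] == "NVD":
        return None
    if "NVD" not in known:
        return f"NVD has no published score; showing {shown[0]} score {shown[1]}"
    if shown[1] == known["NVD"]:
        return None
    return f"{shown[0]} score {shown[1]} overrides NVD score {known['NVD']}"


# Constructed timeline for a placeholder ID (CVE-0000-00000): reserved in the
# NVD at first, then published by the NVD, then scored differently by MITRE.
TIMELINE = [("Mend.io", 7.5), ("NVD", 9.8), ("MITRE", 8.1)]

if __name__ == "__main__":
    for source, score in replay(TIMELINE):
        print(f"effective score {score} from {source}")
    print(nvd_mismatch(dict(TIMELINE)))
```

When reconciling a finding against the NVD listing, `nvd_mismatch` gives the reason to record in the triage note: either the NVD has not published a score yet, or a MITRE score has overridden it.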

Further reading about CVSS scores in Mend.io products can be found here.
