As of the release of VINCE in May 2020, we are no longer providing Common Vulnerability Scoring System (CVSS) scores. Many older Vulnerability Notes include CVSSv2 vectors and scores. For those Vulnerability Notes, the following guidance applies.
CVSS metrics appear in vulnerability notes published after March 27, 2012. We score Temporal metrics using information available at the time the vulnerability note is first published. Temporal metric information may or may not be updated after initial publication. We score Environmental metrics with a broad scope, typically some approximation of the whole internet. To use CVSS effectively, it is important to calculate your own current and specific Temporal and Environmental metrics. For vulnerability notes that cover more than one vulnerability (e.g., multiple CVE IDs), the CVSS metrics will apply to the vulnerability with the highest CVSS base metric.
Reasons for our decision to stop using CVSS can be found in "Towards Improving CVSS" and "Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization."
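For older Vulnerability Notes that carry a CVSSv2 vector, the local re-scoring recommended above can be done as in the following added example, which is not CERT/CC code. It applies the CVSS v2.0 specification's equations and weights; the function names and the sample vector are constructed for illustration.

```python
# Weights and equations follow the CVSS v2.0 specification.
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": REQ, "IR": REQ, "AR": REQ,
}

def parse(vector):
    metrics = dict(part.split(":") for part in vector.split("/") if part)
    for key, value in metrics.items():
        if value not in W.get(key, {}):
            raise ValueError(f"invalid CVSSv2 metric {key}:{value}")
    return metrics

def r1(x):
    return round(x + 1e-9, 1)  # epsilon keeps x.x5 from rounding down in floats

def w(m, key):
    return W[key][m.get(key, "ND")]  # unset Temporal/Environmental = Not Defined

def base(m, adjusted=False):
    req = (lambda k: w(m, k)) if adjusted else (lambda k: 1.0)
    imp = 10.41 * (1 - (1 - w(m, "C") * req("CR")) * (1 - w(m, "I") * req("IR"))
                   * (1 - w(m, "A") * req("AR")))
    imp = min(10.0, imp) if adjusted else imp  # AdjustedImpact is capped at 10
    expl = 20 * w(m, "AV") * w(m, "AC") * w(m, "Au")
    return r1((0.6 * imp + 0.4 * expl - 1.5) * (1.176 if imp else 0.0))

def temporal(m, adjusted=False):
    return r1(base(m, adjusted) * w(m, "E") * w(m, "RL") * w(m, "RC"))

def environmental(m):
    at = temporal(m, adjusted=True)  # temporal score over the adjusted base
    return r1((at + (10 - at) * w(m, "CDP")) * w(m, "TD"))

def rescore(note_vector, local=""):
    m = {**parse(note_vector), **parse(local)}  # local values override the note's
    return base(m), temporal(m), environmental(m)

# Constructed sample vector, not taken from any Vulnerability Note.
NOTE = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:H/CR:ND/IR:ND/AR:ND"
```

`rescore(NOTE, "CDP:H/TD:H/CR:M/IR:M/AR:H")` returns the base, temporal and environmental scores for a site where availability matters and most systems are affected; `rescore(NOTE, "TD:L")` shows how far the environmental score drops when few local systems are exposed.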
References are a collection of relevant URLs. We attempt to list original source material first, and sometimes include references to high quality second-hand material as well.
Unless otherwise requested, we acknowledge individuals and organizations who report vulnerabilities to us. This section identifies who initially reported the vulnerability, anyone who was instrumental in the development of the Vulnerability Note or assisted significantly in the coordinated vulnerability disclosure process, and the primary author of the Vulnerability Note.
Other information included in a vulnerability note.