Score rule: CVSS explains technical severity. It does not prove exposure, exploitation, asset criticality, patch urgency, or business priority. Preserve the score caveat and make the action decision from the full evidence set.
Disputed CVSS Guidance
A score disagreement is a validation task, not a decision by itself.
Use this guide when NVD, a vendor, scanner, distribution, cloud provider, or internal team scores the same issue differently.
Triage Lens
Treat each score as a claim with assumptions.
Compare vectors
Do not compare only the final number. Compare attack vector, privileges required, user interaction, scope, and impact assumptions.
Prefer context
Vendor, distro, cloud, or appliance guidance may know product-specific deployment constraints that a generic score does not.
Separate priority
A lower base score can still be urgent when the asset is exposed, exploited, business-critical, or has no safe workaround.
Record caveats
Document which score is used, which scores disagree, why the decision stands, and what would trigger review.
Workflow
Resolve score disputes without flattening the evidence.
1. Collect each source
Capture NVD, vendor, scanner, distro, cloud, exploit database, and internal scores with dates and links.
2. Compare assumptions
Check whether the disagreement comes from deployment model, required privileges, user interaction, scope, or impact interpretation.
3. Validate product guidance
Confirm whether the affected product, edition, feature, platform, configuration, or backport changes applicability.
4. Keep priority separate
Use exposure, active exploitation, asset role, patch availability, compensating controls, and operational risk to choose urgency.
5. Choose the action lane
Patch, mitigate, monitor, escalate, or investigate based on current evidence rather than whichever score is loudest.
6. Set review triggers
Reopen the decision if NVD updates the vector, vendor guidance changes, exploit evidence appears, or asset exposure changes.
Common Disputes
Where CVSS disagreements usually come from.
Network vs local
One source assumes remote reachability while another assumes local access, appliance adjacency, or authenticated management access.
Privileges required
Sources may disagree on whether default credentials, low-privilege accounts, or prior compromise are needed.
User interaction
Client-side, document, browser, and social-engineering paths often shift score assumptions and response owners.
Scope and impact
Chained behavior, sandbox escape, tenant isolation, or appliance control-plane impact can change the score story.
Vendor lowers score
A vendor may account for disabled-by-default features, supported configurations, mitigations, or narrower affected builds.
NVD changes later
Treat score updates as new evidence. Update the record, explain the change, and revisit priority if the action lane depended on it.
Copy Template
Disputed CVSS note
CVSS dispute: NVD lists [score/vector], while [vendor/source] lists [score/vector]. We are using [selected score/source] for severity context because [reason]. Priority is [lane/timeline] based on exposure, exploitation evidence, asset criticality, patch/mitigation availability, and source confidence. Review if [trigger].
Recommended next move: calculate or compare the vector, validate trust and evidence, then move the item into a decision or remediation workflow.