NVD vs CNAs: Vulnerability scoring divergence can cut model accuracy by 40%
Models trained on NVD data fail on CNA data—accuracy drops by 40%...
Researchers from Vrije Universiteit Amsterdam and University of Luxembourg have published a comprehensive study on the divergence of Common Vulnerability Scoring System (CVSS) metrics between the National Vulnerability Database (NVD) and individual CVE Numbering Authorities (CNAs). The paper, titled "The Cathedral and the Bazaar of Software Vulnerabilities," examines both cross-source and self-divergence (where the same CNA rates identical CVE descriptions differently). Key metrics where divergence occurs most frequently include Attack Complexity, User Interaction, and Impact.
The authors conducted a qualitative study by interviewing NVD and CNA representatives and discussed findings at the CVSS Special Interest Group of FIRST. While some divergence stems from human error, much of it is intentional—different assessors have valid reasons for varying scores. The good news is that consistency has improved since 2025. However, the critical warning for practitioners is that machine learning models trained on one source (e.g., the full NVD dataset) do not reliably generalize to another (e.g., a CNA's dataset), with accuracy dropping by up to 40%. This has major implications for vulnerability prioritization and automated security tools that rely on historical CVSS data.
- Divergence in CVSS metrics is widespread across NVD and CNAs, especially in Attack Complexity, User Interaction, and Impact.
- Models trained on NVD data experience up to 40% accuracy loss when applied to CNA datasets.
- The situation has been improving since 2025, but industry-wide changes in CVE generation and scoring are still needed.
Why It Matters
Security teams relying on historical vulnerability data for prioritization may get misleading signals due to inconsistent scoring sources.