Secunia Research inception of CVSS3 scoring
Software Vulnerability Research and the SVM solutions introduced CVSS3 scoring following the inception of CVSS3 scoring by the Secunia Research team at Flexera.
This change was made for the following product: Software Vulnerability Manager
Implementation Date: May 18th, 2018
In addition to our own Secunia advisory criticality rating, Flexera scores vulnerability advisories using the industry-standard Common Vulnerability Scoring System (CVSS).
Previously, this was done using the version 2.0 standard. On 5/18/2018, Secunia Research at Flexera began using the newer version 3.0 standard.
Older scores have not been updated retroactively. All new advisories issued after this date are tracked using CVSS v3.0.
This was implemented in two phases. First, on 4/25, we introduced updates to Software Vulnerability Manager so that it is capable of handling CVSS v3.0.
Second, on 5/18, Secunia Research began recording CVSS scores using the version 3.0 standard.
In the User Interface
Flexera now identifies v3.0 scores by indicating "v3" alongside the score in green.
In the API
All API calls returning CVSS data began returning a second set of values for CVSS v3.0, so that CVSS v2.0 and CVSS v3.0 scores can be told apart.
After the inception of CVSS v3.0 scores, the previous CVSS value was replaced with a blank (-eq $Null), so the value that should be tracked going forward is CVSS v3.0.
The label CVSS Score represents CVSS v2.0 (it was not renamed to avoid breaking existing scripts).
New CVSS 3.0 values are now represented as cvss3_score.
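The following is an added example, not Flexera's code, showing how a script that consumes this API data can select whichever score is populated, and how a script that still reads only the v2.0 field silently stops matching new advisories. The key name cvss_score for the "CVSS Score" label, the advisory identifiers and the sample records are assumptions constructed for illustration; cvss3_score is the key named above.

```python
import json

# Constructed sample records, not real SVM output. "cvss_score" is an assumed
# key for the v2.0 "CVSS Score" label; "cvss3_score" is the key named above.
SAMPLE = json.loads("""[
  {"advisory": "SA-EXAMPLE-1", "cvss_score": 7.5,  "cvss3_score": null},
  {"advisory": "SA-EXAMPLE-2", "cvss_score": null, "cvss3_score": 9.8},
  {"advisory": "SA-EXAMPLE-3", "cvss_score": "",   "cvss3_score": "5.3"},
  {"advisory": "SA-EXAMPLE-4", "cvss_score": null, "cvss3_score": null}
]""")

def _to_float(value):
    """Return a float, or None for null, blank or non-numeric values."""
    if value is None or (isinstance(value, str) and not value.strip()):
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None

def effective_score(record):
    """Pick the score that is populated: v3.0 first, then legacy v2.0."""
    v3 = _to_float(record.get("cvss3_score"))
    if v3 is not None:
        return ("3.0", v3)
    v2 = _to_float(record.get("cvss_score"))
    if v2 is not None:
        return ("2.0", v2)
    return (None, None)

def triage(records, threshold=7.0):
    """Split advisories into at/above threshold, below, and unscored."""
    result = {"high": [], "below": [], "unscored": []}
    for rec in records:
        version, score = effective_score(rec)
        if score is None:
            result["unscored"].append(rec["advisory"])  # never drop silently
        elif score >= threshold:
            result["high"].append((rec["advisory"], version, score))
        else:
            result["below"].append((rec["advisory"], version, score))
    return result

def naive_v2_filter(records, threshold=7.0):
    """What a pre-change script does: reads only the v2.0 field."""
    return [r["advisory"] for r in records
            if (_to_float(r.get("cvss_score")) or 0.0) >= threshold]
```

The same threshold is applied to both versions here for brevity; v2.0 and v3.0 scores are calculated differently, so keep the version alongside the score when reporting.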
In the XML
A change to the schema was necessary to add specific values for CVSS v3.0 scores. As with the JSON API values above, we added a cvss3 label to distinguish v3.0 scores. If any scripts or processes consuming this data parse this information, this may be a breaking change for them.
In Email Notifications
Emails will contain both v2.0 and v3.0 labels. The v3.0 value will be empty until we begin adding v3.0 scores; at that time, the v2.0 value will become empty.
In PDF reports
PDF reports containing CVSS values will show CVSS v2.0 (displayed as CVSS) or CVSS v3.0 (displayed as CVSS3) as appropriate.
For more on CVSS see https://nvd.nist.gov/vuln-metrics/cvss