Common Vulnerability Scoring System (CVSS) Requirements
- The product's documentation (printed or electronic) must state that it uses CVSS and explain relevant details to the users of the product. If external CVSS data is imported into the product, the documentation must state the source.
...
- The vendor will provide documentation explaining how users can customize CVSS base scores to produce CVSS environmental scores for each CVSS base score provided by the product.
CVSS + CVE Requirements
- The vendor shall provide documentation explaining where the NVD CVSS base scores and vector strings can be located with the corresponding CVE ID.15 The vendor may optionally provide the tester information on how the product can be updated with new NVD CVSS base scores and vector strings prior to testing.