Common Vulnerability Scoring System (CVSS) Requirements

  • CVSS.R.1 The product's documentation (printed or electronic) must state that it uses CVSS and explain relevant details to the users of the product. If external CVSS data is imported into the product, the documentation must state the source.
  • The vendor shall provide documentation and/or procedures that explain how to view software flaws and associated CVSS base scores within the product output.
  • The vendor shall provide documentation and/or procedures that explain how to view the CVSS vector string for all software flaws in the product that have CVSS base scores.
  • The vendor will provide documentation explaining how users can refine CVSS base scores to produce CVSS temporal scores for each CVSS base score provided by the product. Alternatively, the vendor will provide documentation stating that they directly provide temporal scores for the user. A product may use a combination of both approaches.

...

A general overview of CVSS, and of how Security Analysis leverages this standard, can be found here.

CVSS + CVE Requirements

  • The vendor shall provide documentation explaining where the NVD CVSS base scores and vector strings can be located with the corresponding CVE ID.15 The vendor may optionally provide the tester information on how the product can be updated with new NVD CVSS base scores and vector strings prior to testing.