...
CVSS.R.1
The product's documentation (printed or electronic) must state that it uses CVSS and explain relevant details to the users of the product. If external CVSS data is imported into the product, the documentation must state the source.
General overview of CVSS and how Security Analysis leverages this standard can be found here.