The CVE Numbering Authority Distribution Score (NADS) is a metric designed to evaluate the quality of CVE disclosures
among current CNAs (CVE Numbering Authorities) for a given year. A NADS score is calculated for each publicly disclosed
CVE; the per-CVE scores are then aggregated for each CNA and divided by the number of CVEs that CNA disclosed, giving
the CNA an overall (average) distribution score.
For each qualifying CVE, the NADS score is determined based on the following criteria:
* Readability of Description:
The system uses the Flesch-Kincaid grade level to assess the English description of the CVE.
Scores are awarded based on how readable the text is, with the highest points given for grade levels between
8 and 12 (typical for technical writing). Less readable or overly short/long descriptions receive fewer points
or a penalty.
* Affected Product Details:
Points are added for the presence of vendor, product, platforms, versions, and CPEs (Common Platform
Enumerations) in the affected array of the CVE JSON record. Each attribute present contributes an increment to the
score, rewarding CVEs that state precisely which products and versions are affected.
* CPE Applicability:
If the CVE includes a cpeApplicability field, it receives a score boost, reflecting the value of precise
platform targeting.
* CWE (Common Weakness Enumeration):
If a CWE identifier is present, the score increases. However, if the CWE is on MITRE's list of entries whose
vulnerability-mapping usage is Prohibited or Discouraged (overly broad or generic weaknesses that say little about
the actual root cause), the score is reduced accordingly.
* CVSS Metrics:
The presence of CVSS v3 and/or v4 metrics is highly valued. If both are present, the score increases further.
* References:
The script checks the references array, in particular for entries tagged as vendor advisories, third-party
advisories, and patches. Each reference adds points, with extra credit for advisories and third-party sources.
* Solutions/Remedies:
If the CVE provides a solution or patch, it receives additional points, reflecting the practical value of
remediation information.
* Completeness Bonus:
If the CVE includes all three standards (CWE, CVSS, and CPE), it receives a final bonus.
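The criteria above map directly onto fields of a CVE JSON 5.x record (descriptions, affected, cpeApplicability,
problemTypes, metrics, references, solutions). The following scorer is an added example written for this page, not
the NADS project's own code: it implements each criterion, sums them per CVE and averages per CNA. The point values,
the short/long description thresholds, the cap on counted references, the subset of Discouraged/Prohibited CWEs and
the two sample records (placeholder IDs, not real CVEs) are all assumptions; the page states the criteria but not the
weights.

```python
"""Score CVE JSON 5.x records on the NADS criteria listed on this page. Weights, length
thresholds, the discouraged-CWE subset and the sample records are assumptions for this example."""
import re
from collections import defaultdict

W = {  # assumed point values; the page does not publish them
    "readable_in_range": 10, "readable_out_of_range": 5, "readable_penalty": -5,
    "affected_attr": 2, "cpe_applicability": 5, "cwe": 5, "cwe_discouraged": -5,
    "cvss_one": 10, "cvss_both_extra": 5, "reference": 2, "advisory_extra": 3,
    "patch_extra": 2, "solution": 5, "complete_bonus": 10}
AFFECTED_ATTRS = ("vendor", "product", "platforms", "versions", "cpes")
ADVISORY_TAGS = {"vendor-advisory", "third-party-advisory"}
# Illustrative subset of CWEs MITRE marks Discouraged/Prohibited for mapping; the real list is in the CWE database.
DISCOURAGED_CWES = {"CWE-20", "CWE-119", "CWE-200", "CWE-264", "CWE-284"}

def count_syllables(word):
    """Vowel-group heuristic; adequate for a grade-level estimate."""
    word = word.lower()
    n = len(re.findall(r"[aeiouy]+", word))
    if n > 1 and word.endswith("e") and not word.endswith("le"):
        n -= 1
    return max(1, n)

def flesch_kincaid_grade(text):
    """Standard Flesch-Kincaid grade-level formula; None for empty text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+", text)
    if not sentences or not words:
        return None
    syllables = sum(count_syllables(w) for w in words)
    return 0.39 * len(words) / len(sentences) + 11.8 * syllables / len(words) - 15.59

def score_cve(record):
    """Per-criterion points and total for one CVE record (CVE JSON 5.x layout)."""
    cna = record["containers"]["cna"]
    s = {}
    text = next((d.get("value", "") for d in cna.get("descriptions", [])
                 if d.get("lang", "").lower().startswith("en")), "")
    n_words = len(re.findall(r"[A-Za-z]+", text))
    grade = flesch_kincaid_grade(text)
    if grade is None or n_words < 10 or n_words > 400:  # assumed short/long limits
        s["readability"] = W["readable_penalty"]
    else:
        s["readability"] = W["readable_in_range"] if 8 <= grade <= 12 else W["readable_out_of_range"]
    # one increment per attribute present in any affected[] entry
    present = {a for e in cna.get("affected", []) for a in AFFECTED_ATTRS if e.get(a)}
    s["affected"] = W["affected_attr"] * len(present)
    s["cpe_applicability"] = W["cpe_applicability"] if cna.get("cpeApplicability") else 0
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("cweId")]
    s["cwe"] = (W["cwe"] + (W["cwe_discouraged"] if all(c in DISCOURAGED_CWES for c in cwes) else 0)) if cwes else 0
    metrics = cna.get("metrics", [])
    has_v3 = any("cvssV3_0" in m or "cvssV3_1" in m for m in metrics)
    has_v4 = any("cvssV4_0" in m for m in metrics)
    s["cvss"] = W["cvss_one"] * (has_v3 or has_v4) + W["cvss_both_extra"] * (has_v3 and has_v4)
    refs = cna.get("references", [])
    tags = {t for r in refs for t in r.get("tags", [])}
    s["references"] = (W["reference"] * min(len(refs), 5)  # assumed cap of 5 counted references
                       + W["advisory_extra"] * bool(tags & ADVISORY_TAGS) + W["patch_extra"] * ("patch" in tags))
    s["solutions"] = W["solution"] if cna.get("solutions") else 0
    has_cpe = "cpes" in present or bool(cna.get("cpeApplicability"))
    s["completeness"] = W["complete_bonus"] if cwes and (has_v3 or has_v4) and has_cpe else 0
    s["total"] = sum(s.values())
    return s

def score_cnas(records):
    """Average per-CVE score for each CNA, keyed by cveMetadata.assignerShortName."""
    by_cna = defaultdict(list)
    for rec in records:
        by_cna[rec["cveMetadata"]["assignerShortName"]].append(score_cve(rec)["total"])
    return {name: sum(v) / len(v) for name, v in by_cna.items()}

# Constructed sample records with placeholder IDs (not real CVEs).
CPE = "cpe:2.3:a:example:exampleserver:*:*:*:*:*:*:*:*"
RICH = {"cveMetadata": {"cveId": "CVE-0000-0001", "assignerShortName": "ExampleCNA"},
        "containers": {"cna": {
            "descriptions": [{"lang": "en", "value": (
                "ExampleServer has a stack-based buffer overflow in its HTTP request parser. "
                "A remote attacker can send a crafted Content-Length header to execute arbitrary code.")}],
            "affected": [{"vendor": "Example", "product": "ExampleServer", "platforms": ["Linux"],
                          "versions": [{"version": "0", "status": "affected", "lessThan": "2.4.1"}], "cpes": [CPE]}],
            "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": False,
                                             "cpeMatch": [{"vulnerable": True, "criteria": CPE}]}]}],
            "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121"}]}],
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8}}, {"cvssV4_0": {"version": "4.0"}}],
            "references": [{"url": "https://example.com/advisory/1", "tags": ["vendor-advisory"]},
                           {"url": "https://example.com/commit/abc", "tags": ["patch"]},
                           {"url": "https://example.org/analysis", "tags": ["third-party-advisory"]}],
            "solutions": [{"lang": "en", "value": "Upgrade to ExampleServer 2.4.1 or later."}]}}}
SPARSE = {"cveMetadata": {"cveId": "CVE-0000-0002", "assignerShortName": "ExampleCNA"},
          "containers": {"cna": {
              "descriptions": [{"lang": "en", "value": "Overflow in ExampleServer."}],
              "affected": [{"vendor": "Example", "product": "ExampleServer"}],
              "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20"}]}],
              "references": [{"url": "https://example.com/issues/1"}]}}}

if __name__ == "__main__":
    for rec in (RICH, SPARSE):
        print(rec["cveMetadata"]["cveId"], score_cve(rec))
    print(score_cnas([RICH, SPARSE]))
```

With these assumed weights the rich record scores 71 and the sparse one 1, so ExampleCNA averages 36.0. Every criterion
is a presence check: a CVSS vector that is present but miscalculated, or a CPE that names the wrong product, earns the
same points as a correct one, so the score measures how complete a disclosure is rather than how accurate it is.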