The Consensus Engine
Two authorities score the same vulnerability.
They disagree
of
the time.
When NVD and GitHub Advisory both assign a CVSS score to the same CVE, their scores differ more often than they agree — and the disagreement isn't random. It follows predictable patterns across vulnerability types, scoring organizations, and individual CVSS metrics.
of dual-scored CVEs conflict
CVEs cross severity band boundaries
average score gap
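How the three figures above can be computed from dual-scored records, as an added example that is not the project's own code. The records and placeholder CVE IDs are constructed, and two definitions are assumptions: a pair "conflicts" when the base scores differ, and the average gap is taken over conflicting pairs only.

```python
from collections import Counter

# Constructed sample: (placeholder id, NVD (score, vector), GHSA (score, vector)).
SAMPLE = [
    ("CVE-0000-0001", (9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
                      (8.8, "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H")),
    ("CVE-0000-0002", (7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
                      (7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H")),
    ("CVE-0000-0003", (6.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
                      (5.4, "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N")),
]

def band(score):
    """CVSS v3.x qualitative severity rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    if score == 0.0:
        return "None"
    for upper, name in ((3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return name
    return "Critical"

def metrics(vector):
    """Split a CVSS v3 vector string into {metric: value}."""
    prefix, *parts = vector.split("/")
    if not prefix.startswith("CVSS:3"):
        raise ValueError(f"not a CVSS v3 vector: {vector}")
    return dict(p.split(":", 1) for p in parts)

def compare(nvd, ghsa):
    """Score gap, band crossing and differing metrics for one CVE."""
    (s1, v1), (s2, v2) = nvd, ghsa
    m1, m2 = metrics(v1), metrics(v2)
    differing = sorted(k for k in m1.keys() | m2.keys() if m1.get(k) != m2.get(k))
    return {"gap": round(abs(s1 - s2), 1), "crossed": band(s1) != band(s2),
            "metrics": differing}

def summarize(records):
    results = [compare(nvd, ghsa) for _, nvd, ghsa in records]
    conflicts = [r for r in results if r["gap"] > 0]  # assumed definition
    return {
        "conflict_rate": len(conflicts) / len(results),
        "band_crossings": sum(r["crossed"] for r in conflicts),
        "avg_gap": sum(r["gap"] for r in conflicts) / len(conflicts) if conflicts else 0.0,
        "metric_counts": Counter(m for r in conflicts for m in r["metrics"]),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In this sample both conflicts come from a single metric, Privileges Required, and only one of them moves the CVE across a severity band.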
The problem is growing.