How They Disagree

The disagreement between NVD and GitHub Advisory is not random noise. It follows systematic patterns across individual CVSS metrics and exhibits persistent directional bias.

Strongest directional bias: When NVD and GitHub disagree on , assigns the more severe value of the time. This is systematic, not noise.

Per-metric disagreement rate

Directional bias over time

When NVD and GitHub disagree, which one tends to assign the higher score? The answer has shifted over time.

CVEs cross severity band boundaries — a High in one source is a Medium or Critical in the other.

Each dot is a CVE scored by both NVD and GitHub. Red dots cross a severity boundary. Gray dots disagree on score but stay within the same band. Shaded zones mark where sources assign different severity levels.
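The comparison described above, as an added example that is not code from the original page: it diffs two CVSS v3 base vectors metric by metric, records which source assigned the more severe value, and separates band-crossing CVEs from same-band score disagreements. The sample IDs, vectors and scores are constructed; the metric orderings and band thresholds follow the CVSS v3.x specification.

```python
from collections import Counter

# CVSS v3.x base metric values, ordered least -> most severe.
ORDER = {"AV": "PLAN", "AC": "HL", "PR": "HLN", "UI": "RN",
         "S": "UC", "C": "NLH", "I": "NLH", "A": "NLH"}

def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/...' into {'AV': 'N', ...}."""
    prefix, *parts = vector.split("/")
    metrics = dict(p.split(":", 1) for p in parts)
    if not prefix.startswith("CVSS:3.") or ORDER.keys() - metrics.keys():
        raise ValueError(f"not a complete CVSS v3 base vector: {vector!r}")
    return metrics

def band(score):
    """CVSS v3.x qualitative severity rating for a base score."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return name
    return "None"

def compare(records):
    """Return (per-metric direction counts, band-crossing CVEs, same-band CVEs)."""
    more_severe = Counter()  # (metric, source with the more severe value) -> count
    crossed, same_band = [], []
    for cve, (nvd_vec, nvd_score), (gh_vec, gh_score) in records:
        nvd, gh = parse_vector(nvd_vec), parse_vector(gh_vec)
        for m, order in ORDER.items():
            if nvd[m] != gh[m]:
                src = "NVD" if order.index(nvd[m]) > order.index(gh[m]) else "GitHub"
                more_severe[(m, src)] += 1
        if nvd_score != gh_score:
            (crossed if band(nvd_score) != band(gh_score) else same_band).append(cve)
    return more_severe, crossed, same_band

# Constructed sample pairs: (id, (NVD vector, score), (GitHub vector, score)).
SAMPLE = [
    ("EXAMPLE-1", ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8),
                  ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 8.8)),
    ("EXAMPLE-2", ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5),
                  ("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", 5.9)),
    ("EXAMPLE-3", ("CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", 5.4),
                  ("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1)),
    ("EXAMPLE-4", ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 7.5),
                  ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 7.5)),
]

if __name__ == "__main__":
    print(compare(SAMPLE))
```

EXAMPLE-1 and EXAMPLE-2 are the "red dots" (Critical vs High, High vs Medium); EXAMPLE-3 is a "gray dot" that differs on Privileges Required but stays Medium in both sources.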