Interesting! I do think NVD’s approach makes sense in some ways. NVD is useful for long-term and longitudinal studies of CVE trends. To achieve this, the scores should be as consistent as possible. Curl is probably an outlier in their intellectually honest treatment of vulnerabilities, with commercial software vendors potentially downplaying severity.

I’m not sure I agree with the specific CVE example, though. Admittedly without any context, isn’t the short window not material if the adversary can reproduce the vulnerability locally and find an input to exploit it? Processing by curl server side would usually be non-interactive to the client.