We have seen multiple cases where CVSS evaluation is difficult, or where different parties have differing points of view. We were therefore wondering how to represent multiple CVSS entries for the same CVE record (as it seems the format allows this), but this scenario likely needs to be standardized in some way.
- Should we update the format BCP to include this use case?
- Should we explain it in BCP-02?