Suggestion: Look for 'vendor-advisory' tag in additon to 'patch'

[MrMegaZone]

The scoring information for Patch Information says "What it is: Direct links to patches, fixes, or official vendor advisories that provide remediation guidance."

However, looking into the technical details you're only looking for 'patch' in the tags - when there is a 'vendor-advisory' tag as well. (And possibly the 'mitigation' would also fall under the category of 'fixes'.)

I dug into this because we, as a CNA, have always included our Security Advisory link, and tagged it as 'vendor-advisory', but we get a 0% score in this section. I was confused until I dug into the technical details and realized what is being matched is much narrower than the description.

For now I suppose we can add the 'patch' tag every time as well, but I do think the matching logic should better reflect the way it is described.

[jgamblin]

Thanks for the thoughtful feedback, and for digging into the technical details. I really appreciate you taking the time, and it's great to see a CNA that's actively thinking about the quality of their CVE records.

You raise a valid point, and I completely understand the frustration of including your security advisory links and tagging them as vendor-advisory, only to see a 0% score in that section. That doesn't feel right when you're clearly providing remediation information.

The challenge is that the scorecard currently relies on structured, machine-readable tags in the CVE record itself rather than evaluating the content behind the links. The patch tag is the most unambiguous signal that a specific fix exists. A vendor-advisory tag could point to anything from a detailed patch guide to a general awareness bulletin, and there's a lot of variation across CNAs in how that tag gets used.

I've thought about whether the scorecard could be expanded to pull and evaluate the actual content of advisories, but realistically I don't think that's feasible. With hundreds of CNAs publishing thousands of advisories in different formats, there's no standard structure to parse against. To reliably determine whether an advisory actually contains patch or remediation information, it would require building an NLP or AI stack to read and interpret the content of each advisory. That's a significant undertaking well beyond the scope of this project.

So the scorecard has to work with what's in the CVE record itself, and right now the patch tag is the strongest signal available. My recommendation would be to add the patch tag alongside vendor-advisory on your references when a fix is available. That makes the remediation intent explicit for anyone consuming CVE data programmatically, and it's honestly a good practice regardless of the scorecard.

You also made a great catch that the scoring page description was broader than what we actually check. I've updated the wording to be more precise about the patch tag requirement (#29).

Thanks again for raising this. Feedback like this helps me think through what the scorecard can and can't measure, and I really appreciate the engagement.