Fragmentation of CVSS Scores in the NVD: A Quantitative Analysis of Inconsistency Across Vulnerability Scoring Standards

This dataset contains vulnerability records from the National Vulnerability Database (NVD), retrieved via the NVD API 2.0 in October 2025. It accompanies the paper "Fragmentation of CVSS Scores in the NVD: A Quantitative Analysis of Inconsistency Across Vulnerability Scoring Standards." The dataset comprises 24 yearly JSON files (nvdcve-2.0-{year}.json, years 2002–2025) plus two supplementary feeds (modified, recent), covering over 270,000 CVE entries. Each record includes the CVE identifier, textual descriptions, references, and, where available, CVSS metrics across multiple scoring standard versions: CVSS v2.0, v3.0, v3.1, and v4.0. The data preserves the original NVD API 2.0 JSON schema, with no modifications to the source records. In addition to the raw JSON files, the dataset includes pre-extracted tabular summaries in TSV format: - scores_cvss20.tsv, scores_cvss30.tsv, scores_cvss31.tsv, scores_cvss40.tsv - base scores per CVE for each CVSS version (~190k, ~54k, ~179k, and ~14k records, respectively); - severity_all.tsv - aggregated severity-level counts (None/Low/Medium/High/Critical) across all four CVSS versions; - severity_changes_detailed.tsv - per-CVE severity category comparison across CVSS versions, with change pattern annotations; - severity_changes_summary.txt and severity_changes_by_pattern.txt - summary statistics of severity migration patterns between CVSS versions; - cvss_30_31_vector_differences.txt - detailed comparison of CVSS v3.0 vs. v3.1 vector strings for CVEs scored under both versions (11,114 CVEs; 52.6% with differing vectors); - year_counts.tsv - annual CVE publication counts (1988–2025). The dataset enables reproducibility of all quantitative analyses presented in the paper, including cross-version score distribution comparisons, severity category migration analysis, and CVSS vector-level discrepancy assessment.

本数据集收录了来自美国国家漏洞数据库（National Vulnerability Database，NVD）的漏洞记录，于2025年10月通过NVD API 2.0接口获取。本数据集配套论文《美国国家漏洞数据库中CVSS评分碎片化：漏洞评分标准不一致性的定量分析》（"Fragmentation of CVSS Scores in the NVD: A Quantitative Analysis of Inconsistency Across Vulnerability Scoring Standards"）。 数据集包含24个年度JSON格式文件（命名格式为nvdcve-2.0-{year}.json，覆盖2002至2025年），以及2个补充数据源（modified、recent），总计涵盖超过27万个通用漏洞与披露（Common Vulnerabilities and Exposures，CVE）条目。每条记录包含CVE标识符、文本描述、参考链接，以及对应多个评分标准版本的通用漏洞评分系统（Common Vulnerability Scoring System，CVSS）指标：CVSS v2.0、v3.0、v3.1及v4.0。本数据集完整保留NVD API 2.0原始JSON架构，未对源记录进行任何修改。 除原始JSON文件外，本数据集还包含预提取的TSV格式表格摘要： - scores_cvss20.tsv、scores_cvss30.tsv、scores_cvss31.tsv、scores_cvss40.tsv：分别对应各CVSS版本下每条CVE的基础评分（各文件分别包含约19万、5.4万、17.9万及1.4万条记录）； - severity_all.tsv：四个CVSS版本下聚合的严重级别统计（None/Low/Medium/High/Critical）； - severity_changes_detailed.tsv：逐条CVE的CVSS版本间严重类别对比结果，并标注了变更模式； - severity_changes_summary.txt与severity_changes_by_pattern.txt：CVSS版本间严重级别迁移模式的汇总统计数据； - cvss_30_31_vector_differences.txt：针对同时使用CVSS v3.0与v3.1评分的CVE，其CVSS向量字符串的详细对比结果（共11114个CVE，其中52.6%的向量字符串存在差异）； - year_counts.tsv：1988年至2025年的年度CVE发布数量统计。 本数据集可复现论文中呈现的全部定量分析，包括跨版本评分分布对比、严重类别迁移分析，以及CVSS向量层面的不一致性评估。