[Only changed the subject in attempt to separate the concerns.]

Already in CVRF v1.1, our schema targets inside CVSSScoreSets - ScoreSetVx elements *not* the isolated CVSS vx score of whatever, but instead the specific applicable related ProductID references *and* the vx CVSS score data.

So in my understanding, the author(s) of such a document MAY choose to use zero ProductID elements, but I understand this only makes sense, in "dedicated" single product advisories / publications, where the context is clear and in all other cases the author(s) SHOULD add the Product ID relation(s).

<Stefan/>

On 13/04/17 23:20, Masato wrote:
>
> - zero or one CVSSv2 and zero or one CVSSv3
> - recommendation: either v2 or v3 (or both)
>
> because sometimes I would like to publish advisory without scores.
> at first, wish to advertise threat to the Internet.
> Next, evaluate the detail of vulnerability with scores.
>
> BR
> Masato
>
> On 2017/04/13 11:47, Art Manion wrote:
>> On 2017-04-12 14:35, Vincent Danen wrote:
>>
>>> This is something we probably want to look at for CSAF 2.0, not CVRF
>>> 1.2. I don't think it can be resolved easily. You could have 12
>>> different CVSSv2 scores right now but it's almost pointless if you can't
>>> map that back to a particular product or scenario.
>>
>> Agreed. Thus, I'm proposing that CVRF 1.2 should allow zero or one CVSS
>> v2 score and zero or one CVSS v3 score.
>>
>> A separate question remains: If there is a CVSS score, must it be v3
>> (and have an optional single v2 score)? My position is that the score
>> can be either v2 or v3 (or both).