The bogus CVE problem
Posted Sep 14, 2023 23:10 UTC (Thu) by nliadm (subscriber, #94000). Parent article: The bogus CVE problem
As an author of a container static analyzer, this is one of the reasons we purposefully do not consume NVD data directly. The CVSS scores from NVD frequently conflict with vendors' and authors' own severity ratings, and so users would ask us to "just fix" the score in the report. We now only consume vendor and language-authority data, and it's completely eliminated this class of problem.
I think having a process to triage reported vulnerabilities easily is key to handling this at scale. Frameworks like SSVC are great, but there's an onus on reporting tools to be able to integrate those decisions back in and not show scary red marks to people who just want a "security" toggle.
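An added illustration of the approach the comment describes (this is not the commenter's analyzer or any real tool; the `Finding` fields, severity labels, triage outcomes and sample CVE identifiers are all assumed or constructed): severity is taken from vendor or language-authority data before NVD, disagreement with NVD is recorded rather than silently "fixed", and a recorded triage decision keeps a finding from being painted red in the report.

```python
from dataclasses import dataclass
from typing import Optional

# Severity labels ordered from least to most severe (assumed label set).
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    cve: str
    nvd_severity: Optional[str] = None        # label derived from the NVD CVSS score
    vendor_severity: Optional[str] = None     # the OS/distro vendor's own rating
    ecosystem_severity: Optional[str] = None  # the language package authority's rating
    triage: Optional[str] = None              # recorded triage outcome: "defer", "not_affected", "act"


def resolved_severity(f: Finding) -> tuple[str, str]:
    """Prefer vendor and language-authority ratings; use NVD only when neither exists."""
    for source, label in (("vendor", f.vendor_severity),
                          ("ecosystem", f.ecosystem_severity), ("nvd", f.nvd_severity)):
        if label:
            return label.lower(), source
    return "unknown", "none"


def report_row(f: Finding, fail_threshold: str = "high") -> dict:
    """One report row: the severity shown, where it came from, and whether it blocks."""
    severity, source = resolved_severity(f)
    # Record disagreement with NVD explicitly instead of silently rewriting the score.
    nvd_conflict = bool(f.nvd_severity) and f.nvd_severity.lower() != severity
    if f.triage in ("defer", "not_affected"):
        # A recorded triage decision overrides the threshold, so no red mark is shown.
        blocking, reason = False, f"triaged: {f.triage}"
    else:
        blocking = SEVERITY_RANK.get(severity, -1) >= SEVERITY_RANK[fail_threshold]
        reason = f"{severity} from {source} vs threshold {fail_threshold}"
    return {"cve": f.cve, "severity": severity, "source": source,
            "nvd_conflict": nvd_conflict, "blocking": blocking, "reason": reason}


# Constructed sample findings; the CVE identifiers are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", nvd_severity="critical", vendor_severity="low"),
    Finding("CVE-0000-0002", nvd_severity="high", triage="defer"),
    Finding("CVE-0000-0003", nvd_severity="high"),
]


def blocking_cves(findings=SAMPLE) -> list[str]:
    """CVEs that would fail a "security" toggle after source preference and triage."""
    return [r["cve"] for r in map(report_row, findings) if r["blocking"]]
```

Only the third sample finding blocks: the first is downgraded by the vendor rating (with the NVD conflict recorded), and the second is deferred by triage.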