CVSS Scores in Nessus Plugins
For over a year now, Tenable has been including CVSS base scores in the plugins we write for Nessus as well as Passive Vulnerability Scanner (PVS) to give our customers an objective way to assess the risk of flaws those plugins test for. We've been calculating these scores in-house during the course of investigating vulnerabilities and how to test for them. Until recently, our efforts have been largely independent of NIST's own work in this area.
Since early November, though, Tenable has been using the CVSS scores that NIST calculates and includes in its National Vulnerability Database. We still calculate our own scores initially, as our plugins are often released at the same time -- or even slightly before -- CVE ids are issued. But a daily synchronization process reports differences and updates the plugins as necessary.