author: Roland Shoemaker <roland@golang.org> 2026-03-20 12:39:02 -0700
committer: Gopher Robot <gobot@golang.org> 2026-03-20 14:14:19 -0700
commit: 48a89e357810977702866cbdc0a779c8a54d94d3 (patch)
tree: ce5788e7c499bed72d818a0eda994e47040f2587
parent: 3e7a36915b2fd47cc8655929bc341423b8410ddf (diff)
download: go-x-website-48a89e357810977702866cbdc0a779c8a54d94d3.tar.xz
_content/doc/security: explain why no CVSS
Change-Id: Ia63c0c1cb78adc42526af70628442d33cff7a1ad
Reviewed-on: https://go-review.googlesource.com/c/website/+/757301
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Neal Patel <nealpatel@google.com>
 _content/doc/security/policy.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/_content/doc/security/policy.md b/_content/doc/security/policy.md
index f0fa180f..c7249034 100644
--- a/_content/doc/security/policy.md
+++ b/_content/doc/security/policy.md
@@ -42,7 +42,12 @@ issues will be issued CVE numbers.
The Go Security team does not assign traditional fine-grained severity labels
(e.g CRITICAL, HIGH, MEDIUM, LOW) to security issues because severity depends
-highly on how a user is using the affected API or functionality.
+highly on how a user is using the affected API or functionality. Additionally,
+when issuing CVEs for Go security issues we do not assign CVSS scores, as we
+fundamentally disagree with the applicability of the scoring system to Go for
+the same reasons. Third parties, such as MITRE or NIST, via the NVD, may assign
+CVSS scores to our vulnerabilities, but we do not endorse these scores as
+accurate reflections of their impact.
For example, the impact of a resource exhaustion issue in the `encoding/json`
parser depends on what is being parsed. If the user is parsing trusted JSON
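Review bot: The new "Third parties, such as MITRE or NIST, via the NVD, may assign CVSS scores" sentence is hard to parse because the stacked commas leave it unclear whether "via the NVD" applies to MITRE as well as NIST; consider "Third parties (for example NIST, through the NVD) may assign CVSS scores to our vulnerabilities; we do not endorse those scores as accurate reflections of their impact." Separately, "for the same reasons" in the new CVE sentence points back to a rationale that is only spelled out by the `encoding/json` example that follows, so a reader who lands on the CVSS statement has not yet seen the reason; "for the same reason: the real impact depends on how the affected API is used" would make the paragraph self-contained. Drive-by in the unchanged context: "e.g" is missing its trailing period.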