Moving CVSS in v2.1 and above now inside a content member of a metrics array item in itself is clearly documented.
But the implications may not be as clear and explicit to the members of the ecosystem.
Let us support the communities by providing a FAQ entry and clear (possibly informative text) that highlights the now possible handling of different measurements leading to possibly divergent metrics across all CSAF communities.
Example: open source "vendors" (creators/suppliers) maintaining the classical CVSS perspective but, say, adding an Exploit Prediction Scoring System (EPSS) perspective, while corporate and commercial environments possibly favor a Stakeholder-Specific Vulnerability Categorization (SSVC) perspective.
Questions:
How to assess such advisories coming from different such realms?
How to deal with daily changing EPSS scores leading to daily changing advisories?
How to manage open source advisories from different sources targeting the same "product"?
The latter may be due to a valid concern of a commercial vendor that distributes an isolated open source "product" and provides an advisory on that "product" to their customers, while the upstream free and open source provider issues a deviating advisory using different metrics "types", i.e., there is an empty intersection of metrics. The new twist here is the problem for the consumer of these advisories of not being able to contrast such metrics directly.
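The "empty intersection of metrics" situation described above, as an added example that is not part of the issue or the CSAF project: two constructed advisories for the same product are compared by the metric types they carry, and EPSS entries are flagged when their timestamp is older than a day. The key names metrics[].content.{cvss_v3,epss,ssvc_v1}, metrics[].products and metrics[].source are assumed from the CSAF 2.1 draft schema; the SSVC content shape is simplified.

```python
"""Contrast metric types across CSAF 2.1 advisories for one product (added example)."""
from datetime import datetime, timedelta

# Constructed sample advisories (not real CSAF documents); URLs are placeholders.
UPSTREAM = {"metrics": [{
    "source": "https://upstream.example/advisory",
    "products": ["CSAFPID-0001"],
    "content": {
        "cvss_v3": {"version": "3.1", "baseScore": 7.5,
                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
        "epss": {"probability": 0.12, "percentile": 0.95,
                 "timestamp": "2024-12-15T00:00:00Z"}}}]}

VENDOR = {"metrics": [{                      # commercial vendor: SSVC only
    "source": "https://vendor.example/advisory",
    "products": ["CSAFPID-0001"],
    "content": {"ssvc_v1": {"decision": "Attend"}}}]}   # simplified SSVC content

VENDOR_WITH_CVSS = {"metrics": [{            # vendor that also publishes CVSS
    "products": ["CSAFPID-0001"],
    "content": {"cvss_v3": {"version": "3.1", "baseScore": 6.5,
                            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},
                "ssvc_v1": {"decision": "Track"}}}]}

def metric_types(advisory, product):
    """Set of metric types (keys of `content`) assigned to `product` by any metrics item."""
    types = set()
    for item in advisory.get("metrics", []):
        if product in item.get("products", []):
            types |= set(item.get("content", {}))
    return types

def contrast(a, b, product):
    """Classify how two advisories can be compared for `product`.
    `common` is the intersection of metric types; when it is empty the consumer cannot
    contrast the scores directly and must read each type on its own terms."""
    ta, tb = metric_types(a, product), metric_types(b, product)
    return {"common": ta & tb, "only_a": ta - tb, "only_b": tb - ta,
            "comparable": bool(ta & tb)}

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_epss(advisory, product, now_iso, max_age=timedelta(days=1)):
    """True if an EPSS entry for `product` is older than `max_age` at `now_iso`;
    EPSS is republished daily, so the advisory may no longer reflect the current score."""
    for item in advisory.get("metrics", []):
        epss = item.get("content", {}).get("epss")
        if epss and product in item.get("products", []):
            if _parse(now_iso) - _parse(epss["timestamp"]) > max_age:
                return True
    return False
```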
sthagen changed the title from "Let us ensure the scores to metrics change and implications are made explicit" to "Let us ensure the scores-to-metrics change and implications thereof are made explicit" on Dec 15, 2024
sthagen changed the title from "Let us ensure the scores-to-metrics change and implications thereof are made explicit" to "Ensure the scores-to-metrics change and implications thereof are made explicit" on Dec 15, 2024
sthagen changed the title from "Ensure the scores-to-metrics change and implications thereof are made explicit" to "Ensure the implications of the scores-to-metrics change are made explicit" on Dec 15, 2024