How do you assign CVSS scores to advisories?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

How do you assign CVSS scores to advisories?

Explanation:
Providing CVSS scores directly in a security advisory is the correct approach because it gives a clear, standardized severity signal that teams can use to triage and prioritize fixes right away. CVSS scores are a widely understood way to express how risky a vulnerability is, and GitHub’s advisory data model supports storing that score (and the related vector information) alongside the advisory content. When the score is visible in the advisory, developers, security teams, and automation can quickly assess urgency, filter and search advisories by severity, and coordinate remediation timelines without chasing external documents.

If the score isn’t included in the advisory, teams lose immediate visibility into risk levels; relying solely on external documentation fragments that aren’t surfaced in the advisory makes triage slower and more error-prone. Waiting to assign a score after publication delays prioritization, and storing the score only in external docs fragments the risk signal, reducing consistency across projects.
