# 29-Nov-2025 · CVSS v4.0 Momentum in Vulnerability Management

**Why now:** Vendors (NVD, GitHub, Microsoft, Snyk) are shipping CVSS v4 signals; StellaOps needs awareness to align receipts, reporting, and UI before defaulting to v4 everywhere.

## Scope

- Brief on adoption signals and compatibility risks when mixing v3.1/v4.
- Map impacts to receipt schemas (`SPRINT_0190_0001_0001_cvss_v4_receipts.md`).
- Identify quick UI/reporting deltas required for transparency.

## Required artefacts (MVP for DONE)

- This briefing plus linkage in `docs/product-advisories/ADVISORY_INDEX.md` (already indexed).
- Note in sprint Decisions & Risks for CVSS receipts sprints; ensure SPRINT_0300 tracker row 15 records completion.

## Determinism & Offline

- Keep CVSS vector parsing deterministic; pin scoring library versions in receipts.
- Avoid live API dependency; rely on mirrored NVD feeds or frozen samples.

## Next actions

- Cross-link to receipts schema draft; add Execution Log entry when briefing is published.
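
An added sketch of the Determinism & Offline guidance (not StellaOps code): it validates a CVSS v3.1 or v4.0 base vector, rewrites it in the specification's metric order, and hashes a receipt record that names the pinned parser. The receipt field names and `PARSER_ID` are assumptions, and threat, environmental and supplemental metrics are out of scope and rejected.

```python
import hashlib
import json

# Assumption: placeholder for the pinned parser/scoring library version.
PARSER_ID = "example-cvss-parser==0.0.0"

# Base metrics and allowed values, in the order the CVSS specifications list them.
BASE_METRICS = {
    "3.1": [("AV", "NALP"), ("AC", "LH"), ("PR", "NLH"), ("UI", "NR"),
            ("S", "UC"), ("C", "HLN"), ("I", "HLN"), ("A", "HLN")],
    "4.0": [("AV", "NALP"), ("AC", "LH"), ("AT", "NP"), ("PR", "NLH"),
            ("UI", "NPA"), ("VC", "HLN"), ("VI", "HLN"), ("VA", "HLN"),
            ("SC", "HLN"), ("SI", "HLN"), ("SA", "HLN")],
}


def canonical_vector(vector):
    """Validate a base vector; return (version, canonical vector string)."""
    prefix, _, rest = vector.strip().partition("/")
    version = prefix[len("CVSS:"):] if prefix.startswith("CVSS:") else None
    if version not in BASE_METRICS:
        raise ValueError(f"unsupported CVSS prefix: {prefix!r}")
    seen = {}
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name in seen:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        seen[name] = value
    expected = BASE_METRICS[version]
    # A v3.1 metric set under a v4.0 prefix (or the reverse) fails here.
    if set(seen) != {name for name, _ in expected}:
        raise ValueError(f"metric set does not match CVSS {version} base metrics")
    for name, allowed in expected:
        if seen[name] not in tuple(allowed):
            raise ValueError(f"invalid value for {name}: {seen[name]!r}")
    return version, f"CVSS:{version}/" + "/".join(f"{n}:{seen[n]}" for n, _ in expected)


def make_receipt(vector):
    """Build a receipt record whose digest depends only on its fields."""
    version, canonical = canonical_vector(vector)
    # Assumption: field names are illustrative, not the receipt schema.
    body = {"cvss_version": version, "vector": canonical, "parser": PARSER_ID}
    # Sorted keys and fixed separators give byte-identical JSON on every run.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {**body, "sha256": hashlib.sha256(encoded).hexdigest()}
```

Because the parser identifier is part of the hashed body, changing the pinned version changes the digest, so receipts produced by different library versions are distinguishable.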