Which CVSS metric represents features that change during the lifetime of the vulnerability?

The aspect that changes over the life of a vulnerability is captured by the temporal metrics in CVSS. These metrics reflect how the vulnerability’s exploitability, remediation status, and confidence in the vulnerability report can evolve over time. For example, as exploit code becomes available, patches are released, or more information is published, the temporal score can be updated to reflect these changes. In contrast, the base metrics describe intrinsic properties of the vulnerability that don’t change with time (like attack vector and impact), and environmental metrics relate to how the vulnerability affects a specific environment or deployment. A term like buffer overflows is a vulnerability type, not a CVSS metric.