https://mariadb.com/kb/en/mariadb/security/ is sufficient?

This is great.

However, do you think we could add one more link, for each CVE, that goes to the web.nvd.nist.gov site (which contains the CVSS Version 3 Metrics/Scores)?

Here is an example link:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304

This would make it a one-stop shop, so-to-speak, and then we could avoid the whole "matrix".

Check last comment from Chris. Could we add that link for each CVE?

It's normally available from the CVE page. Like our CVE-2012-5614 link points to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614. And at the top of that page there's a link Learn more at National Vulnerability Database (NVD)

In the KB any CVE-XXXX-XXXX text is automatically turned into a link to cve.mitre.org using the built-in auto-link feature. This feature doesn't have a way to turn a single CVE ID into two separate links, not right now at least. Such a thing could be added, but it would require a rewrite of the auto-link feature to allow for a single bit of text to be transformed into multiple links. bryan would know more about how feasible this would be.