National Vulnerability Database expands information to include software vendors' comments on reported flaws.
NVD, which is designed to warn security software companies and the public about all known
"The purpose...of the statements is to explain how a vendor is, or is not, affected by a given vulnerability, or to add comments, or corrections, to the vulnerability details," said Mark Cox, head of Red Hat's Security Response Team, in an e-mail interview. Red Hat originally approached the operators of the NVD site, the National Institute of Standards and Technology, to include vendor comments and has already completed a pilot with NVD.
Software vendors retain full editorial control over their statements, which are posted in real time on the NVD site and distributed via its feeds. As a result, they are directly accountable for their content.
Software vendors will often release a patch to cover multiple flaws in their software, but IT administrators and security software advisory companies often do not know which specific flaws the patch covers, said Peter Mell, NVD project lead.
Software vendors will be able to give the security software companies that advise IT administrators more precise information on which flaws their patches address. The vendors will also be able to provide workarounds via the NVD service if a patch is not yet available, Mell said, adding that vendors may also elaborate on any disputes of claims that their software has security flaws.