CNET también está disponible en español.

Ir a español

Don't show this again

Best Black Friday 2020 deals PS5 restock Xbox Series X in stock HomePod Mini vs. Echo Dot vs. Nest Mini Tile Black Friday Best Amazon Black Friday deals Best Black Friday Apple deals

Software vendors add tips to flaws database

National Vulnerability Database expands information to include software vendors' comments on reported flaws.

The National Vulnerability Database on Thursday expanded its security information offerings to include comments from software vendors about flaws in their products.

NVD, which is designed to warn security software companies and the public about all known . Software vendors, which previously were not allowed to post to the site, can now post their comments to the NVD site and distribute information over the NVD real-time feeds.

"The purpose...of the statements is to explain how a vendor is, or is not, affected by a given vulnerability, or to add comments, or corrections, to the vulnerability details," said Mark Cox, head of Red Hat's Security Response Team, in an e-mail interview. Red Hat originally approached the operators of the NVD site, the National Institute of Standards and Technology, to include vendor comments and has already completed a pilot with NVD.

Software vendors retain full editorial control over their statements, which are posted in real-time on the NVD site and distributed via its feeds. As a result, they are directly accountable for their content.

Software vendors will often release a patch to cover multiple flaws in their software, but IT administrators and security software advisory companies often do not know which specific flaws apply to the patch, said Peter Mell, NVD project lead.

Software vendors will be able to provide security software companies that advise IT administrators with more precise information on which flaws are addressed with their patches. The vendors will also be able to provide workarounds if a patch is not yet available via the NVD service, Mell said, adding that vendors may also elaborate on any disputes of claims that their software has security flaws.