NVD provides the software industry an open forum to comment upon the set of CVE vulnerabilities discovered in their products. Software vendors have the deepest knowledge about their products and thus are uniquely positioned to comment on their vulnerabilities.
Organizations can use the service in a variety of ways. For example, they can provide configuration and remediation guidance, clarify vulnerability applicability, provide deeper vulnerability analysis, dispute third-party vulnerability information, and explain vulnerability impact.
The “official vendor comments” are available as an XML feed from the NVD data feed page. They are also enumerated below. We encourage other vulnerability databases and services to incorporate these vendor comments alongside their CVE vulnerability descriptions. The comments are also available on the respective NVD vulnerability summary pages (e.g., https://nvd.nist.gov/vuln/detail/CVE-2006-4124).
Software development organizations can submit official comments by contacting NVD staff (nvd@nist.gov). Organizations can either submit comments manually or log in to NVD to issue and modify comments themselves. We recommend the login capability for organizations that are affected by more than a few CVE vulnerabilities.
It is our hope that the software industry will actively participate in this open forum and that the “official vendor comments” will be propagated throughout the 300+ products and services that use the CVE vulnerability naming standard.
The total number of vendor comments is 1,481 (updated every 2 hours)