Official Vendor Comments
NVD provides the software industry an open forum to comment upon the vulnerabilities discovered in their products. Software vendors have the deepest knowledge about their products and thus are uniquely positioned to comment on their vulnerabilities.
Organizations can use this service in a variety of ways. For example, they can provide configuration and remediation guidance, clarify vulnerability applicability, provide deeper vulnerability analysis, dispute third-party vulnerability information, and explain vulnerability impact.
The CVES API returns all comments within the optional vendorComments object. The complete set of comments is available as an XML feed from the NVD data feed page until late 2023. They are also enumerated below. We encourage other vulnerability databases and services to incorporate Official Vendor Comments alongside their CVE descriptions. The comments are also available on the respective NVD vulnerability summary pages (e.g., https://nvd.nist.gov/vuln/detail/CVE-2006-4124).
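One way a downstream service could carry vendor comments alongside CVE descriptions, shown as an added example that is not NVD code. It assumes the CVE API 2.0 JSON layout (`vulnerabilities`, `cve`, `descriptions`, and `vendorComments` entries with `organization`, `comment` and `lastModified`); none of these field names except `vendorComments` appear on this page, and all sample data is constructed.

```python
from datetime import datetime

# Constructed sample in the assumed CVE API 2.0 response shape (not real NVD data).
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2006-4124",
            "descriptions": [{"lang": "en", "value": "Constructed description text."}],
            "vendorComments": [
                {"organization": "Example Vendor A",
                 "comment": "Constructed: not applicable to our supported releases.",
                 "lastModified": "2006-08-30T00:00:00"},
                {"organization": "Example Vendor B",
                 "comment": "Constructed: fixed in our update.",
                 "lastModified": "2007-03-14T00:00:00"},
            ],
        }},
        {"cve": {  # placeholder ID; vendorComments is optional and absent here
            "id": "CVE-0000-0001",
            "descriptions": [{"lang": "es", "value": "Texto construido."},
                             {"lang": "en", "value": "Constructed placeholder entry."}],
        }},
    ]
}

def english_description(cve):
    """Return the English description, or an empty string if none is present."""
    for desc in cve.get("descriptions", []):
        if desc.get("lang") == "en":
            return desc.get("value", "")
    return ""

def merge_vendor_comments(response):
    """Build one record per CVE: description plus vendor comments, newest first."""
    records = []
    for item in response.get("vulnerabilities", []):
        cve = item.get("cve", {})
        # A missing or null vendorComments object means "no comments", not an error.
        comments = sorted(
            cve.get("vendorComments") or [],
            key=lambda c: datetime.fromisoformat(c["lastModified"]),
            reverse=True,
        )
        records.append({
            "id": cve.get("id"),
            "description": english_description(cve),
            "vendor_comments": [(c["organization"], c["comment"]) for c in comments],
        })
    return records
```
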
Software development organizations can submit official comments by contacting NVD staff ([email protected]). The capability exists both for organizations to manually submit comments and for organizations to log into NVD to issue and modify comments themselves. We recommend the login capability for organizations that are affected by more than a few CVE vulnerabilities.
It is our hope that the software industry will actively participate in this open forum and that the Official Vendor Comments will be propagated throughout the 300+ products and services that use the CVE standard.
The total number of vendor comments is 1,486 (updated every 2 hours)