Software vendors add tips to flaws database

The National Vulnerability Database on Thursday expanded its security information offerings to include comments from software vendors about flaws in their products.

NVD, which is designed to warn security software companies and the public about all known computer vulnerabilities, has added a new twist to its year-old database. Software vendors, which previously were not allowed to post to the site, can now post their comments to the NVD site and distribute information over the NVD real-time feeds.

"The purpose...of the statements is to explain how a vendor is, or is not, affected by a given vulnerability, or to add comments, or corrections, to the vulnerability details," said Mark Cox, head of Red Hat's Security Response Team, in an e-mail interview. Red Hat originally approached the operators of the NVD site, the National Institute of Standards and Technology, to include vendor comments and has already completed a pilot with NVD.

Software vendors retain full editorial control over their statements, which are posted in real-time on the NVD site and distributed via its feeds. As a result, they are directly accountable for their content.

Software vendors will often release a patch to cover multiple flaws in their software, but IT administrators and security software advisory companies often do not know which specific flaws apply to the patch, said Peter Mell, NVD project lead.

Software vendors will be able to provide security software companies that advise IT administrators with more precise information on which flaws are addressed with their patches. The vendors will also be able to provide workarounds if a patch is not yet available via the NVD service, Mell said, adding that vendors may also elaborate on any disputes of claims that their software has security flaws.