...

An individual vendor element is called a Vendor Record. Vendor Records have several sub-elements. For a Vulnerability Note with multiple vulnerabilities, each vulnerability and its corresponding Vendor Status and Vendor Statement can be listed individually within a Vendor Record.

We notify vendors who we have sufficient reason to believe may be affected. Notification adds the vendor to the vendor list in the Vulnerability Note. Listing a vendor does not necessarily mean that the vendor is affected by the vulnerability.

Vendor Status

This element indicates in broad terms whether the vendor is responsible for any products, components, or services that we consider to be vulnerable or in some way affected by the vulnerability. In many cases, the relationship between a vendor's products and a vulnerability is more complex than a simple "Vulnerable" or "Not Vulnerable" status. More detailed information is often available in the Vendor Statement and other elements of the Vendor Record.

Vendor Status is based on the time that the case was opened; that is, status does not change once the vendor has released updated software or mitigation advice.

One significant factor we consider when determining vendor status is the extent to which vendors or users need to perform some mitigating activity. In the most common case, affected vendors develop and release changed software (e.g., patch, upgrade, update) and users deploy the changed software.

Unknown

By default, vendors are marked as "Unknown." "Unknown" may indicate that we have notified the vendor (see Date Notified) but have not observed or processed a response. "Unknown" may also indicate that we have not contacted the vendor, possibly because we were unable to identify a security point of contact with reasonable effort.

...

If we have strong evidence (such as first-hand knowledge or vendor acknowledgement), we mark vendors as "Affected." In most cases, if a reader or user needs to take action, then status is "Affected."

Not Affected

We accept assertions from vendors that they are "Not Affected" unless we have strong evidence to the contrary.

...

This number is updated when the Vulnerability Note is modified and republished.

Deprecated Elements

These elements appear in some older Vulnerability Notes.

...