An individual vendor element is called a Vendor Record. Vendor Records have several sub-elements. For a Vulnerability Note with multiple vulnerabilities, each vulnerability and its corresponding Vendor Status and Vendor Statement can be listed individually within a Vendor Record.
We notify vendors who we have sufficient reason to believe may be affected. Notification adds the vendor to the vendor list in the Vulnerability Note. Listing a vendor does not necessarily mean that the vendor is affected by the vulnerability.
This element indicates in broad terms whether the vendor has is responsible for any products, components, or services that we considers to be vulnerable or in some way affected by the vulnerability. In many cases, the relationship between a vendor's products and a vulnerability is more complex than a simple "Vulnerable" or "Not Vulnerable" status. More detailed information is often available in the Vendor Statement and other elements of the Vendor Record.
Vendor Status is not time-dependent, that is, status does not change once the vendor has released updated software or mitigation advice.
One significant factor we consider when determining vendor status is the extent to which vendors or users need to perform some mitigating activity. In the most common case, a affected vendors develop and release changed software (e.g., patch, upgrade, update) and users deploy the changed software.
By default, vendors are marked as "Unknown." "Unknown" may indicate that we have notified the vendor (See Date Notified) but have not received observed or processed a response. "Unknown" may also indicate that we have not contacted the vendor, possibly because we were unable to identify a security point of contact with reasonable effort.
This number is updated when the Vulnerability Note is modified and republished.
These elements appear in some older Vulnerability Notes.