This element indicates in broad terms whether the vendor is responsible for any products, components, or services that we consider to be vulnerable or in some way affected by the vulnerability. In many cases, the relationship between a vendor's products and a vulnerability is more complex than a simple "Vulnerable" or "Not Vulnerable" status. More detailed information is often available in the Vendor Statement and other elements of the Vendor Record.

Vendor Status is not time-dependent: it is based on the time that the case was opened, that is, status does not change once the vendor has released updated software or mitigation advice.


If we have strong evidence (such as first-hand knowledge or vendor acknowledgement), we mark vendors as "Affected." In most cases, if a reader or user needs to take action, then status is "Affected."

Not Affected

We accept assertions from vendors that they are "Not Affected" unless we have strong evidence to the contrary.