CVE Program Status Update
We continue to work diligently on expanding CVE assignment in ways that meet the needs of all the various use cases of CVE. Towards that end, we have begun increasing the number of organizations participating as CVE Numbering Authorities (CNAs). We are also working closely with the CVE Editorial Board to define additional ways for CNAs to enable CVE to expand its coverage. Updates on our progress will continue to be posted here as soon as they occur.

The CVE Team, May 4, 2016

CVE® International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures.

CVE’s common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

Widespread Use of CVE
Focus On

CVE Numbering Authorities (CNAs)

CNAs are the main method for requesting a CVE-ID number.

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

The following 25 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; Distributed Weakness Filing Project; EMC; FreeBSD; Google; HP; HPE; IBM; ICS-CERT; JPCERT/CC; Juniper; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

A message about turnaround times for requesting CVE-ID numbers from MITRE is posted above. For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

Page Last Updated: July 13, 2016