CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are organizations that are authorized to assign CVEs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVEs are provided to researchers, vulnerability disclosers, and information technology vendors.

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID from them.

To review the products covered by each CNA, visit CVE Coverage Goals.

Participating CNAs

The organizations below are participating as CNAs as of November 2016:

Primary CNA

Software Vendors

Third-Party Coordinators

Vulnerability Researchers

Documentation for CNAs

To learn more about CNAs rules and requirements—including becoming a CNA—please review the documents below.

CVE Numbering Authorities (CNA) Rules, Version 1.1 – September 16, 2016

Includes detailed information about the following:
  • CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules
  • Rules for All CNAs – Assignment, Communication, and Administration
  • Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA
  • CNA Candidate Process – Qualifications, and On-Boarding Process
  • Appeals Process
  • Definitions
  • CVE Information Format
  • Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions
  • Terms of Use
  • Process to Correct Counting Issues
  • Acronyms

Researcher Reservation Guidelines, Version 0.1 – August 29, 2016

Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability.

Requesting CVE IDs from CNAs

Visit Products Covered to find the appropriate CNA to contact for your issue, as well as CNA contact information.

Page Last Updated or Reviewed: December 02, 2016