CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and information technology vendors.

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

To review the products covered by each CNA, visit the Request a CVE ID page.


Documentation for CNAs

Growth of CNA Program Worldwide

There are 94 organizations participating as CNAs as of March 18, 2019:

CNAs World Map as of March 2019

  • Vendors and Projects: 77
  • Vulnerability Researchers: 7
  • National and Industry CERTs: 5
  • Bug Bounty Programs: 2
  • Root CNAs: 2
  • Program Root CNA: 1

Number of CNAs by country as shown at right:

  • Australia: 1
  • Austria: 1
  • Belgium: 1
  • Canada: 2
  • China: 8
  • France: 1
  • Germany: 4
  • Israel: 1
  • Japan: 3
  • Netherlands: 2
  • Philippines: 1
  • Russia: 2
  • South Korea: 2
  • Taiwan: 3
  • UK: 1
  • USA: 61

Key for CNA Types:

  • Bug Bounty Programs - assign CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.
  • National and Industry CERTs - perform incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
  • Program Root CNA - oversees the CNA program.
  • Root CNA - manages a group of sub-CNAs within a given domain or community.
  • Vendors and Projects - assign CVE IDs for vulnerabilities found in their own products and projects.
  • Vulnerability Researchers - assign CVE IDs to products and projects upon which they perform vulnerability analysis.

View the current list of CNAs.

How to Become a CNA

IMPORTANT: The information below is reprinted from the "CNA Candidate Process" section of the "CVE Numbering Authorities (CNA) Rules" document. Please review the entire CNA Rules document before requesting to become a CNA.

4. CNA Candidate Process

The CVE Program, through both Root CNAs and the CVE Program Root CNA (Primary CNA), adds qualified organizations (hereinafter referred to as candidates) as CNAs through the on-boarding process described in this section. The on-boarding process is designed to set expectations for CNAs regarding the oversight and administration of CVE assignment for products within their scope. The goals of the CNA candidate process:

  1. The candidate understands its roles and responsibilities.
  2. Individual members of the new CNA's team are able to perform CVE assignment and counting processes.
  3. Clear communication channels exist between CNAs and the rest of the CVE Program.

4.1. CNA Qualifications

A candidate is qualified if they meet the following criteria:

  1. A candidate must be interested in becoming a CNA and willing to follow established CNA rules.
  2. A CNA must be

    1. a vendor with a significant user base and an established security advisory capability, or

    2. an established entity with an established security advisory capability that typically acts as a neutral interface between researchers and vendors.

    A Root CNA may be a regional coordinator (such as a Computer Emergency Response Team [CERT]) or a domain publisher (such as an Information Sharing and Analysis Center [ISAC] representing a particular sector). A CNA may also be a mature research organization.
  3. The CNA must be an established distribution point or source for first-time product vulnerability announcements (which may concern their own products). In keeping with the CVE requirement to identify public issues, the CNA must only assign CVEs to security issues that will be made public. (Refer to the definition of "vulnerability" in Appendix A for clarification on what products should and should not be considered when assigning a CVE ID.)
  4. The CNA must follow coordinated disclosure practices as determined by the community which they serve. Coordinated disclosure practices reduce the likelihood that duplicate or inaccurate information will be introduced into CVE.

4.2. CNA On-Boarding Process

  1. A candidate may be identified by a Root CNA, the Program Root CNA (Primary CNA), a member of the CVE Board, or they may approach the Root CNA, the Program Root CNA (Primary CNA), or a member of the CVE Board to request a CNA appointment.
  2. The candidate is reviewed to determine whether it is qualified by the appropriate Root CNA or the Program Root CNA (Primary CNA), hereinafter referred to as the vetting CNA, using the guidance in this section. A Root CNA is appropriate if the candidate fits within the domain of the Root CNA.
  3. The vetting CNA engages the candidate and shares information about becoming a CNA, including this document.
  4. The candidate assigns a primary and secondary POC for initial coordination with the vetting CNA.
  5. Anyone acting in a CVE analyst capacity at the candidate's organization will be given training by their vetting CNA, which will include:

    • Examples and exercises to work through with instruction and feedback;

    • Counting rules to review and follow.

    During this training, an initial block of CVE IDs will be allocated to the candidate for use with their training. This block will be allocated by the vetting CNA. The Program Root CNA (Primary CNA) will provide guidance and templates to assist with the creation of examples and exercises.
  6. The candidate will document how CVE processes will be integrated into their operations.

    • The candidate's documentation will include how they will process new requests for CVE IDs, internally and externally. If the candidate will process external CVE assignment requests, processes to submit requests will be documented for public release.

    • All documentation will be shared with the vetting CNA and may also be shared publicly by the candidate.
  7. The vetting CNA will review the candidate's documentation and work with the candidate to address any issues in their processes that may conflict with the established CNA rules.
  8. The vetting CNA allocates the candidate a block of CVE IDs to assign.
  9. The candidate's POCs are added to the appropriate communications channels.
  10. After successfully completing the above, required steps, the candidate enters operational mode and is now considered a CNA. If the CNA was added by a Root CNA, the Root CNA notifies the Program Root CNA (Primary CNA).
  11. The Program Root CNA (Primary CNA) updates public documentation to include the new CNA and makes public announcements introducing the new CNA.

Any changes in a CNA's program, including staff changes or process changes, must be documented and shared with the CVE Program through a CNA's Root CNA or the Program Root CNA (Primary CNA).

Contacting the CVE Team to Become a CNA:

After reviewing the "CVE Numbering Authorities (CNA) Rules" document and the information above, please use the CVE Request web form and select "Other" from the dropdown menu to contact us about becoming a CNA.

Submitting CVE Entry Information to CVE Team

Please use one of the following three methods to submit CVE Entry information to the CVE Team.

(1) CVE Request Web Form

Submitting through the CVE Request Web Form:

  1. Visit the CVE Request web form.
  2. Select “Notify CVE about a publication” and enter your email address.
  3. Fill in the form.

    • NOTE: “Link to the advisory” and “CVE IDs of vulnerabilities to be published” fields are required.
  4. The assignment information (in Flat File, CSV, or JSON format) should be entered in the “Additional information and CVE ID description updates” field.

    • NOTE: Alternatively, you can send the CVE Entry information as a file attachment in a reply to an email message generated by CVE’s ticketing system when the submission has been received.
  5. Enter the security code.
  6. Press “Submit Request.”

(2) Git (Experimental)

Page Last Updated or Reviewed: March 19, 2019