CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are organizations that are authorized to assign CVEs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVEs are provided to researchers, vulnerability disclosers, and information technology vendors.

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

To review the products covered by each CNA, visit the CNA Coverage section on the Request a CVE ID page.

Participating CNAs

The 48 organizations below are participating as CNAs as of January 2017:

Primary CNA

Software Vendors

Third-Party Coordinators

Vulnerability Researchers

Documentation for CNAs

To learn more about CNA rules and requirements—including becoming a CNA—please review the documents below.

CVE Numbering Authorities (CNA) Rules, Version 1.1 – September 16, 2016

Includes detailed information about the following:
  • CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules
  • Rules for All CNAs – Assignment, Communication, and Administration
  • Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA
  • CNA Candidate Process – Qualifications, and On-Boarding Process
  • Appeals Process
  • Definitions
  • CVE Information Format
  • Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions
  • Terms of Use
  • Process to Correct Counting Issues
  • Acronyms

Researcher Reservation Guidelines, Version 0.1 – August 29, 2016

Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability.

Requesting CVE IDs from CNAs

Visit Request a CVE ID to find the appropriate CNA to contact for your issue, as well as CNA contact information.

Become a CNA

IMPORTANT: The information below is reprinted from the "CNA Candidate Process" section of the "CVE Numbering Authorities (CNA) Rules" document. Please review the entire CNA Rules document before requesting to become a CNA.

4. CNA Candidate Process

The CVE Program, through both Root CNAs and the Primary CNA, adds qualified organizations (hereinafter referred to as candidates) as CNAs through the on-boarding process described in this section. The on-boarding process is designed to set expectations for CNAs regarding the oversight and administration of CVE assignment for products within their scope. The goals of the CNA candidate process:

  1. The candidate understands its roles and responsibilities.
  2. Individual members of the new CNA's team are able to perform CVE assignment and counting processes.
  3. Clear communication channels exist between CNAs and the rest of the CVE Program.

4.1. CNA Qualifications

A candidate is qualified if they meet the following criteria:

  1. A candidate must be interested in becoming a CNA and willing to follow established CNA rules.
  2. A CNA must be

    1. a vendor with a significant user base and an established security advisory capability, or

    2. an established entity with an established security advisory capability that typically acts as a neutral interface between researchers and vendors.

    A Root CNA may be a regional coordinator (such as a Computer Emergency Response Team [CERT]) or a domain publisher (such as an Information Sharing and Analysis Center [ISAC] representing a particular sector). A CNA may also be a mature research organization.
  3. The CNA must be an established distribution point or source for first-time product vulnerability announcements (which may concern their own products). In keeping with the CVE requirement to identify public issues, the CNA must only assign CVEs to security issues that will be made public. (Refer to the definition of "vulnerability" in Appendix A for clarification on what products should and should not be considered when assigning a CVE ID.)
  4. The CNA must follow coordinated disclosure practices as determined by the community which they serve. Coordinated disclosure practices reduce the likelihood that duplicate or inaccurate information will be introduced into CVE.

4.2. CNA On-Boarding Process

  1. A candidate may be identified by a Root CNA, the Primary CNA, a member of the CVE Board, or they may approach the Root CNA, the Primary CNA, or a member of the CVE Board to request a CNA appointment.
  2. The candidate is reviewed to determine whether it is qualified by the appropriate Root CNA or the Primary CNA, hereinafter referred to as the vetting CNA, using the guidance in this section. A Root CNA is appropriate if the candidate fits within the domain of the Root CNA.
  3. The vetting CNA engages the candidate and shares information about becoming a CNA, including this document.
  4. The candidate assigns a primary and secondary POC for initial coordination with the vetting CNA.
  5. Anyone acting in a CVE analyst capacity at the candidate's organization will be given training by their vetting CNA, which will include:

    • Examples and exercises to work through with instruction and feedback;

    • Counting rules to review and follow.

    During this training, an initial block of CVE IDs will be allocated to the candidate for use with their training. This block will be allocated by the vetting CNA. The Primary CNA will provide guidance and templates to assist with the creation of examples and exercises.
  6. The candidate will document how CVE processes will be integrated into their operations.

    • The candidate's documentation will include how they will process new requests for CVE IDs, internally and externally. If the candidate will process external CVE assignment requests, processes to submit requests will be documented for public release.

    • All documentation will be shared with the vetting CNA and may also be shared publicly by the candidate.
  7. The vetting CNA will review the candidate's documentation and work with the candidate to address any issues in their processes that may conflict with the established CNA rules.
  8. The vetting CNA allocates the candidate a block of CVE IDs to assign.
  9. The candidate's POCs are added to the appropriate communications channels.
  10. After successfully completing the above, required steps, the candidate enters operational mode and is now considered a CNA. If the CNA was added by a Root CNA, the Root CNA notifies the Primary CNA.
  11. The Primary CNA updates public documentation to include the new CNA and makes public announcements introducing the new CNA. Any changes in a CNA's program, including staff changes or process changes, must be documented and shared with the CVE Program through a CNA's Root CNA or the Primary CNA.

Contacting MITRE to Become a CNA:

After reviewing the "CVE Numbering Authorities (CNA) Rules" document and the information above, please use the CVE Request web form and select "Other" from the dropdown menu to contact us about becoming a CNA.

Page Last Updated or Reviewed: February 03, 2017