Common Vulnerabilities and Exposures |
|
||||
Power user
shortcuts:
Request CVE IDs
CVE prioritizes the assignment of CVE Identifiers (CVE IDs) for the products, vendors, and product categories listed below, but you may request a CVE ID for any vulnerability.
New users, follow these steps to request CVE IDs:
- Locate the correct CVE Numbering Authority (CNA) whose scope includes the product affected by the vulnerability in the Participating CNAs table below.
- Contact the CNA specified below using the contact method provided.
- If the product affected by the vulnerability is not covered by a CNA listed below, please contact the CVE Program Root CNA.
Participating CNAs
CNAs are listed alphabetically:
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z
| Product, Vendor, or Product Category Name | Scope | CNA Contact Email and/or Webpage (if applicable) |
CNA Type* |
| MITRE Corporation | All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this page | MITRE CVE Request web form | Program Root CNA |
| Adobe Systems Incorporated | Adobe issues only | psirt@adobe.com Adobe security page | Vendors and Projects |
| Airbus | All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope | vuln@airbus.com
Airbus Vulnerability Handling and Disclosure |
Vendors and Projects Vulnerability Researchers |
| Alibaba, Inc. | Projects listed on its Alibaba GitHub website only | alibaba-cna@list.alibaba-inc.com
Alibaba website Alibaba GitHub website |
Vendors and Projects |
| Android (associated with Google Inc. or Open Handset Alliance) | Android issues only | security@android.com
Android security page |
Vendors and Projects |
| Apache Software Foundation | All Apache Software Foundation issues | security@apache.org Apache security page | Vendors and Projects |
| Apple Inc. | Apple issues only | product-security@apple.com Apple security page | Vendors and Projects |
| Appthority | All Appthority products, as well as vulnerabilities in third-party software discovered by Appthority that are not in another CNA’s scope | security@appthority.com
Appthority Disclosure Policy Appthority Advisories | Vendors and Projects Vulnerability Researchers |
| Atlassian | All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/atlassian and https://github.com/atlassian/ | security@atlassian.com | Vendors and Projects |
| Autodesk | All currently supported Autodesk Applications and Cloud Services | psirt@autodesk.com | Vendors and Projects |
| Avaya, Inc. | All Avaya products | securityalerts@avaya.com
Avaya Disclosure Policy Avaya Advisories | Vendors and Projects |
| Bitdefender | All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope | cve-requests@bitdefender.com
Bitdefender Disclosure Policy Bitdefender Advisories | Vendors and Projects Vulnerability Researchers |
| BlackBerry | BlackBerry and Good product issues only | secure@blackberry.com Blackberry security page | Vendors and Projects |
| Robert Bosch GmbH | Bosch products only | psirt@bosch.com
Bosch Disclosure Policy Bosch Advisories | Vendors and Projects |
| Brocade Communications Systems, LLC | Brocade products only | brocade.sirt@broadcom.com Brocade security page | Vendors and Projects |
| Canonical Ltd. | All Canonical issues (including Ubuntu Linux) only | security@ubuntu.com Ubuntu security page | Vendors and Projects |
| CA Technologies - A Broadcom Company | CA Technologies issues only |
ca.psirt@broadcom.com
CA Technologies Disclosure Policy CA Technologies Advisories | Vendors and Projects |
| CERT/CC | Vulnerability assignment related to its vulnerability coordination role | cert@cert.org CERT/CC contact page | National and Industry CERTs |
| Check Point Software Technologies Ltd. | Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope | cve@checkpoint.com | Vendors and Projects Vulnerability Researchers |
| Cisco Systems, Inc. | All Cisco and Duo Security products, and any third-party research targets that are not in another CNA’s scope | psirt@cisco.com
Cisco Disclosure Policy Cisco Advisories psirt@duosecurity.com Duo Security Disclosure Policy Duo Security Advisories |
Vendors and Projects Vulnerability Researchers |
| Cloudflare, Inc. | All Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope | cna@cloudflare.com
Cloudflare Disclosure Policy Cloudflare Advisories |
Vendors and Projects |
| CyberSecurity Philippines - CERT | Vulnerability assignment related to its vulnerability coordination role that are not in another CNA’s scope | vulnerability@cspcert.ph
CyberSecurity Philippines - CERT Disclosure Policy CyberSecurity Philippines - CERT Advisories | National and Industry CERTs |
| Dahua Technologies | Dahua issues only | cybersecurity@dahuatech.com Dahua security page | Vendors and Projects |
| Debian GNU/Linux | Debian issues only | security@debian.org Debian security page | Vendors and Projects |
| Dell | Dell, Dell EMC, RSA, and VCE issues only | secure@dell.com Dell security page | Vendors and Projects |
| Document Foundation, The | Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues | security@documentfoundation.org
The Document Foundation Disclosure Policy The Document Foundation Advisories | Vendors and Projects |
| Drupal.org | All projects hosted under drupal.org only | security@drupal.org Drupal security advisories page | Vendors and Projects |
| Eclipse Foundation | Eclipse IDE and the Eclipse Foundation's eclipse.org, polarysys.org, and locationtech.org open source projects only | security@eclipse.org Eclipse security page | Vendors and Projects |
| Elastic | Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only |
security@elastic.co
Elastic security page |
Vendors and Projects |
| F5 Networks | F5 issues only | f5sirt@f5.com
F5 Vulnerability Response Policy |
Vendors and Projects |
| Facebook, Inc. | Facebook-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Facebook that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/ | Facebook security page | Vendors and Projects Vulnerability Researchers |
| Fedora Project | Fedora Project issues only | Fedora Bug Report page | Vendors and Projects |
| Flexera Software LLC | All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope | PSIRT-CNA@flexerasoftware.com | Vendors and Projects Vulnerability Researchers |
| floragunn GmbH | All issues related to Search Guard only | security@search-guard.com
floragunn Disclosure Policy floragunn Advisories | Vendors and Projects |
| Forcepoint | Forcepoint products only | psirt@forcepoint.com Forcepoint security page | Vendors and Projects |
| Fortinet, Inc. | Fortinet issues only | psirt@fortinet.com | Vendors and Projects |
| FreeBSD | Primarily FreeBSD issues only | secteam@freebsd.org | Vendors and Projects |
| GitHub, Inc. | All libraries and products hosted on github.com in a public repository, unless they are otherwise covered by another CNA | security-advisories@github.com
GitHub Disclosure Policy GitHub Advisories | Vendors and Projects |
| Google Inc. | Chrome and Chrome OS issues, and projects that are not in another CNA’s scope | Report vulnerabilities: security@chromium.org Questions about Google’s CVE Entries: chrome-cve-admin@google.com Google app security page |
Vendors and Projects |
| HackerOne | Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform | support@hackerone.com HackerOne contact page | Bug Bounty Programs |
| Hangzhou Hikvision Digital Technology Co., Ltd. | All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs) | hsrc@hikvision.com | Vendors and Projects |
| HCL Software | All HCL products only | psirt@hcl.com
HCL Disclosure Policy HCL Advisories | Vendors and Projects |
| Hewlett Packard Enterprise (HPE) | HPE issues only | security-alert@hpe.com | Vendors and Projects |
| Hillstone Networks, Inc. | All Hillstone products only |
sec@hillstonenet.com
Hillstone Disclosure Policy Hillstone Advisories | Vendors and Projects |
| HP Inc. | HP Inc. issues only | hp-security-alert@hp.com | Vendors and Projects |
| Huawei Technologies | Huawei issues only | psirt@huawei.com Huawei security page | Vendors and Projects |
| IBM Corporation | All IBM products, as well as vulnerabilities in third-party software discovered by IBM X-Force Red that are not in another CNA’s scope | psirt@us.ibm.com | Vendors and Projects Vulnerability Researchers |
| ICS-CERT | Infrastructure sector control systems | ics-cert@hq.dhs.gov | National and Industry CERTs |
| Intel Corporation | Intel branded products and technologies and Intel managed open source projects | secure@intel.com Intel security page | Vendors and Projects |
| Internet Systems Consortium (ISC) | All ISC.org projects | security-officer@isc.org ISC report a bug page | Vendors and Projects |
| Jenkins Project | Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only | jenkinsci-cert@googlegroups.com
Jenkins Project Disclosure Policy Jenkins Project Advisories | Vendors and Projects |
| Johnson Controls | Johnson Controls products only | productsecurity@jci.com
Johnson Controls Disclosure Policy Johnson Controls Advisories | Vendors and Projects |
| JPCERT/CC | Vulnerability assignment related to its vulnerability coordination role | vultures@jpcert.or.jp JPCERT/CC contact page | Root CNA
National and Industry CERTs |
| Juniper Networks, Inc. | Juniper issues only | sirt@juniper.net Juniper security page | Vendors and Projects |
| Kaspersky | Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope | vulnerability@kaspersky.com | Vendors and Projects Vulnerability Researchers |
| KrCERT/CC | Vulnerability assignment related to its vulnerability coordination role | vuln@krcert.or.kr | National and Industry CERTs |
| Kubernetes | Kubernetes issues only | security@kubernetes.io
Kubernetes Disclosure Policy Kubernetes Advisories | Vendors and Projects |
| Larry Cashdollar | Third-party products he researches | larry0@me.com | Vulnerability Researchers |
| Lenovo Group Ltd. | Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only | psirt@lenovo.com | Vendors and Projects |
| MarkLogic Corporation | MarkLogic issues only | security@marklogic.com | Vendors and Projects |
| McAfee | All McAfee products, as well as vulnerabilities in third-party software discovered by McAfee ATR that are not in another CNA’s scope |
security_report@mcafee.com
McAfee Advisories | Vendors and Projects Vulnerability Researchers |
| Micro Focus International | All Attachmate, Borland, Gwava, Micro Focus, NetIQ, Novell, and Serena products, as well as all former HP Enterprise software suites | security@microfocus.com
Micro Focus Disclosure Policy Micro Focus Advisories | Vendors and Projects |
| Microsoft Corporation | Microsoft issues only | secure@microsoft.com
Microsoft security page |
Vendors and Projects |
| MITRE Corporation | All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this page | MITRE CVE Request web form | Program Root CNA |
| MongoDB, Inc. | MongoDB products only | cna@mongodb.com
MongoDB Disclosure Policy MongoDB Advisories | Vendors and Projects |
| Mozilla Corporation | Mozilla issues only | security@mozilla.org Mozilla security page | Vendors and Projects |
| Naver Corporation | Naver products only, except Line products | cve@navercorp.com
Naver Disclosure Policy Naver Advisories | Vendors and Projects |
| NetApp, Inc. | All NetApp products as well as projects hosted on https://github.com/netapp | security-alert@netapp.com NetApp security page | Vendors and Projects |
| Netflix, Inc. | Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix and https://github.com/spinnaker | security-report@netflix.com | Vendors and Projects |
| Node.js | All actively developed versions of software developed under the Node.js project on https://github.com/nodejs | cve-request@iojs.org Node.js security page | Vendors and Projects |
| NVIDIA Corporation | NVIDIA issues only | psirt@nvidia.com NVIDIA security page | Vendors and Projects |
| Objective Development Software GmbH | Objective Development issues only | Objective Development security page | Vendors and Projects |
| Odoo | Odoo issues only | security@odoo.com
Odoo Disclosure Policy Odoo Advisories | Vendors and Projects |
| OpenSSL Software Foundation | OpenSSL software projects only | openssl-security@openssl.org OpenSSL contact web page | Vendors and Projects |
| OPPO Mobile Telecommunication Corp., Ltd. | OPPO devices only | security@oppo.com
OPPO Disclosure Policy OPPO Advisories | Vendors and Projects |
| Oracle | Oracle Premier and Extended Support product versions per Oracle’s Lifetime Support Policy | secalert_us@oracle.com Oracle security page | Vendors and Projects |
| Palo Alto Networks, Inc. | All Palo Alto Networks products |
psirt@paloaltonetworks.com
Palo Alto Networks Disclosure Policy Palo Alto Networks Advisories | Vendors and Projects |
| PHP Group | Vulnerabilities in PHP code (code in https://github.com/php/php-src) only | security@php.net
PHP Group Disclosure Policy PHP Group Advisories | Vendors and Projects |
| Pivotal Software, Inc. | Pivotal, Spring, and Cloud Foundry issues only | security@pivotal.io
Pivotal Disclosure Policy, Cloud Foundry Disclosure Policy Pivotal Advisories, Spring Advisories, Cloud Foundry Advisories | Vendors and Projects |
| Puppet | All Puppet products, as well as all projects on https://github.com/puppetlabs | security@puppet.com Puppet security page | Vendors and Projects |
| QNAP Systems, Inc. | QNAP QTS, QES, and QVR products as well as its mobile apps and utilities | security@qnap.com | Vendors and Projects |
| Qualcomm, Inc. | Qualcomm and Snapdragon issues only | product-security@qualcomm.com | Vendors and Projects |
| Rapid7, Inc. | All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope | cve@rapid7.com Rapid7 security page | Vendors and Projects Vulnerability Researchers |
| Red Hat, Inc. | Linux issues only | secalert@redhat.com Red Hat security page | Vendors and Projects |
| Salesforce, Inc. | Salesforce products only | security@salesforce.com
Salesforce Disclosure Policy Salesforce Advisories | Vendors and Projects |
| SAP SE | All SAP products | cna@sap.com | Vendors and Projects |
| Schneider Electric SE | All Schneider Electric products, including Proface, Pelco, APC, and Eurotherm | cybersecurity@se.com Schneider Electric security page | Vendors and Projects |
| Siemens | Siemens issues only | productcert@siemens.com Siemens security page | Vendors and Projects |
| Snyk | Vulnerabilities in third-party products discovered by Snyk only | report@snyk.io
Snyk Disclosure Policy Snyk Advisories | Vulnerability Researchers |
| SonicWall, Inc. | SonicWall issues only | PSIRT@sonicwall.com
SonicWall Disclosure Policy SonicWall Advisories | Vendors and Projects |
| SUSE | All SUSE Enterprise products and openSUSE software | security@suse.de
SUSE Disclosure Policy SUSE Advisories SUSE Advisories by CVE ID | Vendors and Projects |
| Symantec Corporation | Symantec issues only | secure@symantec.com Symantec security page | Vendors and Projects |
| Synology Inc. | Synology issues only | security@synology.com Synology security page | Vendors and Projects |
| Talos | Third-party products it researches | talos-cna@cisco.com Talos web page | Vulnerability Researchers |
| Tenable Network Security, Inc. | Tenable products and third-party products they research not covered by another CNA | vulnreport@tenable.com Tenable security page | Vendors and Projects |
| 360 Security Technology, Inc. | 360 Total Security, 360 Safeguard, 360 Mobile Safe, and 360 Safe Router products, and vulnerabilities in third-party products discovered by 360 that are not covered by another CNA |
security@360.cn
360 Disclosure Policy 360 Advisories |
Vendors and Projects Vulnerability Researchers |
| TIBCO Software Inc. | TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only | security@tibco.com | Vendors and Projects |
| Tigera, Inc. | All vulnerabilities for Calico and all of Tigera’s products only | psirt@tigera.io
Tigera Disclosure Policy Tigera Advisories | Vendors and Projects |
| Trend Micro, Inc. | Trend Micro supported products and end-of-life products issues only | security@trendmicro.com Trend Micro security page | Vendors and Projects |
| TWCERT/CC | Vulnerability assignment related to its vulnerability coordination role |
cve@cert.org.tw
Chinese: TWCERT/CC Disclosure Policy TWCERT/CC Advisories English: TWCERT/CC Disclosure Policy TWCERT/CC Advisories |
National and Industry CERTs |
| VMware | VMware issues only | security@vmware.com | Vendors and Projects |
| Yandex N.V. | Yandex issues only | browser-security@yandex-team.ru | Vendors and Projects |
| Zephyr Project | Zephyr project components, and vulnerabilities that are not in another CNA’s scope | vulnerabilities@zephyrproject.org | Vendors and Projects |
| Zero Day Initiative | Products and projects covered by its bug bounty programs that are not in another CNA’s scope | zdi-disclosures@trendmicro.com ZDI contact page | Bug Bounty Programs |
| ZTE Corporation | ZTE products only | psirt@zte.com.cn | Vendors and Projects |
* Key for CNA Types:
- Bug Bounty Programs - assigns CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.
- National and Industry CERTs - performs incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
- Program Root CNA - oversees the CNA program.
- Root CNA - manages a group of sub-CNAs within a given domain or community.
- Vendors and Projects - assigns CVE IDs for vulnerabilities found in their own products and projects.
- Vulnerability Researchers - assigns CVE IDs to products and projects upon which they perform vulnerability analysis.
CVE Program Root CNA PGP Key
Please use our CVE Request web form to request CVE IDs directly from the CVE Program Root CNA (currently MITRE). Upon completion of the form, you will receive a confirmation email message that includes a reference number. Any additional communications related to that request will be done through email using the same subject line as the confirmation email.
View our web form help.
A PGP key is available for encrypted communications:
Key ID: 7C2D8720 Fingerprint: 9C98 A172 9BE8 01B2 FF6D 14BA 7496 C064 7C2D 8720 Key size: 4096 Public key: Click to download
NOTE: PGP key updated March 2018
For questions, or assistance about how to use the information on this page, please contact us.