CVE Blog
The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post.
Please use our LinkedIn page, or the CVE Request Web Form by selecting “Other” from the dropdown, to comment on the post below.
Become a CNA
Comment on LinkedIn | Share this post
CVE Numbering Authorities, or “CNAs,” are how the CVE List is built. Every CVE Entry added to the list is assigned by a CNA.
The majority of CNAs are currently software vendors that assign CVE Entries to issues in their own products, but many vulnerability researchers and third-party coordinators also participate by assigning CVE IDs to issues in third-party products per their specified scopes of coverage. In all cases, by issuing CVE IDs themselves without directly involving MITRE in the details of the specific vulnerabilities, CNAs are able to ensure CVE IDs are available for inclusion in the first-time public announcement of a new vulnerability, which greatly benefits the overall cyber security community as organizations share information about the vulnerabilities and remediate them.
Actively Expanding the Number of CNAs
As of today, August 2, 2017, there are 69 total CNAs participating in the CVE program: 57 software vendors, 7 third-party coordinators, 4 vulnerability researchers, and MITRE as the Primary CNA.
And the CVE program has been actively growing the list of participating CNAs, which now includes organizations from around the world with 14 countries represented as illustrated in this map:
NUMBER OF CNAS BY COUNTRY, AS OF AUGUST 2017: Australia: 1; Austria: 1; Canada: 3; China: 6; France: 1;
Germany: 1; Israel: 1; Japan: 3; Netherlands: 1; Russia: 1; South Korea: 1; Taiwan: 1; UK: 1; and USA: 47.
You too can become a CNA
Please consider joining us as a CNA. Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.
If your organization would like to become a CNA, please follow these three steps:
- Review the “CVE Numbering Authorities (CNA) Rules” document in its entirety.
- Closely review the How to Become a CNA section of this website, which is excerpted from the “CNA Rules” above.
- Contact us via our CVE Request web form by selecting “Other” from the dropdown menu.
We look forward to hearing from you!
| - | The CVE Team |
| August 2, 2017 | |
|
CVE Request Web Form (select “Other” from dropdown) |
Recent Posts
- We Speak CVE Podcast: CVE Working Groups, What They Are and How They Improve CVE
- We Speak CVE Podcast: Managing Modernization and Automation Changes in the CVE Program
- Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems (guest author)
- We Speak CVE Podcast: How the New CVE Record Format Is a Game Changer
- Our CVE Story: JPCERT/CC (guest author)
- More >>
