CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post.

Please use our LinkedIn page, or the CVE Request Web Form by selecting “Other” from the dropdown, to comment on the post below.

Become a CNA

Comment on LinkedIn | Share this post

CVE Numbering Authorities, or “CNAs,” are how the CVE List is built. Every CVE Entry added to the list is assigned by a CNA.

The majority of CNAs are currently software vendors that assign CVE Entries to issues in their own products, but many vulnerability researchers and third-party coordinators also participate by assigning CVE IDs to issues in third-party products per their specified scopes of coverage. In all cases, by issuing CVE IDs themselves without directly involving MITRE in the details of the specific vulnerabilities, CNAs are able to ensure CVE IDs are available for inclusion in the first-time public announcement of a new vulnerability, which greatly benefits the overall cyber security community as organizations share information about the vulnerabilities and remediate them.

Actively Expanding the Number of CNAs

As of today, August 2, 2017, there are 69 total CNAs participating in the CVE program: 57 software vendors, 7 third-party coordinators, 4 vulnerability researchers, and MITRE as the Primary CNA.

And the CVE program has been actively growing the list of participating CNAs, which now includes organizations from around the world with 14 countries represented as illustrated in this map:

CNAs World Map - August 2017

NUMBER OF CNAS BY COUNTRY, AS OF AUGUST 2017: Australia: 1; Austria: 1; Canada: 3; China: 6; France: 1;
Germany: 1; Israel: 1; Japan: 3; Netherlands: 1; Russia: 1; South Korea: 1; Taiwan: 1; UK: 1; and USA: 47.

You too can become a CNA

Please consider joining us as a CNA. Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

If your organization would like to become a CNA, please follow these three steps:

  1. Review the “CVE Numbering Authorities (CNA) Rules” document in its entirety.
  2. Closely review the How to Become a CNA section of this website, which is excerpted from the “CNA Rules” above.
  3. Contact us via our CVE Request web form by selecting “Other” from the dropdown menu.

We look forward to hearing from you!

- The CVE Team
  August 2, 2017
  CVE Request Web Form
(select “Other” from dropdown)

Recent Posts

Page Last Updated or Reviewed: August 24, 2020