CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.

CVE Program Report for Calendar Year Q3-2020

Share or comment Medium Twitter LinkedIn

The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for CY Q3-2020 is below.

CY Q3-2020 Milestones

11 CVE Numbering Authorities (CNAs) Added
Eleven new CNAs were added: Crafter CMS (USA), Electronic Arts (USA), F-Secure (Finland), Gallagher Group (New Zealand), Mattermost (USA), Nozomi Networks (USA), Replicated (USA), Synaptics (USA), (USA), VDOO Connected Trust Ltd. (Israel), and Zabbix (Latvia).

CISA ICS Added as Top-Level Root CNA for Industrial Control Systems (ICS) and Medical Devices
On September 15, the CVE Program issued a press release announcing that it had expanded its partnership with Cybersecurity and Infrastructure Security Agency (CISA) and that CISA ICS would now be Top-Level Root CNA (TLR-CNA) responsible for CVE ID assignment by ICS and medical device vendors participating as CNAs, of which there are currently seven: Alias Robotics, ABB, Bosch, CERT@VDE, Gallagher Group, Johnson Controls, and Siemens.

Published the CVE Program’s Process for Assigning CVE IDs to End-of-Life (EOL) Products
The CVE Board approved the “CVE Program’s EOL Vulnerability Assignment Process” on July 31.

Published Updated CVE Program Terminology and Definitions
Updates to CVE Program Terminology were published on July 31. The changes were made to clarify the meaning of terms for stakeholders and to ensure clear and concise communications with the community. Three new terms were added, with CVE Record replacing CVE Entry, and Top-Level Root CNA (TLR-CNA) and CNA of Last Resort (CNA-LR) added as new roles within the CNA program. The CVE Program's definition of Vulnerability was also updated, among several other definition updates and clarifications.

Two “Our CVE Story” Blog Articles Published on the CVE Website
Published on the CVE Blog in August and September, “Our CVE Story: Rapid7” about how Rapid7 became CNA was written by CVE Board member and CNA Coordination Working Group Chair Tod Beardsley, and “Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition?” about how Microsoft has partnered with the CVE Program as a CNA for more than 20 years was written by CVE Board member Lisa Olson.

Added a New CVE Board Member from JPMorgan Chase
Jessica Colvin of JPMorgan Chase was elected to the CVE Board on September 30.

CY Q3-2020 Metrics

Metrics for CY Q3-2020 published CVE Records and reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.


  • Published – A published CVE Record includes the CVE ID, a brief description, at least one public reference, and is available to the general public on the CVE List.
  • Reserved – CNAs reserve a CVE ID for a given vulnerability prior to assigning and publishing it as a CVE Record on the CVE List.

Published CVE Records

As shown in the table below, CVE Program production was 4,171 CVE Records for CY Q3-2020. This includes all CVE Records published by all CNAs.

Published CVE Records - All CNAs Year-to-Date CY Q3-2020

Comparison of Published CVE Records by Year for All Quarters - CY Q3-2020

Comparison of Published CVE Records by Year for All Quarters (figure 1)

Reserved CVE IDs

Finally, the CVE Program tracks reserved CVE IDs. As shown in the table below, the number of CVE Records in the reserved state was 10,723 for Q3-2020, a 45% increase over the previous quarter. The chart below (figure 2) shows the number of CVE Records added to the CVE List for each year. Unlike the table, the CVE Records in the chart can be either in the reserved or populated state.

Reserved CVE IDs - All CNAs Year-to-Date CY Q3-2020

Comparison of Reserved CVE IDs by Year for All Quarters - CY Q3-2020

Comparison of Reserved CVE IDs by Year for All Quarters - All CNAs Year-to-Date CY Q3-2020 (figure 2)

All CVE IDs Are Assigned by CNAs

All of the CVE Records cited in the metrics above are published by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 140 organizations from 24 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!

- The CVE Team
  October 19, 2020
  CVE Request Web Form
(select “Other” from dropdown)

Recent Posts

Page Last Updated or Reviewed: October 19, 2020