CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and information technology vendors.

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

To review the products covered by each CNA, visit the Request a CVE ID page.

CNAs

Documentation for CNAs

CNA Working Group

Back to top


Growth of CNA Program Worldwide


There are 184 organizations from 31 countries participating as CNAs as of September 14, 2021:

CNAs World Map - September 2021

CNAs World Map as of September 14, 2021

  • Vendors and Projects: 166
  • Vulnerability Researchers (Independent): 1
  • Vulnerability Researchers (Organizations): 33
  • National and Industry CERTs: 9
  • Bug Bounty Programs: 4
  • Root CNAs: 2
  • Top-Level Root CNAs: 2

Number of CNAs by country as shown at right:

  • Australia: 2
  • Austria: 1
  • Belgium: 1
  • Canada: 6
  • China: 11
  • Colombia: 1
  • Denmark: 1
  • Estonia: 1
  • Finland: 2
  • France: 2
  • Germany: 8
  • India: 2
  • Ireland: 1
  • Israel: 4
  • Japan: 7
  • Latvia: 1
  • Netherlands: 3
  • New Zealand: 1
  • Norway: 1
  • Romania: 1
  • Russia: 2
  • Slovak Republic: 1
  • South Korea: 4
  • Spain: 2
  • Sweden: 2
  • Switzerland: 3
  • Taiwan: 4
  • Turkey: 2
  • UK: 5
  • USA: 101
  • Vietnam: 1

View the current list of CNAs.

Back to top


How to Become a CNA

  1. Contact the CNA Coordination Team.
  2. Fill out the registration form.
  3. Attend an introductory session.
  4. Successfully create CVE ID records from examples.
Back to top

Why Become a CNA?

Thank you for your interest in becoming a CVE Numbering Authority (CNA).

Benefits

Cost

Requirements

Questions?

Back to top


CNA Onboarding Slides & Videos

These videos and slides on the CNA Onboarding Guidance playlist on the CVE Program Channel on YouTube should be reviewed by new CNAs in the order presented below prior to your onboarding meeting with the CNA Coordination Team.


 view as slides: English | Japanese



 view as slides: English | Japanese



 view as slides: English | Japanese



 view as slides: English | Japanese



 view as slides: English | Japanese



CVE Record GitHub Submissions slides

 view as slides (only): English |  Git setup documents





 view as slides: English | Japanese



Onboarding Questions or Help:

Back to top


Submitting CVE Record Information to CVE Program

Please use one of the following two methods to submit CVE Record information to the CVE Program.

(1) CVE Request Web Form

Submitting through the CVE Request Web Form:
  1. Visit the CVE Request web form.
  2. Select “Notify CVE about a publication” and enter your email address.
  3. Fill in the form.
  4. NOTE: “Link to the advisory” and “CVE IDs of vulnerabilities to be published” fields are required.
  5. The assignment information (in Flat File, CSV, or JSON format) should be entered in the “Additional information and CVE ID description updates” field.
  6. NOTE: Alternatively, you can send the CVE Record information as a file attachment in a reply to an email message generated by CVE’s ticketing system when the submission has been received.
  7. Enter the security code.
  8. Press “Submit Request.”

(2) Git

Back to top
Page Last Updated or Reviewed: September 14, 2021