There are 93 organizations participating as CNAs as of December 10, 2018:

CNAs World Map as of December 2018

• Vendors and Projects: 76
• Vulnerability Researchers: 7
• National and Industry CERTs: 5
• Bug Bounty Programs: 2
• Root CNAs: 2
• Primary CNA: 1

Number of CNAs by country as shown at right:

• Australia: 1
• Austria: 1
• Belgium: 1
• Canada: 3
• China: 8
• France: 1
• Germany: 2
• Israel: 1
• Japan: 3
• Netherlands: 2
• Philippines: 1
• Russia: 2
• South Korea: 2
• Taiwan: 4
• UK: 1
• USA: 60

Key for CNA Types:

• Bug Bounty Programs - assigns CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.
• National and Industry CERTs - performs incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
• Primary CNA - oversees the CNA program.
• Root CNA - manages a group of sub-CNAs within a given domain or community.
• Vendors and Projects - assigns CVE IDs for vulnerabilities found in their own products and projects.
• Vulnerability Researchers - assigns CVE IDs to products and projects upon which they perform vulnerability analysis.

View the current list of CNAs.

4. CNA Candidate Process

The CVE Program, through both Root CNAs and the Primary CNA, adds qualified organizations (hereinafter referred to as candidates) as CNAs through the on-boarding process described in this section. The on-boarding process is designed to set expectations for CNAs regarding the oversight and administration of CVE assignment for products within their scope. The goals of the CNA candidate process:

1. The candidate understands its roles and responsibilities.

2. Individual members of the new CNA's team are able to perform CVE assignment and counting processes.

3. Clear communication channels exist between CNAs and the rest of the CVE Program.

4.1. CNA Qualifications

A candidate is qualified if they meet the following criteria:

1. A candidate must be interested in becoming a CNA and willing to follow established CNA rules.

2. A CNA must be
   
   
   1. vendor with a significant user base and an established security advisory capability, or
      
      
   2. an established entity with an established security advisory capability that typically acts as a neutral interface between researchers and vendors. A Root CNA may be a regional coordinator (such as a Computer Emergency Response Team [CERT]) or a domain publisher (such as an Information Sharing and Analysis Center [ISAC] representing a particular sector). A CNA may also be a mature research organization.
   
   A Root CNA may be a regional coordinator (such as a Computer Emergency Response Team [CERT]) or a domain publisher (such as an Information Sharing and Analysis Center [ISAC] representing a particular sector). A CNA may also be a mature research organization.

3. The CNA must be an established distribution point or source for first-time product vulnerability announcements (which may concern their own products). In keeping with the CVE requirement to identify public issues, the CNA must only assign CVEs to security issues that will be made public. (Refer to the definition of  "vulnerability" in Appendix A for clarification on what products should and should not be considered when assigning a CVE ID.)

4. The CNA must follow coordinated disclosure practices as determined by the community which they serve. Coordinated disclosure practices reduce the likelihood that duplicate or inaccurate information will be introduced into CVE.

4.2. CNA On-Boarding Process

1. A candidate may be identified by a Root CNA, the Primary CNA, a member of the CVE Board, or they may approach the Root CNA, the Primary CNA, or a member of the CVE Board to request a CNA appointment.

2. The candidate is reviewed to determine whether it is qualified by the appropriate Root CNA or the Primary CNA, hereinafter referred to as the vetting CNA, using the guidance in this section. A Root CNA is appropriate if the candidate fits within the domain of the Root CNA.

3. The vetting CNA engages the candidate and shares information about becoming a CNA, including this document.

4. The candidate assigns a primary and secondary POC for initial coordination with the vetting CNA.

5. Anyone acting in a CVE analyst capacity at the candidate's organization will be given training by their vetting CNA, which will include:

• Examples and exercises to work through with instruction and feedback;
  
  
• Counting rules to review and follow. During this training, an initial block of CVE IDs will be allocated to the candidate for use with their training. This block will be allocated by the vetting CNA. The Primary CNA will provide guidance and templates to assist with the creation of examples and exercises.

6. The candidate will document how CVE processes will be integrated into their operations.

• The candidate's documentation will include how they will process new requests for CVE IDs, internally and externally. If the candidate will process external CVE assignment requests, processes to submit requests will be documented for public release.
  
  
• All documentation will be shared with the vetting CNA and may also be shared publicly by the candidate.

7. The vetting CNA will review the candidate's documentation and work with the candidate to address any issues in their processes that may conflict with the established CNA rules.

8. The vetting CNA allocates the candidate a block of CVE IDs to assign.

9. The candidate's POCs are added to the appropriate communications channels.

10. After successfully completing the above, required steps, the candidate enters operational mode and is now considered a CNA. If the CNA was added by a Root CNA, the Root CNA notifies the Primary CNA.

11. The Primary CNA updates public documentation to include the new CNA and makes public announcements introducing the new CNA. Any changes in a CNA's program, including staff changes or process changes, must be documented and shared with the CVE Program through a CNA's Root CNA or the Primary CNA.