CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and information technology vendors.

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

To review the products covered by each CNA, visit the Request a CVE ID page.

CNAs

Documentation for CNAs

Working Groups





Growth of CNA Program Worldwide


There are 98 organizations participating as CNAs as of June 26, 2019:

CNAs World Map - June 2019

CNAs World Map as of June 2019

  • Vendors and Projects: 80
  • Vulnerability Researchers: 8
  • National and Industry CERTs: 5
  • Bug Bounty Programs: 2
  • Root CNAs: 2
  • Program Root CNA: 1

Number of CNAs by country as shown at right:

  • Australia: 1
  • Austria: 1
  • Belgium: 1
  • Canada: 2
  • China: 8
  • France: 1
  • Germany: 6
  • Israel: 1
  • Japan: 3
  • Netherlands: 2
  • Philippines: 1
  • Russia: 2
  • South Korea: 2
  • Taiwan: 3
  • UK: 2
  • USA: 63

Key for CNA Types:

  • Bug Bounty Programs - assigns CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.
  • National and Industry CERTs - performs incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
  • Program Root CNA - oversees the CNA program.
  • Root CNA - manages a group of sub-CNAs within a given domain or community.
  • Vendors and Projects - assigns CVE IDs for vulnerabilities found in their own products and projects.
  • Vulnerability Researchers - assigns CVE IDs to products and projects upon which they perform vulnerability analysis.

View the current list of CNAs.




How to Become a CNA

Thank you for your interest in becoming a CVE Numbering Authority (CNA).

Please follow these steps to get started:

  1. Learn about the CVE Program by reviewing the introduction to CVE for prospective CNAs.
  2. Read the CNA program overview.
  3. Review the CNA candidate process for what to expect.
  4. Determine if you or your organization meets the base qualifications to become a CNA.
  5. Use the CVE Request web form and select “Other” from the dropdown menu to contact us about becoming a CNA.

After receiving your web form submission, the CNA Program Coordinator will contact you to lead you through the steps to becoming a CNA per the CNA on-boarding process.


Additional Reading

Submitting CVE Entry Information to CVE Team

Please use one of the following two methods to submit CVE Entry information to the CVE Team.

(1) CVE Request Web Form

Submitting through the CVE Request Web Form:
  1. Visit the CVE Request web form.
  2. Select “Notify CVE about a publication” and enter your email address.
  3. Fill in the form.
  4. NOTE: “Link to the advisory” and “CVE IDs of vulnerabilities to be published” fields are required.
  5. The assignment information (in Flat File, CSV, or JSON format) should be entered in the “Additional information and CVE ID description updates” field.
  6. NOTE: Alternatively, you can send the CVE Entry information as a file attachment in a reply to an email message generated by CVE’s ticketing system when the submission has been received.
  7. Enter the security code.
  8. Press “Submit Request.”

(2) Git

Page Last Updated or Reviewed: June 25, 2019