CVE - CVE Numbering Authorities

CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and information technology vendors.

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

To review the products covered by each CNA, visit the Request a CVE ID page.


CNAs Participating CNAs Types of CNAs Growth of CNA Program Worldwide Why Become a CNA? How to Become a CNA	Documentation for CNAs CVE Numbering Authorities (CNA) Rules, Version 3.0 Submitting CVE Entry Information to CVE Team Documents, Policies, & Guidance Resources CNA Onboarding Slides & Videos	CNA Working Group CNA Coordination All CVE WGs

CNAs

Documentation for CNAs

CNA Onboarding Slides & Videos

CNA Working Group

Growth of CNA Program Worldwide

There are 130 organizations from 21 countries participating as CNAs as of July 7, 2020:

CNAs World Map as of July 2020

Vendors and Projects: 117
Vulnerability Researchers: 18
National and Industry CERTs: 7
Bug Bounty Programs: 2
Root CNAs: 2
Program Root CNA: 1

Number of CNAs by country as shown at right:

Australia: 1
Austria: 1
Belgium: 1
Canada: 5
China: 12
France: 1
Germany: 8
India: 1
Ireland: 1
Israel: 2
Japan: 3
Netherlands: 2
Norway: 1
Romania: 1
Russia: 2
South Korea: 2
Spain: 2
Switzerland: 1
Taiwan: 3
UK: 2
USA: 78

Key for CNA Types:

Bug Bounty Programs - assigns CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.
CNA of Last Resort (CNA-LR) - assigns CVE IDs for vulnerabilities that will not be assigned by another CNA.
Hosted Services - assigns CVE IDs for vulnerabilities found in their own services.
National and Industry CERTs - performs incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
Program Root CNA - oversees the CNA program.
Root CNA - manages a group of sub-CNAs within a given domain or community.
Vendors and Projects - assigns CVE IDs for vulnerabilities found in their own products and projects.
Vulnerability Researchers - assigns CVE IDs to products and projects upon which they perform vulnerability analysis.
Secretariat - supports CNA functions for a given Root CNA and its sub-CNAs such as providing infrastructure, etc.

View the current list of CNAs.

How to Become a CNA

Contact the CNA Coordination Team.
Fill out the registration form.
Attend an introductory session.
Successfully create CVE ID entries from examples.

Why Become a CNA?

Thank you for your interest in becoming a CVE Numbering Authority (CNA).

Benefits

Demonstrate mature vulnerability management practices and a commitment to cybersecurity to current and potential customers.
Communicate value-added vulnerability information to your customer base.
Control the CVE publication release process for vulnerabilities in your scope.
Assign CVE IDs without having to share embargoed information with another CNA.
Streamline vulnerability disclosure processes.

Cost

There is no monetary fee.
CNAs volunteer their own time for their own benefit.
There is no contract to sign.

Requirements

Have a public vulnerability disclosure policy.
Have a public source for new vulnerability disclosures.
Agree to the CVE Terms of Use.

Questions?

CNA Onboarding Slides & Videos

These videos and slides on the CNA Onboarding Guidance playlist on the CVE Program Channel on YouTube should be reviewed by new CNAs in the order presented below prior to your onboarding meeting with the CNA Coordination Team.

view as slides: English | Japanese

view as slides (only): English | Git setup documents

view as slides: English | Japanese

Onboarding Questions or Help:

Submitting CVE Entry Information to CVE Team

Please use one of the following two methods to submit CVE Entry information to the CVE Team.

(1) CVE Request Web Form

The CVE Request web form is the preferred method for submitting CVE Entry information.
This method supports all three file types: Flat File, CSV file, and JSON.
NOTE: The form has limits on form field sizes, which may cause problems when submitting multiple CVE ID requests at one time.
Use this method for both new and updated submissions.

Submitting through the CVE Request Web Form:

Visit the CVE Request web form.
Select “Notify CVE about a publication” and enter your email address.
Fill in the form.
NOTE: “Link to the advisory” and “CVE IDs of vulnerabilities to be published” fields are required.
The assignment information (in Flat File, CSV, or JSON format) should be entered in the “Additional information and CVE ID description updates” field.
NOTE: Alternatively, you can send the CVE Entry information as a file attachment in a reply to an email message generated by CVE’s ticketing system when the submission has been received.
Enter the security code.
Press “Submit Request.”

(2) Git

This method supports CVE JSON only.
NOTE: Avoid files with MS-DOS style line endings (CR/LF).
This method is suited to both new and updated submissions.