|
|
||||
Power user
shortcuts:
Request CVE IDs
CVE prioritizes the assignment of CVE Identifiers (CVE IDs) for the products, vendors, and product categories listed below, but you may request a CVE ID for any vulnerability.
New users, follow these steps to request CVE IDs:
- Locate the correct CVE Numbering Authority (CNA) whose scope includes the product affected by the vulnerability in the CNAs table below.
- Contact that CNA using the contact method provided.
- If the product affected by the vulnerability is not covered by a CNA listed below, please contact the appropriate CNA of Last Resort in the Roots table below.
Participating CNAs
Roots, CNAs of Last Resort, and all other CNAs, are listed below.
| Root Name & Scope | Contact Method | Disclosure Policy | Security Advisories | Program Role & Type |
Country |
| MITRE Corporation
All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this page |
MITRE CVE Request web form | N/A | N/A | Top-Level Root CNA of Last Resort |
USA |
| Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
Industrial control systems and medical devices |
CISA ICS contact page | Policy | Alerts Advisories |
Top-Level Root CNA of Last Resort National & Industry CERTs |
USA |
| JPCERT/CC
Japan organizations |
vuls@jpcert.or.jp
JPCERT/CC contact page |
Policy | Advisories | Root National & Industry CERTs |
Japan |
CNAs are listed alphabetically:
A |
B |
C |
D |
E |
F |
G |
H |
I |
J |
K |
L |
M |
N |
O |
P |
Q |
R |
S |
T |
U |
V |
W |
X |
Y |
Z
| CNA Name & Scope | CNA Contact Method | Disclosure Policy | Security Advisories | CNA Role & Type |
CNA’s Root | Country |
| Adobe Systems Incorporated
Adobe issues only |
psirt@adobe.com
Adobe security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Advanced Micro Devices Inc.
AMD branded products and technologies only |
psirt@amd.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Airbus
All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope |
vuln@airbus.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | Netherlands |
| Alias Robotics S.L.
All Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware) discovered by Alias Robotics that are not in another CNA’s scope |
cve@aliasrobotics.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
CISA ICS | Spain |
| Alibaba, Inc.
Projects listed on its Alibaba GitHub website only |
alibaba-cna@list.alibaba-inc.com
Alibaba website Alibaba GitHub website |
Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| Ampere Computing
Ampere issues only |
psirt@amperecomputing.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Android (associated with Google
Inc. or Open Handset Alliance)
Android issues, as well as vulnerabilities in third-party software discovered by Android that are not in another CNA’s scope |
android-cna-team@google.com
Android Security Rewards Program |
Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Apache Software Foundation
All Apache Software Foundation issues only |
security@apache.org
Apache security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Apple Inc.
Apple issues only |
product-security@apple.com
Apple security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Arista Networks, Inc.
All Arista products only |
psirt@arista.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Asea Brown Boveri Ltd. (ABB)
ABB issues only |
cybersecurity@ch.abb.com | Policy | Advisories | CNA Vendors and Projects |
CISA ICS | Switzerland |
| Atlassian
All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/atlassian and https://github.com/atlassian/ |
security@atlassian.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Australia |
| Autodesk
All currently supported Autodesk Applications and Cloud Services |
psirt@autodesk.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Avaya, Inc.
All Avaya products only |
securityalerts@avaya.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Axis Communications AB
Axis products and solutions only |
product-security@axis.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Sweden |
| Bitdefender
All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope |
cve-requests@bitdefender.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | Romania |
| BlackBerry
BlackBerry and Good product issues only |
secure@blackberry.com
Blackberry security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | Canada |
| Brocade Communications Systems, LLC
Brocade products only |
brocade.sirt@broadcom.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Canonical Ltd.
All Canonical issues (including Ubuntu Linux) only |
security@ubuntu.com
Ubuntu security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | UK |
| CA Technologies - A Broadcom Company
CA Technologies issues only |
ca.psirt@broadcom.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| CERT/CC
Vulnerability assignment related to its vulnerability coordination role |
cert@cert.org
CERT/CC contact page |
Policy | Advisories | CNA National and Industry CERTs |
MITRE | USA |
| CERT@VDE
Products of the vendors: Beckhoff, Bender, Endress+Hauser, Etherwan Systems, HIMA, Festo, Koramis, ifm, Miele, Pepperl+Fuchs, Phoenix Contact, PILZ, Sysmik, Weidmueller, and WAGO. Also, industrial and infrastructure control systems (and its components) of European Union (EU) based vendors as long as there is no CNA with a more specific scope for the vulnerability |
info@cert.vde.com | Policy | Advisories | CNA National and Industry CERTs |
CISA ICS | Germany |
| Check Point Software Ltd.
Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope |
cve@checkpoint.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | Israel |
| Chrome
Chrome and Chrome OS issues, and projects that are not in another CNA’s scope |
Report Chrome vulnerabilities (email) Questions about Chrome’s CVE Records (email) |
Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Cisco Systems, Inc.
All Cisco and Duo Security products, and any third-party research targets that are not in another CNA’s scope |
psirt@cisco.com
psirt@duosecurity.com |
Cisco Policy
Duo Policy |
Cisco Advisories
Duo Advisories |
CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Cloudflare, Inc.
All Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope |
cna@cloudflare.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Coalfire Labs
All CoalfireONE products, as well as vulnerabilities in third-party software discovered by Coalfire Labs that are not in another CNA’s scope |
support@coalfire.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Crafter CMS
Crafter CMS issues only |
security@craftersoftware.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Cybellum Technologies LTD
All Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope |
info@cybellum.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Israel |
| Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
Industrial control systems and medical devices |
CISA ICS contact page | Policy | Advisories | Top-Level Root CNA National & Industry CERTs |
N/A | USA |
| Cyber Security Works Pvt. Ltd.
Vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope |
disclose@cybersecurityworks.com | Policy | Advisories | CNA Vulnerability Researchers |
MITRE | India |
| Dahua Technologies
Dahua issues only |
cybersecurity@dahuatech.com
Dahua security page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| Debian GNU/Linux
Debian issues only |
security@debian.org
Debian security page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| DeepSurface Security, Inc.
All DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope |
security@deepsurface.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Dell
Dell, Dell EMC, RSA, and VCE issues only |
secure@dell.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Document Foundation, The
Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues |
security@documentfoundation.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | Germany |
| Drupal.org
All projects hosted under drupal.org only |
security@drupal.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Eaton
Eaton issues only |
cybersecuritycoe@eaton.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Ireland |
| Eclipse Foundation
Eclipse IDE and the Eclipse Foundation's eclipse.org, polarysys.org, and locationtech.org open source projects only |
security@eclipse.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | Canada |
| Elastic
Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only |
security@elastic.co | Policy | Advisories | CNA Vendors and Projects |
MITRE | Netherlands |
| Electronic Arts, Inc.
EA issues only |
secure@ea.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Environmental Systems Research Institute, Inc.
All Esri products only |
psirt@esri.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| F5 Networks
F5 issues only |
f5sirt@f5.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Facebook, Inc.
Facebook-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Facebook that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/ |
Facebook security contact page | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Fedora Project
Vulnerabilities in open-source projects affecting the Fedora Project, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project |
Fedora Bug Report page | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Flexera Software LLC
All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope |
PSIRT-CNA@flexerasoftware.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| floragunn GmbH
All issues related to Search Guard only |
security@search-guard.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Germany |
| Forcepoint
Forcepoint products only |
psirt@forcepoint.com
Forcepoint security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Fortinet, Inc.
Fortinet issues only |
PSIRT contact form | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| FreeBSD
Primarily FreeBSD issues only |
secteam@freebsd.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| F-Secure
All F-Secure products and security vulnerabilities discovered by F-Secure in third-party software not in another CNA’s scope |
cve@f-secure.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | Finland |
| Gallagher Group Ltd.
All Gallagher security products only |
disclosures@gallagher.com | Policy | Advisories | CNA Vendors and Projects |
CISA ICS | New Zealand |
| GitHub, Inc.
GitHub currently only covers CVEs requested by software maintainers using the GitHub Security Advisories feature |
security-advisories@github.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| GitHub, Inc. (Products Only)
GitHub Enterprise Server issues only |
product-cna@github.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| GitLab Inc.
The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope |
cve@gitlab.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Google LLC
Google products that are not covered by Android and Chrome, as well as vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope |
security@google.com
Report a vulnerability |
Policy | Cloud Advisories
Application Advisories |
CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| HackerOne
Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform |
support@hackerone.com
HackerOne contact page |
Policy | Advisories | CNA Bug Bounty Programs |
MITRE | USA |
| Hangzhou Hikvision Digital Technology Co., Ltd.
All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs) |
hsrc@hikvision.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| HCL Software
All HCL products only |
psirt@hcl.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | India |
| Hewlett Packard Enterprise (HPE)
HPE issues only |
security-alert@hpe.com
Report vulnerabilities to HPE |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Hillstone Networks, Inc.
All Hillstone products only |
sec@hillstonenet.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| HP Inc.
HP Inc. issues only |
hp-security-alert@hp.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Huawei Technologies
Huawei issues only |
psirt@huawei.com
Huawei security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| IBM Corporation
All IBM products, as well as vulnerabilities in third-party software discovered by IBM X-Force Red that are not in another CNA’s scope |
psirt@us.ibm.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Intel Corporation
Intel branded products and technologies and Intel managed open source projects |
secure@intel.com
Intel security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Internet Systems Consortium (ISC)
All ISC.org projects |
security-officer@isc.org
ISC report a bug page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Jenkins Project
Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only |
jenkinsci-cert@googlegroups.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Johnson Controls
Johnson Controls products only |
productsecurity@jci.com | Policy | Advisories | CNA Vendors and Projects |
CISA ICS | USA |
| Joomla! Project
Core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only |
security@joomla.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| JPCERT/CC
Vulnerability assignment related to its vulnerability coordination role |
vuls@jpcert.or.jp
JPCERT/CC contact page |
Policy | Advisories | Root CNA National & Industry CERTs |
MITRE | Japan |
| Juniper Networks, Inc.
Juniper issues only |
sirt@juniper.net
Juniper security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Kaspersky
Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope |
vulnerability@kaspersky.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | Russia |
| KrCERT/CC
Vulnerability assignment related to its vulnerability coordination role |
vuln@krcert.or.kr | None | Advisories | CNA National and Industry CERTs |
MITRE | South Korea |
| Kubernetes
Kubernetes issues only |
security@kubernetes.io | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Larry Cashdollar
Third-party products he researches |
larry0@me.com | Policy | Advisories | CNA Vulnerability Researchers |
MITRE | USA |
| Lenovo Group Ltd.
Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only |
psirt@lenovo.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| LINE Corporation
Current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line. |
dl_cve@linecorp.com | Policy | Advisories | CNA Vendors and Projects |
JPCERT/CC | Japan |
| Logitech
All current products/software/apps made by Logitech, Ultimate Ears, Jaybird, Streamlabs, Logitech G, Logicool, Blue, and Astro Gaming |
cve-coordination@logitech.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Switzerland |
| MarkLogic Corporation
MarkLogic issues only |
security@marklogic.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Mattermost, Inc.
All Mattermost issues, and vulnerabilities discovered by Mattermost that are not in another CNA’s scope |
responsibledisclosure@ mattermost.com |
Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Mautic
Mautic core and officially supported plugins |
Mautic Security Team security@mautic.org |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| McAfee
All McAfee products, as well as vulnerabilities in third-party software discovered by McAfee ATR that are not in another CNA’s scope |
security_report@mcafee.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Micro Focus International
All Attachmate, Borland, Gwava, Micro Focus, NetIQ, Novell, and Serena products, as well as all former HP Enterprise software suites |
security@microfocus.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Microsoft Corporation
Microsoft issues only |
secure@microsoft.com
Microsoft security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Mitsubishi Electric Corporation
Mitsubishi Electric issues only |
Mitsubishielectric.Psirt@ yd.MitsubishiElectric.co.jp |
Policy | Advisories | CNA Vendors and Projects |
JPCERT/CC | Japan |
| MongoDB, Inc.
MongoDB products only |
cna@mongodb.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Mozilla Corporation
Mozilla issues only |
security@mozilla.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Naver Corporation
Naver products only, except Line products |
cve@navercorp.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | South Korea |
| NEC Corporation
NEC issues only |
psirt-info@cyber.jp.nec.com | Policy | Advisories | CNA Vendors and Projects |
JPCERT/CC | Japan |
| NetApp, Inc.
All NetApp products as well as projects hosted on https://github.com/netapp |
security-alert@netapp.com
NetApp security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Netflix, Inc.
Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix and https://github.com/spinnaker |
security-report@netflix.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| NLnet Labs
All NLnet Labs projects |
sep@nlnetlabs.nl | Policy |
RPKI Advisories NSD Advisories Unbound Advisories |
CNA Vendors and Projects |
MITRE | Netherlands |
| Node.js
All actively developed versions of software developed under the Node.js project on https://github.com/nodejs |
cve-request@iojs.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| NortonLifeLock Inc.
All NortonLifeLock product issues only |
security@nortonlifelock.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Nozomi Networks Inc.
All Nozomi Networks products, as well as vulnerabilities in third-party software discovered by Nozomi Networks that are not in another CNA’s scope |
prodsec@nozominetworks.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| NVIDIA Corporation
NVIDIA issues only |
psirt@nvidia.com
NVIDIA security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Objective Development Software GmbH
Objective Development issues only |
Objective Development security page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | Austria |
| Odoo
Odoo issues only |
security@odoo.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Belgium |
| openEuler
openEuler issues only |
security-openeuler@openeuler.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| OpenSSL Software Foundation
OpenSSL software projects only |
openssl-security@openssl.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| OpenVPN Inc.
All products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel |
security@openvpn.net | Policy | Business VPN Advisories
Community Advisories |
CNA Vendors and Projects |
MITRE | USA |
| Opera
Opera issues only |
Opera security contact page | Policy | Advisories | CNA Vendors and Projects |
MITRE | Norway |
| OPPO Mobile Telecommunication Corp., Ltd.
OPPO devices only |
security@oppo.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| Oracle
Oracle supported version product issues only; CVE IDs will not be assigned for unsupported products or versions (Oracle will confirm support status and notify researcher) |
secalert_us@oracle.com
Oracle security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| OTRS AG
Vulnerabilities for OTRS and ((OTRS)) Community Edition and modules only |
security@otrs.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Germany |
| Palo Alto Networks, Inc.
All Palo Alto Networks products, and vulnerabilities discovered by Palo Alto Networks that are not in another CNA’s scope |
psirt@paloaltonetworks.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Pegasystems Inc.
Pegasystems products only |
security@pega.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| PHP Group
Vulnerabilities in PHP code (code in https://github.com/php/php-src) only |
security@php.net | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Pivotal Software, Inc.
Pivotal, Spring, and Cloud Foundry issues only |
security@pivotal.io | Pivotal Policy
Cloud Foundry Policy |
Pivotal Advisories
Spring Advisories Cloud Foundry Advisories |
CNA Vendors and Projects |
MITRE | USA |
| Puppet
All Puppet products, as well as all projects on https://github.com/puppetlabs |
security@puppet.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| QNAP Systems, Inc.
QNAP QTS, QES, and QVR products as well as its mobile apps and utilities |
security@qnap.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Taiwan |
| Qualcomm, Inc.
Qualcomm and Snapdragon issues only |
product-security@ qualcomm.com |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Rapid7, Inc.
All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope |
cve@rapid7.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Red Hat, Inc.
Vulnerabilities in open-source projects affecting Red Hat offerings, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat offerings |
secalert@redhat.com
Red Hat security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Replicated, Inc.
Replicated products and services only |
security@replicated.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Robert Bosch GmbH
Bosch products only |
psirt@bosch.com | Policy | Advisories | CNA Vendors and Projects |
CISA ICS | Germany |
| Salesforce, Inc.
Salesforce products only |
security@salesforce.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Samsung Mobile
Samsung Mobile Galaxy products, personal computers, and related services only |
mobile.security@samsung.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | South Korea |
| SAP SE
All SAP products |
cna@sap.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Germany |
| Secomea A/S
Supported Secomea products only |
vulnerabilityreporting@ secomea.com |
Policy | Advisories | CNA Vendors and Projects |
CISA ICS | Denmark |
| Schneider Electric
All Schneider Electric products, including Proface, APC, and Eurotherm |
cybersecurity@se.com
Schneider Electric security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | France |
| SICK AG
SICK AG issues only |
psirt@sick.de | Policy | Advisories | CNA Vendors and Projects |
MITRE | Germany |
| Siemens
Siemens issues only |
productcert@siemens.com
Siemens security contact page |
Policy | Advisories | CNA Vendors and Projects |
CISA ICS | Germany |
| Sierra Wireless Inc.
Sierra Wireless products only |
security@sierrawireless.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Canada |
| Silver Peak Systems, Inc.
Silver Peak product issues only |
sirt@silver-peak.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Simplinx Ltd.
Simplinx products only |
security@simplinx.com | Policy | Advisories | CNA Vendors and Projects |
CISA ICS | Turkey |
| Snyk
Vulnerabilities in third-party products discovered by Snyk only |
report@snyk.io | Policy | Advisories | CNA Vulnerability Researchers |
MITRE | UK |
| SonicWall, Inc.
SonicWall issues only |
PSIRT@sonicwall.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Sophos Limited
Sophos issues only |
security-alert@sophos.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | UK |
| Spanish National Cybersecurity Institute, S.A. (INCIBE)
Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level |
 |
Policy (Spanish)
Policy (English) |
Advisories (Spanish)
Advisories (English) |
CNA National and Industry CERTs |
MITRE | Spain |
| Splunk Inc.
Splunk products only |
prodsec@splunk.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| SUSE
SUSE and Rancher issues only |
security@suse.de | Policy | Advisories
Advisories (by CVE ID) |
CNA Vendors and Projects |
MITRE | USA |
| Swift Project
The Swift Project only |
cve@forums.swift.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Symantec - A Division of Broadcom
Symantec Enterprise products as well as vulnerabilities in third-party software discovered by Symantec that are not in another CNA’s scope |
symantec.psirt@broadcom.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Synaptics, Inc.
Synaptics issues only |
psirt@synaptics.com | Policy | Touchpad Family Advisories
Biomentrics Advisories Far-Field Voice DSPs Advisories |
CNA Vendors and Projects |
MITRE | USA |
| Synology Inc.
Synology issues only |
security@synology.com
Synology security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | Taiwan |
| Synopsys
All Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope |
disclosure@synopsys.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| Talos
Third-party products it researches |
talos-cna@cisco.com
Talos security page |
Policy | Advisories | CNA Vulnerability Researchers |
MITRE | USA |
| Tcpdump Group
Tcpdump and Libpcap only |
security@tcpdump.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | Canada |
| Tenable Network Security, Inc.
Tenable products and third-party products it researches not covered by another CNA |
vulnreport@tenable.com
Tenable security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Teradici Corporation
Teradici issues only |
security@teradici.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Canada |
| 360 Security Technology, Inc.
360 Total Security, 360 Safeguard, 360 Mobile Safe, and 360 Safe Router products, and vulnerabilities in third-party products discovered by 360 that are not covered by another CNA |
security@360.cn | Policy | Advisories | CNA Vendors and Projects Vulnerability Researcher |
MITRE | China |
| TianoCore.org
Software vulnerabilities related to the TianoCore Open Source |
infosec@edk2.groups.io | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| TIBCO Software Inc.
TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only |
security@tibco.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Tigera, Inc.
All vulnerabilities for Calico and all of Tigera’s products only |
psirt@tigera.io | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Trend Micro, Inc.
Trend Micro supported products and end-of-life products issues only |
security@trendmicro.com
Trend Micro security contact page |
Policy | Advisories | CNA Vendors and Projects |
MITRE | Japan |
| TWCERT/CC
Vulnerability assignment related to its vulnerability coordination role |
cve@cert.org.tw | Policy (Chinese)
Policy (English) |
Advisories (Chinese)
Advisories (English) |
CNA National and Industry CERTs |
MITRE | Taiwan |
| Vaadin Ltd.
All Vaadin products and supported open-source projects hosted at https://github.com/vaadin |
security@vaadin.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Finland |
| VDOO Connected Trust Ltd.
All VDOO products (supported products and end-of-life/end-of-service products); Vulnerabilities in third-party software discovered by VDOO that are not in another CNA’s scope; Vulnerabilities in third-party software discovered by external researchers and disclosed to VDOO (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope |
vuln@vdoo.com | Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | Israel |
| Vivo Mobile Communication Co., Ltd.
Vivo issues only |
security@vivo.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| VMware
VMware issues only |
security@vmware.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| WhiteSource
Vulnerabilities in WhiteSource products and vulnerabilities in third-party software discovered by WhiteSource that are not in another CNA’s scope |
vulnerabilitylab@ whitesourcesoftware.com |
Policy | Advisories | CNA Vendors and Projects Vulnerability Researchers |
MITRE | USA |
| WPScan
WordPress core, plugins, and themes |
contact@wpscan.com
WPScan Submit Vulnerability |
Policy | Word Press Advisories
Word Press Plug In Advisories Word Press Theme Advisories |
CNA Vendors and Projects |
MITRE | France |
| Xen Project
All sub-projects under Xen Project’s umbrella (see Xen Project Teams), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer |
security@xen.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | UK |
| Xiaomi Technology Co., Ltd.
Xiaomi issues only |
security@xiaomi.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
| Xylem
Xylem products and technologies only |
product.security@xyleminc.com | Policy | Advisories | CNA Vendors and Projects |
CISA ICS | USA |
| Yandex N.V.
Yandex issues only |
browser-security@yandex-team.ru | Policy | Advisories | CNA Vendors and Projects |
MITRE | Russia |
| Zabbix
Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only |
security@zabbix.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | Latvia |
| Zephyr Project
Zephyr project components, and vulnerabilities that are not in another CNA’s scope |
vulnerabilities@zephyrproject.org | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| Zero Day Initiative
Products and projects covered by its bug bounty programs that are not in another CNA’s scope |
zdi-disclosures@trendmicro.com
ZDI contact page |
Policy | Advisories | CNA Bug Bounty Programs |
MITRE | Japan |
| Zscaler, Inc.
Zscaler issues only |
cve@zscaler.com | Policy | Advisories | CNA Vendors and Projects |
MITRE | USA |
| ZTE Corporation
ZTE products only |
psirt@zte.com.cn | Policy | Advisories | CNA Vendors and Projects |
MITRE | China |
Key to CNA Roles, Types, and Countries
Roles
- CNA - organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
- CNA of Last Resort (CNA-LR) - organization authorized to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the scope of another CNA.
- Root - organization authorized within the CVE Program that is responsible, within a specific Scope, for the recruitment, training, and governance of one or more entities that are a CVE CNA, CNA-LR, an ADP, or another Root.
- Top-Level Root - a Root that does not report to another Root, and is thus responsible to the CVE Board.
Types
- Bug Bounty Programs - assigns CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.
- Hosted Services - assigns CVE IDs for vulnerabilities found in their own services.
- National and Industry CERTs - performs incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
- Vendors and Projects - assigns CVE IDs for vulnerabilities found in their own products and projects.
- Vulnerability Researchers (Independents) - assigns CVE IDs to products and projects upon which the individual performs vulnerability analysis. Note that independent vulnerability researchers are approved by the CVE Board.
- Vulnerability Researchers (Organizations) - assigns CVE IDs to products and projects upon which they perform vulnerability analysis.
Countries
- Countries - self-identified by the CNA.
MITRE CNA of Last Resort PGP Key
Please use our CVE Request web form to request CVE IDs directly from the MITRE CNA of Last Resort (CNA-LR). Upon completion of the form, you will receive a confirmation email message that includes a reference number. Any additional communications related to that request will be done through email using the same subject line as the confirmation email.
View our web form help.
A PGP key is available for encrypted communications:
Key ID: 903E4008 Fingerprint: F59F 1525 57C5 3CE4 BEAE B86E F357 D0E9 903E 4008 Key size: 4096 Public key: Click to download
NOTE: PGP key updated March 2020
For questions, or assistance about how to use the information on this page, please contact us.
