News & Events


Minutes from CVE Board Teleconference Meeting on December 11 Now Available
December 17, 2019

The CVE Board held a teleconference meeting on December 11, 2019. Read the meeting minutes.

Opera Added as CVE Numbering Authority (CNA)
December 13, 2019

Opera Software AS is now a CVE Numbering Authority (CNA) for Opera issues only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 110 organizations from 21 countries currently participate as CNAs: ABB; Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Opera; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

New CVE Board Charter Is Approved
December 6, 2019

We are pleased to announce that the CVE Board has approved the latest version of the “CVE Board Charter,” version 3.0, which includes important updates to the CNA Liaison board member description and requirements; addition of a new section focused on organizational voting; and other updates to voting policies and procedures.

This update was the result of many hours of hard work by the Board, and the resulting document better positions CVE for success as it continues to expand.

Visit Our CVE Booth at Black Hat Europe 2019 on December 4-5
December 2, 2019

The CVE Program will host a CVE Booth on December 4-5, 2019 at Black Hat Europe 2019 at the ExCeL London in London, United Kingdom. Members of the CVE Team will be in attendance, as will some CVE Board members and CVE Numbering Authorities (CNAs).

Please stop by Booth #615 and say hello! Visitors will learn how using CVE Entries for vulnerability coordination and management helps enhance cybersecurity, how easy it is to assign your own CVE IDs, and more.

CVE Booth #615 at Black Hat Europe 2019


Business Hall exhibition hours are from 10:00 AM – 6:30 PM on December 4, and 10:00 AM – 4:00 PM on December 5. The conference itself runs December 2-5. View the exhibition hall floor plan.

We look forward to seeing you there!

SICK Added as CVE Numbering Authority (CNA)
December 2, 2019

SICK AG is now a CVE Numbering Authority (CNA) for SICK AG issues only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 109 organizations from 20 countries currently participate as CNAs: ABB; Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

OTRS Added as CVE Numbering Authority (CNA)
November 21, 2019

OTRS AG is now a CVE Numbering Authority (CNA) for OTRS and ((OTRS)) Community Edition and modules only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 108 organizations from 20 countries currently participate as CNAs: ABB; Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; OTRS; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Minutes from CVE Board Teleconference Meeting on November 13 Now Available
November 19, 2019

The CVE Board held a teleconference meeting on November 13, 2019. Read the meeting minutes.

Eaton Added as CVE Numbering Authority (CNA)
November 15, 2019

Eaton is now a CVE Numbering Authority (CNA) for Eaton issues only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 107 organizations from 20 countries currently participate as CNAs: ABB; Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

ABB Added as CVE Numbering Authority (CNA)
November 13, 2019

Asea Brown Boveri Ltd. (ABB) is now a CVE Numbering Authority (CNA) for ABB issues only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 106 organizations from 19 countries currently participate as CNAs: ABB; Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Splunk Added as CVE Numbering Authority (CNA)
November 12, 2019

Splunk Inc. is now a CVE Numbering Authority (CNA) for Splunk products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 105 organizations from 18 countries currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Minutes from CVE Board Teleconference Meeting on October 30 Now Available
November 6, 2019

The CVE Board held a teleconference meeting on October 30, 2019. Read the meeting minutes.

NOTICE: CVE Request Web Form – Possible Intermittent Outages from 6:00am-1:00pm EDT on October 26
October 22, 2019

Due to scheduled maintenance, the CVE Request Web Form for contacting the Program Root CNA may be temporarily unavailable at times from 6:00 a.m. until 1:00 p.m. Eastern time on Saturday, October 26, 2019.

The 103 other CVE Numbering Authority (CNA) organizations can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on October 16 Now Available
October 22, 2019

The CVE Board held a teleconference meeting on October 16, 2019. Read the meeting minutes.

20 Years of CVE Entries – 1999-2019
CVE Celebrates 20 Years!
October 16, 2019

The CVE Program was created 20 years ago this month, and since then, the CVE List has become a global, community-driven and continuously growing open data registry with more than 124,000 vulnerabilities listed. The list continues to grow, with new CVE Entries added daily.

20 Years of Community Participation

CVE has always been an international community effort, with representatives from across the security community participating on the initial CVE Editorial Board, which guided the program and voted on which CVE Entries would be included on the CVE List.

Today, community participation remains integral to the success of CVE. The CVE Program relies heavily on the community—researchers, vendors, end users, etc.—to discover and register new vulnerabilities. The CVE Board, which has expanded to include other types of organizations, such as academic and government agencies, as well as end-users of vulnerability information, continues to provide operational and strategic guidance to the CVE Program. CVE Working Groups, which are open to the community for participation, develop the program’s policies for consideration and approval by the CVE Board. Most importantly, organizations from around the world now actively participate as “CVE Numbering Authorities (CNAs)” to assign and populate CVE Entries for vulnerabilities within their own specific scopes of coverage.

CNA Participation Continues to Expand Worldwide

CNAs World Map - October 2019

CNAs are integral to the ongoing success of the CVE Program; today, 104 organizations from 18 countries actively participate as CNAs. The CVE Program continues to actively recruit organizations from around the world to participate as CNAs.

CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups that assign CVE Entries to vulnerabilities within their own specific scopes of coverage. By assigning and populating their own CVE Entries, CNAs responsibly control the vulnerability disclosure process for those vulnerabilities, improve security for their own customers, and enhance vulnerability management practices for the entire community.

CNAs join the program from a variety of business sectors; there are minimal requirements, it is easy to join, and there is no fee or contract to sign. CNAs volunteer their own time for their own benefit.

Widespread Use of CVE by the Community

The cybersecurity community endorsed the importance of incorporating CVE into products and services from the moment the CVE Program was launched in 1999. Today, that adoption has increased significantly with numerous products and services from around the world incorporating CVE Entries.

Another compelling factor for adoption is the ongoing inclusion of CVE IDs in security advisories. Numerous major open source (OS) vendors and other organizations from around the world include CVE IDs in their alerts to ensure that the international community benefits by having the CVE IDs as soon as a problem is announced. In addition, CVE IDs are also frequently cited in trade publications and general news media reports regarding software bugs, including “named” vulnerabilities such as CVE-2014-0160 for “Heartbleed;” CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 for “Shellshock;” and CVE-2019-0708 for “BlueKeep,” among others.

CVE has also been used as the basis for entirely new services. The National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) is synchronized with, and based upon, the CVE List. NVD also includes Security Content Automation Protocol (SCAP) mappings for CVE Entries. In addition, the U.S. Federal Desktop Core Configuration (FDCC) requires verification of compliance with FDCC requirements using SCAP-validated scanning tools. CVE Change Logs is a tool created by CERIAS/Purdue University that monitors additions and changes to the CVE List and allows users to obtain daily or monthly reports. Common Weakness Enumeration (CWE™) is a formal dictionary of common software weaknesses that is based, in part, on the 124,000+ CVE Entries on the CVE List, and the recently released “2019 CWE Top 25 Most Dangerous Software Errors” leveraged CVE Entries to help determine the Top 25.

Finally, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new “Global Cybersecurity Information Exchange techniques (X.CYBEX)” by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE).

Our Anniversary Celebration

Please join us on December 4-5, 2019 at Black Hat Europe 2019 as we continue to celebrate our 20-year anniversary with a CVE booth, #615.

Additional events will be announced soon, but in the meantime, follow us on the CVE website, CVE-Announce, GitHub, LinkedIn, and Twitter, as we continue our celebration throughout our anniversary year.

Finally, thank you very much for your continuing use of CVE and your ongoing interest and participation over these last 20 years. It is greatly appreciated. We look forward to the next 20 years!

Minutes from CVE Board Teleconference Meeting on October 2 Now Available
October 8, 2019

The CVE Board held a teleconference meeting on October 2, 2019. Read the meeting minutes.

Tigera Added as CVE Numbering Authority (CNA)
October 3, 2019

Tigera, Inc. is now a CVE Numbering Authority (CNA) for all vulnerabilities for Calico and all of Tigera’s products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 104 organizations from 18 countries currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Tigera; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

HCL Added as CVE Numbering Authority (CNA)
September 24, 2019

HCL Software is now a CVE Numbering Authority (CNA) for all HCL products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 103 organizations from 18 countries currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

GitHub Added as CVE Numbering Authority (CNA)
September 18, 2019

GitHub, Inc. is now a CVE Numbering Authority (CNA) for all libraries and products hosted on github.com in a public repository, unless they are otherwise covered by another CNA.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 102 organizations from 17 countries currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Minutes from CVE Board Teleconference Meeting on September 4 Now Available
September 11, 2019

The CVE Board held a teleconference meeting on September 4, 2019. Read the meeting minutes.

Bitdefender Added as CVE Numbering Authority (CNA)
September 3, 2019

Bitdefender is now a CVE Numbering Authority (CNA) for all Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 101 organizations from 17 countries currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Salesforce Added as CVE Numbering Authority (CNA)
August 29, 2019

Salesforce, Inc. is now a CVE Numbering Authority (CNA) for Salesforce products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 101 organizations from 16 countries currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Minutes from CVE Board Teleconference Meeting on August 21 Now Available
August 29, 2019

The CVE Board held a teleconference meeting on August 21, 2019. Read the meeting minutes.

100 Organizations Now Participating as CVE Numbering Authorities (CNAs)
August 14, 2019

The CVE Numbering Authority (CNA) Program now includes 100 organizations from around the world that are authorized to assign CVE IDs to software and firmware vulnerabilities.

CNAs are organizations authorized to assign CVE IDs to vulnerabilities that affect products or projects within their own distinct, agreed-upon scopes, so that the CVE IDs can be included in first-time public announcements of the new vulnerabilities. CNAs may be software vendors, open source projects, vulnerability researchers, national and industry CERTs, or bug bounty programs.

CNAs are how the CVE List is built. Every CVE Entry added to the list is assigned by a CNA.

CNA Program Continues to Grow

Since 2016, 78 CNAs have joined CVE’s CNA Program. The current 100 organizations participating as CNAs as of August 14, 2019 are:

  1. Adobe
  2. Airbus
  3. Alibaba
  4. Android
  5. Apache
  6. Apple
  7. Appthority
  8. Atlassian
  9. Autodesk
  10. Avaya
  11. BlackBerry
  12. Bosch
  13. Brocade
  14. CA
  15. Canonical
  16. CERT/CC
  17. Check Point
  18. Cisco
  19. Cloudflare
  20. CyberSecurity Philippines - CERT
  21. Dahua
  22. Debian GNU/Linux
  23. Dell
  24. Document Foundation
  25. Drupal.org
  26. Duo
  27. Eclipse Foundation
  28. Elastic
  29. F5
  30. Facebook
  31. Fedora Project
  32. Flexera Software
  33. floragunn
  34. Forcepoint
  35. Fortinet
  36. FreeBSD
  37. Google
  38. HackerOne
  39. Hewlett Packard Enterprise
  40. Hikvision
  41. Hillstone
  42. HP
  43. Huawei
  44. IBM
  45. ICS-CERT
  46. Intel
  47. ISC
  48. Jenkins Project
  49. Johnson Controls
  50. JPCERT/CC
  51. Juniper
  52. Kaspersky
  53. KrCERT/CC
  54. Kubernetes
  55. Larry Cashdollar
  56. Lenovo
  57. MarkLogic
  58. McAfee
  59. Micro Focus
  60. Microsoft
  61. The MITRE Corporation (CVE Program Root CNA)
  62. MongoDB
  63. Mozilla
  64. Naver
  65. NetApp
  66. Netflix
  67. Node.js
  68. Nvidia
  69. Objective Development
  70. Odoo
  71. OpenSSL
  72. OPPO
  73. Oracle
  74. Palo Alto Networks
  75. PHP Group
  76. Pivotal Software
  77. Puppet
  78. Qihoo 360
  79. QNAP
  80. Qualcomm
  81. Rapid 7
  82. Red Hat
  83. SAP
  84. Schneider Electric
  85. Siemens
  86. Sonicwall
  87. SUSE
  88. Symantec
  89. Snyk
  90. Synology
  91. Talos
  92. Tenable
  93. TIBCO
  94. Trend Micro
  95. TWCERT/CC
  96. VMware
  97. Yandex
  98. Zephyr Project
  99. Zero Day Initiative
  100. ZTE

Of these, 82 are Vendors and Projects that assign CVE IDs for vulnerabilities found in their own products and projects; 8 are Vulnerability Researchers that assign CVE IDs to products and projects upon which they perform vulnerability analysis; 5 are National and Industry CERTs that perform incident response and vulnerability disclosure services for nations or industries; 2 are Bug Bounty Programs that assign CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings; 1 is a Root CNA that manages a group of sub-CNAs within a given domain or community; and 1 is the CVE Program Root CNA that coordinates the CNA Program.

Participation is also global, with CNAs from the following 16 countries participating: Australia: 1, Austria: 1, Belgium: 1, Canada: 2, China: 9, France: 1, Germany: 6, Israel: 1, Japan: 3, Netherlands: 2, Philippines: 1, Russia: 2, South Korea: 2, Taiwan: 3, UK: 2, and USA: 64.


Figure: CNAs World Map as of August 2019

Resources for CNAs Continuing to Expand

As the number of participating CNAs has grown, so have the guidance materials and other resources. In addition to the main CNA Rules Version 2.0 document, our CNA Processes Documentation & Slides collection hosted on the CVE Documentation website on GitHub includes information for both current and prospective CNAs.

Examples of these resources include CVE Overview for Prospective CNAs, CNA Onboarding Processes, CNA Resources, CVE Content Decisions, Creating a CVE Entry for Submission, Submitting CVE Entries to Program Root CNA, and more.

These materials provide guidance and assistance to CNAs so that they can correctly fulfill their responsibilities for properly writing and completing the information required for each CVE Entry they submit to the CVE List.

Should Your Organization Become a CNA?

Numerous organizations from around the world are already participating as CNAs, while more and more organizations are deciding to become a CNA and join the CNA community to help build the CVE List.

Participation is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID.

If your organization would like to become a CNA, please visit How to Become a CNA.

OPPO Added as CVE Numbering Authority (CNA)
August 14, 2019

OPPO Mobile Telecommunication Corp., Ltd. is now a CVE Numbering Authority (CNA) for OPPO devices only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 100 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

NOTICE: CVE Main Website – Possible Intermittent Outages from 8:00am-1:00pm EDT on August 17
August 14, 2019

Due to scheduled maintenance, the CVE List and all other pages on this main CVE Website may be temporarily unavailable at times from 8:00 a.m. until 1:00 p.m. Eastern time on Saturday, August 17, 2019.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on July 24 Now Available
July 30, 2019

The CVE Board held a teleconference meeting on July 24, 2019. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on July 10 Now Available
July 29, 2019

The CVE Board held a teleconference meeting on July 10, 2019. Read the meeting minutes.

New CVE Board Member from Trend Micro/Zero Day Initiative
July 2, 2019

Shannon Sabens of Trend Micro Incorporated/Zero Day Initiative (ZDI) has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

Minutes from CVE Board Teleconference Meeting on June 26 Now Available
July 2, 2019

The CVE Board held a teleconference meeting on June 26, 2019. Read the meeting minutes.

floragunn GmbH Added as CVE Numbering Authority (CNA)
June 26, 2019

floragunn GmbH is now a CVE Numbering Authority (CNA) for all issues related to Search Guard only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 99 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

NOTICE: CVE Request Web Form – System Maintenance from 8:00pm EDT June 28 through 8:00pm EDT June 30
June 20, 2019

Due to scheduled maintenance, the CVE Request Web Form for contacting the Program Root CNA will be unavailable from 8:00 p.m. Eastern time on Friday, June 28, 2019 until 8:00 p.m. Eastern time on Sunday, June 30, 2019.

The 97 other CVE Numbering Authority (CNA) organizations may still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on June 12 Now Available
June 19, 2019

The CVE Board held a teleconference meeting on June 12, 2019. Read the meeting minutes.

New CVE Board Member from Cisco
June 18, 2019

Patrick Emsweller of Cisco Systems, Inc. has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

CVE at FIRST 2019
June 12, 2019

Members of the CVE Team will be at FIRST Conference 2019 at the Edinburgh International Conference Centre in Edinburgh, Scotland on June 16-21, 2019. Please look for us and say hello!

In addition, CVE will be a discussion topic in two talks by Chandan Nandakumaraiah of Juniper Networks, Inc.:

Chandan is a member of the CVE Automation Working Group, and Juniper is a CVE Numbering Authority (CNA).

UPDATED NOTICE: Issue with CVE Request Web Form Automatic Responses Is Resolved
June 11, 2019 (updated June 12, 2019)

We have recently detected that automatic responses from the CVE Request Web Form are not being sent when a request is submitted via the form. As a result, although your CVE requests are being received, automatic confirmation emails are not being sent.

We are actively addressing this issue, and will update this notice once we have resolved the problem. We apologize for any inconvenience.

UPDATE: This issue is resolved as of June 12, 2019.

Minutes from CVE Board Teleconference Meeting on May 29 Now Available
June 5, 2019

The CVE Board held a teleconference meeting on May 29, 2019. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on May 15 Now Available
May 21, 2019

The CVE Board held a teleconference meeting on May 15, 2019. Read the meeting minutes.

NOTICE: CVE Main Website – Possible Intermittent Outages from 8:00am-1:00pm EDT on May 18
May 17, 2019

Due to scheduled maintenance, the CVE List and all other pages on this main CVE Website may be temporarily unavailable at times from 8:00 a.m. until 1:00 p.m. Eastern time on Saturday, May 18, 2019.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Bosch Added as CVE Numbering Authority (CNA)
May 9, 2019

Robert Bosch GmbH is now a CVE Numbering Authority (CNA) for Bosch products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 98 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Minutes from CVE Board Teleconference Meeting on May 1 Now Available
May 7, 2019

The CVE Board held a teleconference meeting on May 1, 2019. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on April 17 Now Available
April 23, 2019

The CVE Board held a teleconference meeting on April 17, 2019. Read the meeting minutes.

Fedora Project, Jenkins Project, Kubernetes, PHP Group, Pivotal Software, and Snyk Added as CVE Numbering Authorities (CNAs)
April 18, 2019

Six additional organizations are now CVE Numbering Authorities (CNAs): Fedora Project for Fedora Project issues only; Jenkins Project for Jenkins and Jenkins plugins distributed by the Jenkins project (listed on plugins.jenkins.io) only; Kubernetes for Kubernetes issues only; PHP Group for vulnerabilities in PHP code (code in https://github.com/php/php-src) only; Pivotal Software, Inc. for Pivotal, Spring, and Cloud Foundry issues only; and Snyk for vulnerabilities in third-party products discovered by Snyk only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 97 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

CVE Board Adds a “CNA Coordination Working Group Liaison” Board Member
April 17, 2019

Tod Beardsley of Rapid7 has been added as the “CNA Coordination Working Group Liaison” CVE Board member, and will represent the CVE Numbering Authorities (CNAs) in CVE Board meetings.

Minutes from CVE Board Teleconference Meetings on March 20 and April 3 Now Available
April 17, 2019

The CVE Board held teleconference meetings on March 20, 2019 and April 3, 2019. Read the March 20 and April 3 meeting minutes.

How CVE Content Is Provided Has Changed
March 20, 2019

The CVE Program has upgraded the infrastructure used to process and post CVE Entries to the CVE List, resulting in some changes to how CVE content is provided on the individual CVE Entry pages and in the various CVE List download files on the CVE website. These changes may affect products, services, and processes that incorporate vulnerability content from the CVE download files.

See “Changes to How CVE Content Is Provided Begins on March 17” for a list of the specific changes resulting from the infrastructure upgrades.

Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

CVEProject GitHub Submissions Service for CNAs Is Now Restored
March 20, 2019

The CVE Program's infrastructure upgrades are now complete (see “NOTICE: CVEProject GitHub Submissions Service Will Be Temporarily Unavailable March 17-18” for details). As a result, the CVEProject GitHub.com website service for CVE Numbering Authorities (CNAs) is now restored. There were no changes to the GitHub submission service itself.

Please contact the CNA Coordinator directly with any comments or concerns, or use our CVE Request Web Form to contact us by selecting “Other” from the dropdown.

The Document Foundation Added as CVE Numbering Authority (CNA)
March 18, 2019

The Document Foundation is now a CVE Numbering Authority (CNA) for projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online. The Document Foundation discourages reporting denial of service bugs as security issues.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 92 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Changes to How CVE Content Is Provided Begins on March 17
March 7, 2019

The CVE Program is upgrading the infrastructure used to process and post CVE Entries to the CVE List. This upgrade process will begin at 12:00 a.m. EST on March 17, 2019, and last for one or two days. As a result of the upgrades, some of the ways in which CVE content is provided on the individual CVE Entry pages and in the various CVE List download files on the CVE website will change. These changes may affect products, services, and processes that incorporate vulnerability content from the CVE download files. We will make a follow-up announcement once the rollout is complete.

Specific changes include:

Also, please note that during the rollout process searching and downloading of the CVE List may be temporarily unavailable or incomplete at times as the changes are rolled out. Other pages on the website such as supporting information, documents, news, blog, etc., will remain available.

Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

NOTICE: CVEProject GitHub Submissions Service Will Be Temporarily Unavailable March 17-18
March 7, 2019

The CVE Program is upgrading the infrastructure used to process and post CVE Entries to the CVE List. This upgrade process will begin on March 17, 2019, and last one or two days. Because of the upgrade, we are requesting that CVE Numbering Authorities (CNAs) with access to the CVEProject GitHub.com website service NOT USE the service—and especially NOT MAKE ANY PULL REQUESTS—beginning at 12:00 a.m. EST on March 17, 2019. This outage will last one or two days. We will make a follow-up announcement here, and on the CNA email list, once service resumes.

We apologize for any inconvenience. Please contact the CNA Coordinator directly with any comments or concerns, or use our CVE Request Web Form to contact us by selecting “Other” from the dropdown.

CVE Program Root CNA to Assume DWF’s Open Source Product Coverage Responsibilities Beginning March 7
March 7, 2019

The Distributed Weakness Filing (DWF) project, which assigns vulnerability identifiers for Open Source products, was incorporated into CVE in 2016 as a pilot, becoming a Root CVE Numbering Authority (CNA) consistent with the CVE Program’s federated governance and operational strategy. As a result of the important work of Kurt Seifried of the Cloud Security Alliance (CSA) and other community volunteers, the CVE Program significantly increased Open Source product coverage and added several new CNAs. The program also gained important experience in onboarding and operating Root CNAs as part of the effort to federate the CVE Program.

The DWF pilot will end on March 7, 2019. The sub-CNAs that previously reported to DWF will coordinate with MITRE, the CVE Program Root CNA. Many thanks to Kurt Seifried for his dedication to security and for his enthusiasm and energy in establishing DWF and expanding CVE’s reach.

If you made a CVE ID request through a DWF web form (such as https://iwantacve.org) in the past but the CVE Entry was never populated, then DWF automatically made your request data public, and MITRE has a copy of that public data. Because of this, please do not send duplicate requests to MITRE. You should make a new CVE ID request to MITRE only if there was an embargo on the vulnerability information and your contact with DWF was only through email (i.e., you never used a DWF web form).

Follow these steps to request CVE IDs:

  1. Locate the correct CVE Numbering Authority (CNA) whose scope includes the product affected by the vulnerability in the Participating CNAs table on the Request a CVE ID page on the CVE website.
  2. Contact the appropriate CNA using the contact method provided.
  3. If the product affected by the vulnerability is not covered by an existing CNA, please contact the CVE Program Root CNA (MITRE) by completing our CVE Request Web Form.

Please use our CVE Request Web Form by selecting “Other” from the dropdown to contact us with any comments or concerns.

CVE at RSA 2019
March 3, 2019

Members of the CVE Team will be at RSA Conference 2019 at the Moscone Center in San Francisco, California, USA on March 4-8, 2019. Please stop by the MITRE booth #3124 in the South Expo and say hello. We look forward to seeing you!

NOTICE: CVE Request Web Form – Possible Outage from 8:00pm-10:00pm EST on February 21
February 20, 2019

Due to scheduled maintenance, the CVE Request Web Form for contacting the Program Root CNA may be temporarily unavailable from 8:00 p.m. until 10:00 p.m. Eastern time on Thursday, February 21, 2019.

The 92 other CVE Numbering Authority (CNA) organizations can still be contacted during this time to request CVE IDs.

We apologize for any inconvenience. Please contact us with any comments or concerns.

Minutes from CVE Board Teleconference Meeting on February 6 Now Available
February 14, 2019

The CVE Board held a teleconference meeting on February 6, 2019. Read the meeting minutes.

Minutes from CVE Board Teleconference Meeting on January 23 Now Available
February 11, 2019

The CVE Board held a teleconference meeting on January 23, 2019. Read the meeting minutes.

Updated NOTICE: Intermittent Issues with CVE List Downloads is Resolved
February 8, 2019 (updated February 28, 2019)

Recently, we have detected that downloads of the CVE List available on the Download CVE page occasionally do not finish because of an infrastructure problem, e.g., a download attempt may make no further progress after the first 80 MB.

To work around this, please ensure that the URL has “https:” rather than “http:” at the beginning. We will update this notice when we have resolved the problem. We apologize for any inconvenience. Please contact us with any comments or concerns.

UPDATE: This issue is resolved as of February 28, 2019.

Johnson Controls Added as CVE Numbering Authority (CNA)
February 7, 2019

Johnson Controls is now a CVE Numbering Authority (CNA) for Johnson Controls products only.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 92 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; BlackBerry; Booz Allen Hamilton; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Drupal.org; Duo; Eclipse Foundation; Elastic; F5; Facebook; Flexera Software; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Netgear; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; Oracle; Palo Alto Networks; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

CVE Is Main Source of Vulnerability Data Used in Article about Application Security Vulnerabilities
January 23, 2019

CVE is the main source of vulnerability data used in a January 15, 2019 article entitled “Top 10 Application Security Vulnerabilities of 2018” on the WhiteHat Security blog. The article, which uses CVE Entries to identify the vulnerabilities discussed, describes the “most common web exploits used by malicious attackers during the past 12 months—as well as valuable prevention tips for enterprises to implement in the new year.”

The CVE Entries cited in the article are: CVE-2018-9206, CVE-2018-6389, CVE-2018-7600, CVE-2018-7602, CVE-2018-1273, CVE-2018-1999024, CVE-2018-4878, and CVE-2018-1260. Visit these CVE Entry pages to learn more about these issues.

Minutes from CVE Board Teleconference Meeting on January 9 Now Available
January 23, 2019

The CVE Board held a teleconference meeting on January 9, 2019. Read the meeting minutes.

CVE Is Main Topic of Article on WhiteSource Blog
January 23, 2019

CVE is the main topic of a January 7, 2019 article entitled “What Is a CVE Vulnerability And How To Understand Its Details” on the WhiteSource blog.

In the article, the author explains what CVE is and how the program works; defines CVE Entries and discusses the role of CVE Numbering Authorities (CNAs) in assigning them; discusses what the CVE Program currently considers to be a vulnerability [for a detailed explanation, refer to Appendix C of the CNA Rules v2.0, a community consensus document authored by CNAs and the CVE Board]; discusses CVSS and severity scoring of CVE Entries by NVD; and explains the difference between the U.S. National Vulnerability Database (NVD) and CVE List.

The author concludes the article by stating that while “Security flaws are a wide and varied mix, reported in various databases, advisory boards and bug trackers and consisting of a diverse set of features and qualities … [CVE is] the foremost list for the documentation of security vulnerabilities in publicly released software.”

CVE Mentioned in Article about NVD
January 23, 2019

CVE is mentioned throughout a December 18, 2018 article entitled “The National Vulnerability Database Explained” on the WhiteSource blog. The main topic of the article is the National Institute of Standards and Technology’s U.S. National Vulnerability Database (NVD).

CVE is first mentioned when the author discusses the types of information in NVD, when the author notes that the base information of “a description of the CVE [Entry] and the source of the information” is provided by the CVE List, which NVD then builds upon by providing CVSS scores and other enhanced content. CVE is mentioned again in a section entitled “How The National Vulnerability Database Differs From The CVE,” in which the author explains how CVE and NVD are separate programs, and that the CVE List was established five years before NVD; that the CVE List provides the basic information for CVE Entries—identification number, description, and at least one public reference—that NVD then builds upon; and that the two efforts “work hand-in-hand, making the information more accessible for the readers. To put it simply, the CVE is the organization that receives submissions and IDs them, while the NVD adds the analysis and makes it easier to search and manage them.”

CVE is mentioned a third time in a section entitled “The Vulnerability Publishing Roadmap,” when the author briefly describes the process of how a vulnerability becomes a CVE Entry on the CVE List and is then posted to NVD. The author states: “NVD relies solely on the CVE for its feed of submitted vulnerabilities and does not perform any of its own searches for vulnerabilities in the wild … This means that the NVD has turned into a pretty exhaustive and dependable database that will continue to grow over time.”

Minutes from CVE Board Teleconference Meeting on December 12 Now Available
January 9, 2019

The CVE Board held a teleconference meeting on December 12, 2018. Read the meeting minutes.

CVE Is Main Source of Vulnerability Data Used in Tenable’s 2018 Vulnerability Intelligence Report
January 3, 2019

CVE is the main source of vulnerability data used in Tenable, Inc.'s 2018 Vulnerability Intelligence Report, which discusses “general overall trends in vulnerabilities and operationalized intelligence based on what enterprises actually have to deal with in their own environments.”

The authors of the report found that the “discovery and disclosure of vulnerabilities continue to grow in volume and pace. In 2017 alone, an average of 41 new vulnerabilities were published every single day, for a total of 15,038 for the year. Additionally, the growth in newly disclosed vulnerabilities from the first half of 2018 showed a 27 percent increase over the first half of 2017.”

In the report, the authors “provide an overview of current vulnerability disclosure trends and insights into real-world vulnerability demographics in enterprise environments [and] analyze vulnerability prevalence in the wild, based on the number of affected enterprises, to highlight vulnerabilities that security practitioners are dealing with in practice – not just in theory.” From their study, the authors conclude that “managing vulnerabilities is a challenge of scale, velocity and volume. It is not just an engineering challenge, but requires a risk-centric view to prioritize thousands of vulnerabilities that superficially all seem the same.”

Read the complete report at: https://www.tenable.com/cyber-exposure/vulnerability-intelligence/. The report is free to download, but sign-up may be required.

Page Last Updated or Reviewed: December 17, 2019