Go to for: CVSS Scores CPE Info      CVE List▾ CVE List Home Search Tips Terms of Use CVE Request Web Form Web Form Help PGP Key CVE List Documents & Guidance New to the CVE List?  Start Here        CNAs▾ CVE Numbering Authorities (CNAs) Participating CNAs Growth of CNA Program Worldwide CNA Documents, Policies & Guidance CNA Rules, Version 3.0 CVE ID Assignment Rules EOL CNA Resources New CNA Onboarding Slides & Videos Why Become a CNA? Business Benefits Join Today!         WGs▾ CVE Working Groups Automation (AWG) Strategic Planning (SPWG) CNA Coordination (CNACWG) CVE Quality (QWG) Outreach and Communications (OCWG) Transition (TWG)         Board▾ CVE Board Members Email Archives Meeting Archives Board Charter         About▾ About CVE Professional Code of Conduct CVE & NVD Relationship History Sponsor Documentation & Guidance FAQs Terminology New to the CVE Program?  Start Here       News & Blog▾ Latest CVE News Blog Podcast Calendar Archive Follow CVE Free CVE Newsletter CVEnew Twitter Feed CVEannounce Twitter Feed CVE on Medium CVE on LinkedIn CVEProject on GitHub CVE on YouTube
Search CVE List         Downloads         Data Feeds         Update a CVE Record         Request CVE IDs
TOTAL CVE Records: 162458 NOTICE: Transition to the all-new CVE website at www.cve.org is underway and will last up to one year. (details)



For the latest CVE Program news, go to the new “News” page on the CVE.ORG website.

About the Transition

The CVE Program has begun transitioning to the all-new CVE website at its new CVE.ORG web address. The phased quarterly transition process began on September 29, 2021 and will last for up to one year. Items moved to the new website will no longer be maintained on this website. Learn more about the transition here.

News & Events

Please use our LinkedIn page to comment on the articles below, or use our CVE Request Web Form by selecting “Other” from the dropdown.
Right-click and copy a URL to share an article.

The CVE Board held a teleconference meeting on September 29, 2021. Read the meeting minutes.

MediaTek, Inc. is now a CVE Numbering Authority (CNA) for MediaTek product issues only. In addition, MediaTek’s Root is the MITRE Top-Level Root.

To date, 190 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Switzerland National Cyber Security Centre (NCSC) is now a CVE Numbering Authority (CNA) for the Switzerland Government Common Vulnerability Program. In addition, Switzerland NCSC’s Root is the MITRE Top-Level Root.

To date, 189 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

JFrog is now a CVE Numbering Authority (CNA) for all JFrog products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by JFrog that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to JFrog (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope. In addition, JFrog’s Root is the MITRE Top-Level Root.

To date, 188 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

M-Files Corporation is now a CVE Numbering Authority (CNA) for all M-Files products only. In addition, M-Files’ Root is the MITRE Top-Level Root.

To date, 187 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Palantir Technologies is now a CVE Numbering Authority (CNA) for Palantir products and technologies only. In addition, Palantir’s Root is the MITRE Top-Level Root.

To date, 186 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Ping Identity Corporation is now a CVE Numbering Authority (CNA) for all Ping Identity products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Ping Identity that are not in another CNA’s scope. In addition, Ping Identity’s Root is the MITRE Top-Level Root.

To date, 185 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on September 15, 2021. Read the meeting minutes.

LG Electronics is now a CVE Numbering Authority (CNA) for LG Electronics products only. In addition, LG Electronics’ Root is the MITRE Top-Level Root.

To date, 184 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Snow Software is now a CVE Numbering Authority (CNA) for all Snow Software products. In addition, Snow Software’s Root is the MITRE Top-Level Root.

To date, 183 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on September 1, 2021. Read the meeting minutes.

Censys is now a CVE Numbering Authority (CNA) for all Censys products, and vulnerabilities discovered by Censys that are not in another CNA’s scope. In addition, Censys’s Root is the MITRE Top-Level Root.

To date, 182 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

As part of the CVE Program’s effort to improve the information and services the program provides, the CVE website is transitioning to a new web address: CVE.ORG. The phased quarterly transition process will begin no earlier than late September and will last for one year. During the transition, the new CVE.ORG website will operate concurrently with the CVE.MITRE.ORG website and new releases of the new website will occur at least every quarter. Upon completion of the phased transition, the CVE.MITRE.ORG website will be archived and retired at some point.

The new CVE.ORG website will host a new and modern version of the CVE.MITRE.ORG website. More information about the new website, and how the new and old websites will work together during the transition, will be available soon.

Please contact us with any comments or concerns.

Computer Emergency Response Team of the Republic of Turkey (TR-CERT) is now a CVE Numbering Authority (CNA) for vulnerability assignment related to its vulnerability coordination role. In addition, TR-CERT’s Root is the MITRE Top-Level Root.

To date, 182 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on August 18, 2021. Read the meeting minutes.

In his article on the CVE Blog, CVE community member Rob Cowsley of Gallagher discusses how and why his organization partnered with the CVE Program as a CVE Numbering Authority (CNA) in “Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems.”

The CVE Board held a teleconference meeting on August 4, 2021. Read the meeting minutes.

The CVE Board held a teleconference meeting on July 21, 2021. Read the meeting minutes.

NetMotion Software is now a CVE Numbering Authority (CNA) for NetMotion issues only. In addition, NetMotion’s Root is the MITRE Top-Level Root.

To date, 181 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

FPT Software Co., Ltd. is now a CVE Numbering Authority (CNA) for all products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software. In addition, FPT Software’s Root is the MITRE Top-Level Root.

To date, 180 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Devolutions Inc. is now a CVE Numbering Authority (CNA) for Remote Desktop Manager and Devolutions Server products. In addition, Devolutions’ Root is the MITRE Top-Level Root.

To date, 179 organizations from 30 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on July 7, 2021. Read the meeting minutes.

Israel National Cyber Directorate (INCD) is now a CVE Numbering Authority (CNA) for vulnerability assignment related to its vulnerability coordination role. In addition, INCD’s Root is the MITRE Top-Level Root. Read INCD’s news release.

To date, 178 organizations from 30 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

In his article on the CVE Blog, CVE community member Tomo Ito of JPCERT/CC, a member of two CVE Working Groups (CNACWG and OCWG), discusses how his organization became the CVE Program’s first-ever Root more than 10 years ago in “Our CVE Story: JPCERT/CC.”

The CVE Board held a teleconference meeting on June 23, 2021. Read the meeting minutes.

ESET, spol. s r.o. is now a CVE Numbering Authority (CNA) for all ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope. In addition, ESET’s Root is the MITRE Top-Level Root.

To date, 177 organizations from 30 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Hitachi ABB Power Grids is now a CVE Numbering Authority (CNA) for Hitachi ABB Power Grids products. In addition, Hitachi ABB Power Grids’ Root is the CISA ICS Top-Level Root.

To date, 176 organizations from 29 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

SolarWinds is now a CVE Numbering Authority (CNA) for Solarwinds products only. In addition, SolarWinds’ Root is the MITRE Top-Level Root.

To date, 175 organizations from 29 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Fidelis Cybersecurity, Inc. is now a CVE Numbering Authority (CNA) for Fidelis issues only. In addition, Fidelis’ Root is the MITRE Top-Level Root.

To date, 174 organizations from 29 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Spanish National Cybersecurity Institute, S.A. (INCIBE) is now a Root for Spain organizations. Read INCIBE’s news release.

A “Root” is an organization authorized within the CVE Program that is responsible, within a specific scope, for the recruitment, training, and governance of one or more entities that are a CVE Numbering Authority (CNA), CNA of Last Resort (CNA-LR), or another Root. CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. CNA-LRs or organizations authorized within the CVE Program to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the scope of another CNA.

Read the CVE Program news release or see our “CVE Program Expands Partnership with Spanish National Cybersecurity Institute (INCIBE)” blog post for additional information.

To date, 173 organizations from 29 countries participate in the CVE Program as CNAs, and of these 2 are Top-Level Roots and 2 are Roots. To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on June 9, 2021. Read the meeting minutes.

Patchstack is now a CVE Numbering Authority (CNA) for vulnerabilities in third-party PHP products discovered by Patchstack and Patchstack Red Team. In addition, Patchstack’s Root is the MITRE Top-Level Root.

To date, 173 organizations from 29 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Toshiba Corporation is now a CVE Numbering Authority (CNA) for vulnerabilities related to products and services of Toshiba Corporation. In addition, Toshiba’s Root is the JPCERT/CC Root. Read the Toshiba news release.

To date, 172 organizations from 28 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The goal of the CVE Services is to simplify and automate the reservation of CVE IDs and the submission and uploading of CVE Records to the CVE List for CNAs.

Released June 15-16, 2021, CVE Services v1.1.1 updates include implementing new initial User Registry functions/endpoints for CNAs for improved management of their CVE Services users and accounts. In addition, cvelib, a library and a command line interface for the CVE Services API that is free to use by all CNAs, was developed and released by Martin Prpic of Red Hat.

CVE Services v1.1.1 is a minor release and is backwards compatible with CVE Services v1.0.1, which was deployed for CNAs in December 2020.

Zyxel Corporation is now a CVE Numbering Authority (CNA) for Zyxel products issues only. In addition, Zyxel’s Root is the MITRE Top-Level Root.

To date, 171 organizations from 28 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Wordfence is now a CVE Numbering Authority (CNA) for WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team. In addition, Wordfence’s Root is the MITRE Top-Level Root.

To date, 170 organizations from 28 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

In his article on the CVE Blog, CVE community member and Endika Gil-Uriarte Chief Strategy Officer at Alias Robotics discusses how his organization partnered with the CVE Program as a CVE Numbering Authority (CNA) in “Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities.”

UPDATE: Infrastructure upgrades on the CVE website were completed, and normal operations resumed, on June 16, 2021 at 1:00 p.m. (EDT). We apologize for any inconvenience.

The CVE Program is upgrading the infrastructure used to add CVE List content to the CVE website. As a result, from 6:00 a.m. (EDT) on June 15, 2021 through 11:00 p.m. (EDT) on June 16, 2021 any data that is updated daily on a periodic basis (e.g., CVE List, @CVEnew tweets, download files) will not be updated. Normal operations are now scheduled to resume on June 16, 2021 at 11:00 p.m. (EDT).

Previously published CVE List content on the CVE website will remain accessible, as will all other website content, during the upgrades. In addition, submissions via the CVE Request Web Form and GitHub (CVE Numbering Authorities (CNAs)-only) may still be made during this time but will be processed once the upgrade is completed. We apologize for any inconvenience. Please contact us with any comments or concerns.

This announcement was also posted to Twitter and LinkedIn.

Becton, Dickinson and Company (BD) is now a CVE Numbering Authority (CNA) for BD software-enabled medical devices only. In addition, BD’s Root is the CISA ICS Top-Level Root.

To date, 169 organizations from 28 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Fluid Attacks is now a CVE Numbering Authority (CNA) for vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope. In addition, Fluid Attack’s Root is the MITRE Top-Level Root.

To date, 168 organizations from 28 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on May 26, 2021. Read the meeting minutes.

The CVE Board continues to encourage innovative approaches to improving the vulnerability management ecosystem, and encourages feedback specifically related to improving the CVE Program.

Subject to previous communications, the CVE Board is aware of existing and increasing confusion within the community regarding unauthorized entities assigning “CVE” identification (ID) numbers and publishing “CVE” records. To this end, the Distributed Weakness Filing (DWF) project, which is not an authorized CVE Numbering Authority (CNA) and is not following the established CVE Program rules, is infringing on the CVE namespace by issuing IDs using the CVE Program syntax in the CVE-2021-xxxxxxx (million) range.

These are not valid CVE IDs and records. They will not be included in the CVE List. The CVE Board wants to make this clear to community stakeholders to eliminate the confusion caused by the unauthorized use of the CVE namespace.

To obtain a valid CVE ID, please contact a legitimate CNA or contact the CVE Program Secretariat to become an authorized CNA. The list of CNAs is located at https://cve.mitre.org/cve/request_id.html#cna_participants.

- The CVE Board

Chandan Nandakumaraiah of Palo Alto Networks has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board held a teleconference meeting on April 28, 2021. Read the meeting minutes.

GS McNamara LLC is now a CVE Numbering Authority (CNA) for GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that we are researching or coordinating that are not in another CNA’s scope. In addition, GS McNamara LLC’s Root is the MITRE Top-Level Root.

To date, 167 organizations from 27 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

huntr.dev is now a CVE Numbering Authority (CNA) for vulnerabilities in third-party code reported to huntr.dev. In addition, huntr.dev’s Root is the MITRE Top-Level Root.

To date, 166 organizations from 27 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Octopus Deploy is now a CVE Numbering Authority (CNA) for all Octopus Deploy products, as well as Octopus Deploy maintained projects hosted on https://github.com/OctopusDeploy. Octopus’ Root is the MITRE Top-Level Root. Read the Octopus news release.

To date, 165 organizations from 27 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Zoom Video Communications, Inc. is now a CVE Numbering Authority (CNA) for Zoom and Keybase issues only. Zoom’s Root is the MITRE Top-Level Root.

To date, 164 organizations from 27 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on April 14, 2021. Read the meeting minutes.

Vaadin Ltd. is now a CVE Numbering Authority (CNA) for all Vaadin products and supported open-source projects hosted at https://github.com/vaadin. Vaadin’s Root is the MITRE Top-Level Root. Read the Vaadin news release.

To date, 163 organizations from 27 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

In his article on the CVE Blog, CVE Board Member Mark Cox of the Apache Software Foundation (ASF) discusses how ASF has partnered with the CVE Program as a CVE Numbering Authority (CNA) and its participation in the CVE Automation Working Group in “Our CVE Story: An Open-Source, Community-Based Example.”

Axis Communications AB is now a CVE Numbering Authority (CNA) for Axis products and solutions only. Axis’ Root is the MITRE Top-Level Root. Read the Axis news release.

To date, 162 organizations from 27 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on March 31, 2021. Read the meeting minutes.

Kurt Seifried and Josh Bressers,

The CVE Board encourages innovative approaches to improve cybersecurity. In this regard, we wish you the best of luck with respect to improving the vulnerability management ecosystem.

It has come to the CVE Board’s attention that DWF has recently begun attempting to issue CVE IDs via its GitHub community site. To the CVE Board’s knowledge, DWF has issued at least eight ID numbers that DWF purports to be “CVE” IDs. As you are aware, only CVE Numbering Authorities (CNAs) approved by the CVE Board are authorized to issue valid CVE IDs. DWF is not an approved CNA.

Attempts by non-CNAs to issue unauthorized “CVE” IDs is disruptive to the CVE numbering system no matter where these unapproved IDs fall in the numbering order, and this creates confusion in the CVE contributor and user communities. Issuing unauthorized “CVE” IDs undermines public trust in the entire CVE system. This erosion of trust degrades the CVE community’s ability to provide a free public resource to track vulnerabilities and reduce cybersecurity risk. Further, we consider issuing unauthorized “CVE” IDs to be unfair competition and a misappropriation of the trusted “CVE” brand that the CVE community has spent many years building. Finally, MITRE confirms it has not licensed DWF to use this mark, which is a registered trademark of the MITRE Corporation.

The CVE Board welcomes contributions from the cybersecurity community and encourages organizations to apply for CNA status. The CVE Board notes that DWF has not attempted to reapply for CNA status, and invites DWF do so. However, until DWF is an approved CNA, the CVE Board requests that DWF cease issuing “CVE” IDs and rename all current and future IDs that DWF issues.

Thank you for your prompt attention to this matter.

- The CVE Board

Synopsys is now a CVE Numbering Authority (CNA) for all Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope. Synopsys’ Root is the MITRE Top-Level Root.

To date, 161 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

NEC Corporation is now a CVE Numbering Authority (CNA) for NEC issues only. NEC’s Root is the JPCERT/CC Root.

To date, 160 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on March 17, 2021. Read the meeting minutes.

DeepSurface Security, Inc. is now a CVE Numbering Authority (CNA) for all DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope. DeepSurface’s Root is the MITRE Top-Level Root.

To date, 159 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Environmental Systems Research Institute, Inc. (Esri) is now a CVE Numbering Authority (CNA) for all Esri products only. Esri’s Root is the MITRE Top-Level Root.

To date, 158 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Xen Project is now a CVE Numbering Authority (CNA) for all sub-projects under Xen Project’s umbrella (see Xen Project Teams), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer. Xen Project’s Root is the MITRE Top-Level Root.

To date, 158 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

In his article on the CVE Blog, CVE community member and independent vulnerability researcher CVE Numbering Authority (CNA) Larry Cashdollar discusses “My CVE Story: How I Became the CVE Program’s First Vulnerability Researcher CNA.”

The CVE Board held a teleconference meeting on March 3, 2021. Read the meeting minutes.

This is a reminder to the community that only CVE Numbering Authorities (CNAs) are authorized to assign CVE IDs.

CVE IDs obtained in some other way are not recognized by the CVE Program.

Arista Networks, Inc. is now a CVE Numbering Authority (CNA) for all Arista products only. Arista’s Root is the MITRE Top-Level Root.

To date, 157 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Mautic is now a CVE Numbering Authority (CNA) for Mautic core and officially supported plugins. Mautic’s Root is the MITRE Top-Level Root.

To date, 156 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Simplinx Ltd. is now a CVE Numbering Authority (CNA) for Simplinx products only. Simplinx’s Root is the CISA ICS Top-Level Root.

To date, 155 organizations from 26 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Xylem is now a CVE Numbering Authority (CNA) for Xylem products and technologies only. Xylem’s Root is the CISA ICS Top-Level Root.

To date, 154 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

The CVE Board held a teleconference meeting on February 17, 2021. Read the meeting minutes.

The CVE Board held a teleconference meeting on February 3, 2021. Read the meeting minutes.

Swift Project is now a CVE Numbering Authority (CNA) for the Swift Project only. Swift Project’s Root is the MITRE Top-Level Root.

To date, 153 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

In his article on the CVE Blog, CVE community member Jonn Perez of CVE Numbering Authority (CNA) Trend Micro discusses the benefits of leveraging the CVE Program in its vulnerability discovery and disclosure processes in “Our CVE Story: Learning to Embrace Recognition and Mitigations of Vulnerabilities as a Strength.”

Ken Munro of Pen Test Partners LLP has joined the CVE Board.

Read the full announcement and welcome message in the CVE Board email discussion list archive.

The CVE Board held a teleconference meeting on January 6, 2021. Read the meeting minutes.

Sophos Limited is now a CVE Numbering Authority (CNA) for Sophos issues only. Sophos’ Root is the MITRE Top-Level Root. Read the Sophos news release.

To date, 152 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

WPScan is now a CVE Numbering Authority (CNA) for WordPress core, plugins, and themes. WPScan’s Root is the MITRE Top-Level Root. Read the WPScan news release.

To date, 151 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.

Samsung Mobile is now a CVE Numbering Authority (CNA) for Samsung Mobile Galaxy products, personal computers, and related services only. Samsung Mobile’s Root is the MITRE Top-Level Root.

To date, 150 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.