CVE Numbering Authorities

CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVEs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVEs are provided to researchers, vulnerability disclosers, and information technology vendors.

Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.

To review the products covered by each CNA, visit the CNA Coverage section on the Request a CVE ID page.

Participating CNAs

There are 81 organizations participating as CNAs as of November 9, 2017:

View the current list of CNAs.

CNAs World Map as of November 2017

Number of CNAs by country as shown above, as of November 9, 2017:

Become a CNA

IMPORTANT: The information below is reprinted from the "CNA Candidate Process" section of the "CVE Numbering Authorities (CNA) Rules" document. Please review the entire CNA Rules document before requesting to become a CNA.

4. CNA Candidate Process

The CVE Program, through both Root CNAs and the Primary CNA, adds qualified organizations (hereinafter referred to as candidates) as CNAs through the on-boarding process described in this section. The on-boarding process is designed to set expectations for CNAs regarding the oversight and administration of CVE assignment for products within their scope. The goals of the CNA candidate process:

  1. The candidate understands its roles and responsibilities.
  2. Individual members of the new CNA's team are able to perform CVE assignment and counting processes.
  3. Clear communication channels exist between CNAs and the rest of the CVE Program.

4.1. CNA Qualifications

A candidate is qualified if they meet the following criteria:

  1. A candidate must be interested in becoming a CNA and willing to follow established CNA rules.
  2. A CNA must be

    1. a vendor with a significant user base and an established security advisory capability, or

    2. an established entity with an established security advisory capability that typically acts as a neutral interface between researchers and vendors.

    A Root CNA may be a regional coordinator (such as a Computer Emergency Response Team [CERT]) or a domain publisher (such as an Information Sharing and Analysis Center [ISAC] representing a particular sector). A CNA may also be a mature research organization.
  3. The CNA must be an established distribution point or source for first-time product vulnerability announcements (which may concern their own products). In keeping with the CVE requirement to identify public issues, the CNA must only assign CVEs to security issues that will be made public. (Refer to the definition of "vulnerability" in Appendix A for clarification on what products should and should not be considered when assigning a CVE ID.)
  4. The CNA must follow coordinated disclosure practices as determined by the community which they serve. Coordinated disclosure practices reduce the likelihood that duplicate or inaccurate information will be introduced into CVE.

4.2. CNA On-Boarding Process

  1. A candidate may be identified by a Root CNA, the Primary CNA, a member of the CVE Board, or they may approach the Root CNA, the Primary CNA, or a member of the CVE Board to request a CNA appointment.
  2. The candidate is reviewed to determine whether it is qualified by the appropriate Root CNA or the Primary CNA, hereinafter referred to as the vetting CNA, using the guidance in this section. A Root CNA is appropriate if the candidate fits within the domain of the Root CNA.
  3. The vetting CNA engages the candidate and shares information about becoming a CNA, including this document.
  4. The candidate assigns a primary and secondary POC for initial coordination with the vetting CNA.
  5. Anyone acting in a CVE analyst capacity at the candidate's organization will be given training by their vetting CNA, which will include:
    • Examples and exercises to work through with instruction and feedback;
    • Counting rules to review and follow. During this training, an initial block of CVE IDs will be allocated to the candidate for use with their training. This block will be allocated by the vetting CNA. The Primary CNA will provide guidance and templates to assist with the creation of examples and exercises.
  6. The candidate will document how CVE processes will be integrated into their operations.
    • The candidate's documentation will include how they will process new requests for CVE IDs, internally and externally. If the candidate will process external CVE assignment requests, processes to submit requests will be documented for public release.
    • All documentation will be shared with the vetting CNA and may also be shared publicly by the candidate.
  7. The vetting CNA will review the candidate's documentation and work with the candidate to address any issues in their processes that may conflict with the established CNA rules.
  8. The vetting CNA allocates the candidate a block of CVE IDs to assign.
  9. The candidate's POCs are added to the appropriate communications channels.
  10. After successfully completing the above, required steps, the candidate enters operational mode and is now considered a CNA. If the CNA was added by a Root CNA, the Root CNA notifies the Primary CNA.
  11. The Primary CNA updates public documentation to include the new CNA and makes public announcements introducing the new CNA. Any changes in a CNA's program, including staff changes or process changes, must be documented and shared with the CVE Program through a CNA's Root CNA or the Primary CNA.

Contacting MITRE to Become a CNA:

After reviewing the "CVE Numbering Authorities (CNA) Rules" document and the information above, please use the CVE Request web form and select "Other" from the dropdown menu to contact us about becoming a CNA.

Documentation for CNAs

To learn more about CNA rules and requirements—including becoming a CNA—please review the documents below.

New! CVE Numbering Authorities (CNA) Rules, Version 2.0

This updated version of the CNA Rules document will take effect on January 1, 2018, and is posted here now for community review in advance of the implementation date. For details, view the blog post, issue tracker, and change logs.

CVE Numbering Authorities (CNA) Rules, Version 1.1 – September 16, 2016

Includes detailed information about the following:
  • CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules
  • Rules for All CNAs – Assignment, Communication, and Administration
  • Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA
  • CNA Candidate Process – Qualifications, and On-Boarding Process
  • Appeals Process
  • Definitions
  • CVE Information Format
  • Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions
  • Terms of Use
  • Process to Correct Counting Issues
  • Acronyms

New! CVE Overview for Prospective CNAs, Version 1.0 – September 29, 2017

Provides detailed information for prospective CNAs about the following:
  • Conceptual Basis of CVE
  • Design and Operational Choices for CVE – CVEs Purposely Provide Minimal Information About a Vulnerability, The CVE List is a Simple List, CVE Only Publishes Already-Disclosed Vulnerabilities, and The Anatomy of a CVE Entry - Example
  • CVE and the National Vulnerability Database (NVD)
  • CVE and CNAs – Sources of Vulnerability Information, Benefits of Early CVE ID Assignment, Roles and Responsibilities of a CVE CNA - High Level View, and Benefits of Operating as a CNA
  • Special Considerations for Prospective CNAs – Requirements for Assigning a CVE ID and Challenges When Assigning CVE IDs
  • More Information
  • Acronyms
  • References

Researcher Reservation Guidelines, Version 0.1 – August 29, 2016

Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that the CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability.

Submitting CVE Assignment Information to CVE Team

Please use one of the following three methods to submit CVE assignment information to the CVE Team.

(1) CVE Request Web Form

Submitting through the CVE Request Web Form:
  1. Visit the CVE Request web form.
  2. Select “Notify CVE about a publication” and enter your email address.
  3. Fill in the form.
     NOTE: “Link to the advisory” and “CVE IDs of vulnerabilities to be published” fields are required.
  4. The assignment information (in Flat File, CSV, or JSON format) should be entered in the “Additional information and CVE ID description updates” field.
     NOTE: Alternatively, you can send the assignment information as a file attachment in a reply to an email message generated by CVE’s ticketing system when the submission has been received.
  5. Enter the security code.
  6. Press “Submit Request.”

(2) Email Address

(3) Git (Experimental)

Page Last Updated or Reviewed: November 09, 2017