CVE Numbering Authorities
CVE Numbering Authorities (CNAs) are organizations that are authorized to assign CVEs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVEs are provided to researchers, vulnerability disclosers, and information technology vendors.
Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA's scope by researchers who request a CVE ID from them.
To review the products covered by each CNA, visit the CNA Coverage section on the Request a CVE ID page.
Participating CNAs
The 57 organizations below are participating as CNAs as of April 2017:
Primary CNA
Software Vendors
- Adobe Systems Incorporated (Adobe issues only)
- Apache Software Foundation (Apache software projects only)
- Apple Inc. (Apple issues only)
- BlackBerry (BlackBerry issues only)
- Brocade Communications Systems, Inc. (Brocade and Ruckus Wireless issues only)
- Canonical Ltd. (Ubuntu/Linux issues only)
- Check Point Software Technologies Ltd. (Check Point issues only)
- Cisco Systems, Inc. (Cisco issues only)
- Debian GNU/Linux (Debian issues only)
- Dell EMC (Dell EMC, Dell, RSA, Pivotal, VCE issues only)
- Drupal.org (Drupal issues only)
- Eclipse Foundation (Eclipse IDE and the Eclipse Foundation's eclipse.org, polarsys.org, and locationtech.org open source projects issues only)
- F5 Networks, Inc. (F5 issues only)
- Flexera Software LLC (vulnerabilities discovered by Secunia Research that are not covered by another CNA and Flexera issues only)
- Fortinet, Inc. (Fortinet issues only)
- FreeBSD (primarily FreeBSD issues only)
- Google Inc. (Chrome, Chrome OS, and Android Open Source Project issues only)
- Hewlett Packard Enterprise (HPE issues only)
- HP Inc. (HP Inc. issues only)
- Huawei Technologies Co., Ltd. (Huawei issues only)
- IBM Corporation (IBM issues only)
- Intel Corporation (Intel issues only)
- Internet Systems Consortium (all ISC.org projects)
- Juniper Networks, Inc. (Juniper issues only)
- Lenovo Group Ltd. (Lenovo issues only)
- MarkLogic Corporation (MarkLogic issues only)
- McAfee (McAfee issues only)
- Micro Focus (Micro Focus/Attachmate/Novell/SUSE/NetIQ issues only)
- Microsoft Corporation (Microsoft issues only)
- Mozilla Corporation (Mozilla issues only)
- Netgear, Inc. (Netgear issues only)
- Nvidia Corporation (Nvidia issues only)
- Objective Development Software GmbH (Objective Development issues only)
- OpenSSL Software Foundation (OpenSSL software projects only)
- Oracle (Oracle issues only)
- Puppet (Puppet issues only)
- Qihoo 360 Technology Co. Ltd. (360 Safeguard/360 Mobile Safe/360 Safe Router issues only)
- Qualcomm, Inc. (Qualcomm and Snapdragon issues only)
- Red Hat, Inc. (Linux issues only)
- Schneider Electric SE (Schneider Electric issues only)
- Siemens AG (Siemens issues only)
- Silicon Graphics, Inc. (SGI issues only)
- Symantec Corporation (Symantec issues only)
- TIBCO Software Inc. (TIBCO/Talarian/Spotfire/Data Synapse/Foresight/Kabira/Proginet/LogLogic/StreamBase/JasperSoft/Mashery issues only)
- VMware (VMware issues only)
- Yandex N.V. (Yandex issues only)
Third-Party Coordinators
Vulnerability Researchers
Documentation for CNAs
To learn more about CNA rules and requirements—including becoming a CNA—please review the documents below.
CVE Numbering Authorities (CNA) Rules, Version 1.1 – September 16, 2016
Includes detailed information about the following:
- CNAs Overview – Federated CNA Structure, and Purpose and Goal of the CNA Rules
- Rules for All CNAs – Assignment, Communication, and Administration
- Responsibilities of Root and Primary CNAs – Specific Assignment, Communications, and Administration Rules for Root CNAs and for the Primary CNA
- CNA Candidate Process – Qualifications, and On-Boarding Process
- Appeals Process
- Definitions
- CVE Information Format
- Common Vulnerabilities and Exposures (CVE) Counting Rules – Purpose, Introduction, Definitions, Vulnerability Report, Inclusion Decisions, and Counting Decisions
- Terms of Use
- Process to Correct Counting Issues
- Acronyms
Researcher Reservation Guidelines, Version 0.1 – August 29, 2016
Provides information on how to reserve a CVE ID before publicizing a new vulnerability so that the CVE ID can be included in the initial public announcement of the vulnerability and can be used to track the vulnerability.
Requesting CVE IDs from CNAs
Visit Request a CVE ID to find the appropriate CNA to contact for your issue, as well as CNA contact information.
Become a CNA
IMPORTANT: The information below is reprinted from the "CNA Candidate Process" section of the "CVE Numbering Authorities (CNA) Rules" document. Please review the entire CNA Rules document before requesting to become a CNA.
4. CNA Candidate Process
The CVE Program, through both Root CNAs and the Primary CNA, adds qualified organizations (hereinafter referred to as candidates) as CNAs through the on-boarding process described in this section. The on-boarding process is designed to set expectations for CNAs regarding the oversight and administration of CVE assignment for products within their scope. The goals of the CNA candidate process:
- The candidate understands its roles and responsibilities.
- Individual members of the new CNA's team are able to perform CVE assignment and counting processes.
- Clear communication channels exist between CNAs and the rest of the CVE Program.
4.1. CNA Qualifications
A candidate is qualified if they meet the following criteria:
- A candidate must be interested in becoming a CNA and willing to follow established CNA rules.
- A CNA must be
  - a vendor with a significant user base and an established security advisory capability, or
  - an established entity with an established security advisory capability that typically acts as a neutral interface between researchers and vendors.

  A Root CNA may be a regional coordinator (such as a Computer Emergency Response Team [CERT]) or a domain publisher (such as an Information Sharing and Analysis Center [ISAC] representing a particular sector). A CNA may also be a mature research organization.
- The CNA must be an established distribution point or source for first-time product vulnerability announcements (which may concern their own products). In keeping with the CVE requirement to identify public issues, the CNA must only assign CVEs to security issues that will be made public. (Refer to the definition of "vulnerability" in Appendix A for clarification on what products should and should not be considered when assigning a CVE ID.)
- The CNA must follow coordinated disclosure practices as determined by the community which they serve. Coordinated disclosure practices reduce the likelihood that duplicate or inaccurate information will be introduced into CVE.
4.2. CNA On-Boarding Process
- A candidate may be identified by a Root CNA, the Primary CNA, a member of the CVE Board, or they may approach the Root CNA, the Primary CNA, or a member of the CVE Board to request a CNA appointment.
- The candidate is reviewed to determine whether it is qualified by the appropriate Root CNA or the Primary CNA, hereinafter referred to as the vetting CNA, using the guidance in this section. A Root CNA is appropriate if the candidate fits within the domain of the Root CNA.
- The vetting CNA engages the candidate and shares information about becoming a CNA, including this document.
- The candidate assigns a primary and secondary POC for initial coordination with the vetting CNA.
- Anyone acting in a CVE analyst capacity at the candidate's organization will be given training by their vetting CNA, which will include:
  - Examples and exercises to work through with instruction and feedback;
  - Counting rules to review and follow. During this training, an initial block of CVE IDs will be allocated to the candidate for use with their training. This block will be allocated by the vetting CNA. The Primary CNA will provide guidance and templates to assist with the creation of examples and exercises.
- The candidate will document how CVE processes will be integrated into their operations.
- The candidate's documentation will include how they will process new requests for CVE IDs, internally and externally. If the candidate will process external CVE assignment requests, processes to submit requests will be documented for public release.
- All documentation will be shared with the vetting CNA and may also be shared publicly by the candidate.
- The vetting CNA will review the candidate's documentation and work with the candidate to address any issues in their processes that may conflict with the established CNA rules.
- The vetting CNA allocates the candidate a block of CVE IDs to assign.
- The candidate's POCs are added to the appropriate communications channels.
- After successfully completing the above, required steps, the candidate enters operational mode and is now considered a CNA. If the CNA was added by a Root CNA, the Root CNA notifies the Primary CNA.
- The Primary CNA updates public documentation to include the new CNA and makes public announcements introducing the new CNA. Any changes in a CNA's program, including staff changes or process changes, must be documented and shared with the CVE Program through a CNA's Root CNA or the Primary CNA.
Contacting MITRE to Become a CNA: After reviewing the "CVE Numbering Authorities (CNA) Rules" document and the information above, please use the CVE Request web form and select "Other" from the dropdown menu to contact us about becoming a CNA.