CVE Numbering Authority (CNA)
What is CVE Numbering Authority (CNA)?
CVE Numbering Authority (CNA)An organization authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within its defined scope.
A CVE Numbering Authority (CNA) is an organization authorized by the CVE Program — coordinated by the MITRE Corporation under sponsorship from CISA — to assign CVE IDs and publish CVE records for vulnerabilities affecting products or projects within a defined scope. CNAs include vendors, open-source projects, bug bounty platforms, national CERTs, and research organizations. Each CNA operates under the CNA Rules, must follow coordinated disclosure timelines, and submits records (CVE JSON 5.x) to the CVE List via the CVE Services API. A top-level Root CNA (such as CISA-ICS or MITRE) coordinates and arbitrates disputes for sub-CNAs within its hierarchy. CNAs are the gateway through which CVE entries enter the global vulnerability ecosystem.
● Examples
- 01
A software vendor becoming a CNA so it can assign CVE IDs for vulnerabilities in its own products.
- 02
A bug bounty platform acting as a CNA of Last Resort to assign IDs for researcher-reported flaws.
● Frequently asked questions
What is CVE Numbering Authority (CNA)?
An organization authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within its defined scope. It belongs to the Compliance & Frameworks category of cybersecurity.
What does CVE Numbering Authority (CNA) mean?
An organization authorized by the CVE Program to assign CVE IDs and publish CVE records for vulnerabilities within its defined scope.
How do you defend against CVE Numbering Authority (CNA)?
Defences for CVE Numbering Authority (CNA) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for CVE Numbering Authority (CNA)?
Common alternative names include: CNA.