Introduction to CVE Numbering Authorities
As the number of disclosed vulnerabilities has grown dramatically, the process of assigning CVE identifiers has become complex and distributed. Rather than a single organization assigning all CVEs, MITRE (the CVE program sponsor) delegates CVE assignment authority to trusted organizations called CVE Numbering Authorities (CNAs).
CNAs are organizations authorized to:
- Identify vulnerabilities eligible for CVE assignment
- Assign CVE identifiers to vulnerabilities
- Provide initial vulnerability descriptions and metadata
- Coordinate disclosure with vendors and researchers
CNAs essentially decentralize CVE administration to ensure timely, accurate CVE assignment across diverse technology sectors.
History and Evolution of the CNA Program
When the CVE program began in 1999, MITRE alone assigned all CVE identifiers. As software vulnerability rates increased exponentially, this centralized approach became a bottleneck. Vulnerabilities would wait weeks or months for CVE assignment while MITRE processed requests sequentially.
In 2017, MITRE introduced the CNA program to distribute CVE assignment authority. This allowed organizations closest to vulnerability discovery and disclosure—vendors, security researchers, and vulnerability databases—to assign CVEs for their domains. The CNA program has grown to include hundreds of authorized organizations.
Types of CVE Numbering Authorities
CNAs fall into several categories based on their role in the vulnerability ecosystem:
Software vendor CNAs: Major software companies like Microsoft, Google, Apple, and Cisco are CNAs for vulnerabilities in their products. They can assign CVEs for any vulnerability in their software directly.
Open-source project CNAs: GitHub, Apache Software Foundation, and other open-source organizations are CNAs that assign CVEs for open-source projects.
Security research organization CNAs: Security companies such as Tenable and Qualys are CNAs for vulnerabilities found through their own research or disclosed to them.
Government/critical infrastructure CNAs: CISA (Cybersecurity and Infrastructure Security Agency) operates a CNA for U.S. government and critical infrastructure vulnerabilities.
National CVE Authorities: Some countries operate CNAs for vulnerabilities discovered within their borders or affecting national interests.
Bug bounty platform CNAs: Platforms like HackerOne and Bugcrowd operate CNAs, assigning CVEs for vulnerabilities discovered through their programs.
Academic and independent researcher CNAs: Some independent security researchers and academic organizations are authorized CNAs for their research.
The CNA Designation Process
Becoming a CNA requires meeting MITRE's criteria:
Technical expertise: The organization must demonstrate deep understanding of vulnerability disclosure, CVE policies, and vulnerability assessment.
Infrastructure and processes: The organization must have systems and procedures for:
- Receiving vulnerability disclosures
- Validating that vulnerabilities meet CVE requirements
- Assigning CVE identifiers appropriately
- Maintaining records and metadata
- Coordinating with other CNAs
Trusted reputation: The organization must have a track record of responsible disclosure and demonstrated commitment to security.
Scope definition: The CNA must clearly define its scope (which products/projects/sectors it will assign CVEs for).
Organizations apply to MITRE, which evaluates whether they meet criteria. Active CNAs must maintain their systems and processes or risk losing CNA status.
CNA Responsibilities and Requirements
CNAs operate under specific rules set by MITRE:
Vulnerability assessment: CNAs must verify that vulnerabilities meet CVE requirements before assignment:
- Vulnerability exists in publicly available software or hardware
- Vulnerability is exploitable or represents a real security flaw
- Vulnerability meets CVE scope (publicly disclosed or disclosed responsibly)
Timely assignment: CNAs should assign CVEs promptly after confirming eligibility, ideally within 72 hours of determination that a CVE is warranted.
Accurate metadata: CNAs must provide:
- Vulnerability description explaining what the vulnerability is
- Affected products and versions
- Attack vector and impact assessment
- Initial CVSS score (if available at assignment time)
- References to vendor advisories, patches, and research
Coordinate with other CNAs: When vulnerabilities affect multiple vendors' products, CNAs coordinate to ensure consistent information and avoid duplicate assignments.
Maintain data quality: CNAs are responsible for initial accuracy. While MITRE and NVD can enhance or correct information later, CNAs should strive for accuracy upfront.
Follow responsible disclosure practices: CNAs should not publicly assign CVEs before vendors have had reasonable time to develop patches (typically 0-90 days depending on coordination).
How CVE Assignment Works
When a vulnerability is discovered, the path to CVE assignment typically follows one of these routes:
Route 1: Direct vendor assignment
- Vendor discovers vulnerability in their software
- Vendor (as CNA) assigns CVE internally
- Vendor publicizes CVE with patch simultaneously
- CVE is listed in public databases
This is the fastest route: a vendor acting as its own CNA can assign the CVE and ship the patch on the same day.
Route 2: Researcher to vendor to CNA
- Security researcher discovers vulnerability
- Researcher privately discloses to affected vendor
- Vendor (as CNA) assigns CVE after confirmation
- Vendor releases patch; CVE published
- Timeline: Typically 30-90 days
Route 3: Researcher to CNA (vendor not CNA)
- Security researcher discovers vulnerability
- Researcher discloses to a CNA (like Tenable, Qualys, or GitHub)
- CNA contacts vendor and assigns CVE
- Vendor develops patch
- CNA and vendor coordinate disclosure
- Timeline: Typically 30-90 days
Route 4: Discovered in the wild
- Vulnerability is discovered during active exploitation
- Researcher or security company reports to CNA or vendor
- CVE is assigned urgently (often within days)
- Patch development is accelerated
- Timeline: Immediate to weeks
Route 5: Vulnerability databases and aggregators
- Vulnerabilities found in public disclosures, GitHub issues, etc.
- A CNA such as GitHub or a vulnerability database assigns the CVE
- Timeline: When public disclosure occurs
Coordination Between CNAs
With hundreds of CNAs operating globally, coordination is essential to prevent:
- Duplicate CVE assignments for the same vulnerability
- Conflicting vulnerability descriptions
- Confusion about which CVE refers to which vulnerability
CNA coordination mechanisms:
CVE Advisory Working Group: CNAs and MITRE participants coordinate on assignment standards and policies.
CNA mailing list: Active communication channel for CNAs to alert others about pending assignments and coordinate on cross-vendor vulnerabilities.
MITRE as arbiter: When conflicts arise (multiple CNAs claiming a vulnerability), MITRE resolves disputes and maintains the authoritative CVE record.
Vulnerability scope coordination: CVE's scope rules (e.g., "this vulnerability affects these specific products") help determine which CNA assigns a particular CVE.
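The metadata requirements listed under "Accurate metadata" and the duplicate-avoidance goal of CNA coordination lend themselves to a pre-publication check. The following is an added example written for this page, not code from MITRE or any CNA: it validates a constructed CNA record against the items the text names (well-formed CVE ID, description, affected products and versions, attack vector and impact, references, CVSS score in range) and flags records from different CNAs that look like the same vulnerability. The record field names, the minimum description length and the duplicate-signature heuristic are this example's own assumptions, not CVE program rules; the sample records and URLs are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CVE identifier syntax: "CVE-", a four-digit year, "-", four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class CnaRecord:
    """Pre-publication record a CNA assembles before announcing a CVE.

    Field names are this example's own, chosen to mirror the metadata items
    the text lists; they are not the CVE program's record schema.
    """
    cve_id: str
    description: str
    affected_products: List[str]
    affected_versions: List[str]
    attack_vector: str
    impact: str
    references: List[str]
    cvss_score: Optional[float] = None  # may be unknown at assignment time


def validate_record(rec: CnaRecord) -> List[str]:
    """Return the problems found; an empty list means the record passes."""
    problems: List[str] = []
    if not CVE_ID_RE.match(rec.cve_id):
        problems.append("cve_id is not of the form CVE-YYYY-NNNN")
    if len(rec.description.split()) < 8:  # threshold is an assumption
        problems.append("description too short to explain the flaw")
    if not rec.affected_products:
        problems.append("no affected products listed")
    if not rec.affected_versions:
        problems.append("no affected versions listed")
    if not rec.attack_vector.strip() or not rec.impact.strip():
        problems.append("attack vector or impact assessment missing")
    if not rec.references:
        problems.append("no references to advisory, patch or research")
    if rec.cvss_score is not None and not 0.0 <= rec.cvss_score <= 10.0:
        problems.append("cvss_score outside the 0.0-10.0 range")
    return problems


def _coordination_key(rec: CnaRecord) -> Tuple[str, ...]:
    """Normalised (products, versions, attack vector, impact) tuple used as a
    heuristic duplicate signature; an assumption of this example, not a CVE rule."""
    products = tuple(sorted(p.strip().lower() for p in rec.affected_products))
    versions = tuple(sorted(v.strip().lower() for v in rec.affected_versions))
    return products + versions + (rec.attack_vector.strip().lower(),
                                  rec.impact.strip().lower())


def find_possible_duplicates(records: List[CnaRecord]) -> List[List[str]]:
    """Group CVE IDs whose records share a coordination key, so the CNAs
    involved can confirm whether they describe one vulnerability."""
    groups: Dict[Tuple[str, ...], List[str]] = {}
    for rec in records:
        groups.setdefault(_coordination_key(rec), []).append(rec.cve_id)
    return [ids for ids in groups.values() if len(ids) > 1]


# Constructed sample records: placeholder IDs, fictional product and URLs.
GOOD = CnaRecord(
    cve_id="CVE-2099-0001",
    description="Heap buffer overflow in ExampleParser 1.x when handling oversized "
                "length fields allows remote code execution.",
    affected_products=["ExampleParser"],
    affected_versions=["1.0", "1.1"],
    attack_vector="network",
    impact="remote code execution",
    references=["https://example.invalid/advisory-0001"],
    cvss_score=9.8,
)
BAD = CnaRecord(
    cve_id="CVE-2099-1",        # sequence part too short
    description="Overflow.",    # does not explain the flaw
    affected_products=["ExampleParser"],
    affected_versions=[],       # versions missing
    attack_vector="network",
    impact="remote code execution",
    references=[],              # nothing to cite
    cvss_score=11.0,            # out of range
)
# A second CNA's record of what appears to be the same issue under another ID.
DUP = CnaRecord(
    cve_id="CVE-2099-0002",
    description="Remote code execution via heap overflow in ExampleParser when "
                "parsing crafted length fields.",
    affected_products=["exampleparser"],
    affected_versions=["1.1", "1.0"],
    attack_vector="Network",
    impact="Remote code execution",
    references=["https://example.invalid/research-note"],
)

if __name__ == "__main__":
    for rec in (GOOD, BAD, DUP):
        print(rec.cve_id, validate_record(rec) or "ok")
    print("possible duplicates:", find_possible_duplicates([GOOD, BAD, DUP]))
```

The duplicate check deliberately ignores the free-text description, since two CNAs describing one bug will word it differently; it keys on the structured fields that both should agree on, and leaves the final decision to the humans on the CNA coordination channel.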
CNA Coverage Gaps
Not all vulnerabilities have a designated CNA:
Small software vendors: A small vendor might not be a CNA. Researchers discovering vulnerabilities in their software must work with another CNA (security company, GitHub, etc.) for CVE assignment.
Academic software: Research code or limited-use software might not fall within any CNA's scope.
Hardware and embedded systems: Some hardware manufacturers aren't CNAs; government or independent CNAs might handle their vulnerabilities.
International software: Some software, especially from countries without established CNA programs, might lack dedicated CNA coverage.
In these cases, researchers work with available CNAs or MITRE directly to obtain CVE assignment.
The CNA Program and Vulnerability Economics
The CNA program has important effects on vulnerability disclosure:
Incentivizes vendor participation: Vendors wanting direct control over CVE assignment become CNAs, ensuring rapid assignment and accurate descriptions.
Enables responsible disclosure: Researchers can contact CNAs to assign CVEs responsibly before public disclosure.
Creates competition among CNAs: Multiple CNAs in the same sector compete on quality of service, encouraging good practices.
Reduces disclosure bottlenecks: Distributed assignment eliminates the wait time that once characterized the centralized system.
However, some criticism exists:
Vendor bias: Vendors acting as CNAs might downplay severity or delay assignment of vulnerabilities in their products.
Variable standards: Different CNAs might apply different assignment criteria, leading to inconsistency.
Rapid assignment without review: CNAs sometimes assign CVEs quickly without thorough vetting, leading to questionable assignments.
Vulnerability Vendors as CNAs
Companies like Tenable, Qualys, and others are CNAs specializing in vulnerabilities discovered through their research or disclosed to them:
Benefits:
- Rapid CVE assignment (can be same-day)
- Integration with their vulnerability databases
- Detailed analysis and documentation
- Coordination of disclosure timing
Process:
- Vulnerability discovered or reported
- Vendor validates vulnerability meets CVE criteria
- Vendor assigns CVE
- Vendor works with affected software vendors on patch timing
- Disclosure happens on agreed timeline
This has become the standard path for many independent security researcher disclosures.
The Future of CVE Assignment
The CNA program continues to evolve:
Automated assignment: Some proposals suggest automatic CVE assignment for certain categories of vulnerabilities to accelerate the process.
Federated assignment: Rather than strict CNA scopes, a more federated model would allow multiple CNAs to assign CVEs for overlapping vulnerabilities.
Blockchain or distributed ledger: Some proposals suggest using blockchain to create immutable CVE records.
Expanded scope: As vulnerabilities in AI systems, supply chain components, and emerging technologies increase, new CNA categories might be created.
Quality standards: Efforts are ongoing to improve CNA assignment standards and consistency across organizations.
Practical Implications for Organizations
Understanding the CNA system helps with vulnerability management:
Vendor vulnerability response time: Vendors that are CNAs can assign CVEs immediately; non-CNAs depend on other CNAs, potentially delaying assignment.
Vulnerability data quality: CVEs assigned by the affected vendor often have the most detailed and accurate information.
Disclosure coordination: Understanding CNA participation helps predict when vulnerabilities will be publicly disclosed and patches released.
Research and disclosure: Researchers can identify the appropriate CNA for their discoveries, enabling responsible disclosure.
Conclusion
CVE Numbering Authorities (CNAs) are organizations authorized by MITRE to assign CVE identifiers, enabling distributed, scalable vulnerability assignment globally. Major software vendors, open-source organizations, security research companies, government agencies, and other trusted entities serve as CNAs within their defined scopes. The CNA program has dramatically improved vulnerability disclosure timelines while maintaining quality control through MITRE oversight. Understanding the CNA landscape helps security professionals anticipate CVE assignments and understand the path from vulnerability discovery to public disclosure. As vulnerability discovery rates continue to accelerate, the CNA program will likely continue evolving to meet increasing demand for rapid, accurate vulnerability identification and disclosure.