A CVE Numbering Authority (CNA) is an organization authorized to assign CVE IDs to vulnerabilities in its own products or scope. Browse every CNA, see how many CVEs each has published, and view a data-quality report card grading the completeness of their CVE records: vendor, product, CVSS, and CWE coverage.
Understand the roles in the CVE Program hierarchy — who assigns CVE IDs, who enriches records, and who governs the program.
The CVE Program is a community effort that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. It is operated by MITRE and sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), with funding and oversight from the U.S. Department of Homeland Security. Every published vulnerability receives a unique CVE Identifier (for example, CVE-2024-12345) so that vendors, researchers, and defenders can reference the same issue without ambiguity.
Because no single organization can triage every vulnerability across all software in the world, the program distributes the work of assigning CVE IDs to a federated network of authorized partners. These partners — CVE Numbering Authorities — operate within defined scopes and report up through a tiered structure of Roots and Top-Level Roots. A separate role, the Authorized Data Publisher, adds extra context to records without assigning new IDs.
A CVE Numbering Authority (CNA) is an organization authorized to assign CVE IDs and publish CVE records for vulnerabilities within a specific, agreed-upon scope. Most CNAs cover their own products — when a vendor confirms a flaw in its software, it can assign a CVE ID directly rather than going through a third party. Other CNAs serve as third-party coordinators for open-source projects or for researchers who report issues outside any vendor scope.
Each CNA receives a block of CVE IDs from the Root that oversees it and is responsible for the accuracy and completeness of the records it publishes. Examples of CNAs include Microsoft, Google, Red Hat, Apple, Oracle, and GitHub.
A Root is a CNA that manages and trains a group of CNAs operating beneath it. Roots recruit and onboard new CNAs within their domain, allocate blocks of CVE IDs to those CNAs, and provide governance, dispute resolution, and quality oversight for their part of the program. A Root sits above the CNAs it manages and below a Top-Level Root.
Examples of Roots include MITRE, CISA, Red Hat, and INCIBE (Spain). Note that an organization can hold more than one role — Red Hat, for instance, is both a CNA for its own products and a Root that manages other open-source CNAs.
A Top-Level Root is the highest tier of the hierarchy. Top-Level Roots oversee the Roots beneath them, set program-wide rules and processes, and are responsible for the overall governance of their branch of the program. They are the final point of escalation for disputes that cannot be resolved at lower tiers.
There are two Top-Level Roots: MITRE and CISA. MITRE operates the program and serves as the Top-Level Root for the broad international community, while CISA serves as the Top-Level Root focused on Industrial Control Systems (ICS) and U.S. government interests.
An Authorized Data Publisher (ADP) enriches existing CVE records with additional data. Critically, an ADP does not assign CVE IDs — it works alongside the CNA that originally published a record, attaching a separate container of supplementary information rather than altering the original CNA data.
The primary ADP is CISA, through its Vulnrichment program. Vulnrichment adds context such as SSVC decision points, CVSS severity scores, CWE weakness classifications, and CPE applicability data to records that would otherwise lack it. This enrichment helps defenders prioritize which vulnerabilities to remediate first.
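The separate-container model described above, as an added Python example (not code from this site or the CVE Program): it attributes each report-card field (vendor, product, CVSS, CWE) to the container that supplied it, so CNA gaps and ADP enrichment stay distinguishable. The record is constructed in the CVE Record Format 5.x layout; the placeholder list and function names are assumptions.

```python
# Added example: constructed record in CVE Record Format 5.x layout (not real data).
SAMPLE = {
    "cveMetadata": {"cveId": "CVE-2024-12345", "state": "PUBLISHED"},
    "containers": {
        "cna": {  # what the assigning CNA published
            "affected": [{"vendor": "ExampleCorp", "product": "n/a"}],
            "descriptions": [{"lang": "en", "value": "Constructed sample."}],
        },
        "adp": [{  # separate enrichment container; the CNA data is untouched
            "providerMetadata": {"shortName": "CISA-ADP"},
            "metrics": [
                {"other": {"type": "ssvc", "content": {"options": [{"Exploitation": "none"}]}}},
                {"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
            ],
            "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79"}]}],
        }],
    },
}

PLACEHOLDERS = {"", "n/a", "unknown", "unspecified"}  # assumed "no data" values

def _real(value):
    return isinstance(value, str) and value.strip().lower() not in PLACEHOLDERS

def fields_present(container):
    """Return which report-card fields one container actually fills in."""
    affected = container.get("affected", [])
    metrics = container.get("metrics", [])
    cwes = [d for pt in container.get("problemTypes", [])
            for d in pt.get("descriptions", [])]
    return {
        "vendor": any(_real(a.get("vendor")) for a in affected),
        "product": any(_real(a.get("product")) for a in affected),
        "cvss": any(k.startswith("cvssV") for m in metrics for k in m),
        "cwe": any(str(d.get("cweId", "")).startswith("CWE-") for d in cwes),
    }

def attribute(record):
    """Map each field to 'cna', the ADP shortName that supplied it, or None."""
    containers = record.get("containers", {})
    result = {f: None for f in ("vendor", "product", "cvss", "cwe")}
    sources = [("cna", containers.get("cna", {}))]
    sources += [(a.get("providerMetadata", {}).get("shortName", "adp"), a)
                for a in containers.get("adp", [])]
    for name, container in sources:  # CNA first, so its own data wins
        for field, present in fields_present(container).items():
            if present and result[field] is None:
                result[field] = name
    return result
```

A field that maps to `None` is missing from every container, while one that maps to an ADP name was absent from the CNA's own record and supplied by enrichment.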
| Capability | CNA | Root | ADP |
|---|---|---|---|
| Assigns CVE IDs? | Yes, within its scope | Yes, and allocates ID blocks to its CNAs | No |
| Enriches existing records? | Maintains its own records | Maintains its own records | Yes, adds a supplementary data container |
| Manages other CNAs? | No | Yes, recruits, trains, and oversees CNAs | No |
| Examples | Microsoft, Google, Red Hat, Apple | MITRE, CISA, Red Hat, INCIBE | CISA (Vulnrichment) |
Becoming a CNA is a structured process governed by the CVE Program rules. In short, an organization must:
The organizations that have published the most CVE records.