1. Home
  3. CNA Data Sources
RadicalNotion.AIRadicalNotion.AIRadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

  • CWE Directory
  • CAPEC Directory
  • CNA Directory
  • CNA Report Cards
  • Data Sources

Calculators

  • CVSS Calculator
  • CVSS 4.0
  • CVSS 3.1
  • CVSS 3.0
  • CVSS 2.0

Platform

  • My Vulnerabilities
  • Insights
  • Notifications
  • Account
  • Pricing

Learn

  • All guides
  • What is a CVE?
  • What is CVSS?
  • The CISA KEV catalog
  • What is EPSS?

Company

  • About us
  • Blog
  • Book a demo

Get Started

  • Sign up
  • Log in

Legal

  • Privacy
  • Terms
RadicalNotion.AIRadicalNotion.AI

Security data

  • Weaknesses (CWE)The MITRE CWE weakness catalog
  • Attack Patterns (CAPEC)MITRE CAPEC attack patterns
  • CNAsNumbering authorities + report cards
  • VendorsVulnerabilities by vendor

Tools

  • CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

  • LearnPlain-English security guides
  • Data SourcesHow we source CVE data
About UsBlogPricingBook a Demo
Log in

Understanding our CVE data sources

How CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) power the vulnerability intelligence behind RadicalNotion.AI.

What are CVE Numbering Authorities (CNAs)?

CVE Numbering Authorities (CNAs) are organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities affecting products within their distinct scope. Think of them as the official “vulnerability reporters” for specific technology areas, vendors, or product categories.

CNAs assign unique CVE IDs to vulnerabilities in their scope and publish detailed CVE records with technical information. They coordinate with researchers and vendors on disclosure while maintaining the accuracy and timeliness of vulnerability data.

There are four main types of CNAs. Vendor CNAs like Microsoft and Apple handle their own products; research CNAs discover vulnerabilities across multiple vendors; coordinator CNAs manage complex multi-vendor issues; and government CNAs focus on critical-infrastructure vulnerabilities.

Top 5 most active CNAs

CVE assignments by organization (all-time totals).

Browse the full CNA directory or read What is a CNA?.

CISA: the Authorized Data Publisher (ADP)

The Cybersecurity and Infrastructure Security Agency serves a unique role as the sole Authorized Data Publisher in the CVE ecosystem.

Sole ADP status

CISA is currently the only organization with Authorized Data Publisher status, giving it unique authority to enhance CVE records.

Data enhancement

While CNAs provide the basic details, CISA adds CVSS scores, exploitation status, and comprehensive threat intelligence.

KEV catalog

CISA maintains the authoritative Known Exploited Vulnerabilities catalog, providing critical context for active threats.

How CISA functions differently

While CNAs assign CVE IDs and create the initial records, CISA enhances existing CVE records with additional data and a government perspective. CNAs focus on specific products within their authority, but CISA covers all CVEs affecting US critical infrastructure.

This dual approach ensures vulnerabilities get both technical accuracy from domain experts and strategic context from national cybersecurity leadership.

Related: CNA vs. Root CNA vs. ADP, Vulnrichment, and the CISA KEV catalog.

The CVE lifecycle

From assignment to enrichment, a CVE record passes through four stages — and keeps updating long after publication.

  1. 1

    CNA assigns the CVE

    A CVE Numbering Authority assigns a unique CVE ID to a newly discovered vulnerability within its scope.

  2. 2

    Initial publication

    Basic vulnerability details are published to the CVE List and propagate to downstream databases.

  3. 3

    CISA analysis

    As the ADP, CISA adds threat context, exploitation status, and prioritization signals.

  4. 4

    Enhanced record

    The record is enriched with CVSS scores, KEV status, and remediation guidance — and keeps updating over time.

Timeline: hours to weeks, depending on the vulnerability’s complexity and threat level. See the full CVE lifecycle guide.

The growing complexity of CVE management

The vulnerability landscape shows not just growth in new CVEs, but an explosion in ongoing updates to existing records — 2024 saw over 108,000 updates.

While new CVE publications have grown steadily to over 40,000 in 2024, the real story is in the updates. With 108,933 updates in 2024 compared to just 40,274 new publications, we see a critical trend: existing vulnerabilities require constant maintenance and refinement.

This 2.7:1 ratio of updates to new publications reflects the maturing CVE ecosystem. CNAs and CISA continuously enhance records with better CVSS scores, exploit information, affected-version details, and remediation guidance. A single CVE might be updated dozens of times as more information becomes available.

The gap became most pronounced starting in 2019, when update activity began significantly outpacing new publications — the ecosystem’s shift from simply cataloging vulnerabilities to actively maintaining and improving the quality of vulnerability intelligence.

Managing 100,000+ annual updates plus 40,000+ new CVEs makes manual vulnerability management impossible. Organizations need platforms that can process both new threats and evolving intelligence about existing vulnerabilities in real-time.

CVEs published vs. updated per year

Annual CVE publications and updates, showing rapid growth and increasing maintenance activity.

How we handle this scale

Three capabilities that turn this firehose of data into actionable intelligence.

Real-time processing

Our systems continuously monitor all 300+ CNAs and CISA updates, processing hundreds of thousands of changes in real-time.

Smart prioritization

AI algorithms analyze threat patterns to surface the vulnerabilities that actually pose risk to your specific infrastructure.

Quality validation

Every update is validated for accuracy and cross-referenced with multiple authoritative sources before reaching you.

Related reading

Plain-English guides to the people, programs, and data behind every CVE.

  • What is a CNA?How CVE Numbering Authorities assign and publish CVE records.
  • CNA vs. Root CNA vs. ADPThe roles in the CVE hierarchy and where CISA fits.
  • What is Vulnrichment?CISA’s program for enriching CVE records as an ADP.
  • What is the CISA KEV catalog?The authoritative list of known-exploited vulnerabilities.
  • The CVE lifecycleFrom assignment to enrichment — how a CVE record evolves.
  • What is the NVD?The National Vulnerability Database and how it relates to CVE.
  • What is MITRE?The organization that operates the CVE Program.
  • What is a CVE?The basics of Common Vulnerabilities and Exposures.

Ready to leverage this intelligence?

See how comprehensive CNA and ADP data translates into actionable security insights for your organization.

Explore dashboardSearch CVEs

On this page

  • What are CNAs?
  • CISA: the Authorized Data Publisher
  • The CVE lifecycle
  • The growing complexity of CVE data
  • How we handle this scale
  • Related reading
Log in