Understanding Our CVE Data Sources
Learn about CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) that power our vulnerability intelligence platform.
What are CVE Numbering Authorities (CNAs)?
CVE Numbering Authorities (CNAs) are organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities affecting products within their distinct scope. Think of them as the official "vulnerability reporters" for specific technology areas, vendors, or product categories.
Key CNA Responsibilities
CNAs assign unique CVE IDs to vulnerabilities in their scope and publish detailed CVE records with technical information. They coordinate with researchers and vendors on disclosure while maintaining accuracy and timeliness of vulnerability data.
Types of CNAs
There are four main types of CNAs, each serving different roles in the vulnerability ecosystem. Vendor CNAs like Microsoft and Apple handle their own products, while research CNAs discover vulnerabilities across multiple vendors.
Coordinator CNAs manage complex multi-vendor issues, and government CNAs focus on critical infrastructure vulnerabilities.
Top 5 Most Active CNAs
CVE assignments by organization (all-time totals)
CISA: The Authorized Data Publisher (ADP)
The Cybersecurity and Infrastructure Security Agency (CISA) serves a unique role as the sole Authorized Data Publisher (ADP) in the CVE ecosystem.
Only ADP Status
CISA is currently the sole organization with Authorized Data Publisher status, giving it unique authority to enhance CVE records.
Data Enhancement
While CNAs provide basic details, CISA adds CVSS scores, exploitation status, and comprehensive threat intelligence.
KEV Catalog
CISA maintains the authoritative Known Exploited Vulnerabilities catalog, providing critical context for active threats.
How CISA Functions Differently
While CNAs assign CVE IDs and create initial records, CISA enhances existing CVE records with additional data and government perspective. CNAs focus on specific products within their authority, but CISA covers all CVEs affecting US critical infrastructure.
This dual approach ensures vulnerabilities get both technical accuracy from domain experts and strategic context from national cybersecurity leadership.
CVE Lifecycle Process
CNA Assigns CVE
Organization assigns unique CVE ID to discovered vulnerability
Initial Publication
Basic vulnerability details published to CVE database
CISA Analysis
Government analysis adds threat context and priority
Enhanced Record
Complete record with CVSS scores and KEV status
Timeline: Hours to weeks depending on vulnerability complexity and threat level
The Growing Complexity of CVE Management
The vulnerability landscape shows not just growth in new CVEs, but an explosion in ongoing updates to existing records, with 2024 seeing over 108,000 updates.
The Update Story Behind the Numbers
While new CVE publications have grown steadily to over 40,000 in 2024, the real story is in the updates. With 108,933 updates in 2024 compared to just 40,274 new publications, we see a critical trend: existing vulnerabilities require constant maintenance and refinement.
This 2.7:1 ratio of updates to new publications reflects the maturing CVE ecosystem. CNAs and CISA continuously enhance records with better CVSS scores, exploit information, affected version details, and remediation guidance. A single CVE might be updated dozens of times as more information becomes available.
The gap became most pronounced starting in 2019, when update activity began significantly outpacing new publications. This indicates the ecosystem's shift from simply cataloging vulnerabilities to actively maintaining and improving the quality of vulnerability intelligence.
The 2022-2024 period shows explosive growth in both metrics, with updates growing even faster than new publications, creating an unprecedented volume of vulnerability intelligence changes to track and process.
What This Means for Security Teams
Managing 100,000+ annual updates plus 40,000+ new CVEs makes manual vulnerability management impossible. Organizations need platforms that can process both new threats and evolving intelligence about existing vulnerabilities in real-time.
CVE Published vs Updated Per Year
Annual CVE publications and updates showing rapid growth and increasing maintenance activity
How We Handle This Scale
Real-time Processing
Our systems continuously monitor all 300+ CNAs and CISA updates, processing hundreds of thousands of changes in real-time.
Smart Prioritization
AI algorithms analyze threat patterns to surface the vulnerabilities that actually pose risk to your specific infrastructure.
Quality Validation
Every update is validated for accuracy and cross-referenced with multiple authoritative sources before reaching you.
Ready to Leverage This Intelligence?
Explore our platform to see how comprehensive CNA and ADP data translates into actionable security insights for your organization.