CNA vs Root vs ADP: CVE Program Roles Compared
Last reviewed June 2, 2026
In the CVE Program, a CNA assigns CVE IDs and publishes records within its scope, a Root manages and trains a group of CNAs and allocates blocks of IDs to them, and an ADP (Authorized Data Publisher) enriches existing CVE records without assigning any IDs. MITRE and CISA are the two Top-Level Roots. CISA's Vulnrichment is the main ADP, adding SSVC, CVSS, CWE, and CPE data to published records.
CNA vs Root vs ADP at a glance
| Role | Assigns CVE IDs? | Primary job | Examples |
|---|---|---|---|
| CNA | Yes | Assigns CVE IDs and publishes records within a defined scope. | Microsoft, Google, Red Hat, CERT/CC |
| Root | Yes (and allocates blocks) | Manages and trains a group of CNAs and allocates ID blocks to them. | MITRE, CISA, Red Hat, INCIBE |
| Top-Level Root | Yes (oversees Roots) | Sits at the top of the hierarchy and oversees the Roots beneath it. | MITRE, CISA |
| ADP | No | Enriches existing CVE records with extra data; never assigns IDs. | CISA Vulnrichment |
The CNA: assigns and publishes
A CVE Numbering Authority is the worker bee of the program. It reserves and assigns CVE IDs to vulnerabilities in its scope, writes the descriptions, lists references, and publishes the records. The vast majority of organizations in the program are plain CNAs.
The Root: manages and allocates
A Root is itself a CNA, but with added responsibility: it manages a group of CNAs beneath it, trains and onboards them, resolves disputes, and allocates blocks of CVE IDs for them to draw from. MITRE, CISA, Red Hat, and INCIBE act as Roots.
Two Roots are designated Top-Level Roots and sit at the very top of the hierarchy: MITRE and CISA. They oversee the Roots and set program-wide direction.
The ADP: enriches, never assigns
An Authorized Data Publisher (ADP) is a distinct role. An ADP does not assign CVE IDs and does not own the base record. Instead, it attaches additional data to records that already exist.
CISA's Vulnrichment program is the flagship ADP. It adds enrichment such as SSVC decision points, CVSS scores, CWE weakness mappings, and CPE product identifiers to published CVEs, helping defenders triage without changing the original CNA's record.
How the roles fit together
Think of it as a tree. Top-Level Roots oversee Roots, Roots manage CNAs, and CNAs do the day-to-day assignment and publishing. ADPs sit alongside this structure, layering enrichment onto the records the CNAs produce.
An organization can hold more than one role. Red Hat, for instance, is both a CNA for its own products and a Root for a group of CNAs.
Keep exploring
Frequently asked questions
- What is the difference between a CNA and a Root?
- Both assign CVE IDs, but a Root additionally manages and trains a group of CNAs and allocates ID blocks to them. Every Root is also a CNA.
- Does an ADP assign CVE IDs?
- No. An ADP only enriches existing CVE records with extra data such as CVSS, CWE, CPE, and SSVC. It never assigns new IDs.
- Who are the Top-Level Roots?
- MITRE and CISA are the two Top-Level Roots that sit at the top of the CVE Program hierarchy.
- What is Vulnrichment?
- Vulnrichment is CISA's ADP program. It adds SSVC, CVSS, CWE, and CPE enrichment to published CVE records.
