
What is a CNA (CVE Numbering Authority)?

Last reviewed June 2, 2026

A CNA (CVE Numbering Authority) is an organization authorized by the CVE Program to assign CVE IDs (identifiers of the form CVE-YYYY-NNNNN) and publish CVE records for vulnerabilities within an agreed scope. CNAs include software vendors such as Microsoft, Google, and Red Hat, as well as open-source projects and third-party coordinators. This federated model lets the organizations closest to a product handle its vulnerabilities, rather than routing every request through MITRE, which operates the program as its Secretariat.

CNA in one sentence

A CVE Numbering Authority (CNA) is an organization that the CVE Program has authorized to assign CVE IDs from a pool and to publish the corresponding CVE records, all within a defined scope.

Scope is usually a product line or technology area. Microsoft is a CNA for Microsoft products, the Linux kernel project is a CNA for the kernel itself, and coordinator CNAs such as CERT/CC cover vulnerabilities that no vendor CNA claims; MITRE acts as the CNA of Last Resort when nothing else applies. Each CNA's scope is published in the partner list on cve.org, so a researcher should check it before deciding whom to ask for an ID: a request sent to the wrong CNA is simply redirected, which costs time during a disclosure window.

What a CNA does

  • Reserves CVE IDs in advance and assigns them to vulnerabilities within its scope. A reserved ID carries no public details until the record is published, so an ID quoted in a private disclosure thread will not yet resolve on cve.org.
  • Writes and publishes the CVE record: the description, the affected products and versions, and references such as the vendor advisory and the fix.
  • Coordinates disclosure timing with researchers and downstream consumers so the record, the advisory, and the patch appear together.
  • Maintains the record over time as new information arrives, for example adding newly confirmed affected versions, and marks it REJECTED if the issue turns out to be a duplicate or not a vulnerability.

Why the model is federated

A single central body could never keep up with the global volume of disclosed vulnerabilities. By delegating assignment to hundreds of CNAs, the CVE Program pushes the work to the organizations with the most context about each product.

A vendor that maintains its own software knows its codebase, its versions, and its patch process better than any outside party, so it can write a more accurate record faster.

Kinds of CNAs

Most CNAs are vendors covering their own products. Others are open-source projects, bug bounty platforms, or research organizations. A special class of coordinator CNAs handles vulnerabilities in products whose vendor is not itself a CNA, or that span multiple vendors.

Above the rank-and-file CNAs sit Roots and Top-Level Roots, which recruit, train and govern groups of CNAs and allocate blocks of CVE IDs to them; MITRE and CISA are the Top-Level Roots. A separate role, the Authorized Data Publisher (ADP), enriches existing records without assigning IDs, for example by adding CVSS scores, CWE classifications or exploitation status to a record the CNA has already published.


Frequently asked questions

What does CNA stand for?
CNA stands for CVE Numbering Authority -- an organization authorized to assign CVE IDs and publish CVE records within its scope.
Can any company become a CNA?
An organization can apply to the CVE Program and, once it meets the requirements and agrees to the rules, be onboarded as a CNA under a Root.
What is a CNA's scope?
Scope defines which vulnerabilities a CNA may assign IDs for, typically a specific set of products or a technology area.
How is a CNA different from a Root or ADP?
A CNA assigns IDs and publishes records within its scope, a Root recruits, trains and governs groups of CNAs and allocates ID blocks to them, and an ADP enriches records that a CNA has already published without assigning IDs of its own.