CNA Rules

All CNAs (CVE Numbering Authorities) are bound to the official CNA Rules. These are defined by MITRE and published online. CNAs are not allowed to ignore or break these rules. Therefore, there is a clear definition what is accepted as a vulnerability and what is eligible for the assignment of a CVE.

If you make a vulnerability submission and we are not able to assign a CVE, you will receive a reason for this rejection.

If you think we are not following the rules properly, please contact our CNA team to discuss your observations. If we do not come to an agreement, you are always able to escalate our matter to our Root-CNA, which is MITRE itself.