CNA

VulDB is an officially certified CVE Numbering Authority (CNA) by MITRE and Authorized Data Publisher (ADP) by NIST NVD. CNAs are organizations which are authorized by the CVE program to assign CVEs to vulnerabilities and disclose CVE records within their own scope of coverage. ADPs are allowed to submit data to enrich CVE records.

Submission Process

You are able to submit a new vulnerability to our database and request a CVE assignment. Please read our submission guidelines for new CVE requests.

Be sure that there is no CVE assigned for your finding and no CVE assignment in process by another CNA. If you have approached another CNA before and received a reply, please include this reply so we may co-ordinate the CVE assignment properly.

Coordination Handling

Our processing of CVE assignment requests is defined by the official CNA Rules and handled like this:

1. Contact the responsible CNA with the matching scope (if available, usually the vendor).
2. Ask the responsible CNA for acceptance, reject, or dispute of report.
3. If the responsible CNA accepts the report, the whole CNA processing is transferred to them. If they reject or dispute the report, we handle further CNA processing.
4. If a report is eligible for a CVE assignment we will reserve a CVE, attach it to our vulnerability entry, and make it public.

CVE and NVD Feed Availability

As soon as we reserve a CVE, we assign it to an entry and inform the submitter about the associated identifier. The CVE shall then used from then on even though it is officially in the Reserved state. We also push the data to the CVE stream via the CNA API. It might take up to several hours until the entry details are shown on cve.org and nvd.nist.gov. Such processing might be delayed on weekends and holidays. We are not able to speed this up to change the CVE entry to the Published state.