CNA Rules

All CVE Numbering Authorities (CNA) which participate in the CVE Program are bound to the official CNA Operational Rules.

Ruleset

CNA Rules v4.0effective since 2024-08-08
CNA Rules v3.0effective since 2020-03-05
CNA Rules v2.0effective since 2018-01-01
CNA Rules v1.1effective since 2016-09-16
CVE Record Dispute Policy 1.0effective since 2022-09-22

The CNA ruleset is defined by MITRE and published online. CNAs are not allowed to ignore or break these rules. Therefore, there is a clear definition what is accepted as a vulnerability, what is eligible for the assignment of a CVE, how a disclosure has to happen, and how disputes must be resolved.

If somebody approaches a vulnerability submission and we are not able to assign a CVE, you will receive a reason for this CVE Rejection.

If you think we are not following the rules properly, please contact our CNA team to discuss your observations. If we do not come to an agreement, you are always able to escalate our matter to our Root-CNA, which is MITRE itself.

Webinar

Mise à jour: 09/09/2024 par VulDB Documentation Team

Interested in the pricing of exploits?

See the underground prices here!