CNA

VulDB is an officially certified CVE Numbering Authority (CNA) by MITRE and Authorized Data Publisher (ADP) by NIST NVD. CNAs are organizations which are authorized by the CVE program to assign CVEs to vulnerabilities and disclose CVE records within their own scope of coverage. ADPs are allowed to submit data to enrich CVE records.

Submission Process

You are able to submit a new vulnerability to our database and request a CVE assignment. Please read our submission guidelines for new CVE requests.

Be sure that there is no CVE assigned for your finding and no CVE assignment in process by another CNA. If you have approached another CNA before and received a reply, please include this reply so we may co-ordinate the CVE assignment properly.

Coordination Handling

Our processing of CVE assignment requests is defined by the official CNA Rules and handled like this:

  1. Contact the responsible CNA with the matching scope (if available, usually the vendor).
  2. Ask the responsible CNA for acceptance, rejection, or dispute of the report.
  3. If the responsible CNA accepts the report, the whole CNA processing is transferred to them. If they reject or dispute the report, we handle further CNA processing.
  4. If a report is eligible for a CVE assignment we will reserve a CVE, attach it to our vulnerability entry, and make it public.

CVE and NVD Feed Availability

As soon as we reserve a CVE, we assign it to an entry and inform the submitter about the associated identifier. The CVE shall be used from then on, even though it is officially still in the Reserved state. We also push the data to the CVE stream via the CNA API. It might take up to several hours until the entry details are shown on cve.org and nvd.nist.gov. Such processing might be delayed on weekends and holidays. We are not able to speed up the change of the CVE entry to the Published state.

CNA Activity Changes

We are always eager to improve. These are the activity and workflow changes that we have established:

Date        Change
2024-05-12  Updating all references to align with the new structure of the upcoming CNA Rules 4.0.
2024-04-13  Vulnerability list views associated with our work as a CNA show the associated user submission.
2024-04-08  Improved vulnerability submission quality analysis system to provide fair blacklisting due to weak submissions.
2024-01-12  Our CVE entries distinguish between identifier (finder), submitter (reporter), and committer (analyst).
2023-07-05  We now show CVE duplicates of other CNAs to help better understand connections between CVE entries.
2023-04-29  Due to our intensive involvement as a CNA, we have extended the main menu to access CVE details that are maintained by us.
2023-04-15  All entries that we maintain as the responsible CNA are accessible without any restrictions for all users.
2023-01-11  Our vulnerability entries contain a clear indicator if they are disputed.
2022-03-26  Submissions of new vulnerabilities will automatically handle a CVE assignment and inform the submitter about the CNA decision.
2022-01-28  API 2.30/3.38 introduces multiple fields that reflect our capabilities as a CNA to assign and disclose CVE entries.
2021-12-22  VulDB has been officially approved by the CVE program as a CVE Numbering Authority (CNA).
