CNA

📌 Article pinned by VulDB Support Team

VulDB is an officially certified CVE Numbering Authority (CNA) by MITRE and Authorized Data Publisher (ADP) by NIST NVD. CNAs are organizations which are authorized by the CVE program to assign CVEs to vulnerabilities and disclose CVE records within their own scope of coverage. ADPs are allowed to submit data to enrich CVE records.

Submission Process

You are able to submit a new vulnerability to our database and request a CVE assignment. Please read our submission guidelines for new CVE requests.

Be sure that there is no CVE assigned for your finding and no CVE assignment in process by another CNA. If you have approached another CNA before and received a reply, please include this reply so we may co-ordinate the CVE assignment properly.

Coordination Handling

Our processing of CVE assignment requests is defined by the official CNA Rules and handled like this:

  1. Contact the responsible CNA with the matching scope (if available, usually the vendor).
  2. Ask the responsible CNA for acceptance, reject, or dispute of report.
  3. If the responsible CNA accepts the report, the whole CNA processing is transferred to them. If they reject or dispute the report, we handle further CNA processing.
  4. If a report is eligible for a CVE assignment we will reserve a CVE, attach it to our vulnerability entry, and make it public.

CVE and NVD Feed Availability

As soon as we reserve a CVE, we assign it to an entry and inform the submitter about the associated identifier. The CVE shall then used from then on even though it is officially in the Reserved state. We also push the data to the CVE stream via the CNA API. It might take up to several hours until the entry details are shown on cve.org and nvd.nist.gov. Such processing might be delayed on weekends and holidays. We are not able to speed this up to change the CVE entry to the Published state.

CNA Activity Changes

We are always eager to improve. These are the activity and workflow changes that we have established:

DateChange
2024-05-12Updating all references to align with the new structure of the upcoming CNA Rules 4.0.
2024-04-13Vulnerability list views associated with our work as a CNA show the associated user submission.
2024-04-08Improved vulnerability submission quality analaysis system to provide fair blacklisting due to weak submissions.
2024-01-12Our CVE entries distinguish between identifier (finder), submitter (reporter), and commiter (analyst).
2023-07-05We do now show CVE duplicates of other CNAs to help to better understand connections between CVE entries.
2023-04-29Due to our intensive involvement as a CNA we have extended the main menu to access CVE details that are maintained by us.
2023-04-15Access to all entries that are maintained by us as the responsible CNA are accessible without any restrictions for all users.
2023-01-11Our vulnerability entries contain a clear indicator if they are disputed.
2022-03-26Submissions of new vulnerabilities will automatically handle a CVE assignment and inform the submitter about the CNA decision.
2022-01-28In API 2.30/3.38 multiple fields to reflect our capabilities as a CNA to assign and disclose CVE entries are introduced.
2021-12-22VulDB has been officially approved by the CVE program as a CVE Numbering Authority (CNA).

已更新: 2024-05-26

Interested in the pricing of exploits?

See the underground prices here!