FAQ

CVE identifiers are assigned by a U.S. non-profit organization called the MITRE Corporation, which manages the CVE program on behalf of the Cybersecurity and Infrastructure Security Agency (CISA). MITRE does not assign all identifiers itself: it relies on a network of partners known as CNAs (CVE Numbering Authorities).

A CNA can be a software vendor, a security provider, a CERT, or an organization specializing in vulnerabilities. Each CNA is authorized to assign CVE identifiers for vulnerabilities discovered in its own products or scope. This system speeds up the disclosure process while maintaining a centralized structure via MITRE.