
In today’s digital world, the necessity to secure valuable data and information is more important than ever. As more businesses and individuals rely on technological advancements, the risks associated with vulnerabilities within systems and applications increase. To address these risks, it’s crucial to be aware of publicly disclosed security vulnerabilities that may affect your systems or software. This knowledge allows organizations and individuals to be proactive in protecting their digital assets and ensuring overall security.

One way to stay informed about these security vulnerabilities is through vulnerability databases. These databases serve as comprehensive resources that catalog publicly disclosed cybersecurity vulnerabilities in a standardized format, making it easier for individuals and professionals to search, use, and incorporate the information into their security measures. With a wide range of databases available, it’s essential to identify the most powerful and reputable ones to assist you in staying up-to-date with the latest vulnerabilities and securing your systems against potential threats.

In this article, we explore six powerful vulnerability databases that provide valuable information on publicly disclosed security vulnerabilities. These databases cater to a wide range of users, from security experts to general IT professionals, ensuring comprehensive coverage of the most relevant and up-to-date security vulnerabilities.

But before we get to the list of vulnerability databases, let’s cover a few background topics. Reading them is not mandatory, but they are useful for anyone who wants a comprehensive picture of vulnerability management and vulnerability databases.

In this comprehensive blog post, we will cover the following topics:

  • What are security vulnerabilities and how they are tracked
  • Understanding CVE IDs, CVSS scoring system, and vectors
  • Introduction to CVE Numbering Authorities (CNAs)
  • Where to search publicly disclosed vulnerabilities
  • List of powerful vulnerability databases

What Are Security Vulnerabilities, and How Are They Tracked?

Security vulnerabilities are flaws or weaknesses in software code or system configurations that can be exploited by attackers to gain unauthorized access to a system or network. Once inside, attackers can leverage authorizations and privileges to compromise systems and assets. Vulnerabilities can be found in IT, network, cloud, web, and mobile application systems.

Some examples of vulnerabilities include:

  • Buffer overflows
  • SQL injection flaws
  • Cross-site scripting bugs
  • Default or weak passwords
  • Race conditions

Vulnerabilities are tracked and documented in databases so that affected vendors, manufacturers, and users are aware of the issue and can take action to remediate or mitigate the vulnerability.

Common practices for vulnerability tracking include:

  • Reporting: Security researchers and users submit newly discovered vulnerabilities to vendors, CERTs, or public vulnerability databases.
  • Assignment of CVE ID: Once a vulnerability report is verified, it is assigned a CVE ID (Common Vulnerabilities and Exposures) for unique identification.
  • Publication: Details of the vulnerability are publicly documented in databases such as the National Vulnerability Database (NVD).
  • Severity analysis: The vulnerability severity is scored using the Common Vulnerability Scoring System (CVSS).
  • Remediation tracking: The fix status of the vulnerability is updated over time.

Thorough vulnerability tracking and robust databases allow the security community to assess the risk posed by flaws and prioritize remediation efforts.

The Vulnerability Management team plays a crucial role in identifying, analyzing, assessing, reporting, and mitigating security vulnerabilities before attackers can exploit them. Collected or reported vulnerabilities are assigned a CVE ID and recorded in one or more databases; this is how the concept of the vulnerability database began. Before we go further, let’s understand a few more concepts: the CVE ID, the CVSS scoring system, and CVSS vectors.

Understand CVE ID, CVSS Scoring System, And Vectors of CVSS

When dealing with publicly disclosed security vulnerabilities, it is essential to understand the Common Vulnerabilities and Exposures (CVE) identification, the Common Vulnerability Scoring System (CVSS), and the CVSS vectors. This understanding helps you evaluate the severity of vulnerabilities and prioritize your response.

CVE ID

CVE stands for Common Vulnerabilities and Exposures. It is a unique ID assigned to identify each publicly known security vulnerability.

The CVE ID consists of the following format:

CVE-YYYY-NNNNN

Where:

  • CVE – Constant identifier showing this is a CVE ID
  • YYYY – The year the CVE ID was assigned
  • NNNNN – A unique 5-digit number to identify the specific vulnerability

For example, CVE-2019-19781 was assigned in 2019 and has a unique 5-digit ID of 19781.

Once a vulnerability has been publicly documented and verified, it is added to the CVE master list, formally known as Vulnerability Database. The CVE ID helps to eliminate confusion by allowing all parties to refer to vulnerabilities in a standardized manner.

CVSS Scoring System

The Common Vulnerability Scoring System (CVSS) is an open framework used to quantify the severity of IT vulnerabilities. CVSS assigns a numeric score ranging from 0 to 10 to vulnerabilities, with 10 being the most severe.

The CVSS score represents the ease and impact of exploitation. The metrics used to calculate the score are divided into three metric groups:

Base – Represents the intrinsic characteristics of a vulnerability that do not change over time or user environments. This consists of:

  • Attack Vector (AV) – How the vulnerability can be exploited e.g. network, adjacent, local, physical.
  • Attack Complexity (AC) – The complexity of the attack required to exploit the vulnerability.
  • Privileges Required (PR) – The level of privileges required for an attacker to exploit the flaw.
  • User Interaction (UI) – If user interaction is required to exploit the vulnerability.
  • Scope (S) – If a vulnerability in one component impacts resources beyond its security scope.
  • Confidentiality (C), Integrity (I), Availability (A) Impact – The impact on confidentiality, integrity and availability if the vulnerability is exploited.

Temporal – Represents the characteristics of a vulnerability that may change over time but not user environments. This consists of:

  • Exploit Code Maturity (E) – Reflects the maturity of available exploit code.
  • Remediation Level (RL) – Represents the degree to which a vulnerability can be mitigated through fixes, patches, upgrades, etc.
  • Report Confidence (RC) – Reflects the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.

Environmental – Represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. This consists of:

  • Collateral Damage Potential (CDP) – The potential for loss of data assets, productivity or revenue if a vulnerability is exploited.
  • Target Distribution (TD) – The number of vulnerable systems that exist in the wild.
  • Security Requirements (CR, IR, AR) – The security requirements for confidentiality, integrity and availability in the user environment.

Using these metrics, CVSS applies a complex calculation to determine the final vulnerability severity score.

Vectors of CVSS

CVSS vectors are a standardized text representation of the metrics used to score a vulnerability.

The vector string contains each metric acronym, followed by the assigned value. For example:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This vector shows:

  • CVSS version 3.1
  • Attack vector is Network (N)
  • Attack complexity is Low (L)
  • No privileges required (N)
  • No user interaction (N)
  • The scope is Unchanged (U)
  • High impact scores for confidentiality, integrity, availability (H)

The vector highlights the key metrics used to calculate the overall CVSS score for a vulnerability. It provides an easy way for humans to understand the rating factors at a glance.

A Short Introduction to CVE Numbering Authority (CNA)

The next question is: who assigns CVE IDs to vulnerabilities and adds them to the database? The answer is the CVE Numbering Authority (CNA). CNAs are organizations that have been authorized by the CVE Program to assign CVE identifiers to vulnerabilities affecting products within their agreed-upon scope. These organizations play a crucial role in ensuring that newly discovered vulnerabilities are assigned unique identifiers and properly documented for the public.

A CNA is responsible for establishing the scope of its authority, determining whether a vulnerability falls within this scope, and assigning a unique CVE identifier to the vulnerability before its first public announcement. The CNA’s domain of authority can be specific to its own products or cover a broader range of products and vulnerabilities under its scope. Cooperation between CNAs ensures consistency and accuracy in the enumeration and documentation of vulnerabilities.

The CNA Rules provide guidelines for the assignment and management of CVE identifiers by CNAs. These rules outline the responsibilities and requirements for CNAs, including scope definition, vulnerability discovery and reporting, and proper documentation of vulnerabilities in the CVE List.

There are distinct levels in the CNA hierarchy: Root, Top-Level Root, CNA of Last Resort (CNA-LR), and Sub-CNAs. The most common and basic level of CNA is the Sub-CNA, which assigns CVE identifiers to vulnerabilities specifically within their domain of responsibility. CNAs work together with other CNAs, higher-level CNAs, and the CVE Program to maintain an efficient and streamlined CVE assignment process.

The role of CNAs includes:

  • Receiving vulnerability reports from researchers, vendors, etc.
  • Verifying reports and ensuring they represent distinct vulnerabilities warranting a CVE ID.
  • Assigning a CVE ID from their unique block.
  • Notifying the vulnerability submitter about the assigned CVE ID.
  • Publishing CVE details to databases like NVD, their own security advisories, etc.
  • Updating CVE information and notifying affected parties as more details become available.

CNAs are a vital part of the CVE ecosystem. They enable coordinated, reliable assignment of IDs across the rapidly evolving threat landscape. Currently, there are 307 CNAs (305 CNAs and 2 CNA-LRs) from 36 countries participating in the CVE Program.

CNA Partners By Country

[Figure: CNA Partners By Country (Source: cve.org)]

Where do You Search for Publicly Disclosed Security Vulnerabilities?

There are several reputable databases that can be utilized to search for publicly disclosed security vulnerabilities. One of the most notable is the CVE List, a comprehensive catalog of publicly disclosed cybersecurity vulnerabilities managed by the CVE Numbering Authorities (CNAs). The CVE List is free to search, use, and incorporate into products and services. Organizations and security professionals rely on these resources to find details of known weaknesses impacting the products or technologies present in their environment.

Some places where publicly disclosed vulnerabilities can be searched include:

  • National Vulnerability Database (NVD) – Extensive CVE vulnerability database maintained by NIST, based on CVE List feed. Integrates with CVSS and CPE.
  • MITRE CVE List – Comprehensive list of CVE Records provided by MITRE.
  • US-CERT Vulnerability Notes Database – Contains disclosure records published by CISA.
  • Vulnerability search on vendor/manufacturer websites – Companies like Microsoft, Adobe, Cisco etc. provide vulnerability search capabilities on their own websites. Useful for product-specific flaws.
  • Vulnerability databases – Resources like VulnDB, Vulners, Secunia Research Community etc. provide CVE vulnerability data. Some integrate exploit and patch info.
  • Bug bounty platforms – Bugcrowd, HackerOne, etc. include limited vulnerability details disclosed through their bug bounty programs.
  • Git repositories – Many security tools and projects provide vulnerability data in Git repositories that can be searched.
  • Exploit databases – Sites like Exploit-DB contain proof-of-concept exploits that can reveal related vulnerabilities.
  • Search engines – Google hacking for specific keywords can reveal security advisories and vulnerability reports.

This list provides a starting point on where security practitioners can search for vulnerability data pertinent to the systems and software relevant to their organization.

List of Powerful Vulnerability Databases

Now, it’s time to take a deeper look at some of the most comprehensive and widely used public vulnerability databases that can be leveraged to streamline vulnerability management programs.

cve.org

CVE (Common Vulnerabilities and Exposures) is an international, community-driven security vulnerability database, maintained by the MITRE Corporation and funded by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security.

The website cve.org serves as a public platform that allows users to freely search, use, and incorporate information into their products and services. Each CVE Identifier, or CVE ID, includes a description of the vulnerability or exposure and reference information from vulnerability reports and advisories. It’s important to note that the CVE system does not include risk, impact, fix, or other technical information, and it does not provide vulnerability management or vulnerability assessment capabilities. Rather, it is a key component that these types of capabilities can leverage.

Mitre (cve.mitre.org)

Mitre.org is a well-known organization that manages numerous cybersecurity initiatives, including the CVE Program. Established in 1999, the CVE Program aims to identify, define, and catalog publicly disclosed security vulnerabilities in a standardized manner. This helps security professionals, organizations, and developers effectively address and manage vulnerabilities across their systems.

Mitre.org is responsible for the distribution and maintenance of the Common Vulnerabilities and Exposures (CVE) database. The CVE database contains a comprehensive list of vulnerabilities identified by both experts and the cybersecurity community. Mitre.org ensures that every vulnerability listed in the CVE database receives a unique identifier, which makes it easier for practitioners to reference and search for specific vulnerabilities.

One of the strengths of Mitre.org’s CVE Program is its ability to integrate with other cybersecurity services and tools. This helps organizations streamline their vulnerability management processes and make informed security decisions based on accurate and up-to-date information.

For users wishing to download the CVE database, Mitre.org provides it in JSON format. To access the database, users can visit the CVE website’s download page and download the desired data file. The availability of the CVE database in JSON format enables researchers and security professionals to easily parse the information and integrate it with their analytical tools and systems.
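What “parse the JSON and integrate it” looks like in practice, as an added example (not the article’s or MITRE’s code): it reads records shaped like CVE JSON 5.0 records (a cveMetadata block plus containers.cna with descriptions, affected, metrics and references; this layout is an assumption about the download format), skips REJECTED records, matches affected vendor/product/version against an assumed asset inventory, and ranks hits by CVSS base score while keeping unscored records visible. Every record, ID, vendor, product and URL below is constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Constructed sample records laid out like CVE JSON 5.0 records (cveMetadata plus
# containers.cna). Every ID, vendor, product, version, URL and description is
# invented for this example and describes no real vulnerability.
SAMPLE_RECORDS_JSON = json.dumps([
    {"dataType": "CVE_RECORD", "dataVersion": "5.0",
     "cveMetadata": {"cveId": "CVE-2024-00001", "state": "PUBLISHED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "Path traversal in ExampleGateway web UI."}],
         "affected": [{"vendor": "ExampleVendor", "product": "ExampleGateway",
                       "versions": [{"version": "12.0", "status": "affected"},
                                    {"version": "13.0", "status": "unaffected"}]}],
         "metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL",
                                   "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
         "references": [{"url": "https://example.invalid/advisory-1"}]}}},
    # As the CVE List itself publishes records: no CVSS metrics (NVD adds those later).
    {"dataType": "CVE_RECORD", "dataVersion": "5.0",
     "cveMetadata": {"cveId": "CVE-2024-00002", "state": "PUBLISHED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "Weak default password in ExampleCam firmware."}],
         "affected": [{"vendor": "ExampleVendor", "product": "ExampleCam",
                       "versions": [{"version": "2.1", "status": "affected"}]}],
         "references": [{"url": "https://example.invalid/advisory-2"}]}}},
    # A rejected record: still present in the download but must not drive triage.
    {"dataType": "CVE_RECORD", "dataVersion": "5.0",
     "cveMetadata": {"cveId": "CVE-2024-00003", "state": "REJECTED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "** REJECT ** Duplicate of another record."}],
         "affected": [{"vendor": "ExampleVendor", "product": "ExampleGateway",
                       "versions": [{"version": "12.0", "status": "affected"}]}]}}},
    # A record for a product the example inventory does not contain.
    {"dataType": "CVE_RECORD", "dataVersion": "5.0",
     "cveMetadata": {"cveId": "CVE-2024-00004", "state": "PUBLISHED"},
     "containers": {"cna": {
         "descriptions": [{"lang": "en", "value": "SQL injection in OtherVendor Portal."}],
         "affected": [{"vendor": "OtherVendor", "product": "Portal",
                       "versions": [{"version": "1.0", "status": "affected"}]}],
         "metrics": [{"cvssV3_1": {"baseScore": 8.8, "baseSeverity": "HIGH",
                                   "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}]}}},
])

# Assumed asset inventory of the organisation: (vendor, product, installed version).
INVENTORY = [("ExampleVendor", "ExampleGateway", "12.0"), ("ExampleVendor", "ExampleCam", "2.1")]


@dataclass
class CveSummary:
    cve_id: str
    state: str
    description: str
    base_score: float | None          # None when the record carries no CVSS metrics
    severity: str | None
    vector: str | None
    affected: list[tuple[str, str, str]] = field(default_factory=list)
    references: list[str] = field(default_factory=list)


def parse_record(rec: dict) -> CveSummary:
    """Extract the fields a triage pipeline needs from one CVE JSON 5.0 record."""
    meta = rec["cveMetadata"]
    cna = rec.get("containers", {}).get("cna", {})
    desc = next((d["value"] for d in cna.get("descriptions", [])
                 if d.get("lang", "").lower().startswith("en")), "")
    score = sev = vec = None
    for m in cna.get("metrics", []):           # take the first CVSS v3.1 block, if any
        if "cvssV3_1" in m:
            c = m["cvssV3_1"]
            score, sev, vec = c.get("baseScore"), c.get("baseSeverity"), c.get("vectorString")
            break
    affected = [(a.get("vendor", ""), a.get("product", ""), v.get("version", ""))
                for a in cna.get("affected", [])
                for v in a.get("versions", []) if v.get("status") == "affected"]
    refs = [r["url"] for r in cna.get("references", []) if "url" in r]
    return CveSummary(meta["cveId"], meta.get("state", ""), desc, score, sev, vec, affected, refs)


def match_inventory(records_json: str, inventory) -> list[CveSummary]:
    """Return PUBLISHED records whose affected (vendor, product, version) is in the
    inventory, highest CVSS first. Unscored records sort last but are kept: a missing
    score means 'not yet rated', never 'no risk'."""
    wanted = {(v.lower(), p.lower(), ver) for v, p, ver in inventory}
    hits = []
    for rec in json.loads(records_json):
        s = parse_record(rec)
        if s.state != "PUBLISHED":
            continue
        if any((v.lower(), p.lower(), ver) in wanted for v, p, ver in s.affected):
            hits.append(s)
    hits.sort(key=lambda s: (s.base_score is None, -(s.base_score or 0.0)))
    return hits


if __name__ == "__main__":
    for s in match_inventory(SAMPLE_RECORDS_JSON, INVENTORY):
        print(f"{s.cve_id} {s.severity or 'UNSCORED':9} {s.base_score} {s.description}")
```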

In conclusion, Mitre.org plays a vital role in managing the CVE Program and maintaining the CVE database. Its commitment to standardizing vulnerability information and providing seamless integration capabilities makes it a valuable resource for cybersecurity professionals and organizations.

National Vulnerability Database

The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data. This data includes security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. Operated by the National Institute of Standards and Technology (NIST), the NVD uses the Common Vulnerabilities and Exposures (CVE) system for its vulnerability identifiers.

While the CVE system provides a baseline for identifying vulnerabilities, the NVD goes a step further by providing more detailed vulnerability information, including severity scores, impact metrics, and enhanced data to support vulnerability management.

For each vulnerability listed in the database, the NVD includes the vulnerability’s description, published and modified dates, references, and the vulnerability’s severity score as measured by the Common Vulnerability Scoring System (CVSS). The NVD’s website provides users with the ability to search this database for information on specific vulnerabilities.

The NVD is a critical resource for organizations that want to protect their systems from known vulnerabilities. It allows security researchers, system administrators, and others to understand the nature of potential threats to their systems and to prioritize their actions based on the severity and potential impact of the vulnerabilities.

VulnDB

VulnDB is a vulnerability database that provides comprehensive information on known security vulnerabilities in software products. It is one of the most important sources for people responsible for vulnerability handling, vulnerability management, exploit analysis, cyber threat intelligence, and incident response.

VulnDB was originally created in 2002 by a group of security researchers who wanted to provide a central repository for information on security vulnerabilities. The database was originally called the Open Source Vulnerability Database (OSVDB), and it was maintained by the Open Security Foundation (OSF). In 2016, the OSF closed down, and VulnDB was acquired by Flashpoint.

It was built with the goal of providing the most timely and accurate vulnerability intelligence available. The database includes information on each vulnerability’s technical details, mitigation strategies, exploit information, and links to original advisories, as well as a wealth of other relevant information that cybersecurity professionals can use to protect their systems.

It covers an extensive range of security vulnerabilities, including many not found in the CVE (Common Vulnerabilities and Exposures) database. This makes VulnDB the largest and most comprehensive vulnerability database in the industry. Its creators had a clear vision: to help organizations better understand their security risks and prioritize their response strategies accordingly.

One of the key features of VulnDB is its easy-to-use SaaS portal and RESTful API, allowing for seamless integration with GRC (Governance, Risk Management, and Compliance) tools, ticketing systems, and other third-party services. This flexibility lets organizations efficiently access and use the vulnerability data VulnDB provides.

VulnDB’s offerings go beyond just providing vulnerability information. The database is frequently updated and enriched with additional details, such as verified fixes, suggested solutions, and relevant chatter from social media platforms like Twitter. This extra context allows security professionals to better understand the potential impact of a vulnerability and implement the most suitable remediation strategies.

Security Database

Security Database is a prominent platform established to provide comprehensive information on publicly disclosed security vulnerabilities. As the largest vulnerability database in Europe, it has had a significant impact on the cybersecurity landscape, offering a wealth of resources for security professionals to draw upon, with a consistent focus on presenting accurate and relevant data in a clear and neutral manner.

This extensive database not only offers a vast repository of vulnerability information but also provides users with numerous additional services. One notable feature is its Application Programming Interface (API), which enables seamless integration of its data with various third-party tools and software. This allows users to access up-to-date vulnerability information in real time, ensuring they remain informed and protected from potential threats.

In addition to its primary function as a vulnerability database, Security Database offers various supplementary resources, including security research papers, exploit databases, and details on upcoming security-related events. These offerings contribute to the platform’s value as a one-stop solution for cybersecurity experts, enabling them to stay current on critical industry developments.

VulDB

VulDB is the world’s leading vulnerability database, with over 235,000 entries. It was founded in 1998 and is now owned by pyxyp inc. VulDB provides comprehensive information on security vulnerabilities, including their technical details, exploit availability, and impact. It is a valuable resource for vulnerability management, exploit analysis, cyber threat intelligence, and incident response.

The moderation team at VulDB actively monitors numerous sources 24/7 for information about new or existing vulnerabilities. Once a new vulnerability is identified, the team gathers additional data from various sources and creates a detailed VulDB entry, which is then made available to customers through the website and API.

One of the key features of VulDB is its ability to seamlessly integrate with third-party services, such as GRC tools and ticketing systems. This is achieved through its RESTful API, which enables easy access to vulnerability information, allowing organizations to quickly identify and respond to potential security risks.

Which Vulnerability Database is Perfect for You?

Every service offers distinct features. The CVE project and Mitre are authorized bodies whose primary responsibility is to assign CVE IDs to identified vulnerabilities. NVD’s task is to evaluate these CVE-assigned vulnerabilities and provide severity and CVSS scores along with vector details. Other CNA authorities like VulnDB, Security Database, and VulDB offer more precise research information such as descriptions, technical details, and affected software, hardware, and services, including version information. They also provide exploitation proof-of-concept (PoC) details and fix/mitigation information. The choice of a vulnerability database depends on the level of information you require.

Below is a basic comparison table for these entities based on key parameters. Keep in mind that this table provides a high-level overview, and the actual specifics may vary depending on different use cases, user requirements, and other factors. Some of these databases may offer more specific features, tools, or data through a subscription or specific partnership agreement.

Parameter | CVE.org | National Vulnerability Database | MITRE.org | VulnDB | Security Database | VulDB
Operated By | MITRE Corp | NIST | MITRE Corp | Risk Based Security | Varies | Scip AG
Information Provided | Vulnerability identifiers | Vulnerability details, metrics, and checklists | Research, projects, and CVE system | Detailed vulnerability info, mitigation strategies, exploit info | Generally provides vulnerability info (specifics can vary) | Detailed vulnerability info, references, affected software versions
Free Access | Yes | Yes | Yes | Limited free access, subscription for more data | Varies | Limited free access, subscription for more data
Scope | Global | Primarily U.S. focused | Global | Global | Varies | Global
Update Frequency | Regularly | Regularly | Regularly | Regularly | Varies | Regularly
API Support | No | Yes | No | Yes (with subscription) | Varies | Yes (with subscription)

Conclusion

Public vulnerability databases are invaluable resources that allow organizations to search for and analyze known security flaws impacting the myriad technologies they rely upon.

In this post, we looked at various facets of tracking vulnerabilities using CVE IDs, CVSS scoring, and CNAs. We also covered the leading vulnerability data repositories like NVD, VulnDB, VulDB, and more that security teams can leverage to power risk management programs.

Here are some key takeaways:

  • CVE IDs offer standardized naming for vulnerabilities. CVSS scores quantify severity. CNAs coordinate CVE assignments.
  • The National Vulnerability Database provides extensive CVE listings with CVSS scoring.
  • The MITRE CVE List is the authoritative source of CVE data.
  • Vulnerability intelligence databases like VulnDB, VulDB, and others enhance CVE data with critical context.
  • Options like Security Database and CERT.org provide downloadable vulnerability data dumps.
  • Vendor databases and Git repositories also offer valuable vulnerability data.

With cyber threats increasing, organizations must proactively monitor disclosure channels to detect new vulnerabilities in their environment and prioritize remediation. Public vulnerability databases combined with internal threat intelligence provide the comprehensive visibility needed to continuously improve organizational risk posture.

List of 307 CVE Numbering Authority (CNA)

Partner | Scope | Program Role | Organization Type | Country*
42Gears Mobility Systems Pvt Ltd | 42Gears branded products and technologies only | CNA | Vendor | India
Absolute Software | Absolute issues only | CNA | Vendor | USA
Acronis International GmbH | All Acronis products, including Acronis Cyber Protect, Acronis Cyber Protect Home Office, Acronis DeviceLock DLP, and Acronis Snap Deploy | CNA | Vendor | Switzerland
Adobe Systems Incorporated | Adobe issues only | CNA | Vendor | USA
Advanced Micro Devices Inc. | AMD branded products and technologies only | CNA | Vendor | USA
Airbus | All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope | CNA | Vendor, Researcher | Netherlands
Alias Robotics S.L. | All Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware), as well as machine tool and machine tool components, discovered by Alias Robotics that are not in another CNA’s scope | CNA | Vendor, Researcher | Spain
Alibaba, Inc. | Projects listed on its Alibaba GitHub website only | CNA | Vendor, Open Source | China
AMI | Vulnerabilities that affect AMI firmware and software products | CNA | Open Source, Vendor | USA
Ampere Computing | Ampere issues only | CNA | Vendor | USA
Android (associated with Google Inc. or Open Handset Alliance) | Android issues, as well as vulnerabilities in third-party software discovered by Android that are not in another CNA’s scope | CNA | Vendor, Open Source, Researcher | USA
Apache Software Foundation | All Apache Software Foundation issues only | CNA | Vendor, Open Source | USA
AppCheck Ltd. | Vulnerabilities discovered by AppCheck that are not within another CNA’s scope | CNA | Researcher | UK
Apple Inc. | Apple issues only | CNA | Vendor | USA
Arista Networks, Inc. | All Arista products only | CNA | Vendor | USA
Arm Limited | Arm-branded products and technologies and Arm-managed open source projects | CNA | Open Source, Vendor | UK
Artica PFMS | Pandora FMS, Integria IMS, and eHorus issues only | CNA | Vendor | Spain
Asea Brown Boveri Ltd. (ABB) | ABB issues only | CNA | Vendor | Switzerland
ASUSTOR, Inc. | ASUSTOR issues only | CNA | Vendor | Taiwan
Atlassian | All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/ and https://github.com/atlassian/ | CNA | Vendor, Open Source | Australia
Austin Hackers Anonymous | Vulnerabilities in the AHA! website and other AHA! controlled assets, as well as vulnerabilities identified in assets owned, operated, or maintained by another organization unless covered by the scope of another CNA | CNA | Researcher | USA
Autodesk | All currently supported Autodesk Applications and Cloud Services | CNA | Vendor | USA
Automotive Security Research Group (ASRG) | All automotive and related infrastructure vulnerabilities that are not in another CNA’s scope | CNA | Researcher | USA
Avaya, Inc. | All Avaya Generally Available (GA) products that are not in another CNA’s scope. A CVE ID will not be issued for End of Manufacturing Support (EoMS) products/versions | CNA | Vendor | USA
Axis Communications AB | Supported Axis products and solutions only | CNA | Vendor | Sweden
B. Braun SE | B. Braun’s commercially available products only | CNA | Vendor | Germany
Baicells Technologies Co., Ltd. | All Baicells products | CNA | Vendor | China
Baidu, Inc. | Projects listed on Baidu’s PaddlePaddle GitHub website only | CNA | Vendor, Open Source | China
Baxter Healthcare | Baxter’s commercially available products only | CNA | Vendor | USA
Becton, Dickinson and Company (BD) | BD software-enabled medical devices only | CNA | Vendor | USA
Biohacking Village | Vulnerabilities discovered by researchers in collaboration with Biohacking Village, with approval of Biohacking Village’s sponsors, that are not in another CNA’s scope | CNA | Researcher | USA
Bitdefender | All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope | CNA | Vendor, Researcher | Romania
Black Lantern Security | Vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA’s scope | CNA | Researcher | USA
BlackBerry | BlackBerry and Good product issues only | CNA | Vendor | Canada
Brocade Communications Systems, LLC | Brocade products only | CNA | Vendor | USA
Bugcrowd Inc. | Vulnerabilities discovered by researchers in collaboration with Bugcrowd, with approval of Bugcrowd’s clients, and not in the scope of another CNA | CNA | Bug Bounty Provider, Vendor, Open Source | USA
CA Technologies – A Broadcom Company | CA Technologies issues only | CNA | Vendor | USA
Canon Inc. | Vulnerabilities in products and services designed and developed by Canon Inc. | CNA | Vendor | Japan
Canonical Ltd. | All Canonical issues (including Ubuntu Linux) only | CNA | Vendor, Open Source | UK
Carrier Global Corporation | Carrier Global products only | CNA | Hosted Service, Vendor | USA
Censys | All Censys products, and vulnerabilities discovered by Censys that are not in another CNA’s scope | CNA | Vendor, Researcher | USA
CERT/CC | Vulnerability assignment related to its vulnerability coordination role | CNA | CERT | USA
CERT@VDE | Products of the vendors: Beckhoff, Bender, Endress+Hauser, Etherwan Systems, HIMA, Festo, Koramis, ifm, Miele, Pepperl+Fuchs, Phoenix Contact, PILZ, Sysmik, Weidmueller, and WAGO. Also, industrial and infrastructure control systems (and their components) of European Union (EU) based vendors as long as there is no CNA with a more specific scope for the vulnerability | CNA | CERT | Germany
Check Point Software Ltd. | Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope | CNA | Vendor, Researcher | Israel
Chrome | Chrome and Chrome OS issues, and projects that are not in another CNA’s scope | CNA | Vendor, Open Source, Researcher | USA
Cisco Systems, Inc. | All Cisco products, and any third-party research targets that are not in another CNA’s scope. Cisco will not issue a CVE ID for issues reported on products that are past the Last Day of Support milestone, as defined in Cisco’s End-of-Life Policy, which is available at https://www.cisco.com/c/en/us/products/eos-eol-policy.html | CNA | Hosted Service, Open Source, Researcher, Vendor | USA
Citrix Systems, Inc. | Citrix issues only | CNA | Vendor | USA
Cloudflare, Inc. | All Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope | CNA | Vendor | USA
Crafter CMS | Crafter CMS issues only | CNA | Vendor, Open Source | USA
Crestron Electronics, Inc. | Crestron products | CNA | Vendor | USA
Crowdstrike Holdings, Inc. | Crowdstrike Sensor issues, excluding unsupported versions, and issues in third-party products or services identified by Crowdstrike research unless covered in the scope of another CNA | CNA | Vendor | USA
Cybellum Technologies LTD | All Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope | CNA | Vendor | Israel
Cyber Security Works Pvt. Ltd. | Vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope | CNA | Researcher | India
CyberArk Labs | Vulnerabilities discovered by CyberArk Labs that are not in another CNA’s scope | CNA | Vendor, Researcher | Israel
CyberDanube | All CyberDanube products, as well as vulnerabilities in third-party hardware/software discovered by CyberDanube or partners actively engaged in vulnerability research coordination, which are not within the scope of another CNA | CNA | Researcher, Vendor | Austria
Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) | Industrial control systems and medical devices | Top-Level Root, CNA-LR | CERT | USA
Dahua Technologies | Dahua consumer Internet of Things (IoT) products, excludes End-of-Life products | CNA | Vendor | China
Dassault Systèmes | All websites of the corporate group and of any subsidiaries, including but not limited to www.3ds.com and www.solidworks.com; all Software as a Service solutions, such as 3DEXPERIENCE or ScienceCloud, but also any online hosting linked to our brands; and all Dassault Systèmes licensed software products | CNA | Vendor | France
Debian GNU/Linux | Debian issues only | CNA | Vendor, Open Source | USA
    DeepSurface Security, Inc. All DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope CNA Vendor, Researcher USA
    Dell Dell, Dell EMC, and VCE issues only CNA Vendor USA
    Devolutions Inc. Remote Desktop Manager and Devolutions Server products CNA Vendor, Open Source Canada
    Docker Inc. All Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open-source projects CNA Vendor, Open Source USA
    Document Foundation, The Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues CNA Vendor, Open Source Germany
    dotCMS LLC All dotCMS product services including the vulnerabilities reported in our open-source core located at https://github.com/dotCMS/core CNA Hosted Service USA
    Dragos, Inc. Dragos products and third-party products it researches related to operational technology (OT)/industrial control systems (ICS) not covered by another CNA CNA Vendor, Researcher USA
    Drupal.org All projects hosted under drupal.org only CNA Vendor, Open Source USA
    Dual Vipers LLC Dual Vipers projects and products (both open and closed source), as well as vulnerabilities in third-party software discovered by Dual Vipers that are not in another CNA’s scope CNA Hosted Service, Open Source, Researcher, Vendor USA
    Dutch Institute for Vulnerability Disclosure (DIVD) Vulnerabilities in software discovered by DIVD, and vulnerabilities reported to DIVD for coordinated disclosure, which are not in another CNA’s scope CNA Researcher Netherlands
    Eaton Eaton issues only CNA Vendor Ireland
    Eclipse Foundation Eclipse IDE and the Eclipse Foundation’s eclipse.org, polarsys.org, and locationtech.org open source projects only CNA Vendor, Open Source Canada
    Elastic Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only CNA Vendor Netherlands
    Electronic Arts, Inc. EA issues only CNA Vendor USA
    Environmental Systems Research Institute, Inc. All Esri products only CNA Vendor USA
    ESET, spol. s r.o. All ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope CNA Vendor, Researcher Slovak Republic
    Exodus Intelligence Vulnerabilities discovered by Exodus Intelligence as well as acquisitions from independent researchers via its Research Sponsorship Program (RSP) CNA Bug Bounty Provider, Researcher USA
    F-Secure All F-Secure products and security vulnerabilities discovered by F-Secure in third-party software not in another CNA’s scope CNA Vendor, Researcher Finland
    F5, Inc. All F5 products and services, commercial and open source, which have not yet reached End of Technical Support (EoTS). All legacy acquisition products and brands including, but not limited to, NGINX, Shape Security, Volterra, and Threat Stack. F5 does not issue CVEs for products which are no longer supported CNA Vendor, Open Source USA
    Fedora Project Vulnerabilities in open-source projects affecting the Fedora Project, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project CNA Vendor, Open Source USA
    Fidelis Cybersecurity, Inc. Fidelis issues only CNA Vendor USA
    Flexera Software LLC All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
    floragunn GmbH All issues related to Search Guard only CNA Vendor, Open Source Germany
    Fluid Attacks Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope CNA Researcher Colombia
    Forcepoint Forcepoint products only CNA Vendor USA
    ForgeRock, Inc. ForgeRock issues only CNA Vendor, Open Source USA
    Fortinet, Inc. Fortinet issues only CNA Vendor USA
    FPT Software Co., Ltd. All products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software that are not in another CNA’s scope CNA Vendor, Researcher Vietnam
    Frappe Technologies Pvt. Ltd. Vulnerabilities relating to Frappe Framework, ERPNext product, erpnext.com, and frappecloud.com hosting services, as well as other vulnerabilities discovered by Frappe Technologies that are not under the scope of any other CNA CNA Bug Bounty Provider India
    FreeBSD Primarily FreeBSD issues only CNA Vendor, Open Source USA
    FULL INTERNET All FULL products, as well as vulnerabilities in third-party software discovered by FULL that are not in another CNA’s scope CNA Bug Bounty Provider, Hosted Service, Vendor, Researcher Brazil
    Gallagher Group Ltd. All Gallagher security products only CNA Vendor New Zealand
    GE Healthcare GE Healthcare products CNA Vendor USA
    General Electric (Gas Power) GE (Gas Power) issues only CNA Vendor USA
    Genetec Inc. Genetec products and solutions only CNA Hosted Service, Vendor Canada
    Gitea Limited Gitea issues only CNA Open Source, Vendor China
    GitHub, Inc. GitHub currently only covers CVEs requested by software maintainers using the GitHub Security Advisories feature CNA Vendor USA
    GitHub, Inc. (Products Only) GitHub Enterprise Server issues only CNA Vendor USA
    GitLab Inc. The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope CNA Vendor, Researcher USA
    Glyph & Cog, LLC Xpdf open source project, including the xpdf viewer and associated command line tools CNA Open Source, Vendor USA
    Go Project Vulnerabilities in software published by the Go Project (including the Go standard library, Go toolchain, and the golang.org modules) and publicly disclosed vulnerabilities in publicly importable packages in the Go ecosystem, unless covered by another CNA’s scope CNA Vendor, Open Source USA
    Google Devices Google Devices – Pixel, Nest, and Chromecast CNA Vendor USA
    Google LLC Root Scope: Alphabet organizations; CNA Scope: Google products that are not covered by Android and Chrome, as well as vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope Root, CNA Vendor, Open Source, Researcher USA
    Google Open Source Software Vulnerabilities in open source software published and maintained by Google CNA Vendor, Open Source USA
    Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) Vulnerabilities discovered by GovTech CSG only that are not in another CNA’s scope CNA Researcher Singapore
    Grafana Labs All Grafana Labs open source and commercial products CNA Vendor, Open Source USA
    Green Rocket Security Inc. Green Rocket Security products including EOL unless covered by another CNA’s scope CNA Vendor USA
    GS McNamara LLC GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that we are researching or coordinating that are not in another CNA’s scope CNA Vendor, Researcher USA
    HackerOne Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform CNA Bug Bounty Provider USA
    Halborn All blockchain and Web3 products that rely on smart contracts written in Rust, Go, and Solidity, as well as blockchain associated Web2 and Web3 infrastructure not covered by another CNA CNA Researcher USA
    Hallo Welt! GmbH BlueSpice vulnerabilities only CNA Vendor Germany
    Hangzhou Hikvision Digital Technology Co., Ltd. All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs) CNA Vendor China
    Hanwha Vision Co., Ltd. Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) CNA Vendor South Korea
    HashiCorp Inc. All HashiCorp products and projects unless covered by another CNA’s scope CNA Vendor USA
    HCL Software All HCL products only CNA Vendor India
    Hewlett Packard Enterprise (HPE) HPE issues only CNA Vendor USA
    Hillstone Networks Inc. Vulnerabilities in our products listed at https://www.hillstonenet.com/hillstone-networks-product-portfolio and the products we sell only in China listed at https://www.hillstonenet.com.cn/product_service/, not including our websites CNA Vendor China
    Hitachi Energy Hitachi Energy products only CNA Vendor Switzerland
    Hitachi Vantara All Hitachi Vantara products and technologies CNA Vendor USA
    Hitachi, Ltd. Hitachi products excluding Hitachi Energy and Hitachi Vantara products CNA Vendor Japan
    Honeywell International Inc. All Honeywell products CNA Vendor USA
    Honor Device Co., Ltd. Vulnerabilities in Honor products and services unless covered by the scope of another CNA CNA Vendor China
    HP Inc. HP Inc. issues only CNA Vendor USA
    Huawei Technologies Huawei issues only CNA Vendor China
    huntr.dev Vulnerabilities in third-party code reported to huntr.dev that are not in another CNA’s scope CNA Bug Bounty Provider UK
    HYPR Corp All HYPR products only CNA Vendor USA
    IBM Corporation All IBM products, as well as vulnerabilities in third-party software discovered by IBM X-Force Red that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
    ID Business Solutions IDBS products as listed on https://www.idbs.com/products/ CNA Vendor UK
    IDEMIA All IDEMIA products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by IDEMIA that are not in another CNA’s scope CNA Researcher, Vendor France
    Illumio Illumio issues only CNA Vendor USA
    Indian Computer Emergency Response Team (CERT-In) Vulnerability coordination for vulnerabilities in all products reported to CERT-In in accordance with our vulnerability coordination role as a CERT. Vulnerability assignments for vulnerabilities impacting all products designed, developed, and manufactured in India CNA CERT India
    Intel Corporation Intel branded products and technologies and Intel managed open source projects CNA Vendor, Open Source USA
    Internet Systems Consortium (ISC) All ISC.org projects CNA Vendor, Open Source USA
    IoT83 Ltd Vulnerabilities in IoT83 product(s), services, and components only. Third-party, open-source components used in IoT83 product(s), services, and components are not in scope CNA Vendor USA
    Israel National Cyber Directorate (INCD) Vulnerability assignment related to its vulnerability coordination role CNA CERT Israel
    Jenkins Project Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only CNA Open Source USA
    JetBrains s.r.o. JetBrains products only CNA Vendor, Open Source Czech Republic
    JFrog All JFrog products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by JFrog that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to JFrog (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope CNA Vendor, Researcher Israel
    Johnson Controls Johnson Controls products only CNA Vendor USA
    Joomla! Project Core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only CNA Vendor, Open Source USA
    JPCERT/CC Root Scope: Japan organizations; CNA Scope: Vulnerability assignment related to its vulnerability coordination role Root, CNA CERT Japan
    Juniper Networks, Inc. Juniper issues only CNA Vendor, Open Source USA
    Kaspersky Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope CNA Vendor, Researcher Russia
    KNIME AG All vulnerabilities on software products that our company provides, including KNIME Analytics Platform, KNIME Server, and KNIME Hub CNA Vendor Switzerland
    KrakenD, S.L. KrakenD EE, KrakenD CE, and Lura issues only CNA Vendor, Open Source Spain
    KrCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT South Korea
    Kubernetes Kubernetes issues only CNA Vendor, Open Source USA
    Larry Cashdollar Third-party products he researches that are not in another CNA’s scope CNA Researcher USA
    Lenovo Group Ltd. Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only CNA Vendor USA
    LG Electronics LG Electronics products only CNA Vendor South Korea
    Liferay, Inc. All Liferay supported products and end-of-life/end-of-service products CNA Vendor USA
    LINE Corporation Current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line CNA Vendor, Open Source Japan
    Logitech All current products/software/apps made by Logitech, Ultimate Ears, Jaybird, Streamlabs, Logitech G, Logicool, Blue, and Astro Gaming CNA Vendor Switzerland
    M-Files Corporation M-Files and Hubshare products CNA Vendor Finland
    MarkLogic Corporation MarkLogic issues only CNA Vendor USA
    Mattermost, Inc. All Mattermost issues, and vulnerabilities discovered by Mattermost that are not in another CNA’s scope CNA Vendor, Researcher USA
    Mautic Mautic core and officially supported plugins CNA Vendor, Open Source USA
    MediaTek, Inc. MediaTek product issues only CNA Vendor Taiwan
    Medtronic All products of Medtronic or a Medtronic company including supported products and end-of-life/end-of-service products, as well as vulnerabilities in third-party software discovered in Medtronic products that are not in another CNA’s scope CNA Vendor USA
    Mend Vulnerabilities in Mend (formerly WhiteSource) products and vulnerabilities in third-party software discovered by Mend that are not in another CNA’s scope CNA Vendor, Researcher USA
    Meta Platforms, Inc. Meta-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Meta that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/ CNA Vendor, Open Source, Researcher USA
    Microsoft Corporation Microsoft issues only CNA Vendor USA
    MIM Software Inc. MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA CNA Vendor USA
    Mirantis All Mirantis products (supported products and end-of-life/end-of-service products) and open source offerings, as well as vulnerabilities in third-party software discovered by Mirantis that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
    MITRE Corporation All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this website Top-Level Root, CNA-LR, Secretariat N/A USA
    Mitsubishi Electric Corporation Mitsubishi Electric issues only CNA Vendor Japan
    MongoDB, Inc. MongoDB products only, not including end-of-life components or products CNA Vendor, Open Source USA
    Moxa Inc. Moxa products only CNA Vendor Taiwan
    Mozilla Corporation Mozilla issues only CNA Vendor, Open Source USA
    National Cyber Security Centre Finland (NCSC-FI) Vulnerabilities in software discovered by NCSC-FI, and vulnerabilities reported to NCSC-FI for coordinated disclosure, which are not in another CNA’s scope CNA CERT Finland
    National Cyber Security Centre Netherlands (NCSC-NL) Vulnerabilities in software discovered by NCSC-NL, and vulnerabilities reported to NCSC-NL for coordinated disclosure, which are not in another CNA’s scope CNA CERT Netherlands
    National Cyber Security Centre SK-CERT Vulnerabilities in software discovered by National Cyber Security Centre SK-CERT, and vulnerabilities reported to National Cyber Security Centre SK-CERT for coordinated disclosure, which are not in another CNA’s scope CNA CERT Slovak Republic
    National Instruments NI products only (including National Instruments) CNA Vendor USA
    Naver Corporation Naver products only, except Line products CNA Vendor South Korea
    NEC Corporation NEC issues only CNA Vendor Japan
    NetApp, Inc. All NetApp products as well as projects hosted on https://github.com/netapp CNA Vendor USA
    Netflix, Inc. Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix/ and https://github.com/spinnaker/ CNA Vendor, Open Source USA
    NetRise Vulnerabilities in third-party Extended Internet of Things (XIoT) devices and firmware NetRise researches that are not covered by another CNA CNA Researcher USA
    Netskope All Netskope products and services CNA Vendor USA
    NLnet Labs All NLnet Labs projects CNA Vendor, Open Source Netherlands
    Node.js All actively developed versions of software developed under the Node.js project on https://github.com/nodejs/ CNA Vendor, Open Source USA
    NortonLifeLock Inc. All NortonLifeLock product issues only CNA Vendor USA
    Nozomi Networks Inc. All Nozomi Networks products, as well as vulnerabilities in third-party software discovered by Nozomi Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
    NVIDIA Corporation NVIDIA issues only CNA Vendor USA
    Objective Development Software GmbH Objective Development issues only CNA Vendor Austria
    Octopus Deploy All Octopus Deploy products, as well as Octopus Deploy maintained projects hosted on https://github.com/OctopusDeploy CNA Vendor, Open Source Australia
    Odoo Odoo issues only CNA Vendor Belgium
    Okta Okta issues only CNA Vendor USA
    ONEKEY GmbH All ONEKEY products and vulnerabilities in third-party software discovered by ONEKEY that are not in another CNA’s scope CNA Vendor, Researcher Germany
    Open Design Alliance Open Design Alliance products only CNA Vendor USA
    Open-Xchange Products and services provided by Open-Xchange, PowerDNS, and Dovecot CNA Open Source, Vendor Germany
    OpenAnolis OpenAnolis issues only CNA Vendor, Open Source China
    OpenCloudOS Community OpenCloud OS issues only, not including EOL products, unless covered by another CNA’s scope CNA Open Source China
    openEuler openEuler issues only CNA Vendor, Open Source China
    openGauss Community openGauss issues only CNA Open Source China
    OpenHarmony openHarmony issues only CNA Open Source China
    OpenSSL Software Foundation OpenSSL software projects only CNA Vendor, Open Source USA
    OpenText (formerly Micro Focus) All OpenText products (including Carbonite, Zix, Micro Focus, others) CNA Vendor USA
    OpenVPN Inc. All products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel CNA Vendor, Open Source USA
    Opera Opera issues only CNA Vendor, Open Source Norway
    OPPO Mobile Telecommunication Corp., Ltd. OPPO devices only CNA Vendor China
    Oracle Oracle supported version product issues only; CVE IDs will not be assigned for unsupported products or versions (Oracle will confirm support status and notify researcher) CNA Hosted Service, Open Source, Vendor USA
    OTRS AG Vulnerabilities for OTRS and ((OTRS)) Community Edition and modules only CNA Vendor Germany
    Palantir Technologies Palantir products and technologies only CNA Vendor USA
    Palo Alto Networks, Inc. All Palo Alto Networks products, and vulnerabilities discovered by Palo Alto Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
    Panasonic Holdings Corporation All products and services developed and/or sold by Panasonic Group companies CNA Vendor Japan
    Patchstack Vulnerabilities in third-party PHP products discovered by Patchstack and Patchstack Red Team CNA Bug Bounty Provider, Hosted Service, Open Source, Researcher, Vendor Estonia
    Payara All Payara Platform product distributions (Payara Server, Micro, Embedded) for both Enterprise (commercial) and Community (OSS) distributions CNA Open Source, Vendor UK
    Pegasystems Inc. Pegasystems products only CNA Vendor USA
    Philips Philips issues only CNA Vendor Netherlands
    PHP Group Vulnerabilities in PHP code (code in https://github.com/php/php-src) only CNA Vendor, Open Source USA
    Ping Identity Corporation All Ping Identity products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Ping Identity that are not in another CNA’s scope CNA Hosted Service, Researcher, Bug Bounty Provider USA
    Profelis IT Consultancy Products and services developed by Profelis IT Consultancy including enterprise directory solution SambaBox and password reset product PassBox CNA Vendor Türkiye
    Proofpoint Inc. All Proofpoint products CNA Hosted Service, Vendor USA
    Puppet All Puppet products, as well as all projects on https://github.com/puppetlabs/ CNA Vendor, Open Source USA
    QNAP Systems, Inc. QNAP issues only CNA Vendor Taiwan
    Qualcomm, Inc. Qualcomm and Snapdragon issues only CNA Vendor USA
    Qualys, Inc. All Qualys products and vulnerabilities discovered by Qualys that are not covered by another CNA’s scope CNA Vendor, Researcher USA
    Rapid7, Inc. All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
    Red Hat, Inc. Root Scope: The Red Hat Root’s scope includes the open-source community. Any open-source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them better. CNA Scope: Vulnerabilities in open-source projects affecting Red Hat offerings, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat offerings Root, CNA Vendor, Open Source USA
    Replicated, Inc. Replicated products and services only CNA Vendor USA
    Rhino Mobility Rhino Mobility issues only CNA Vendor USA
    Ribose Limited All Ribose products and services, including open-source projects, supported products, and end-of-life/end-of-service products CNA Hosted Service, Open Source, Vendor UK
    Robert Bosch GmbH Bosch products only CNA Vendor Germany
    Rockwell Automation All Rockwell Automation products CNA Vendor USA
    SailPoint Technologies SailPoint issues only CNA Vendor USA
    Salesforce, Inc. Salesforce products only CNA Vendor USA
    Samsung Mobile Samsung Mobile Galaxy products, personal computers, and related services only CNA Vendor South Korea
    Samsung TV & Appliance Samsung TV & Appliance products, Samsung-owned open-source projects listed on https://github.com/Samsung/, as well as vulnerabilities in third-party software discovered by Samsung that are not in another CNA’s scope. Vulnerabilities affecting end-of-life/end-of-service products are in scope. The following categories of Samsung Products are in scope: Internet-connected home appliances, B2C product (smart TV, smart monitor, soundbar, and projector), and B2B products (digital signage, interactive display, and kiosk) CNA Open Source, Researcher, Vendor South Korea
    SAP SE All SAP products CNA Vendor Germany
    Schneider Electric All Schneider Electric products, including Proface, APC, and Eurotherm CNA Vendor France
    Schweitzer Engineering Laboratories, Inc. All Schweitzer Engineering Laboratories products CNA Vendor USA
    Seagate Technology Any Seagate or LaCie software or hardware, open or closed source, supported and end of life, as well as any vulnerabilities in third-party software discovered by Seagate that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
    Secomea A/S Supported Secomea products only CNA Vendor Denmark
    Securifera, Inc. Vulnerabilities in vendor products discovered by Securifera, or related parties, while performing vulnerability research or security assessments CNA Researcher USA
    Security Risk Advisors (SRA) Vulnerabilities discovered by SRA that are not within the scope of another CNA CNA Researcher USA
    senhasegura Vulnerabilities in senhasegura products, and other vulnerabilities discovered by senhasegura that are not in another CNA’s scope CNA Vendor, Researcher Brazil
    ServiceNow All ServiceNow products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by ServiceNow that are not in another CNA’s scope CNA Hosted Service, Researcher, Vendor USA
    Shop Beat Solutions (Pty) LTD Vulnerabilities in Shop Beat products and services and vulnerabilities discovered by Shop Beat unless covered by the scope of another CNA CNA Hosted Service, Vendor South Africa
    SICK AG SICK AG issues only CNA Vendor Germany
    Siemens Siemens issues only CNA Vendor Germany
    Sierra Wireless Inc. Sierra Wireless products only CNA Vendor Canada
    Silicon Labs Silicon Labs issues only CNA Vendor USA
    Silver Peak Systems, Inc. Silver Peak product issues only CNA Vendor USA
    Simplinx Ltd. Simplinx products only CNA Vendor Türkiye
    Snow Software All Snow Software products CNA Vendor Sweden
    Snyk Vulnerabilities in Snyk products and vulnerabilities discovered by, or reported to, Snyk that are not in another CNA’s scope CNA Open Source, Researcher UK
    SolarWinds SolarWinds products only CNA Vendor USA
    Solidigm Solidigm branded products and technologies CNA Vendor USA
    SonicWall, Inc. SonicWall issues only CNA Vendor USA
    Sophos Limited Sophos issues only CNA Vendor UK
    Spanish National Cybersecurity Institute, S.A. (INCIBE) Root Scope: Spain organizations; CNA Scope: Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level, and vulnerabilities reported to INCIBE by Spain organizations and researchers that are not in another CNA’s scope Root, CNA CERT Spain
    Splunk Inc. Splunk products only CNA Vendor USA
    STAR Labs SG Pte. Ltd. Vulnerabilities discovered by STAR Labs SG that are not in another CNA’s scope CNA Researcher Singapore
    StrongDM StrongDM issues only CNA Vendor USA
    SUSE SUSE and Rancher issues only CNA Vendor, Open Source USA
    Swift Project The Swift Project only CNA Vendor, Open Source USA
    Switzerland National Cyber Security Centre (NCSC) Switzerland Government Common Vulnerability Program CNA CERT Switzerland
    Symantec – A Division of Broadcom Symantec Enterprise products as well as vulnerabilities in third-party software discovered by Symantec that are not in another CNA’s scope CNA Vendor, Researcher USA
    Synaptics, Inc. Synaptics issues only CNA Vendor USA
    Synology Inc. Synology issues only CNA Vendor Taiwan
    Synopsys All Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope CNA Vendor, Researcher USA
    Talos Third-party products it researches CNA Researcher USA
    Tcpdump Group Tcpdump and Libpcap only CNA Vendor, Open Source Canada
    TeamViewer Germany GmbH TeamViewer issues only CNA Vendor Germany
    Temporal Technologies Inc. All Temporal Technologies software CNA Hosted Service, Open Source USA
    Tenable Network Security, Inc. Tenable products and third-party products it researches not covered by another CNA CNA Vendor USA
    Thales Group Thales branded products and technologies only CNA Vendor, Researcher France
    The HISP Centre at the University of Oslo Security issues in DHIS2 open-source web and mobile software applications CNA Vendor, Open Source Norway
    The Missing Link Australia (TML) TML vulnerability disclosure policy applies to any third-party vendor products to whom TML will assign the CVEs for vulnerabilities, if the product is not a part of another CNA scope CNA Researcher Australia
    The OpenBMC Project Vulnerabilities related to the repositories maintained by the OpenBMC project CNA Vendor, Open Source USA
    The OpenNMS Group OpenNMS issues only CNA Vendor, Open Source USA
    TianoCore.org Software vulnerabilities related to the TianoCore Open Source CNA Vendor, Open Source USA
    TIBCO Software Inc. TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only CNA Vendor USA
    Tigera, Inc. All vulnerabilities for Calico and all of Tigera’s products only CNA Vendor, Open Source USA
    Toshiba Corporation Vulnerabilities related to products and services of Toshiba Corporation CNA Vendor Japan
    TR-CERT (Computer Emergency Response Team of the Republic of Türkiye) Vulnerability assignment related to its vulnerability coordination role CNA CERT Türkiye
    Trellix All Trellix Enterprise (formerly McAfee Enterprise and FireEye) products, as well as vulnerabilities in third-party software discovered by Trellix Advanced Research Center (Trellix ACR) that are not in another CNA’s scope CNA Vendor, Researcher USA
    Trend Micro, Inc. Trend Micro supported products, end-of-life products, and all issues related to TXOne products CNA Vendor Japan
    Tribe29 GmbH All products of Tribe29 including Checkmk and Checkmk Appliance CNA Vendor, Open Source Germany
    TWCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT Taiwan
    Unisoc (Shanghai) Technologies Co., Ltd. Unisoc issues only CNA Vendor China
    Vaadin Ltd. All Vaadin products and supported open-source projects hosted at https://github.com/vaadin CNA Vendor, Open Source Finland
    Vivo Mobile Communication Co., Ltd. Vivo issues only CNA Vendor China
    VMware VMware, Spring, and Cloud Foundry issues only CNA Vendor, Open Source USA
    VulDB Vulnerabilities discovered by, or reported to, the VulDB vulnerability database that are not in another CNA’s scope CNA Researcher Switzerland
    VulnCheck Vulnerabilities discovered by, or reported to, VulnCheck that are not in another CNA’s scope CNA Bug Bounty Provider, Researcher USA
    Vulnscope Technologies Provides CVE IDs for customers as part of our bug bounty and vulnerability coordination platform CNA Bug Bounty Provider Chile
    WatchGuard Technologies, Inc. Vulnerabilities in all WatchGuard products and products of WatchGuard subsidiaries CNA Vendor USA
    Western Digital Western Digital products including WD, SanDisk, SanDisk Professional, G-Technology, and HGST only CNA Vendor USA
    wolfSSL Inc. Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products CNA Vendor, Open Source USA
    Wordfence WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team CNA Vendor, Researcher USA
    WPScan WordPress core, plugins, and themes CNA Vendor, Open Source France
    Xen Project All sub-projects under Xen Project’s umbrella (see Xen Project Teams), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer CNA Vendor, Open Source UK
    Xiaomi Technology Co., Ltd. Xiaomi issues only CNA Vendor China
    Xylem Xylem products and technologies only CNA Vendor USA
    Yandex N.V. Yandex issues only CNA Vendor Russia
    Yugabyte, Inc. Yugabyte products only CNA Hosted Service, Vendor USA
    Zabbix Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only CNA Vendor Latvia
    Zephyr Project Zephyr project components, and vulnerabilities that are not in another CNA’s scope CNA Vendor, Open Source USA
    Zero Day Initiative Products and projects covered by its bug bounty programs that are not in another CNA’s scope CNA Bug Bounty Provider Japan
    ZGR ZGR manufactured products CNA Vendor Spain
    Zoom Video Communications, Inc. Zoom and Keybase issues only CNA Vendor USA
    Zowe Vulnerabilities in Zowe.org open source projects CNA Open Source USA
    Zscaler, Inc. Zscaler issues only CNA Vendor USA
    ZTE Corporation ZTE products only CNA Vendor China
    ZUSO Advanced Research Team (ZUSO ART) Vulnerabilities in third-party products discovered by ZUSO ART that are not in another CNA’s scope CNA Researcher Taiwan
    Zyxel Corporation Zyxel products issues only CNA Vendor Taiwan