Skip to main content

In today’s digital world, the necessity to secure valuable data and information is more important than ever. As more businesses and individuals rely on technological advancements, the risks associated with vulnerabilities within systems and applications increase. To address these risks, it’s crucial to be aware of publicly disclosed security vulnerabilities that may affect your systems or software. This knowledge allows organizations and individuals to be proactive in protecting their digital assets and ensuring overall security.

One way to stay informed about these security vulnerabilities is through vulnerability databases. These databases serve as comprehensive resources that catalog publicly disclosed cybersecurity vulnerabilities in a standardized format, making it easier for individuals and professionals to search, use, and incorporate the information into their security measures. With a wide range of databases available, it’s essential to identify the most powerful and reputable ones to assist you in staying up-to-date with the latest vulnerabilities and securing your systems against potential threats.

In this article, we explore six powerful vulnerability databases that provide valuable information on publicly disclosed security vulnerabilities. These databases cater to a wide range of users, from security experts to general IT professionals, ensuring comprehensive coverage of the most relevant and up-to-date security vulnerabilities.

But, before we directly land on the list of powerful vulnerability databases, let’s learn abut these additional things. It’s not mandatory for everybody to read. However, it is for those who want comprehensive information about the Vulnerability Management and Vulnerability Database.

In this comprehensive blog post, we will cover the following topics:

  • What are security vulnerabilities and how they are tracked
  • Understanding CVE IDs, CVSS scoring system, and vectors
  • Introduction to CVE Numbering Authorities (CNAs)
  • Where to search publicly disclosed vulnerabilities
  • List of powerful vulnerability databases

What are Security Vulnerabilities? And How Security Vulnerabilities Are Being Tracked?

Security vulnerabilities are flaws or weaknesses in software code or system configurations that can be exploited by attackers to gain unauthorized access to a system or network. Once inside, attackers can leverage authorizations and privileges to compromise systems and assets. Vulnerabilities can be found in IT, network, cloud, web, and mobile application systems.

Some examples of vulnerabilities include:

  • Buffer overflows
  • SQL injection flaws
  • Cross-site scripting bugs
  • Default or weak passwords
  • Race conditions

Vulnerabilities are tracked and documented in databases so that affected vendors, manufacturers, and users are aware of the issue and can take action to remediate or mitigate the vulnerability.

Common practices for vulnerability tracking include:

  • Reporting: Security researchers and users submit newly discovered vulnerabilities to vendors, CERTs, or public vulnerability databases.
  • Assignment of CVE ID: Once a vulnerability report is verified, it is assigned a CVE ID (Common Vulnerabilities and Exposures) for unique identification.
  • Publication: Details of vulnerability are publicly documented in databases like National Vulnerability Database (NVD).
  • Severity analysis: The vulnerability severity is scored using the Common Vulnerability Scoring System (CVSS).
  • Remediation tracking: The fix status of the vulnerability is updated over time.

Thorough vulnerability tracking and robust databases allow the security community to assess the risk posed by flaws and prioritize remediation efforts.

The Vulnerability Management team plays a crustal role in identifying, analyzing, assessing, reporting, and mitigating security vulnerabilities before they can be exploited by attackers. So collected or reported vulnerabilities are recorded or stored in several databases by assigning them a CVE ID. This is how the concept of the Vulnerability Database begins. Before we go further, let’s understand a few more concepts like CVE ID, CVSS Scoring System, And Vectors of CVSS.

Understand CVE ID, CVSS Scoring System, And Vectors of CVSS

When dealing with publicly disclosed security vulnerabilities, it is essential to understand the Common Vulnerabilities and Exposures (CVE) identification, the Common Vulnerability Scoring System (CVSS), and the CVSS vectors. This understanding helps you evaluate the severity of vulnerabilities and prioritize your response.

CVE ID

CVE stands for Common Vulnerabilities and Exposures. It is a unique ID assigned to identify each publicly known security vulnerability.

The CVE ID consists of the following format:

CVE-YYYY-NNNNN

Where:

  • CVE – Constant identifier showing this is a CVE ID
  • YYYY – The year the CVE ID was assigned
  • NNNNN – A unique 5-digit number to identify the specific vulnerability

For example, CVE-2019-19781 was assigned in 2019 and has a unique 5-digit ID of 19781.

Once a vulnerability has been publicly documented and verified, it is added to the CVE master list, formally known as Vulnerability Database. The CVE ID helps to eliminate confusion by allowing all parties to refer to vulnerabilities in a standardized manner.

CVSS Scoring System

The Common Vulnerability Scoring System (CVSS) is an open framework used to quantify the severity of IT vulnerabilities. CVSS assigns a numeric score ranging from 0 to 10 to vulnerabilities, with 10 being the most severe.

The CVSS score represents the ease and impact of exploitation. The metrics used to calculate the score are divided into three metric groups:

Base – Represents the intrinsic characteristics of a vulnerability that do not change over time or user environments. This consists of:

  • Attack Vector (AV) – How the vulnerability can be exploited e.g. network, adjacent, local, physical.
  • Attack Complexity (AC) – The complexity of the attack required to exploit the vulnerability.
  • Privileges Required (PR) – The level of privileges required for an attacker to exploit the flaw.
  • User Interaction (UI) – If user interaction is required to exploit the vulnerability.
  • Scope (S) – If a vulnerability in one component impacts resources beyond its security scope.
  • Confidentiality (C), Integrity (I), Availability (A) Impact – The impact of CIA security principles if a vulnerability is exploited.

Temporal – Represents the characteristics of a vulnerability that may change over time but not user environments. This consists of:

  • Exploit Code Maturity (E) – Reflects the maturity of available exploit code.
  • Remediation Level (RL) – Represents the degree to which a vulnerability can be mitigated through fixes, patches, upgrades, etc.
  • Report Confidence (RC) – Reflects the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.

Environmental – Represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. This consists of:

  • Collateral Damage Potential (CDP) – The potential for loss of data assets, productivity or revenue if a vulnerability is exploited.
  • Target Distribution (TD) – The number of vulnerable systems that exist in the wild.
  • Security Requirements (CR, IR, AR) – The security requirements for confidentiality, integrity and availability in the user environment.

Using these metrics, CVSS applies a complex calculation to determine the final vulnerability severity score.

Vectors of CVSS

CVSS vectors are a standardized text representation of the metrics used to score a vulnerability.

The vector string contains each metric acronym, followed by the assigned value. For example:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This vector shows:

  • CVSS version 3.1
  • Attack vector is Network (N)
  • Attack complexity is Low (L)
  • No privileges required (N)
  • No user interaction (N)
  • The scope is Unchanged (U)
  • High impact scores for confidentiality, integrity, availability (H)

The vector highlights the key metrics used to calculate the overall CVSS score for a vulnerability. It provides an easy way for humans to understand the rating factors at a glance.

A Short Introduction to CVE Numbering Authority (CNA)

The next question comes in who assigns the CVE IDs to the vulnerabilities and adds them to the database? The answer is CVE Numbering Authority (CNA). CNAs are organizations that have been authorized by the CVE Program to assign CVE identifiers to vulnerabilities affecting products within their agreed-upon scope. These organizations play a crucial role in ensuring that newly discovered vulnerabilities are assigned unique identifiers and properly documented for the public.

CNA is responsible for establishing the scope of their authority, determining if a vulnerability falls within this scope, and assigning a unique CVE identifier to the vulnerability before its first public announcement. The CNA’s domain of authority can be specific to its own products or cover a broader range of products and vulnerabilities under its scope. Cooperation between CNAs ensures consistency and accuracy in the enumeration and documentation of vulnerabilities.

The CNA Rules provide guidelines for the assignment and management of CVE identifiers by CNAs. These rules outline the responsibilities and requirements for CNAs, including scope definition, vulnerability discovery and reporting, and proper documentation of vulnerabilities in the CVE List.

There are distinct levels in the CNA hierarchy: Root, Top-Level Root, CNA of Last Resort (CNA-LR), and Sub-CNAs. The most common and basic level of CNA is the Sub-CNA, which assigns CVE identifiers to vulnerabilities specifically within their domain of responsibility. CNAs work together with other CNAs, higher-level CNAs, and the CVE Program to maintain an efficient and streamlined CVE assignment process.

The role of CNAs includes:

  • Receiving vulnerability reports from researchers, vendors, etc.
  • Verifying reports and ensuring they represent distinct vulnerabilities warranting a CVE ID.
  • Assigning a CVE ID from their unique block.
  • Notifying the vulnerability submitter about the assigned CVE ID.
  • Publishing CVE details to databases like NVD, their own security advisories, etc.
  • Updating CVE information and notifying affected parties as more details become available.

CNAs are a vital part of the CVE ecosystem. They enable coordinated, reliable assignment of IDs across the rapidly evolving threat landscape. Currently, there are 307 CNAs (305 CNAs and 2 CNA-LRs) from 36 countries participating in the CVE Program.

CNA Partners By Country

 

CNA Partners By Country (Source: cve.org)

 

Where do You Search for Publicly Disclosed Security Vulnerabilities?

There are several reputable databases that can be utilized to search for publicly disclosed security vulnerabilities. One of the most notable is the CVE List, a comprehensive catalog of publicly disclosed cybersecurity vulnerabilities managed by the CVE Numbering Authorities (CNAs). The CVE List is free to search, use, and incorporate into products and services. Organizations and security professionals rely on these resources to find details of known weaknesses impacting the products or technologies present in their environment.

Some places where publicly disclosed vulnerabilities can be searched include:

  • National Vulnerability Database (NVD) – Extensive CVE vulnerability database maintained by NIST, based on CVE List feed. Integrates with CVSS and CPE.
  • MITRE CVE List – Comprehensive list of CVE Records provided by MITRE.
  • US-CERT Vulnerability Notes Database – Contains disclosure records published by CISA.
  • Vulnerability search on vendor/manufacturer websites – Companies like Microsoft, Adobe, Cisco etc. provide vulnerability search capabilities on their own websites. Useful for product-specific flaws.
  • Vulnerability databases – Resources like VulnDB, Vulners, Secunia Research Community etc. provide CVE vulnerability data. Some integrate exploit and patch info.
  • Bug bounty platforms – Bugcrowd, HackerOne, etc. include limited vulnerability details disclosed through their bug bounty programs.
  • GIT repositories – Many security tools and projects provide vulnerability data in GIT repositories that can be searched.
  • Exploit databases – Sites like Exploit-DB contain proof-of-concept exploits that can reveal related vulnerabilities.
  • Search engines – Google hacking for specific keywords can reveal security advisories and vulnerability reports.

This list provides a starting point on where security practitioners can search for vulnerability data pertinent to the systems and software relevant to their organization.

List of Powerful Vulnerability Databases

Now,, it’s time to take a deeper look into some of the most comprehensive and widely used public vulnerability databases that can be leveraged to streamline vulnerability management programs.

cve.org

cve.org

CVE (Common Vulnerabilities and Exposures) is an international, community-driven security vulnerability database, which is maintained by the MITRE Corporation and funded by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security.

The website cve.org serves as a public platform that allows users to freely search, use, and incorporate information into their products and services. Each CVE Identifier, or CVE ID, includes a description of the vulnerability or exposure, and reference information from vulnerability reports and advisories. It’s important to note that the CVE system does not include risk, impact, fix, or other technical information, and it does not provide vulnerability management or vulnerability assessment capabilities. Rather, it is a key component that these types of capabilities can leverage.

Mitre

cve.mitre.org

Mitre.org is a well-known organization that manages numerous cybersecurity initiatives, including the CVE Program. Established in 1999, the CVE Program aims to identify, define, and catalog publicly disclosed security vulnerabilities in a standardized manner. This helps security professionals, organizations, and developers effectively address and manage vulnerabilities across their systems.

Mitre.org is responsible for the distribution and maintenance of the Common Vulnerabilities and Exposures (CVE) database. The CVE database contains a comprehensive list of vulnerabilities identified by both experts and the cybersecurity community. Mitre.org ensures that every vulnerability listed in the CVE database receives a unique identifier, which makes it easier for practitioners to reference and search specific vulnerabilities.

One of the strengths of Mitre.org’s CVE Program is its ability to integrate with other cybersecurity services and tools. This helps organizations streamline their vulnerability management processes and make informed security decisions based on accurate and up-to-date information.

For users wishing to download the CVE database, Mitre.org provides it in JSON format. To access the database, users can visit the CVE website’s download page and download the desired data file. The availability of the CVE database in JSON format enables researchers and security professionals to easily parse the information and integrate it with their analytical tools and systems.

In conclusion, Mitre.org plays a vital role in managing the CVE Program and maintaining the CVE database. Its commitment to standardizing vulnerability information and providing seamless integration capabilities makes it a valuable resource for cybersecurity professionals and organizations.

National Vulnerability Database

National Vulnerability Database

The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data. This data includes security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. Operated by the National Institute of Standards and Technology (NIST), the NVD uses the Common Vulnerabilities and Exposures (CVE) system for its vulnerability identifiers.

While the CVE system provides a baseline for identifying vulnerabilities, the NVD goes a step further by providing more detailed vulnerability information including severity scores, impact metrics, and enhanced data to support vulnerability management.

For each vulnerability listed in the database, the NVD includes the vulnerability’s description, published and modified dates, references, and the vulnerability’s severity score as measured by the Common Vulnerability Scoring System (CVSS). The NVD’s website provides users with the ability to search this database for information on specific vulnerabilities.

The NVD is a critical resource for organizations that want to protect their systems from known vulnerabilities. It allows security researchers, system administrators, and others to understand the nature of potential threats to their systems and to prioritize their actions based on the severity and potential impact of the vulnerabilities.

VulnDB

VulnDB

VulnDB is a vulnerability database that provides comprehensive information on known security vulnerabilities in software products. It is one of the most important sources for people responsible for handling vulnerabilities, vulnerability management, exploit analysis, cyber threat intelligence, and incident response handling.

VulnDB was originally created in 2002 by a group of security researchers who wanted to provide a central repository for information on security vulnerabilities. The database was originally called Open Source Vulnerability Database (OSVDB), and it was maintained by the Open Security Foundation (OSF). In 2016, the OSF closed down, and VulnDB was acquired by Flashpoint.

It was built with the goal of providing the most timely and accurate vulnerability intelligence available. The database includes information on each vulnerability’s technical details, mitigation strategies, exploit information, and links to original advisories, as well as a wealth of other relevant information that can be used by cybersecurity professionals to protect their systems.

It covers an extensive range of security vulnerabilities, including many not found in the CVE (Common Vulnerabilities and Exposures) database. This makes VulnDB the largest and most comprehensive vulnerability database in the industry. Its creators had a clear vision: to help organizations better understand their security risks and prioritize their response strategies accordingly.

One of the key features of VulnDB is its ability to serve an easy-to-use SaaS Portal and a RESTful API, allowing for seamless integration with GRC (Governance, Risk Management, and Compliance) tools, ticketing systems, and other third-party services. This flexibility empowers organizations to efficiently access and use the valuable vulnerability data provided by VulnDB.

VulnDB’s offerings go beyond just providing vulnerability information. The database is frequently updated and enriched with additional details, such as verified fixes, suggested solutions, and relevant chatter from social media platforms like Twitter. This valuable extra context allows security professionals to better understand the potential impact of a vulnerability and implement the most suitable remediation strategies.

Security Database

Security Database

Security Database is a prominent platform that was established to provide comprehensive information on publicly disclosed security vulnerabilities. As the largest vulnerability database in Europe, it has made a significant impact on the cybersecurity landscape, offering a wealth of resources for security professionals to draw upon. With an unwavering focus on presenting accurate and relevant data, Security Database maintains a confident, knowledgeable, neutral, and clear tone.

This extensive database not only offers a vast repository of vulnerability information but also provides users with numerous additional services. One notable feature is its ability to serve as an Application Programming Interface (API), which enables the seamless integration of its data with various third-party tools and software. This capacity allows users to access up-to-date vulnerability information in real time, ensuring they remain informed and protected from potential threats.

In addition to its primary function as a vulnerability database, Security Database offers various supplementary resources, including security research papers, exploit databases, and details on upcoming security-related events. These offerings contribute to the platform’s value as a one-stop solution for cybersecurity experts, enabling them to stay current on critical industry developments.

Vuldb

Vuldb

VulDB is the world’s leading vulnerability database, with over 235,000 entries. It was founded in 1998 and is now owned by pyxyp inc. VulDB provides comprehensive information on security vulnerabilities, including their technical details, exploit availability, and impact. It is a valuable resource for vulnerability management, exploit analysis, cyber threat intelligence, and incident response.

The moderation team at Vuldb actively monitors numerous sources 24/7 for information about new or existing vulnerabilities. Once a new vulnerability is identified, the team gathers additional data from various sources and creates a detailed Vuldb entry, which is then made available to customers through the website and API.

One of the key features of Vuldb is its ability to seamlessly integrate with third-party services, such as GRC tools and ticketing systems. This is achieved through its RESTful API, which enables easy access to vulnerability information, allowing organizations to quickly identify and respond to potential security risks.

Which Vulnerability Database is Perfect for You?

Every service offers distinct features. The CVE project and Mitre are authorized bodies whose primary responsibility is to assign CVE IDs to identified vulnerabilities. NVD’s task is to evaluate these CVE-assigned vulnerabilities and provide Severity and CVSS scores along with vector details. Other CNA authorities like VulnDB, Security Database, and VulDB offer more precise research information such as descriptions, technical details, affected software, hardware, and services, including version information. They also provide exploitation POC details and fix/mitigation information. The choice of a vulnerability database depends on the level of information you require.

Below is a basic comparison table for these entities based on key parameters. Keep in mind that this table provides a high-level overview, and the actual specifics may vary depending on different use cases, user requirements, and other factors. Some of these databases may offer more specific features, tools, or data through a subscription or specific partnership agreement.

CVE.org National Vulnerability Database MITRE.org VulnDB Security Database VulDB
Operated By MITRE Corp NIST MITRE Corp Risk Based Security Varies Scip AG
Information Provided Vulnerability identifiers Vulnerability details, metrics, and checklists Research, projects, and CVE system Detailed vulnerability info, mitigation strategies, exploit info Generally provides vulnerability info (specifics can vary) Detailed vulnerability info, references, affected software versions
Free Access Yes Yes Yes Limited free access, subscription for more data Varies Limited free access, subscription for more data
Scope Global Primarily U.S. focused Global Global Varies Global
Update Frequency Regularly Regularly Regularly Regularly Varies Regularly
API Support No Yes No Yes (with subscription) Varies Yes (with subscription)

Conclusion

Public vulnerability databases are invaluable resources that allow organizations to search for and analyze known security flaws impacting the myriad technologies they rely upon.

In this post, we looked at various facets of tracking vulnerabilities using CVE IDs, CVSS scoring and CNAs. We also covered the leading vulnerability data repositories like NVD, VulnDB, Vuldb, and more that security teams can leverage to power risk management programs.

Here are some key takeaways:

  • CVE IDs offer standardized naming for vulnerabilities. CVSS scores quantify severity. CNAs coordinate CVE assignments.
  • National Vulnerability Database provides extensive CVE listings with CVSS scoring.
  • MITRE CVE List contains the authoritative source of CVE data.
  • Vulnerability intelligence databases like VulnDB, VulDB, and others enhance CVE data with critical context.
  • Options like Security Database and CERT.org provide downloadable vulnerability data dumps.
  • Vendor databases and Git repositories also offer valuable vulnerability data.

 

List of 307 CVE Numbering Authority (CNA)

Partner Scope Program Role Organization Type Country*
42Gears Mobility Systems Pvt Ltd 42Gears branded products and technologies only CNA Vendor India
Absolute Software Absolute issues only CNA Vendor USA
Acronis International GmbH All Acronis products, including Acronis Cyber Protect, Acronis Cyber Protect Home Office, Acronis DeviceLock DLP, and Acronis Snap Deploy CNA Vendor Switzerland
Adobe Systems Incorporated Adobe issues only CNA Vendor USA
Advanced Micro Devices Inc. AMD branded products and technologies only CNA Vendor USA
Airbus All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope CNA Vendor, Researcher Netherlands
Alias Robotics S.L. All Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware), as well as machine tool and machine tool components, discovered by Alias Robotics that are not in another CNA’s scope CNA Vendor, Researcher Spain
Alibaba, Inc. Projects listed on its Alibaba GitHub website only CNA Vendor, Open Source China
AMI Vulnerabilities that affect AMI firmware and software products CNA Open Source, Vendor USA
Ampere Computing Ampere issues only CNA Vendor USA
Android (associated with Google Inc. or Open Handset Alliance) Android issues, as well as vulnerabilities in third-party software discovered by Android that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Apache Software Foundation All Apache Software Foundation issues only CNA Vendor, Open Source USA
AppCheck Ltd. Vulnerabilities discovered by AppCheck that are not within another CNA’s scope CNA Researcher UK
Apple Inc. Apple issues only CNA Vendor USA
Arista Networks, Inc. All Arista products only CNA Vendor USA
Arm Limited Arm-branded products and technologies and Arm-managed open source projects CNA Open Source, Vendor UK
Artica PFMS Pandora FMS, Integria IMS, and eHorus issues only CNA Vendor Spain
Asea Brown Boveri Ltd. (ABB) ABB issues only CNA Vendor Switzerland
ASUSTOR, Inc. ASUSTOR issues only CNA Vendor Taiwan
Atlassian All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/ and https://github.com/atlassian/ CNA Vendor, Open Source Australia
Austin Hackers Anonymous Vulnerabilities in the AHA! website and other AHA! controlled assets, as well as vulnerabilities identified in assets owned, operated, or maintained by another organization unless covered by the scope of another CNA CNA Researcher USA
Autodesk All currently supported Autodesk Applications and Cloud Services CNA Vendor USA
Automotive Security Research Group (ASRG) All automotive and related infrastructure vulnerabilities that are not in another CNA’s scope CNA Researcher USA
Avaya, Inc. All Avaya Generally Available (GA) products that are not in another CNA’s scope. A CVE ID will not be issued for End of Manufacturing Support (EoMS) products/versions CNA Vendor USA
Axis Communications AB Supported Axis products and solutions only CNA Vendor Sweden
B. Braun SE B. Braun’s commercially available products only CNA Vendor Germany
Baicells Technologies Co., Ltd. All Baicells products CNA Vendor China
Baidu, Inc. Projects listed on Baidu’s PaddlePaddle GitHub website only CNA Vendor, Open Source China
Baxter Healthcare Baxter’s commercially available products only CNA Vendor USA
Becton, Dickinson and Company (BD) BD software-enabled medical devices only CNA Vendor USA
Biohacking Village Vulnerabilities discovered by researchers in collaboration with Biohacking Village, with approval of Biohacking Village’s sponsors, that are not in another CNA’s scope CNA Researcher USA
Bitdefender All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope CNA Vendor, Researcher Romania
Black Lantern Security Vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA’s scope CNA Researcher USA
BlackBerry BlackBerry and Good product issues only CNA Vendor Canada
Brocade Communications Systems, LLC Brocade products only CNA Vendor USA
Bugcrowd Inc. Vulnerabilities discovered by researchers in collaboration with Bugcrowd, with approval of Bugcrowd’s clients, and not in the scope of another CNA CNA Bug Bounty Provider, Vendor, Open Source USA
CA Technologies – A Broadcom Company CA Technologies issues only CNA Vendor USA
Canon Inc. Vulnerabilities in products and services designed and developed by Canon Inc. CNA Vendor Japan
Canonical Ltd. All Canonical issues (including Ubuntu Linux) only CNA Vendor, Open Source UK
Carrier Global Corporation Carrier Global products only CNA Hosted Service, Vendor USA
Censys All Censys products, and vulnerabilities discovered by Censys that are not in another CNA’s scope CNA Vendor, Researcher USA
CERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT USA
CERT@VDE Products of the vendors: Beckhoff, Bender, Endress+Hauser, Etherwan Systems, HIMA, Festo, Koramis, ifm, Miele, Pepperl+Fuchs, Phoenix Contact, PILZ, Sysmik, Weidmueller, and WAGO. Also, industrial and infrastructure control systems (and its components) of European Union (EU) based vendors as long as there is no CNA with a more specific scope for the vulnerability CNA CERT Germany
Check Point Software Ltd. Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope CNA Vendor, Researcher Israel
Chrome Chrome and Chrome OS issues, and projects that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Cisco Systems, Inc. All Cisco products, and any third-party research targets that are not in another CNA’s scope. Cisco will not issue a CVE ID for issues reported on products that are past the Last Day of Support milestone, as defined on Cisco’s End-of-Life Policy, which is available at https://www.cisco.com/c/en/us/products/eos-eol-policy.html CNA Hosted Service, Open Source, Researcher, Vendor USA
Citrix Systems, Inc. Citrix issues only CNA Vendor USA
Cloudflare, Inc. All Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope CNA Vendor USA
Crafter CMS Crafter CMS issues only CNA Vendor, Open Source USA
Crestron Electronics, Inc. Crestron products CNA Vendor USA
Crowdstrike Holdings, Inc. Crowdstrike Sensor issues, excluding unsupported versions, and issues in third-party products or services identified by Crowdstrike research unless covered in the scope of another CNA CNA Vendor USA
Cybellum Technologies LTD All Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope CNA Vendor Israel
Cyber Security Works Pvt. Ltd. Vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope CNA Researcher India
CyberArk Labs Vulnerabilities discovered by CyberArk Labs that are not in another CNA’s scope CNA Vendor, Researcher Israel
CyberDanube All CyberDanube products, as well as vulnerabilities in third-party hardware/software discovered by CyberDanube or partners actively engaged in vulnerability research coordination, which are not within the scope of another CNA CNA Researcher, Vendor Austria
Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Industrial control systems and medical devices Top-Level Root, CNA-LR CERT USA
Dahua Technologies Dahua consumer Internet of Things (IoT) products, excludes End-of-Life products CNA Vendor China
Dassault Systèmes All websites of the corporate group and of any subsidiaries, including but not limited to www.3ds.com and www.solidworks.com; all Software as a Service solutions, such as 3DEXPERIENCE or ScienceCloud, but also any online hosting linked to our brands; and all Dassault Systèmes licensed software products CNA Vendor France
Debian GNU/Linux Debian issues only CNA Vendor, Open Source USA
DeepSurface Security, Inc. All DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope CNA Vendor, Researcher USA
Dell Dell, Dell EMC, and VCE issues only CNA Vendor USA
Devolutions Inc. Remote Desktop Manager and Devolutions Server products CNA Vendor, Open Source Canada
Docker Inc. All Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open-source projects CNA Vendor, Open Source USA
Document Foundation, The Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues CNA Vendor, Open Source Germany
dotCMS LLC All dotCMS product services including the vulnerabilities reported in our open-source core located at https://github.com/dotCMS/core CNA Hosted Service USA
Dragos, Inc. Dragos products and third-party products it researches related to operational technology (OT)/industrial control systems (ICS) not covered by another CNA CNA Vendor, Researcher USA
Drupal.org All projects hosted under drupal.org only CNA Vendor, Open Source USA
Dual Vipers LLC Dual Vipers projects and products (both open and closed source), as well as vulnerabilities in third-party software discovered by Dual Vipers that are not in another CNA’s scope CNA Hosted Service, Open Source, Researcher, Vendor USA
Dutch Institute for Vulnerability Disclosure (DIVD) Vulnerabilities in software discovered by DIVD, and vulnerabilities reported to DIVD for coordinated disclosure, which are not in another CNA’s scope CNA Researcher Netherlands
Eaton Eaton issues only CNA Vendor Ireland
Eclipse Foundation Eclipse IDE and the Eclipse Foundation’s eclipse.orgpolarysys.org, and locationtech.org open source projects only CNA Vendor, Open Source Canada
Elastic Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only CNA Vendor Netherlands
Electronic Arts, Inc. EA issues only CNA Vendor USA
Environmental Systems Research Institute, Inc. All Esri products only CNA Vendor USA
ESET, spol. s r.o. All ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope CNA Vendor, Researcher Slovak Republic
Exodus Intelligence Vulnerabilities discovered by Exodus Intelligence as well as acquisitions from independent researchers via its Research Sponsorship Program (RSP) CNA Bug Bounty Provider, Researcher USA
F-Secure All F-Secure products and security vulnerabilities discovered by F-Secure in third-party software not in another CNA’s scope CNA Vendor, Researcher Finland
F5, Inc. All F5 products and services, commercial and open source, which have not yet reached End of Technical Support (EoTS). All legacy acquisition products and brands including, but not limited to, NGINX, Shape Security, Volterra, and Threat Stack. F5 does not issue CVEs for products which are no longer supported CNA Vendor, Open Source USA
Fedora Project Vulnerabilities in open-source projects affecting the Fedora Project, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project CNA Vendor, Open Source USA
Fidelis Cybersecurity, Inc. Fidelis issues only CNA Vendor USA
Flexera Software LLC All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
floragunn GmbH All issues related to Search Guard only CNA Vendor, Open Source Germany
Fluid Attacks Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope CNA Researcher Colombia
Forcepoint Forcepoint products only CNA Vendor USA
ForgeRock, Inc. ForgeRock issues only CNA Vendor, Open Source USA
Fortinet, Inc. Fortinet issues only CNA Vendor USA
FPT Software Co., Ltd. All products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software that are not in another CNA’s scope CNA Vendor, Researcher Vietnam
Frappe Technologies Pvt. Ltd. Vulnerabilities relating to Frappe Framework, ERPNext product, erpnext.com, and frappecloud.com hosting services, as well as other vulnerabilities discovered by Frappe Technologies that are not under the scope of any other CNA CNA Bug Bounty Provider India
FreeBSD Primarily FreeBSD issues only CNA Vendor, Open Source USA
FULL INTERNET All FULL products, as well as vulnerabilities in third-party software discovered by FULL that are not in another CNA’s scope CNA Bug Bounty Provider, Hosted Service, Vendor, Researcher Brazil
Gallagher Group Ltd. All Gallagher security products only CNA Vendor New Zealand
GE Healthcare GE Healthcare products CNA Vendor USA
General Electric (Gas Power) GE (Gas Power) issues only CNA Vendor USA
Genetec Inc. Genetec products and solutions only CNA Hosted Service, Vendor Canada
Gitea Limited Gitea issues only CNA Open Source, Vendor China
GitHub, Inc. GitHub currently only covers CVEs requested by software maintainers using the GitHub Security Advisories feature CNA Vendor USA
GitHub, Inc. (Products Only) GitHub Enterprise Server issues only CNA Vendor USA
GitLab Inc. The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope CNA Vendor, Researcher USA
Glyph & Cog, LLC Xpdf open source project, including the xpdf viewer and associated command line tools CNA Open Source, Vendor USA
Go Project Vulnerabilities in software published by the Go Project (including the Go standard library, Go toolchain, and the golang.org modules) and publicly disclosed vulnerabilities in publicly importable packages in the Go ecosystem, unless covered by another CNA’s scope CNA Vendor, Open Source USA
Google Devices Google Devices – Pixel, Nest, and Chromecast CNA Vendor USA
Google LLC Root Scope: Alphabet organizationsCNA Scope: Google products that are not covered by Android and Chrome, as well as vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope Root, CNA Vendor, Open Source, Researcher USA
Google Open Source Software Vulnerabilities in open source software published and maintained by Google CNA Vendor, Open Source USA
Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) Vulnerabilities discovered by GovTech CSG only that are not in another CNA’s scope CNA Researcher Singapore
Grafana Labs All Grafana Labs open source and commercial products CNA Vendor, Open Source USA
Green Rocket Security Inc. Green Rocket Security products including EOL unless covered by another CNA’s scope CNA Vendor USA
GS McNamara LLC GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that we are researching or coordinating that are not in another CNA’s scope CNA Vendor, Researcher USA
HackerOne Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform CNA Bug Bounty Provider USA
Halborn All blockchain and Web3 products that rely on smart contracts written in Rust, Go, and Solidity, as well as blockchain associated Web2 and Web3 infrastructure not covered by another CNA CNA Researcher USA
Hallo Welt! GmbH BlueSpice vulnerabilities only CNA Vendor Germany
Hangzhou Hikvision Digital Technology Co., Ltd. All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs) CNA Vendor China
Hanwha Vision Co., Ltd. Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) CNA Vendor South Korea
HashiCorp Inc. All HashiCorp products and projects unless covered by another CNA’s scope CNA Vendor USA
HCL Software All HCL products only CNA Vendor India
Hewlett Packard Enterprise (HPE) HPE issues only CNA Vendor USA
Hillstone Networks Inc. Vulnerabilities in our products listed at https://www.hillstonenet.com/hillstone-networks-product-portfolio and the products we sell only in China listed at https://www.hillstonenet.com.cn/product_service/, not including our websites CNA Vendor China
Hitachi Energy Hitachi Energy products only CNA Vendor Switzerland
Hitachi Vantara All Hitachi Vantara products and technologies CNA Vendor USA
Hitachi, Ltd. Hitachi products excluding Hitachi Energy and Hitachi Vantara products CNA Vendor Japan
Honeywell International Inc. All Honeywell products CNA Vendor USA
Honor Device Co., Ltd. Vulnerabilities in Honor products and services unless covered by the scope of another CNA CNA Vendor China
HP Inc. HP Inc. issues only CNA Vendor USA
Huawei Technologies Huawei issues only CNA Vendor China
huntr.dev Vulnerabilities in third-party code reported to huntr.dev that are not in another CNA’s scope CNA Bug Bounty Provider UK
HYPR Corp All HYPR products only CNA Vendor USA
IBM Corporation All IBM products, as well as vulnerabilities in third-party software discovered by IBM X-Force Red that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
ID Business Solutions IDBS products as listed on https://www.idbs.com/products/ CNA Vendor UK
IDEMIA All IDEMIA products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by IDEMIA that are not in another CNA’s scope CNA Researcher, Vendor France
Illumio Illumio issues only CNA Vendor USA
Indian Computer Emergency Response Team (CERT-In) Vulnerability coordination for vulnerabilities in all products reported to CERT-In in accordance with our vulnerability coordination role as a CERT. Vulnerability assignments for vulnerabilities impacting all products designed, developed, and manufactured in India CNA CERT India
Intel Corporation Intel branded products and technologies and Intel managed open source projects CNA Vendor, Open Source USA
Internet Systems Consortium (ISC) All ISC.org projects CNA Vendor, Open Source USA
IoT83 Ltd Vulnerabilities in IoT83 product(s), services, and components only. Third-party, open-source components used in IoT83 product(s), services, and components are not in scope CNA Vendor USA
Israel National Cyber Directorate (INCD) Vulnerability assignment related to its vulnerability coordination role CNA CERT Israel
Jenkins Project Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only CNA Open Source USA
JetBrains s.r.o. JetBrains products only CNA Vendor, Open Source Czech Republic
JFrog All JFrog products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by JFrog that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to JFrog (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope CNA Vendor, Researcher Israel
Johnson Controls Johnson Controls products only CNA Vendor USA
Joomla! Project Core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only CNA Vendor, Open Source USA
JPCERT/CC Root Scope: Japan organizationsCNA Scope: Vulnerability assignment related to its vulnerability coordination role Root, CNA CERT Japan
Juniper Networks, Inc. Juniper issues only CNA Vendor, Open Source USA
Kaspersky Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope CNA Vendor, Researcher Russia
KNIME AG All vulnerabilities on software products that our company provides, including KNIME Analytics Platform, KNIME Server, and KNIME Hub CNA Vendor Switzerland
KrakenD, S.L. KrakenD EE, KrakenD CE, and Lura issues only CNA Vendor, Open Source Spain
KrCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT South Korea
Kubernetes Kubernetes issues only CNA Vendor, Open Source USA
Larry Cashdollar Third-party products he researches that are not in another CNA’s scope CNA Researcher USA
Lenovo Group Ltd. Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only CNA Vendor USA
LG Electronics LG Electronics products only CNA Vendor South Korea
Liferay, Inc. All Liferay supported products and end-of-life/end-of-service products CNA Vendor USA
LINE Corporation Current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line CNA Vendor, Open Source Japan
Logitech All current products/software/apps made by LogitechUltimate EarsJaybirdStreamlabsLogitech GLogicoolBlue, and Astro Gaming CNA Vendor Switzerland
M-Files Corporation M-Files and Hubshare products CNA Vendor Finland
MarkLogic Corporation MarkLogic issues only CNA Vendor USA
Mattermost, Inc. All Mattermost issues, and vulnerabilities discovered by Mattermost that are not in another CNA’s scope CNA Vendor, Researcher USA
Mautic Mautic core and officially supported plugins CNA Vendor, Open Source USA
MediaTek, Inc. MediaTek product issues only CNA Vendor Taiwan
Medtronic All products of Medtronic or a Medtronic company including supported products and end-of-life/end-of-service products, as well as vulnerabilities in third-party software discovered in Medtronic products that are not in another CNA’s scope CNA Vendor USA
Mend Vulnerabilities in Mend (formerly WhiteSource) products and vulnerabilities in third-party software discovered by Mend that are not in another CNA’s scope CNA Vendor, Researcher USA
Meta Platforms, Inc. Meta-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Meta that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/ CNA Vendor, Open Source, Researcher USA
Microsoft Corporation Microsoft issues only CNA Vendor USA
MIM Software Inc. MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA CNA Vendor USA
Mirantis All Mirantis products (supported products and end-of-life/end-of-service products) and open source offerings, as well as vulnerabilities in third-party software discovered by Mirantis that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
MITRE Corporation All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this website Top-Level Root, CNA-LR, Secretariat N/A USA
Mitsubishi Electric Corporation Mitsubishi Electric issues only CNA Vendor Japan
MongoDB, Inc. MongoDB products only, not including end-of-life components or products CNA Vendor, Open Source USA
Moxa Inc. Moxa products only CNA Vendor Taiwan
Mozilla Corporation Mozilla issues only CNA Vendor, Open Source USA
National Cyber Security Centre Finland (NCSC-FI) Vulnerabilities in software discovered by NCSC-FI, and vulnerabilities reported to NCSC-FI for coordinated disclosure, which are not in another CNA’s scope CNA CERT Finland
National Cyber Security Centre Netherlands (NCSC-NL) Vulnerabilities in software discovered by NCSC-NL, and vulnerabilities reported to NCSC-NL for coordinated disclosure, which are not in another CNA’s scope CNA CERT Netherlands
National Cyber Security Centre SK-CERT Vulnerabilities in software discovered by National Cyber Security Centre SK-CERT, and vulnerabilities reported to National Cyber Security Centre SK-CERT for coordinated disclosure, which are not in another CNA’s scope CNA CERT Slovak Republic
National Instruments NI products only (including National Instruments) CNA Vendor USA
Naver Corporation Naver products only, except Line products CNA Vendor South Korea
NEC Corporation NEC issues only CNA Vendor Japan
NetApp, Inc. All NetApp products as well as projects hosted on https://github.com/netapp CNA Vendor USA
Netflix, Inc. Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix/ and https://github.com/spinnaker/ CNA Vendor, Open Source USA
NetRise Vulnerabilities in third-party Extended Internet of Things (XIoT) devices and firmware NetRise researches that are not covered by another CNA CNA Researcher USA
Netskope All Netskope products and services CNA Vendor USA
NLnet Labs All NLnet Labs projects CNA Vendor, Open Source Netherlands
Node.js All actively developed versions of software developed under the Node.js project on https://github.com/nodejs/ CNA Vendor, Open Source USA
NortonLifeLock Inc. All NortonLifeLock product issues only CNA Vendor USA
Nozomi Networks Inc. All Nozomi Networks products, as well as vulnerabilities in third-party software discovered by Nozomi Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
NVIDIA Corporation NVIDIA issues only CNA Vendor USA
Objective Development Software GmbH Objective Development issues only CNA Vendor Austria
Octopus Deploy All Octopus Deploy products, as well as Octopus Deploy maintained projects hosted on https://github.com/OctopusDeploy CNA Vendor, Open Source Australia
Odoo Odoo issues only CNA Vendor Belgium
Okta Okta issues only CNA Vendor USA
ONEKEY GmbH All ONEKEY products and vulnerabilities in third-party software discovered by ONEKEY that are not in another CNA’s scope CNA Vendor, Researcher Germany
Open Design Alliance Open Design Alliance products only CNA Vendor USA
Open-Xchange Products and services provided by Open-Xchange, PowerDNS, and Dovecot CNA Open Source, Vendor Germany
OpenAnolis OpenAnolis issues only CNA Vendor, Open Source China
OpenCloudOS Community OpenCloud OS issues only, not including EOL products, unless covered by another CNA’s scope CNA Open Source China
openEuler openEuler issues only CNA Vendor, Open Source China
openGauss Community openGauss issues only CNA Open Source China
OpenHarmony openHarmony issues only CNA Open Source China
OpenSSL Software Foundation OpenSSL software projects only CNA Vendor, Open Source USA
OpenText (formerly Micro Focus) All OpenText products (including Carbonite, Zix, Micro Focus, others) CNA Vendor USA
OpenVPN Inc. All products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel CNA Vendor, Open Source USA
Opera Opera issues only CNA Vendor, Open Source Norway
OPPO Mobile Telecommunication Corp., Ltd. OPPO devices only CNA Vendor China
Oracle Oracle supported version product issues only; CVE IDs will not be assigned for unsupported products or versions (Oracle will confirm support status and notify researcher) CNA Hosted Service, Open Source, Vendor USA
OTRS AG Vulnerabilities for OTRS and ((OTRS)) Community Edition and modules only CNA Vendor Germany
Palantir Technologies Palantir products and technologies only CNA Vendor USA
Palo Alto Networks, Inc. All Palo Alto Networks products, and vulnerabilities discovered by Palo Alto Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
Panasonic Holdings Corporation All products and services developed and/or sold by Panasonic Group companies CNA Vendor Japan
Patchstack Vulnerabilities in third-party PHP products discovered by Patchstack and Patchstack Red Team CNA Bug Bounty Provider, Hosted Service, Open Source, Researcher, Vendor Estonia
Payara All Payara Platform product distributions (Payara Server, Micro, Embedded) for both Enterprise (commercial) and Community (OSS) distributions CNA Open Source, Vendor UK
Pegasystems Inc. Pegasystems products only CNA Vendor USA
Philips Philips issues only CNA Vendor Netherlands
PHP Group Vulnerabilities in PHP code (code in https://github.com/php/php-src) only CNA Vendor, Open Source USA
Ping Identity Corporation All Ping Identity products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Ping Identity that are not in another CNA’s scope CNA Hosted Service, Researcher, Bug Bounty Provider USA
Profelis IT Consultancy Products and services developed by Profelis IT Consultancy including enterprise directory solution SambaBox and password reset product PassBox CNA Vendor Türkiye
Proofpoint Inc. All Proofpoint products CNA Hosted Service, Vendor USA
Puppet All Puppet products, as well as all projects on https://github.com/puppetlabs/ CNA Vendor, Open Source USA
QNAP Systems, Inc. QNAP issues only CNA Vendor Taiwan
Qualcomm, Inc. Qualcomm and Snapdragon issues only CNA Vendor USA
Qualys, Inc. All Qualys products and vulnerabilities discovered by Qualys that are not covered by another CNA’s scope CNA Vendor, Researcher USA
Rapid7, Inc. All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Red Hat, Inc. Root Scope: The Red Hat Root’s scope includes the open-source community. Any open-source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them betterCNA Scope: Vulnerabilities in open-source projects affecting Red Hat offerings, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat offerings Root, CNA Vendor, Open Source USA
Replicated, Inc. Replicated products and services only CNA Vendor USA
Rhino Mobility Rhino Mobility issues only CNA Vendor USA
Ribose Limited All Ribose products and services, including open-source projects, supported products, and end-of-life/end-of-service products CNA Hosted Service, Open Source, Vendor UK
Robert Bosch GmbH Bosch products only CNA Vendor Germany
Rockwell Automation All Rockwell Automation products CNA Vendor USA
SailPoint Technologies SailPoint issues only CNA Vendor USA
Salesforce, Inc. Salesforce products only CNA Vendor USA
Samsung Mobile Samsung Mobile Galaxy products, personal computers, and related services only CNA Vendor South Korea
Samsung TV & Appliance Samsung TV & Appliance products, Samsung-owned open-source projects listed on https://github.com/Samsung/, as well as vulnerabilities in third-party software discovered by Samsung that are not in another CNA’s scope. Vulnerabilities affecting end-of-life/end-of-service products are in scope. The following categories of Samsung Products are in scope: Internet-connected home appliances, B2C product (smart TV, smart monitor, soundbar, and projector), and B2B products (digital signage, interactive display, and kiosk) CNA Open Source, Researcher, Vendor South Korea
SAP SE All SAP products CNA Vendor Germany
Schneider Electric All Schneider Electric products, including Proface, APC, and Eurotherm CNA Vendor France
Schweitzer Engineering Laboratories, Inc. All Schweitzer Engineering Laboratories products CNA Vendor USA
Seagate Technology Any Seagate or LaCie software or hardware, open or closed source, supported and end of life, as well as any vulnerabilities in third-party software discovered by Seagate that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Secomea A/S Supported Secomea products only CNA Vendor Denmark
Securifera, Inc. Vulnerabilities in vendor products discovered by Securifera, or related parties, while performing vulnerability research or security assessments CNA Researcher USA
Security Risk Advisors (SRA) Vulnerabilities discovered by SRA that are not within the scope of another CNA CNA Researcher USA
senhasegura Vulnerabilities in senhasegura products, and other vulnerabilities discovered by senhasegura that are not in another CNA’s scope CNA Vendor, Researcher Brazil
ServiceNow All ServiceNow products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by ServiceNow that are not in another CNA’s scope CNA Hosted Service, Researcher, Vendor USA
Shop Beat Solutions (Pty) LTD Vulnerabilities in Shop Beat products and services and vulnerabilities discovered by Shop Beat unless covered by the scope of another CNA CNA Hosted Service, Vendor South Africa
SICK AG SICK AG issues only CNA Vendor Germany
Siemens Siemens issues only CNA Vendor Germany
Sierra Wireless Inc. Sierra Wireless products only CNA Vendor Canada
Silicon Labs Silicon Labs issues only CNA Vendor USA
Silver Peak Systems, Inc. Silver Peak product issues only CNA Vendor USA
Simplinx Ltd. Simplinx products only CNA Vendor Türkiye
Snow Software All Snow Software products CNA Vendor Sweden
Snyk Vulnerabilities in Snyk products and vulnerabilities discovered by, or reported to, Snyk that are not in another CNA’s scope CNA Open Source, Researcher UK
SolarWinds SolarWinds products only CNA Vendor USA
Solidigm Solidigm branded products and technologies CNA Vendor USA
SonicWall, Inc. SonicWall issues only CNA Vendor USA
Sophos Limited Sophos issues only CNA Vendor UK
Spanish National Cybersecurity Institute, S.A. (INCIBE) Root Scope: Spain organizationsCNA Scope: Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level, and vulnerabilities reported to INCIBE by Spain organizations and researchers that are not in another CNA’s scope Root, CNA CERT Spain
Splunk Inc. Splunk products only CNA Vendor USA
STAR Labs SG Pte. Ltd. Vulnerabilities discovered by STAR Labs SG that are not in another CNA’s scope CNA Researcher Singapore
StrongDM StrongDM issues only CNA Vendor USA
SUSE SUSE and Rancher issues only CNA Vendor, Open Source USA
Swift Project The Swift Project only CNA Vendor, Open Source USA
Switzerland National Cyber Security Centre (NCSC) Switzerland Government Common Vulnerability Program CNA CERT Switzerland
Symantec – A Division of Broadcom Symantec Enterprise products as well as vulnerabilities in third-party software discovered by Symantec that are not in another CNA’s scope CNA Vendor, Researcher USA
Synaptics, Inc. Synaptics issues only CNA Vendor USA
Synology Inc. Synology issues only CNA Vendor Taiwan
Synopsys All Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope CNA Vendor, Researcher USA
Talos Third-party products it researches CNA Researcher USA
Tcpdump Group Tcpdump and Libpcap only CNA Vendor, Open Source Canada
TeamViewer Germany GmbH TeamViewer issues only CNA Vendor Germany
Temporal Technologies Inc. All Temporal Technologies software CNA Hosted Service, Open Source USA
Tenable Network Security, Inc. Tenable products and third-party products it researches not covered by another CNA CNA Vendor USA
Thales Group Thales branded products and technologies only CNA Vendor, Researcher France
The HISP Centre at the University of Oslo Security issues in DHIS2 open-source web and mobile software applications CNA Vendor, Open Source Norway
The Missing Link Australia (TML) TML vulnerability disclosure policy applies to any third-party vendor products to whom TML will assign the CVEs for vulnerabilities, if the product is not a part of another CNA scope CNA Researcher Australia
The OpenBMC Project Vulnerabilities related to the repositories maintained by the OpenBMC project CNA Vendor, Open Source USA
The OpenNMS Group OpenNMS issues only CNA Vendor, Open Source USA
TianoCore.org Software vulnerabilities related to the TianoCore Open Source CNA Vendor, Open Source USA
TIBCO Software Inc. TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only CNA Vendor USA
Tigera, Inc. All vulnerabilities for Calico and all of Tigera’s products only CNA Vendor, Open Source USA
Toshiba Corporation Vulnerabilities related to products and services of Toshiba Corporation CNA Vendor Japan
TR-CERT (Computer Emergency Response Team of the Republic of Türkiye) Vulnerability assignment related to its vulnerability coordination role CNA CERT Türkiye
Trellix All Trellix Enterprise (formerly McAfee Enterprise and FireEye) products, as well as vulnerabilities in third-party software discovered by Trellix Advanced Research Center (Trellix ACR) that are not in another CNA’s scope CNA Vendor, Researcher USA
Trend Micro, Inc. Trend Micro supported productsend-of-life products, and all issues related to TXOne products CNA Vendor Japan
Tribe29 GmbH All products of Tribe29 including Checkmk and Checkmk Appliance CNA Vendor, Open Source Germany
TWCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT Taiwan
Unisoc (Shanghai) Technologies Co., Ltd. Unisoc issues only CNA Vendor China
Vaadin Ltd. All Vaadin products and supported open-source projects hosted at https://github.com/vaadin CNA Vendor, Open Source Finland
Vivo Mobile Communication Co., Ltd. Vivo issues only CNA Vendor China
VMware VMware, Spring, and Cloud Foundry issues only CNA Vendor, Open Source USA
VulDB Vulnerabilities discovered by, or reported to, the VulDB vulnerability database that are not in another CNA’s scope CNA Researcher Switzerland
VulnCheck Vulnerabilities discovered by, or reported to, VulnCheck that are not in another CNA’s scope CNA Bug Bounty Provider, Researcher USA
Vulnscope Technologies Provides CVE IDs for customers as part of our bug bounty and vulnerability coordination platform CNA Bug Bounty Provider Chile
WatchGuard Technologies, Inc. Vulnerabilities in all WatchGuard products and products of WatchGuard subsidiaries CNA Vendor USA
Western Digital Western Digital products including WD, SanDisk, SanDisk Professional, G-Technology, and HGST only CNA Vendor USA
wolfSSL Inc. Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products CNA Vendor, Open Source USA
Wordfence WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team CNA Vendor, Researcher USA
WPScan WordPress core, plugins, and themes CNA Vendor, Open Source France
Xen Project All sub-projects under Xen Project’s umbrella (see Xen Project Teams), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer CNA Vendor, Open Source UK
Xiaomi Technology Co., Ltd. Xiaomi issues only CNA Vendor China
Xylem Xylem products and technologies only CNA Vendor USA
Yandex N.V. Yandex issues only CNA Vendor Russia
Yugabyte, Inc. Yugabyte products only CNA Hosted Service, Vendor USA
Zabbix Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only CNA Vendor Latvia
Zephyr Project Zephyr project components, and vulnerabilities that are not in another CNA’s scope CNA Vendor, Open Source USA
Zero Day Initiative Products and projects covered by its bug bounty programs that are not in another CNA’s scope CNA Bug Bounty Provider Japan
ZGR ZGR manufactured products CNA Vendor Spain
Zoom Video Communications, Inc. Zoom and Keybase issues only CNA Vendor USA
Zowe Vulnerabilities in Zowe.org open source projects CNA Open Source USA
Zscaler, Inc. Zscaler issues only CNA Vendor USA
ZTE Corporation ZTE products only CNA Vendor China
ZUSO Advanced Research Team (ZUSO ART) Vulnerabilities in third-party products discovered by ZUSO ART that are not in another CNA’s scope CNA Researcher Taiwan
Zyxel Corporation Zyxel products issues only CNA Vendor Taiwan

Leave a Reply