CVE Numbering Authority (CNA) Process Enhancements Announced
Severity: Low (Score: 24.9)
Sources: nvd.nist.gov
Summary
The CVE Numbering Authority (CNA) program has been detailed, emphasizing the vetting process for software vulnerabilities submitted for CVE IDs. Organizations wishing to become CNAs must demonstrate expertise and follow strict guidelines. The hierarchy of CNAs is established, with Program Root, Root, and Sub-CNAs, each with specific responsibilities. CNAs are required to provide accessible URLs for reported vulnerabilities. This structured approach aims to ensure consistency and reliability in vulnerability reporting and management. The National Vulnerability Database (NVD) will analyze and publish these vulnerabilities after CVE ID assignment. The onboarding process for CNAs includes rigorous training and compliance checks.

Key Points:
• CNA program requires organizations to demonstrate expertise in vulnerability management.
• CNA hierarchy includes Program Root, Root, and Sub-CNAs with defined responsibilities.
• Vulnerabilities must have accessible URLs for proper vetting and publication.