Request CVE IDs

CVE prioritizes the assignment of CVE Identifiers (CVE IDs) for the products, vendors, and product categories listed below, but you may request a CVE ID for any vulnerability.

New users, follow these steps to request CVE IDs:

1. Locate the correct CVE Numbering Authority (CNA) whose scope includes the product affected by the vulnerability in the CNAs table below.
2. Contact that CNA using the contact method provided.
3. If the product affected by the vulnerability is not covered by a CNA listed below , please contact the appropriate CNA of Last Resort (CNA-LR) in the CNA-LR table below.

Participating CNAs

Roots, CNAs of Last Resort, and all other CNAs, are listed below.

Root Name & Scope	Contact Method	Disclosure Policy	Security Advisories	Program Role & Type	Country
Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Industrial control systems and medical devices	CISA ICS Root contact page Submit a Report	Policy	Alerts Advisories	Top-Level Root CNA of Last Resort National & Industry CERTs	USA
MITRE Corporation All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this page	MITRE CVE Request web form	N/A	N/A	Top-Level Root CNA of Last Resort	USA
JPCERT/CC Japan organizations	vuls@jpcert.or.jp JPCERT/CC contact page	Policy	Advisories	Root National & Industry CERTs	Japan
Spanish National Cybersecurity Institute, S.A. (INCIBE) Spain organizations		Policy (Spanish) Policy (English)	Advisories (Spanish) Advisories (English)	Root National & Industry CERTs	Spain

CNA-LR Name & Scope	Contact Method	Disclosure Policy	Other Program Role
CISA ICS Industrial control systems and medical devices	CISA ICS Root contact page Submit a Report	Policy	Top-Level Root
MITRE All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this page	MITRE CVE Request web form	N/A	Top-Level Root

CNAs are listed alphabetically:

CNA Name & Scope	CNA Contact Method	Disclosure Policy	Security Advisories	CNA Role & Type	CNA’s Root	Country
Adobe Systems Incorporated Adobe issues only	psirt@adobe.com Adobe security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Advanced Micro Devices Inc. AMD branded products and technologies only	psirt@amd.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Airbus All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope	vuln@airbus.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Netherlands
Alias Robotics S.L. All Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware) discovered by Alias Robotics that are not in another CNA’s scope	cve@aliasrobotics.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	CISA ICS	Spain
Alibaba, Inc. Projects listed on its Alibaba GitHub website only	alibaba-cna@list.alibaba-inc.com Alibaba website Alibaba GitHub website	Policy	Advisories	CNA Vendors and Projects	MITRE	China
Ampere Computing Ampere issues only	psirt@amperecomputing.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Android (associated with Google Inc. or Open Handset Alliance) Android issues, as well as vulnerabilities in third-party software discovered by Android that are not in another CNA’s scope	android-cna-team@google.com Android Security Rewards Program	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Apache Software Foundation All Apache Software Foundation issues only	security@apache.org Apache security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Apple Inc. Apple issues only	product-security@apple.com Apple security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Arista Networks, Inc. All Arista products only	psirt@arista.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Asea Brown Boveri Ltd. (ABB) ABB issues only	cybersecurity@ch.abb.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	Switzerland
Atlassian All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/atlassian and https://github.com/atlassian/	security@atlassian.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Australia
Autodesk All currently supported Autodesk Applications and Cloud Services	psirt@autodesk.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Avaya, Inc. All Avaya products only	securityalerts@avaya.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Axis Communications AB Axis products and solutions only	product-security@axis.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Sweden
Becton, Dickinson and Company (BD) BD software-enabled medical devices only	cybersecurity@bd.com Report a Cybersecurity Issue	Policy	Advisories	CNA Vendors and Projects	CISA ICS	USA
Bitdefender All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope	cve-requests@bitdefender.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Romania
BlackBerry BlackBerry and Good product issues only	secure@blackberry.com Blackberry security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	Canada
Brocade Communications Systems, LLC Brocade products only	brocade.sirt@broadcom.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Canonical Ltd. All Canonical issues (including Ubuntu Linux) only	security@ubuntu.com Ubuntu security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	UK
CA Technologies - A Broadcom Company CA Technologies issues only	ca.psirt@broadcom.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
CERT/CC Vulnerability assignment related to its vulnerability coordination role	cert@cert.org CERT/CC contact page	Policy	Advisories	CNA National and Industry CERTs	MITRE	USA
CERT@VDE Products of the vendors: Beckhoff, Bender, Endress+Hauser, Etherwan Systems, HIMA, Festo, Koramis, ifm, Miele, Pepperl+Fuchs, Phoenix Contact, PILZ, Sysmik, Weidmueller, and WAGO. Also, industrial and infrastructure control systems (and its components) of European Union (EU) based vendors as long as there is no CNA with a more specific scope for the vulnerability	info@cert.vde.com	Policy	Advisories	CNA National and Industry CERTs	CISA ICS	Germany
Check Point Software Ltd. Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope	cve@checkpoint.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Israel
Chrome Chrome and Chrome OS issues, and projects that are not in another CNA’s scope	Report Chrome vulnerabilities (email) Questions about Chrome’s CVE Records (email)	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Cisco Systems, Inc. All Cisco and Duo Security products, and any third-party research targets that are not in another CNA’s scope	psirt@cisco.com psirt@duosecurity.com	Cisco Policy Duo Policy	Cisco Advisories Duo Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Cloudflare, Inc. All Cloudflare products, projects hosted at https://github.com/cloudflare/ , and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope	cna@cloudflare.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Coalfire Labs All CoalfireONE products, as well as vulnerabilities in third-party software discovered by Coalfire Labs that are not in another CNA’s scope	support@coalfire.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Crafter CMS Crafter CMS issues only	security@craftersoftware.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Cybellum Technologies LTD All Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope	info@cybellum.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Israel
Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Industrial control systems and medical devices	Submit a Report	Policy	Advisories	Top-Level Root CNA National & Industry CERTs	N/A	USA
Cyber Security Works Pvt. Ltd. Vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope	disclose@cybersecurityworks.com	Policy	Advisories	CNA Vulnerability Researchers	MITRE	India
Dahua Technologies Dahua issues only	cybersecurity@dahuatech.com Dahua security page	Policy	Advisories	CNA Vendors and Projects	MITRE	China
Debian GNU/Linux Debian issues only	security@debian.org Debian security page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
DeepSurface Security, Inc. All DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope	security@deepsurface.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Dell Dell, Dell EMC, and VCE issues only	secure@dell.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Devolutions Inc. Remote Desktop Manager and Devolutions Server products	security@devolutions.net	Policy	Advisories	CNA Vendors and Projects	MITRE	Canada
Document Foundation, The Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues	security@documentfoundation.org	Policy	Advisories	CNA Vendors and Projects	MITRE	Germany
Drupal.org All projects hosted under drupal.org only	security@drupal.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Eaton Eaton issues only	psirt@eaton.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Ireland
Eclipse Foundation Eclipse IDE and the Eclipse Foundation's eclipse.org, polarysys.org, and locationtech.org open source projects only	security@eclipse.org	Policy	Advisories	CNA Vendors and Projects	MITRE	Canada
Elastic Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only	security@elastic.co	Policy	Advisories	CNA Vendors and Projects	MITRE	Netherlands
Electronic Arts, Inc. EA issues only	secure@ea.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Environmental Systems Research Institute, Inc. All Esri products only	psirt@esri.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
ESET, spol. s r.o. All ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope	ESET PSIRT ESET Research	Inbound Reports Policy Outbound Reports Policy	ESET PSIRT Advisories ESET Research Advisories WeLiveSecurity Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Slovak Republic
F5 Networks F5 issues only	f5sirt@f5.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Facebook, Inc. Facebook-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Facebook that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/	Facebook security contact page	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Fedora Project Vulnerabilities in open-source projects affecting the Fedora Project, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project	Fedora Bug Report page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Fidelis Cybersecurity, Inc. Fidelis issues only	security@fidelissecurity.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Flexera Software LLC All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope	psirt-cna@flexerasoftware.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
floragunn GmbH All issues related to Search Guard only	security@search-guard.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Germany
Fluid Attacks Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope	help@fluidattacks.com	Policy	Advisories	CNA Vulnerability Researchers	MITRE	Colombia
Forcepoint Forcepoint products only	psirt@forcepoint.com Forcepoint security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Fortinet, Inc. Fortinet issues only	PSIRT contact form	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
FPT Software Co., Ltd. All products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software that are not in another CNA’s scope	security@fsoft.com.vn	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Vietnam
FreeBSD Primarily FreeBSD issues only	secteam@freebsd.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
F-Secure All F-Secure products and security vulnerabilities discovered by F-Secure in third-party software not in another CNA’s scope	cve@f-secure.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Finland
Gallagher Group Ltd. All Gallagher security products only	disclosures@gallagher.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	New Zealand
GitHub, Inc. GitHub currently only covers CVEs requested by software maintainers using the GitHub Security Advisories feature	security-advisories@github.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
GitHub, Inc. (Products Only) GitHub Enterprise Server issues only	product-cna@github.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
GitLab Inc. The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope	cve@gitlab.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Google LLC Google products that are not covered by Android and Chrome, as well as vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope	security@google.com Report a vulnerability	Policy	Cloud Advisories Application Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
GS McNamara LLC GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that we are researching or coordinating that are not in another CNA’s scope	psirt@gsmcnamara.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
HackerOne Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform	support@hackerone.com HackerOne contact page	Policy	Advisories	CNA Bug Bounty Programs	MITRE	USA
Hangzhou Hikvision Digital Technology Co., Ltd. All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs)	hsrc@hikvision.com	Policy	Advisories	CNA Vendors and Projects	MITRE	China
HCL Software All HCL products only	psirt@hcl.com	Policy	Advisories	CNA Vendors and Projects	MITRE	India
Hewlett Packard Enterprise (HPE) HPE issues only	security-alert@hpe.com Report vulnerabilities to HPE	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Hillstone Networks, Inc. All Hillstone products only	sec@hillstonenet.com	Policy	Advisories	CNA Vendors and Projects	MITRE	China
Hitachi ABB Power Grids Hitachi ABB Power Grids products	cybersecurity@hitachi-powergrids.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	Switzerland
HP Inc. HP Inc. issues only	hp-security-alert@hp.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Huawei Technologies Huawei issues only	psirt@huawei.com Huawei security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	China
huntr.dev Vulnerabilities in third-party code reported to huntr.dev that are not in another CNA’s scope	security@huntr.dev	Policy	Advisories	CNA Bug Bounty Programs	MITRE	UK
IBM Corporation All IBM products, as well as vulnerabilities in third-party software discovered by IBM X-Force Red that are not in another CNA’s scope	psirt@us.ibm.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Intel Corporation Intel branded products and technologies and Intel managed open source projects	secure@intel.com Intel security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Internet Systems Consortium (ISC) All ISC.org projects	security-officer@isc.org ISC report a bug page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Israel National Cyber Directorate Vulnerability assignment related to its vulnerability coordination role	cna@cyber.gov.il	Policy	Advisories	CNA National & Industry CERTs	MITRE	Israel
Jenkins Project Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only	jenkinsci-cert@googlegroups.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Johnson Controls Johnson Controls products only	productsecurity@jci.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	USA
Joomla! Project Core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only	security@joomla.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
JPCERT/CC Vulnerability assignment related to its vulnerability coordination role	vuls@jpcert.or.jp JPCERT/CC contact page	Policy	Advisories	Root CNA National & Industry CERTs	MITRE	Japan
Juniper Networks, Inc. Juniper issues only	sirt@juniper.net Juniper security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Kaspersky Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope	cna@kaspersky.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Russia
KrCERT/CC Vulnerability assignment related to its vulnerability coordination role	vuln@krcert.or.kr	None	Advisories	CNA National and Industry CERTs	MITRE	South Korea
Kubernetes Kubernetes issues only	security@kubernetes.io	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Larry Cashdollar Third-party products he researches	larry0@me.com	Policy	Advisories	CNA Vulnerability Researchers	MITRE	USA
Lenovo Group Ltd. Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only	psirt@lenovo.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
LINE Corporation Current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line .	dl_cve@linecorp.com	Policy	Advisories	CNA Vendors and Projects	JPCERT/CC	Japan
Logitech All current products/software/apps made by Logitech , Ultimate Ears , Jaybird , Streamlabs , Logitech G , Logicool , Blue , and Astro Gaming	cve-coordination@logitech.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Switzerland
MarkLogic Corporation MarkLogic issues only	security@marklogic.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Mattermost, Inc. All Mattermost issues, and vulnerabilities discovered by Mattermost that are not in another CNA’s scope	responsibledisclosure@ mattermost.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Mautic Mautic core and officially supported plugins	Mautic Security Team security@mautic.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
McAfee Enterprise All McAfee Enterprise products, as well as vulnerabilities in third-party software discovered by McAfee Advanced Threat Research (McAfee ATR) that are not in another CNA’s scope	security_report@mcafee.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Micro Focus International All Attachmate, Borland, Gwava, Micro Focus, NetIQ, Novell, and Serena products, as well as all former HP Enterprise software suites	security@microfocus.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Microsoft Corporation Microsoft issues only	secure@microsoft.com Microsoft security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Mitsubishi Electric Corporation Mitsubishi Electric issues only	Mitsubishielectric.Psirt@ yd.MitsubishiElectric.co.jp	Policy	Advisories	CNA Vendors and Projects	JPCERT/CC	Japan
MongoDB, Inc. MongoDB products only	cna@mongodb.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Mozilla Corporation Mozilla issues only	security@mozilla.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Naver Corporation Naver products only, except Line products	cve@navercorp.com	Policy	Advisories	CNA Vendors and Projects	MITRE	South Korea
NEC Corporation NEC issues only	psirt-info@cyber.jp.nec.com	Policy	Advisories	CNA Vendors and Projects	JPCERT/CC	Japan
NetApp, Inc. All NetApp products as well as projects hosted on https://github.com/netapp	security-alert@netapp.com NetApp security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Netflix, Inc. Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix and https://github.com/spinnaker	security-report@netflix.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
NetMotion Software NetMotion issues only	securityresponse@absolute.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
NLnet Labs All NLnet Labs projects	sep@nlnetlabs.nl	Policy	RPKI Advisories NSD Advisories Unbound Advisories	CNA Vendors and Projects	MITRE	Netherlands
Node.js All actively developed versions of software developed under the Node.js project on https://github.com/nodejs	cve-request@iojs.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
NortonLifeLock Inc. All NortonLifeLock product issues only	security@nortonlifelock.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Nozomi Networks Inc. All Nozomi Networks products, as well as vulnerabilities in third-party software discovered by Nozomi Networks that are not in another CNA’s scope	prodsec@nozominetworks.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
NVIDIA Corporation NVIDIA issues only	psirt@nvidia.com NVIDIA security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Objective Development Software GmbH Objective Development issues only	Objective Development security page	Policy	Advisories	CNA Vendors and Projects	MITRE	Austria
Octopus Deploy All Octopus Deploy products, as well as Octopus Deploy maintained projects hosted on https://github.com/OctopusDeploy	security@octopus.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Australia
Odoo Odoo issues only	security@odoo.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Belgium
openEuler openEuler issues only	security-openeuler@openeuler.org	Policy	Advisories	CNA Vendors and Projects	MITRE	China
OpenSSL Software Foundation OpenSSL software projects only	openssl-security@openssl.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
OpenVPN Inc. All products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel	security@openvpn.net	Policy	Business VPN Advisories Community Advisories	CNA Vendors and Projects	MITRE	USA
Opera Opera issues only	Opera security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	Norway
OPPO Mobile Telecommunication Corp., Ltd. OPPO devices only	security@oppo.com	Policy	Advisories	CNA Vendors and Projects	MITRE	China
Oracle Oracle supported version product issues only; CVE IDs will not be assigned for unsupported products or versions (Oracle will confirm support status and notify researcher)	secalert_us@oracle.com Oracle security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
OTRS AG Vulnerabilities for OTRS and ((OTRS)) Community Edition and modules only	security@otrs.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Germany
Palo Alto Networks, Inc. All Palo Alto Networks products, and vulnerabilities discovered by Palo Alto Networks that are not in another CNA’s scope	psirt@paloaltonetworks.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Patchstack Vulnerabilities in third-party PHP products discovered by Patchstack and Patchstack Red Team	audit@patchstack.com	Policy	Database Advisories	CNA Vendors and Projects Bug Bounty Programs	MITRE	Estonia
Pegasystems Inc. Pegasystems products only	security@pega.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
PHP Group Vulnerabilities in PHP code (code in https://github.com/php/php-src ) only	security@php.net	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Pivotal Software, Inc. Pivotal, Spring, and Cloud Foundry issues only	security@pivotal.io	Pivotal Policy Cloud Foundry Policy	Pivotal Advisories Spring Advisories Cloud Foundry Advisories	CNA Vendors and Projects	MITRE	USA
Puppet All Puppet products, as well as all projects on https://github.com/puppetlabs	security@puppet.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
QNAP Systems, Inc. QNAP issues only	security@qnap.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Taiwan
Qualcomm, Inc. Qualcomm and Snapdragon issues only	product-security@ qualcomm.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Rapid7, Inc. All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope	cve@rapid7.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Red Hat, Inc. Vulnerabilities in open-source projects affecting Red Hat offerings, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat offerings	secalert@redhat.com Red Hat security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Replicated, Inc. Replicated products and services only	security@replicated.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Robert Bosch GmbH Bosch products only	psirt@bosch.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	Germany
Salesforce, Inc. Salesforce products only	security@salesforce.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Samsung Mobile Samsung Mobile Galaxy products, personal computers, and related services only	mobile.security@samsung.com	Policy	Advisories	CNA Vendors and Projects	MITRE	South Korea
SAP SE All SAP products	cna@sap.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Germany
Secomea A/S Supported Secomea products only	vulnerabilityreporting@ secomea.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	Denmark
Schneider Electric All Schneider Electric products, including Proface, APC, and Eurotherm	cybersecurity@se.com Schneider Electric security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	France
SICK AG SICK AG issues only	psirt@sick.de	Policy	Advisories	CNA Vendors and Projects	MITRE	Germany
Siemens Siemens issues only	productcert@siemens.com Siemens security contact page	Policy	Advisories	CNA Vendors and Projects	CISA ICS	Germany
Sierra Wireless Inc. Sierra Wireless products only	security@sierrawireless.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Canada
Silver Peak Systems, Inc. Silver Peak product issues only	sirt@silver-peak.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Simplinx Ltd. Simplinx products only	security@simplinx.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	Turkey
Snyk Vulnerabilities in third-party products discovered by Snyk only	report@snyk.io	Policy	Advisories	CNA Vulnerability Researchers	MITRE	UK
SolarWinds SolarWinds products only	psirt@solarwinds.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
SonicWall, Inc. SonicWall issues only	PSIRT@sonicwall.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Sophos Limited Sophos issues only	security-alert@sophos.com	Policy	Advisories	CNA Vendors and Projects	MITRE	UK
Spanish National Cybersecurity Institute, S.A. (INCIBE) Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level, and vulnerabilities reported to INCIBE by Spain organizations and researchers that are not in another CNA’s scope		Policy (Spanish) Policy (English)	Advisories (Spanish) Advisories (English)	CNA National and Industry CERTs	MITRE	Spain
Splunk Inc. Splunk products only	prodsec@splunk.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
SUSE SUSE and Rancher issues only	security@suse.de	Policy	Advisories Advisories (by CVE ID)	CNA Vendors and Projects	MITRE	USA
Swift Project The Swift Project only	cve@forums.swift.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Symantec - A Division of Broadcom Symantec Enterprise products as well as vulnerabilities in third-party software discovered by Symantec that are not in another CNA’s scope	symantec.psirt@broadcom.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Synaptics, Inc. Synaptics issues only	psirt@synaptics.com	Policy	Touchpad Family Advisories Biomentrics Advisories Far-Field Voice DSPs Advisories	CNA Vendors and Projects	MITRE	USA
Synology Inc. Synology issues only	security@synology.com Synology security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	Taiwan
Synopsys All Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope	disclosure@synopsys.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Talos Third-party products it researches	talos-cna@cisco.com Talos security page	Policy	Advisories	CNA Vulnerability Researchers	MITRE	USA
Tcpdump Group Tcpdump and Libpcap only	security@tcpdump.org	Policy	Advisories	CNA Vendors and Projects	MITRE	Canada
Tenable Network Security, Inc. Tenable products and third-party products it researches not covered by another CNA	vulnreport@tenable.com Tenable security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Teradici Corporation Teradici issues only	security@teradici.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Canada
360 Security Technology, Inc. 360 Total Security, 360 Safeguard, 360 Mobile Safe, and 360 Safe Router products, and vulnerabilities in third-party products discovered by 360 that are not covered by another CNA	security@360.cn	Policy	Advisories	CNA Vendors and Projects Vulnerability Researcher	MITRE	China
TianoCore.org Software vulnerabilities related to the TianoCore Open Source	infosec@edk2.groups.io	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
TIBCO Software Inc. TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only	security@tibco.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Tigera, Inc. All vulnerabilities for Calico and all of Tigera’s products only	psirt@tigera.io	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Toshiba Corporation Vulnerabilities related to products and services of Toshiba Corporation	hdq-toshiba-psirt@ml.toshiba.co.jp	Policy	Advisories	CNA Vendors and Projects	JPCERT/CC	Japan
TR-CERT (Computer Emergency Response Team of the Republic of Turkey) Vulnerability assignment related to its vulnerability coordination role	cve@usom.gov.tr	Policy	Advisories	CNA National and Industry CERTs	MITRE	Turkey
Trend Micro, Inc. Trend Micro supported products and end-of-life products issues only	security@trendmicro.com Trend Micro security contact page	Policy	Advisories	CNA Vendors and Projects	MITRE	Japan
TWCERT/CC Vulnerability assignment related to its vulnerability coordination role	cve@cert.org.tw	Policy (Chinese) Policy (English)	Advisories (Chinese) Advisories (English)	CNA National and Industry CERTs	MITRE	Taiwan
Vaadin Ltd. All Vaadin products and supported open-source projects hosted at https://github.com/vaadin	security@vaadin.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Finland
VDOO Connected Trust Ltd. All VDOO products (supported products and end-of-life/end-of-service products); Vulnerabilities in third-party software discovered by VDOO that are not in another CNA’s scope; Vulnerabilities in third-party software discovered by external researchers and disclosed to VDOO (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope	vuln@vdoo.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	Israel
Vivo Mobile Communication Co., Ltd. Vivo issues only	security@vivo.com	Policy	Advisories	CNA Vendors and Projects	MITRE	China
VMware VMware issues only	security@vmware.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
WhiteSource Vulnerabilities in WhiteSource products and vulnerabilities in third-party software discovered by WhiteSource that are not in another CNA’s scope	vulnerabilitylab@ whitesourcesoftware.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
Wordfence WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team	security@wordfence.com	Policy	Advisories	CNA Vendors and Projects Vulnerability Researchers	MITRE	USA
WPScan WordPress core, plugins, and themes	contact@wpscan.com WPScan Submit Vulnerability	Policy	Word Press Advisories Word Press Plug In Advisories Word Press Theme Advisories	CNA Vendors and Projects	MITRE	France
Xen Project All sub-projects under Xen Project’s umbrella (see Xen Project Teams ), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer	security@xen.org	Policy	Advisories	CNA Vendors and Projects	MITRE	UK
Xiaomi Technology Co., Ltd. Xiaomi issues only	security@xiaomi.com	Policy	Advisories	CNA Vendors and Projects	MITRE	China
Xylem Xylem products and technologies only	product.security@xyleminc.com	Policy	Advisories	CNA Vendors and Projects	CISA ICS	USA
Yandex N.V. Yandex issues only	browser-security@yandex-team.ru	Policy	Advisories	CNA Vendors and Projects	MITRE	Russia
Zabbix Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only	security@zabbix.com	Policy	Advisories	CNA Vendors and Projects	MITRE	Latvia
Zephyr Project Zephyr project components, and vulnerabilities that are not in another CNA’s scope	vulnerabilities@zephyrproject.org	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Zero Day Initiative Products and projects covered by its bug bounty programs that are not in another CNA’s scope	zdi-disclosures@trendmicro.com ZDI contact page	Policy	Advisories	CNA Bug Bounty Programs	MITRE	Japan
Zoom Video Communications, Inc. Zoom and Keybase issues only	security@zoom.us	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
Zscaler, Inc. Zscaler issues only	cve@zscaler.com	Policy	Advisories	CNA Vendors and Projects	MITRE	USA
ZTE Corporation ZTE products only	psirt@zte.com.cn	Policy	Advisories	CNA Vendors and Projects	MITRE	China
Zyxel Corporation Zyxel products issues only	security@zyxel.com.tw	Policy	Advisories	CNA Vendors and Projects	MITRE	Taiwan

Key to CNA Roles, Types, and Countries

Roles

• CNA - organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
• CNA of Last Resort (CNA-LR) - organization authorized to assign CVE IDs and to create and publish CVE Records for vulnerabilities not covered by the scope of another CNA.
• Root - organization authorized within the CVE Program that is responsible, within a specific Scope, for the recruitment, training, and governance of one or more entities that are a CVE CNA, CNA-LR, an ADP, or another Root.
• Top-Level Root - a Root that does not report to another Root, and is thus responsible to the CVE Board.

Types

• Bug Bounty Programs - assigns CVE IDs to products and projects that utilize the Bug Bounty service’s product offerings.
• Hosted Services - assigns CVE IDs for vulnerabilities found in their own services.
• National and Industry CERTs - performs incident response and vulnerability disclosure services for nations or industries. They may assign CVE IDs as part of their role and scope.
• Vendors and Projects - assigns CVE IDs for vulnerabilities found in their own products and projects.
• Vulnerability Researchers (Independents) - assigns CVE IDs to products and projects upon which the individual performs vulnerability analysis. Note that independent vulnerability researchers are approved by the CVE Board.
• Vulnerability Researchers (Organizations) - assigns CVE IDs to products and projects upon which they perform vulnerability analysis.

Countries

• Countries - self-identified by the CNA.

MITRE CNA of Last Resort PGP Key

Please use our CVE Request web form to request CVE IDs directly from the MITRE CNA of Last Resort (CNA-LR). Upon completion of the form, you will receive a confirmation email message that includes a reference number. Any additional communications related to that request will be done through email using the same subject line as the confirmation email.

View our web form help .

Key ID:		903E4008
Fingerprint:	F59F 1525 57C5 3CE4 BEAE B86E F357 D0E9 903E 4008
Key size:	4096
Public key:	Click to download

NOTE: PGP key updated March 2020

For questions, or assistance about how to use the information on this page, please contact us.