A CVE Numbering Authority (CNA) is an organization authorized by the CVE program to assign CVE identifiers to vulnerabilities within a defined scope and to publish the corresponding CVE records. Rather than a single central body numbering every vulnerability in the world, the CVE program distributes that responsibility across many organizations, each covering the products or areas it knows best. Software vendors, open source projects, security research firms, bug bounty platforms, national computer emergency response teams, and coordinating bodies can all become CNAs. When a vulnerability is found in a product covered by a CNA's scope, that CNA reserves and assigns the CVE identifier and writes the initial record, which is the moment a flaw gains a stable, globally recognized name that advisories, scanners, and databases can reference.
Why CNAs matter for supply chain security
The identifier is the anchor for everything downstream. Once a vulnerability has a CVE ID, security advisories, vulnerability databases, scanners, and remediation tooling can all refer to the same flaw unambiguously. Who assigns that ID, and how quickly, directly affects how fast the wider ecosystem can coordinate a response. A vendor that is a CNA for its own products can assign an identifier and publish a record in step with its patch, so defenders get a citable reference the moment a fix is available.
The distributed model also shapes data quality and consistency. Because scope is divided among many organizations with different practices, the completeness and precision of CVE records can vary by CNA. For open source supply chain security in particular, it matters whether the CNA covering a package expresses affected versions clearly, since that data feeds the databases your scanners rely on. Understanding the CNA layer is part of understanding the broader vulnerability disclosure ecosystem that supply chain tooling is built on.
How CNAs work
The CVE program is organized in a hierarchy. At the top sits the program's overall coordination, supported by a small number of Root and Top-Level Root organizations that recruit, onboard, train, and oversee CNAs. Below them, individual CNAs operate within an agreed scope, which might be "all products from this vendor," "this open source foundation's projects," or "vulnerabilities reported to this coordination center that no other CNA covers."
Each CNA is allocated blocks of CVE identifiers it can assign without asking anyone else. When a qualifying vulnerability comes in, typically through the CNA's disclosure process, the CNA reserves an ID, works with the reporter under coordinated disclosure, and publishes a CVE record containing the identifier, a description, and references. A CNA of Last Resort handles vulnerabilities that fall outside every other CNA's scope, so nothing legitimate is left without a path to an identifier. Once published, the base record enters the CVE data set, where separate enrichment processes and other databases can add severity scores and affected-range detail.
Key points at a glance
| Aspect | Detail |
|---|---|
| Role | Assigns CVE IDs and publishes records in scope |
| Who can be one | Vendors, open source projects, researchers, CERTs |
| Scope | Defined products or areas per CNA |
| ID blocks | Pre-allocated so assignment is autonomous |
| Hierarchy | Roots and Top-Level Roots oversee CNAs |
| Last resort | A CNA of Last Resort covers uncovered flaws |
How Safeguard uses CVE data from CNAs
Safeguard consumes the CVE records that CNAs publish as one of several authoritative inputs, then adds the ecosystem precision that base records often lack. Because CNA-published records vary in how clearly they state affected package versions, our software composition analysis correlates each CVE with ecosystem-native advisory data so matches against your lockfiles are precise rather than approximate.
SBOM Studio keeps an accurate inventory of your resolved dependencies and their identifiers, so as soon as a CNA publishes a new CVE affecting a package you use, Safeguard can tell you whether it reaches your code. Griffin AI then combines the CVE description and references with reachability and fix data to draft a remediation and open it as a reviewable pull request. Treating CNA-issued CVEs as the shared identifier layer, while enriching them with package-aware detail, is how Safeguard keeps findings both authoritative and actionable.
Frequently Asked Questions
Who can become a CVE Numbering Authority? A wide range of organizations can, including software and hardware vendors, open source projects and foundations, security research firms, bug bounty and coordination platforms, and national or sector-specific response teams. An organization applies through the CVE program, agrees to a defined scope, and is onboarded and overseen by a Root or Top-Level Root before it can assign identifiers.
What is the difference between a CNA and the NVD? A CNA assigns CVE identifiers and publishes the base records within its scope. The NVD is a separate database that enriches already-published CVE records with severity scores and affected-configuration data. In short, CNAs create and describe the identifier, while the NVD analyzes and scores it afterward.
What is a CNA of Last Resort? It is a CNA whose job is to assign identifiers for vulnerabilities that do not fall within any other CNA's defined scope. It ensures there is always a path to a CVE ID even when no vendor or project-specific authority covers the affected software, so legitimate vulnerabilities are not left unnamed.
Does having a CVE ID mean a vulnerability is severe? No. A CVE identifier only establishes that a distinct vulnerability has been recognized and named. Severity is a separate judgment, expressed through scoring systems applied during enrichment and refined by exploitation and reachability context. Some CVEs are critical and widely exploited, while others are low impact or not reachable in a given deployment.
Ready to know the moment a newly published CVE affects code you actually ship? Create a free account at app.safeguard.sh/register and start scanning, then keep learning with the free Safeguard Academy.