6 Powerful Vulnerability Databases to Search Publicly Disclosed Security Vulnerabilities

In today’s digital world, the necessity to secure valuable data and information is more important than ever. As more businesses and individuals rely on technological advancements, the risks associated with vulnerabilities within systems and applications increase. To address these risks, it’s crucial to be aware of publicly disclosed security vulnerabilities that may affect your systems or software. This knowledge allows organizations and individuals to be proactive in protecting their digital assets and ensuring overall security.

One way to stay informed about these security vulnerabilities is through vulnerability databases. These databases serve as comprehensive resources that catalog publicly disclosed cybersecurity vulnerabilities in a standardized format, making it easier for individuals and professionals to search, use, and incorporate the information into their security measures. With a wide range of databases available, it’s essential to identify the most powerful and reputable ones to assist you in staying up-to-date with the latest vulnerabilities and securing your systems against potential threats.

In this article, we explore six powerful vulnerability databases that provide valuable information on publicly disclosed security vulnerabilities. These databases cater to a wide range of users, from security experts to general IT professionals, ensuring comprehensive coverage of the most relevant and up-to-date security vulnerabilities.

But before we get to the list of powerful vulnerability databases, let’s cover some background. It is optional reading, intended for those who want comprehensive information about vulnerability management and vulnerability databases.

In this comprehensive blog post, we will cover the following topics:

  • What are security vulnerabilities and how they are tracked
  • Understanding CVE IDs, CVSS scoring system, and vectors
  • Introduction to CVE Numbering Authorities (CNAs)
  • Where to search publicly disclosed vulnerabilities
  • List of powerful vulnerability databases

What are Security Vulnerabilities? And How Security Vulnerabilities Are Being Tracked?

Security vulnerabilities are flaws or weaknesses in software code or system configurations that can be exploited by attackers to gain unauthorized access to a system or network. Once inside, attackers can leverage authorizations and privileges to compromise systems and assets. Vulnerabilities can be found in IT, network, cloud, web, and mobile application systems.

Some examples of vulnerabilities include:

  • Buffer overflows
  • SQL injection flaws
  • Cross-site scripting bugs
  • Default or weak passwords
  • Race conditions

Vulnerabilities are tracked and documented in databases so that affected vendors, manufacturers, and users are aware of the issue and can take action to remediate or mitigate the vulnerability.

Common practices for vulnerability tracking include:

  • Reporting: Security researchers and users submit newly discovered vulnerabilities to vendors, CERTs, or public vulnerability databases.
  • Assignment of CVE ID: Once a vulnerability report is verified, it is assigned a CVE ID (Common Vulnerabilities and Exposures) for unique identification.
  • Publication: Details of the vulnerability are publicly documented in databases like the National Vulnerability Database (NVD).
  • Severity analysis: The vulnerability severity is scored using the Common Vulnerability Scoring System (CVSS).
  • Remediation tracking: The fix status of the vulnerability is updated over time.

Thorough vulnerability tracking and robust databases allow the security community to assess the risk posed by flaws and prioritize remediation efforts.

The Vulnerability Management team plays a crucial role in identifying, analyzing, assessing, reporting, and mitigating security vulnerabilities before they can be exploited by attackers. Collected or reported vulnerabilities are assigned a CVE ID and recorded in several databases. This is where the concept of the vulnerability database begins. Before we go further, let’s understand a few more concepts: the CVE ID, the CVSS scoring system, and CVSS vectors.

Understand CVE ID, CVSS Scoring System, And Vectors of CVSS

When dealing with publicly disclosed security vulnerabilities, it is essential to understand the Common Vulnerabilities and Exposures (CVE) identification, the Common Vulnerability Scoring System (CVSS), and the CVSS vectors. This understanding helps you evaluate the severity of vulnerabilities and prioritize your response.

CVE ID

CVE stands for Common Vulnerabilities and Exposures. It is a unique ID assigned to identify each publicly known security vulnerability.

The CVE ID consists of the following format:

CVE-YYYY-NNNNN

Where:

  • CVE – Constant identifier showing this is a CVE ID
  • YYYY – The year the CVE ID was assigned
  • NNNNN – A unique 5-digit number to identify the specific vulnerability

For example, CVE-2019-19781 was assigned in 2019 and has a unique 5-digit ID of 19781.

Once a vulnerability has been publicly documented and verified, it is added to the CVE master list, formally known as Vulnerability Database. The CVE ID helps to eliminate confusion by allowing all parties to refer to vulnerabilities in a standardized manner.
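As an added example (not code from the original article), the following Python sketch pulls CVE IDs out of free text such as scanner output, normalizes them, and sorts them numerically rather than alphabetically. It goes slightly beyond the five-digit case shown above by accepting sequence numbers of four or more digits, as current CVE ID syntax allows; the function names and the sample text, including the CVE-2099-* placeholder IDs, are constructed for illustration.

```python
import re

# The CVE Program was established in 1999, so earlier "years" cannot be real IDs.
FIRST_CVE_YEAR = 1999

# "CVE-" + 4-digit year + "-" + a sequence of four or more digits.
# The lookarounds stop the pattern from matching inside a longer token
# (for example "XCVE-2099-12345" or "CVE-2019-12345abc").
CVE_PATTERN = re.compile(
    r"(?<![A-Za-z0-9-])CVE-(\d{4})-(\d{4,})(?![A-Za-z0-9])", re.IGNORECASE
)

# Constructed sample input; only CVE-2019-19781 comes from the article,
# the CVE-2099-* values are placeholders invented for this example.
SAMPLE_TEXT = """\
host-a: appliance flagged for CVE-2019-19781 (vendor advisory pending)
host-b: cve-2099-10000 and CVE-2099-9999 reported; CVE-2019-19781 again
host-c: see CVE-2099-0001.
host-d: malformed: CVE-2019-123, CVE-19-19781, XCVE-2099-12345, CVE-1998-0001
"""


def is_valid_cve_id(candidate):
    """Return True if the whole string is a syntactically valid CVE ID."""
    match = CVE_PATTERN.fullmatch(candidate.strip())
    return bool(match) and int(match.group(1)) >= FIRST_CVE_YEAR


def extract_cve_ids(text):
    """Return the unique CVE IDs found in text, sorted by year then sequence."""
    found = set()
    for match in CVE_PATTERN.finditer(text):
        year, sequence = int(match.group(1)), match.group(2)
        if year < FIRST_CVE_YEAR:
            continue  # syntactically fine, but no such year exists in the CVE list
        # Keep the integers for sorting: as strings, "10000" would sort before "9999".
        found.add((year, int(sequence), f"CVE-{year}-{sequence}"))
    return [cve_id for _, _, cve_id in sorted(found)]


if __name__ == "__main__":
    for cve_id in extract_cve_ids(SAMPLE_TEXT):
        print(cve_id)
```

Sorting on the parsed integers matters once a year has both four-digit and five-digit sequence numbers, which a plain string sort would interleave incorrectly.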

CVSS Scoring System

The Common Vulnerability Scoring System (CVSS) is an open framework used to quantify the severity of IT vulnerabilities. CVSS assigns a numeric score ranging from 0 to 10 to vulnerabilities, with 10 being the most severe.

The CVSS score represents the ease and impact of exploitation. The metrics used to calculate the score are divided into three metric groups:

Base – Represents the intrinsic characteristics of a vulnerability that do not change over time or user environments. This consists of:

  • Attack Vector (AV) – How the vulnerability can be exploited e.g. network, adjacent, local, physical.
  • Attack Complexity (AC) – The complexity of the attack required to exploit the vulnerability.
  • Privileges Required (PR) – The level of privileges required for an attacker to exploit the flaw.
  • User Interaction (UI) – If user interaction is required to exploit the vulnerability.
  • Scope (S) – If a vulnerability in one component impacts resources beyond its security scope.
  • Confidentiality (C), Integrity (I), Availability (A) Impact – The impact on the CIA security principles if a vulnerability is exploited.

Temporal – Represents the characteristics of a vulnerability that may change over time but not user environments. This consists of:

  • Exploit Code Maturity (E) – Reflects the maturity of available exploit code.
  • Remediation Level (RL) – Represents the degree to which a vulnerability can be mitigated through fixes, patches, upgrades, etc.
  • Report Confidence (RC) – Reflects the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.

Environmental – Represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. This consists of:

  • Collateral Damage Potential (CDP) – The potential for loss of data assets, productivity or revenue if a vulnerability is exploited.
  • Target Distribution (TD) – The number of vulnerable systems that exist in the wild.
  • Security Requirements (CR, IR, AR) – The security requirements for confidentiality, integrity and availability in the user environment.

Using these metrics, CVSS applies a complex calculation to determine the final vulnerability severity score.

Vectors of CVSS

CVSS vectors are a standardized text representation of the metrics used to score a vulnerability.

The vector string contains each metric acronym, followed by the assigned value. For example:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This vector shows:

  • CVSS version 3.1
  • Attack vector is Network (N)
  • Attack complexity is Low (L)
  • No privileges required (N)
  • No user interaction (N)
  • The scope is Unchanged (U)
  • High impact scores for confidentiality, integrity, availability (H)

The vector highlights the key metrics used to calculate the overall CVSS score for a vulnerability. It provides an easy way for humans to understand the rating factors at a glance.

A Short Introduction to CVE Numbering Authority (CNA)

The next question is: who assigns CVE IDs to vulnerabilities and adds them to the database? The answer is the CVE Numbering Authority (CNA). CNAs are organizations that have been authorized by the CVE Program to assign CVE identifiers to vulnerabilities affecting products within their agreed-upon scope. These organizations play a crucial role in ensuring that newly discovered vulnerabilities are assigned unique identifiers and properly documented for the public.

A CNA is responsible for establishing the scope of its authority, determining if a vulnerability falls within this scope, and assigning a unique CVE identifier to the vulnerability before its first public announcement. The CNA’s domain of authority can be specific to its own products or cover a broader range of products and vulnerabilities under its scope. Cooperation between CNAs ensures consistency and accuracy in the enumeration and documentation of vulnerabilities.

The CNA Rules provide guidelines for the assignment and management of CVE identifiers by CNAs. These rules outline the responsibilities and requirements for CNAs, including scope definition, vulnerability discovery and reporting, and proper documentation of vulnerabilities in the CVE List.

There are distinct levels in the CNA hierarchy: Root, Top-Level Root, CNA of Last Resort (CNA-LR), and Sub-CNAs. The most common and basic level of CNA is the Sub-CNA, which assigns CVE identifiers to vulnerabilities specifically within their domain of responsibility. CNAs work together with other CNAs, higher-level CNAs, and the CVE Program to maintain an efficient and streamlined CVE assignment process.

The role of CNAs includes:

  • Receiving vulnerability reports from researchers, vendors, etc.
  • Verifying reports and ensuring they represent distinct vulnerabilities warranting a CVE ID.
  • Assigning a CVE ID from their unique block.
  • Notifying the vulnerability submitter about the assigned CVE ID.
  • Publishing CVE details to databases like NVD, their own security advisories, etc.
  • Updating CVE information and notifying affected parties as more details become available.

CNAs are a vital part of the CVE ecosystem. They enable coordinated, reliable assignment of IDs across the rapidly evolving threat landscape. Currently, there are 307 CNAs (305 CNAs and 2 CNA-LRs) from 36 countries participating in the CVE Program.

[Figure: CNA Partners By Country (Source: cve.org)]

Where do You Search for Publicly Disclosed Security Vulnerabilities?

There are several reputable databases that can be utilized to search for publicly disclosed security vulnerabilities. One of the most notable is the CVE List, a comprehensive catalog of publicly disclosed cybersecurity vulnerabilities managed by the CVE Numbering Authorities (CNAs). The CVE List is free to search, use, and incorporate into products and services. Organizations and security professionals rely on these resources to find details of known weaknesses impacting the products or technologies present in their environment.

Some places where publicly disclosed vulnerabilities can be searched include:

  • National Vulnerability Database (NVD) – Extensive CVE vulnerability database maintained by NIST, based on CVE List feed. Integrates with CVSS and CPE.
  • MITRE CVE List – Comprehensive list of CVE Records provided by MITRE.
  • US-CERT Vulnerability Notes Database – Contains disclosure records published by CISA.
  • Vulnerability search on vendor/manufacturer websites – Companies like Microsoft, Adobe, Cisco etc. provide vulnerability search capabilities on their own websites. Useful for product-specific flaws.
  • Vulnerability databases – Resources like VulnDB, Vulners, Secunia Research Community etc. provide CVE vulnerability data. Some integrate exploit and patch info.
  • Bug bounty platforms – Bugcrowd, HackerOne, etc. include limited vulnerability details disclosed through their bug bounty programs.
  • Git repositories – Many security tools and projects provide vulnerability data in Git repositories that can be searched.
  • Exploit databases – Sites like Exploit-DB contain proof-of-concept exploits that can reveal related vulnerabilities.
  • Search engines – Google hacking for specific keywords can reveal security advisories and vulnerability reports.

This list provides a starting point on where security practitioners can search for vulnerability data pertinent to the systems and software relevant to their organization.

List of Powerful Vulnerability Databases

Now it’s time to take a deeper look into some of the most comprehensive and widely used public vulnerability databases that can be leveraged to streamline vulnerability management programs.

cve.org

CVE (Common Vulnerabilities and Exposures) is an international, community-driven security vulnerability database, which is maintained by the MITRE Corporation and funded by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security.

The website cve.org serves as a public platform that allows users to freely search, use, and incorporate information into their products and services. Each CVE Identifier, or CVE ID, includes a description of the vulnerability or exposure, and reference information from vulnerability reports and advisories. It’s important to note that the CVE system does not include risk, impact, fix, or other technical information, and it does not provide vulnerability management or vulnerability assessment capabilities. Rather, it is a key component that these types of capabilities can leverage.

Mitre

cve.mitre.org

Mitre.org is a well-known organization that manages numerous cybersecurity initiatives, including the CVE Program. Established in 1999, the CVE Program aims to identify, define, and catalog publicly disclosed security vulnerabilities in a standardized manner. This helps security professionals, organizations, and developers effectively address and manage vulnerabilities across their systems.

Mitre.org is responsible for the distribution and maintenance of the Common Vulnerabilities and Exposures (CVE) database. The CVE database contains a comprehensive list of vulnerabilities identified by both experts and the cybersecurity community. Mitre.org ensures that every vulnerability listed in the CVE database receives a unique identifier, which makes it easier for practitioners to reference and search specific vulnerabilities.

One of the strengths of Mitre.org’s CVE Program is its ability to integrate with other cybersecurity services and tools. This helps organizations streamline their vulnerability management processes and make informed security decisions based on accurate and up-to-date information.

For users wishing to download the CVE database, Mitre.org provides it in JSON format. To access the database, users can visit the CVE website’s download page and download the desired data file. The availability of the CVE database in JSON format enables researchers and security professionals to easily parse the information and integrate it with their analytical tools and systems.

In conclusion, Mitre.org plays a vital role in managing the CVE Program and maintaining the CVE database. Its commitment to standardizing vulnerability information and providing seamless integration capabilities makes it a valuable resource for cybersecurity professionals and organizations.

National Vulnerability Database

The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data. This data includes security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. Operated by the National Institute of Standards and Technology (NIST), the NVD uses the Common Vulnerabilities and Exposures (CVE) system for its vulnerability identifiers.

While the CVE system provides a baseline for identifying vulnerabilities, the NVD goes a step further by providing more detailed vulnerability information including severity scores, impact metrics, and enhanced data to support vulnerability management.

For each vulnerability listed in the database, the NVD includes the vulnerability’s description, published and modified dates, references, and the vulnerability’s severity score as measured by the Common Vulnerability Scoring System (CVSS). The NVD’s website provides users with the ability to search this database for information on specific vulnerabilities.

The NVD is a critical resource for organizations that want to protect their systems from known vulnerabilities. It allows security researchers, system administrators, and others to understand the nature of potential threats to their systems and to prioritize their actions based on the severity and potential impact of the vulnerabilities.

VulnDB

VulnDB is a vulnerability database that provides comprehensive information on known security vulnerabilities in software products. It is one of the most important sources for people responsible for handling vulnerabilities, vulnerability management, exploit analysis, cyber threat intelligence, and incident response handling.

VulnDB was originally created in 2002 by a group of security researchers who wanted to provide a central repository for information on security vulnerabilities. The database was originally called Open Source Vulnerability Database (OSVDB), and it was maintained by the Open Security Foundation (OSF). In 2016, the OSF closed down, and VulnDB was acquired by Flashpoint.

It was built with the goal of providing the most timely and accurate vulnerability intelligence available. The database includes information on each vulnerability’s technical details, mitigation strategies, exploit information, and links to original advisories, as well as a wealth of other relevant information that can be used by cybersecurity professionals to protect their systems.

It covers an extensive range of security vulnerabilities, including many not found in the CVE (Common Vulnerabilities and Exposures) database. This makes VulnDB the largest and most comprehensive vulnerability database in the industry. Its creators had a clear vision: to help organizations better understand their security risks and prioritize their response strategies accordingly.

One of the key features of VulnDB is its ability to serve an easy-to-use SaaS Portal and a RESTful API, allowing for seamless integration with GRC (Governance, Risk Management, and Compliance) tools, ticketing systems, and other third-party services. This flexibility empowers organizations to efficiently access and use the valuable vulnerability data provided by VulnDB.

VulnDB’s offerings go beyond just providing vulnerability information. The database is frequently updated and enriched with additional details, such as verified fixes, suggested solutions, and relevant chatter from social media platforms like Twitter. This valuable extra context allows security professionals to better understand the potential impact of a vulnerability and implement the most suitable remediation strategies.

Security Database

Security Database is a prominent platform that was established to provide comprehensive information on publicly disclosed security vulnerabilities. As the largest vulnerability database in Europe, it has made a significant impact on the cybersecurity landscape, offering a wealth of resources for security professionals to draw upon. With an unwavering focus on presenting accurate and relevant data, Security Database maintains a confident, knowledgeable, neutral, and clear tone.

This extensive database not only offers a vast repository of vulnerability information but also provides users with numerous additional services. One notable feature is its ability to serve as an Application Programming Interface (API), which enables the seamless integration of its data with various third-party tools and software. This capacity allows users to access up-to-date vulnerability information in real time, ensuring they remain informed and protected from potential threats.

In addition to its primary function as a vulnerability database, Security Database offers various supplementary resources, including security research papers, exploit databases, and details on upcoming security-related events. These offerings contribute to the platform’s value as a one-stop solution for cybersecurity experts, enabling them to stay current on critical industry developments.

Vuldb

VulDB is the world’s leading vulnerability database, with over 235,000 entries. It was founded in 1998 and is now owned by pyxyp inc. VulDB provides comprehensive information on security vulnerabilities, including their technical details, exploit availability, and impact. It is a valuable resource for vulnerability management, exploit analysis, cyber threat intelligence, and incident response.

The moderation team at Vuldb actively monitors numerous sources 24/7 for information about new or existing vulnerabilities. Once a new vulnerability is identified, the team gathers additional data from various sources and creates a detailed Vuldb entry, which is then made available to customers through the website and API.

One of the key features of Vuldb is its ability to seamlessly integrate with third-party services, such as GRC tools and ticketing systems. This is achieved through its RESTful API, which enables easy access to vulnerability information, allowing organizations to quickly identify and respond to potential security risks.

Which Vulnerability Database is Perfect for You?

Every service offers distinct features. The CVE project and Mitre are authorized bodies whose primary responsibility is to assign CVE IDs to identified vulnerabilities. NVD’s task is to evaluate these CVE-assigned vulnerabilities and provide Severity and CVSS scores along with vector details. Other CNA authorities like VulnDB, Security Database, and VulDB offer more precise research information such as descriptions, technical details, affected software, hardware, and services, including version information. They also provide exploitation POC details and fix/mitigation information. The choice of a vulnerability database depends on the level of information you require.

Below is a basic comparison table for these entities based on key parameters. Keep in mind that this table provides a high-level overview, and the actual specifics may vary depending on different use cases, user requirements, and other factors. Some of these databases may offer more specific features, tools, or data through a subscription or specific partnership agreement.

| | CVE.org | National Vulnerability Database | MITRE.org | VulnDB | Security Database | VulDB |
| --- | --- | --- | --- | --- | --- | --- |
| Operated By | MITRE Corp | NIST | MITRE Corp | Risk Based Security | Varies | Scip AG |
| Information Provided | Vulnerability identifiers | Vulnerability details, metrics, and checklists | Research, projects, and CVE system | Detailed vulnerability info, mitigation strategies, exploit info | Generally provides vulnerability info (specifics can vary) | Detailed vulnerability info, references, affected software versions |
| Free Access | Yes | Yes | Yes | Limited free access, subscription for more data | Varies | Limited free access, subscription for more data |
| Scope | Global | Primarily U.S. focused | Global | Global | Varies | Global |
| Update Frequency | Regularly | Regularly | Regularly | Regularly | Varies | Regularly |
| API Support | No | Yes | No | Yes (with subscription) | Varies | Yes (with subscription) |

Conclusion

Public vulnerability databases are invaluable resources that allow organizations to search for and analyze known security flaws impacting the myriad technologies they rely upon.

In this post, we looked at various facets of tracking vulnerabilities using CVE IDs, CVSS scoring and CNAs. We also covered the leading vulnerability data repositories like NVD, VulnDB, Vuldb, and more that security teams can leverage to power risk management programs.

Here are some key takeaways:

  • CVE IDs offer standardized naming for vulnerabilities. CVSS scores quantify severity. CNAs coordinate CVE assignments.
  • National Vulnerability Database provides extensive CVE listings with CVSS scoring.
  • MITRE CVE List contains the authoritative source of CVE data.
  • Vulnerability intelligence databases like VulnDB, VulDB, and others enhance CVE data with critical context.
  • Options like Security Database and CERT.org provide downloadable vulnerability data dumps.
  • Vendor databases and Git repositories also offer valuable vulnerability data.

With cyber threats increasing, organizations must proactively monitor disclosure channels to detect new vulnerabilities in their environment and prioritize remediation. Public vulnerability databases combined with internal threat intelligence provide the comprehensive visibility needed to continuously improve organizational risk posture.

Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.

List of 307 CVE Numbering Authority (CNA)

| Partner | Scope | Program Role | Organization Type | Country* |
| --- | --- | --- | --- | --- |
| 42Gears Mobility Systems Pvt Ltd | 42Gears branded products and technologies only | CNA | Vendor | India |
| Absolute Software | Absolute issues only | CNA | Vendor | USA |
| Acronis International GmbH | All Acronis products, including Acronis Cyber Protect, Acronis Cyber Protect Home Office, Acronis DeviceLock DLP, and Acronis Snap Deploy | CNA | Vendor | Switzerland |
| Adobe Systems Incorporated | Adobe issues only | CNA | Vendor | USA |
| Advanced Micro Devices Inc. | AMD branded products and technologies only | CNA | Vendor | USA |
| Airbus | All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope | CNA | Vendor, Researcher | Netherlands |
| Alias Robotics S.L. | All Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware), as well as machine tool and machine tool components, discovered by Alias Robotics that are not in another CNA’s scope | CNA | Vendor, Researcher | Spain |
| Alibaba, Inc. | Projects listed on its Alibaba GitHub website only | CNA | Vendor, Open Source | China |
| AMI | Vulnerabilities that affect AMI firmware and software products | CNA | Open Source, Vendor | USA |
| Ampere Computing | Ampere issues only | CNA | Vendor | USA |
| Android (associated with Google Inc. or Open Handset Alliance) | Android issues, as well as vulnerabilities in third-party software discovered by Android that are not in another CNA’s scope | CNA | Vendor, Open Source, Researcher | USA |
| Apache Software Foundation | All Apache Software Foundation issues only | CNA | Vendor, Open Source | USA |
| AppCheck Ltd. | Vulnerabilities discovered by AppCheck that are not within another CNA’s scope | CNA | Researcher | UK |
| Apple Inc. | Apple issues only | CNA | Vendor | USA |
| Arista Networks, Inc. | All Arista products only | CNA | Vendor | USA |
| Arm Limited | Arm-branded products and technologies and Arm-managed open source projects | CNA | Open Source, Vendor | UK |
| Artica PFMS | Pandora FMS, Integria IMS, and eHorus issues only | CNA | Vendor | Spain |
| Asea Brown Boveri Ltd. (ABB) | ABB issues only | CNA | Vendor | Switzerland |
| ASUSTOR, Inc. | ASUSTOR issues only | CNA | Vendor | Taiwan |
| Atlassian | All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/ and https://github.com/atlassian/ | CNA | Vendor, Open Source | Australia |
| Austin Hackers Anonymous | Vulnerabilities in the AHA! website and other AHA! controlled assets, as well as vulnerabilities identified in assets owned, operated, or maintained by another organization unless covered by the scope of another CNA | CNA | Researcher | USA |
| Autodesk | All currently supported Autodesk Applications and Cloud Services | CNA | Vendor | USA |
| Automotive Security Research Group (ASRG) | All automotive and related infrastructure vulnerabilities that are not in another CNA’s scope | CNA | Researcher | USA |
| Avaya, Inc. | All Avaya Generally Available (GA) products that are not in another CNA’s scope. A CVE ID will not be issued for End of Manufacturing Support (EoMS) products/versions | CNA | Vendor | USA |
| Axis Communications AB | Supported Axis products and solutions only | CNA | Vendor | Sweden |
| B. Braun SE | B. Braun’s commercially available products only | CNA | Vendor | Germany |
| Baicells Technologies Co., Ltd. | All Baicells products | CNA | Vendor | China |
| Baidu, Inc. | Projects listed on Baidu’s PaddlePaddle GitHub website only | CNA | Vendor, Open Source | China |
| Baxter Healthcare | Baxter’s commercially available products only | CNA | Vendor | USA |
| Becton, Dickinson and Company (BD) | BD software-enabled medical devices only | CNA | Vendor | USA |
| Biohacking Village | Vulnerabilities discovered by researchers in collaboration with Biohacking Village, with approval of Biohacking Village’s sponsors, that are not in another CNA’s scope | CNA | Researcher | USA |
| Bitdefender | All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope | CNA | Vendor, Researcher | Romania |
| Black Lantern Security | Vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA’s scope | CNA | Researcher | USA |
| BlackBerry | BlackBerry and Good product issues only | CNA | Vendor | Canada |
| Brocade Communications Systems, LLC | Brocade products only | CNA | Vendor | USA |
| Bugcrowd Inc. | Vulnerabilities discovered by researchers in collaboration with Bugcrowd, with approval of Bugcrowd’s clients, and not in the scope of another CNA | CNA | Bug Bounty Provider, Vendor, Open Source | USA |
| CA Technologies – A Broadcom Company | CA Technologies issues only | CNA | Vendor | USA |
| Canon Inc. | Vulnerabilities in products and services designed and developed by Canon Inc. | CNA | Vendor | Japan |
| Canonical Ltd. | All Canonical issues (including Ubuntu Linux) only | CNA | Vendor, Open Source | UK |
| Carrier Global Corporation | Carrier Global products only | CNA | Hosted Service, Vendor | USA |
| Censys | All Censys products, and vulnerabilities discovered by Censys that are not in another CNA’s scope | CNA | Vendor, Researcher | USA |
| CERT/CC | Vulnerability assignment related to its vulnerability coordination role | CNA | CERT | USA |
| CERT@VDE | Products of the vendors: Beckhoff, Bender, Endress+Hauser, Etherwan Systems, HIMA, Festo, Koramis, ifm, Miele, Pepperl+Fuchs, Phoenix Contact, PILZ, Sysmik, Weidmueller, and WAGO. Also, industrial and infrastructure control systems (and its components) of European Union (EU) based vendors as long as there is no CNA with a more specific scope for the vulnerability | CNA | CERT | Germany |
| Check Point Software Ltd. | Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope | CNA | Vendor, Researcher | Israel |
| Chrome | Chrome and Chrome OS issues, and projects that are not in another CNA’s scope | CNA | Vendor, Open Source, Researcher | USA |
| Cisco Systems, Inc. | All Cisco products, and any third-party research targets that are not in another CNA’s scope. Cisco will not issue a CVE ID for issues reported on products that are past the Last Day of Support milestone, as defined on Cisco’s End-of-Life Policy, which is available at https://www.cisco.com/c/en/us/products/eos-eol-policy.html | CNA | Hosted Service, Open Source, Researcher, Vendor | USA |
| Citrix Systems, Inc. | Citrix issues only | CNA | Vendor | USA |
| Cloudflare, Inc. | All Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope | CNA | Vendor | USA |
| Crafter CMS | Crafter CMS issues only | CNA | Vendor, Open Source | USA |
| Crestron Electronics, Inc. | Crestron products | CNA | Vendor | USA |
| Crowdstrike Holdings, Inc. | Crowdstrike Sensor issues, excluding unsupported versions, and issues in third-party products or services identified by Crowdstrike research unless covered in the scope of another CNA | CNA | Vendor | USA |
| Cybellum Technologies LTD | All Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope | CNA | Vendor | Israel |
| Cyber Security Works Pvt. Ltd. | Vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope | CNA | Researcher | India |
| CyberArk Labs | Vulnerabilities discovered by CyberArk Labs that are not in another CNA’s scope | CNA | Vendor, Researcher | Israel |
| CyberDanube | All CyberDanube products, as well as vulnerabilities in third-party hardware/software discovered by CyberDanube or partners actively engaged in vulnerability research coordination, which are not within the scope of another CNA | CNA | Researcher, Vendor | Austria |
| Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) | Industrial control systems and medical devices | Top-Level Root, CNA-LR | CERT | USA |
| Dahua Technologies | Dahua consumer Internet of Things (IoT) products, excludes End-of-Life products | CNA | Vendor | China |
| Dassault Systèmes | All websites of the corporate group and of any subsidiaries, including but not limited to www.3ds.com and www.solidworks.com; all Software as a Service solutions, such as 3DEXPERIENCE or ScienceCloud, but also any online hosting linked to our brands; and all Dassault Systèmes licensed software products | CNA | Vendor | France |
| Debian GNU/Linux | Debian issues only | CNA | Vendor, Open Source | USA |
| DeepSurface Security, Inc. | All DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope | CNA | Vendor, Researcher | USA |
Dell Dell, Dell EMC, and VCE issues only CNA Vendor USA
Devolutions Inc. Remote Desktop Manager and Devolutions Server products CNA Vendor, Open Source Canada
Docker Inc. All Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open-source projects CNA Vendor, Open Source USA
Document Foundation, The Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues CNA Vendor, Open Source Germany
dotCMS LLC All dotCMS product services including the vulnerabilities reported in our open-source core located at https://github.com/dotCMS/core CNA Hosted Service USA
Dragos, Inc. Dragos products and third-party products it researches related to operational technology (OT)/industrial control systems (ICS) not covered by another CNA CNA Vendor, Researcher USA
Drupal.org All projects hosted under drupal.org only CNA Vendor, Open Source USA
Dual Vipers LLC Dual Vipers projects and products (both open and closed source), as well as vulnerabilities in third-party software discovered by Dual Vipers that are not in another CNA’s scope CNA Hosted Service, Open Source, Researcher, Vendor USA
Dutch Institute for Vulnerability Disclosure (DIVD) Vulnerabilities in software discovered by DIVD, and vulnerabilities reported to DIVD for coordinated disclosure, which are not in another CNA’s scope CNA Researcher Netherlands
Eaton Eaton issues only CNA Vendor Ireland
Eclipse Foundation Eclipse IDE and the Eclipse Foundation’s eclipse.org, polarysys.org, and locationtech.org open source projects only CNA Vendor, Open Source Canada
Elastic Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only CNA Vendor Netherlands
Electronic Arts, Inc. EA issues only CNA Vendor USA
Environmental Systems Research Institute, Inc. All Esri products only CNA Vendor USA
ESET, spol. s r.o. All ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope CNA Vendor, Researcher Slovak Republic
Exodus Intelligence Vulnerabilities discovered by Exodus Intelligence as well as acquisitions from independent researchers via its Research Sponsorship Program (RSP) CNA Bug Bounty Provider, Researcher USA
F-Secure All F-Secure products and security vulnerabilities discovered by F-Secure in third-party software not in another CNA’s scope CNA Vendor, Researcher Finland
F5, Inc. All F5 products and services, commercial and open source, which have not yet reached End of Technical Support (EoTS). All legacy acquisition products and brands including, but not limited to, NGINX, Shape Security, Volterra, and Threat Stack. F5 does not issue CVEs for products which are no longer supported CNA Vendor, Open Source USA
Fedora Project Vulnerabilities in open-source projects affecting the Fedora Project, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project CNA Vendor, Open Source USA
Fidelis Cybersecurity, Inc. Fidelis issues only CNA Vendor USA
Flexera Software LLC All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
floragunn GmbH All issues related to Search Guard only CNA Vendor, Open Source Germany
Fluid Attacks Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope CNA Researcher Colombia
Forcepoint Forcepoint products only CNA Vendor USA
ForgeRock, Inc. ForgeRock issues only CNA Vendor, Open Source USA
Fortinet, Inc. Fortinet issues only CNA Vendor USA
FPT Software Co., Ltd. All products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software that are not in another CNA’s scope CNA Vendor, Researcher Vietnam
Frappe Technologies Pvt. Ltd. Vulnerabilities relating to Frappe Framework, ERPNext product, erpnext.com, and frappecloud.com hosting services, as well as other vulnerabilities discovered by Frappe Technologies that are not under the scope of any other CNA CNA Bug Bounty Provider India
FreeBSD Primarily FreeBSD issues only CNA Vendor, Open Source USA
FULL INTERNET All FULL products, as well as vulnerabilities in third-party software discovered by FULL that are not in another CNA’s scope CNA Bug Bounty Provider, Hosted Service, Vendor, Researcher Brazil
Gallagher Group Ltd. All Gallagher security products only CNA Vendor New Zealand
GE Healthcare GE Healthcare products CNA Vendor USA
General Electric (Gas Power) GE (Gas Power) issues only CNA Vendor USA
Genetec Inc. Genetec products and solutions only CNA Hosted Service, Vendor Canada
Gitea Limited Gitea issues only CNA Open Source, Vendor China
GitHub, Inc. GitHub currently only covers CVEs requested by software maintainers using the GitHub Security Advisories feature CNA Vendor USA
GitHub, Inc. (Products Only) GitHub Enterprise Server issues only CNA Vendor USA
GitLab Inc. The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope CNA Vendor, Researcher USA
Glyph & Cog, LLC Xpdf open source project, including the xpdf viewer and associated command line tools CNA Open Source, Vendor USA
Go Project Vulnerabilities in software published by the Go Project (including the Go standard library, Go toolchain, and the golang.org modules) and publicly disclosed vulnerabilities in publicly importable packages in the Go ecosystem, unless covered by another CNA’s scope CNA Vendor, Open Source USA
Google Devices Google Devices – Pixel, Nest, and Chromecast CNA Vendor USA
Google LLC Root Scope: Alphabet organizations. CNA Scope: Google products that are not covered by Android and Chrome, as well as vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope Root, CNA Vendor, Open Source, Researcher USA
Google Open Source Software Vulnerabilities in open source software published and maintained by Google CNA Vendor, Open Source USA
Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) Vulnerabilities discovered by GovTech CSG only that are not in another CNA’s scope CNA Researcher Singapore
Grafana Labs All Grafana Labs open source and commercial products CNA Vendor, Open Source USA
Green Rocket Security Inc. Green Rocket Security products including EOL unless covered by another CNA’s scope CNA Vendor USA
GS McNamara LLC GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that we are researching or coordinating that are not in another CNA’s scope CNA Vendor, Researcher USA
HackerOne Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform CNA Bug Bounty Provider USA
Halborn All blockchain and Web3 products that rely on smart contracts written in Rust, Go, and Solidity, as well as blockchain associated Web2 and Web3 infrastructure not covered by another CNA CNA Researcher USA
Hallo Welt! GmbH BlueSpice vulnerabilities only CNA Vendor Germany
Hangzhou Hikvision Digital Technology Co., Ltd. All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs) CNA Vendor China
Hanwha Vision Co., Ltd. Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) CNA Vendor South Korea
HashiCorp Inc. All HashiCorp products and projects unless covered by another CNA’s scope CNA Vendor USA
HCL Software All HCL products only CNA Vendor India
Hewlett Packard Enterprise (HPE) HPE issues only CNA Vendor USA
Hillstone Networks Inc. Vulnerabilities in our products listed at https://www.hillstonenet.com/hillstone-networks-product-portfolio and the products we sell only in China listed at https://www.hillstonenet.com.cn/product_service/, not including our websites CNA Vendor China
Hitachi Energy Hitachi Energy products only CNA Vendor Switzerland
Hitachi Vantara All Hitachi Vantara products and technologies CNA Vendor USA
Hitachi, Ltd. Hitachi products excluding Hitachi Energy and Hitachi Vantara products CNA Vendor Japan
Honeywell International Inc. All Honeywell products CNA Vendor USA
Honor Device Co., Ltd. Vulnerabilities in Honor products and services unless covered by the scope of another CNA CNA Vendor China
HP Inc. HP Inc. issues only CNA Vendor USA
Huawei Technologies Huawei issues only CNA Vendor China
huntr.dev Vulnerabilities in third-party code reported to huntr.dev that are not in another CNA’s scope CNA Bug Bounty Provider UK
HYPR Corp All HYPR products only CNA Vendor USA
IBM Corporation All IBM products, as well as vulnerabilities in third-party software discovered by IBM X-Force Red that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
ID Business Solutions IDBS products as listed on https://www.idbs.com/products/ CNA Vendor UK
IDEMIA All IDEMIA products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by IDEMIA that are not in another CNA’s scope CNA Researcher, Vendor France
Illumio Illumio issues only CNA Vendor USA
Indian Computer Emergency Response Team (CERT-In) Vulnerability coordination for vulnerabilities in all products reported to CERT-In in accordance with our vulnerability coordination role as a CERT. Vulnerability assignments for vulnerabilities impacting all products designed, developed, and manufactured in India CNA CERT India
Intel Corporation Intel branded products and technologies and Intel managed open source projects CNA Vendor, Open Source USA
Internet Systems Consortium (ISC) All ISC.org projects CNA Vendor, Open Source USA
IoT83 Ltd Vulnerabilities in IoT83 product(s), services, and components only. Third-party, open-source components used in IoT83 product(s), services, and components are not in scope CNA Vendor USA
Israel National Cyber Directorate (INCD) Vulnerability assignment related to its vulnerability coordination role CNA CERT Israel
Jenkins Project Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only CNA Open Source USA
JetBrains s.r.o. JetBrains products only CNA Vendor, Open Source Czech Republic
JFrog All JFrog products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by JFrog that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to JFrog (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope CNA Vendor, Researcher Israel
Johnson Controls Johnson Controls products only CNA Vendor USA
Joomla! Project Core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only CNA Vendor, Open Source USA
JPCERT/CC Root Scope: Japan organizations. CNA Scope: Vulnerability assignment related to its vulnerability coordination role Root, CNA CERT Japan
Juniper Networks, Inc. Juniper issues only CNA Vendor, Open Source USA
Kaspersky Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope CNA Vendor, Researcher Russia
KNIME AG All vulnerabilities on software products that our company provides, including KNIME Analytics Platform, KNIME Server, and KNIME Hub CNA Vendor Switzerland
KrakenD, S.L. KrakenD EE, KrakenD CE, and Lura issues only CNA Vendor, Open Source Spain
KrCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT South Korea
Kubernetes Kubernetes issues only CNA Vendor, Open Source USA
Larry Cashdollar Third-party products he researches that are not in another CNA’s scope CNA Researcher USA
Lenovo Group Ltd. Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only CNA Vendor USA
LG Electronics LG Electronics products only CNA Vendor South Korea
Liferay, Inc. All Liferay supported products and end-of-life/end-of-service products CNA Vendor USA
LINE Corporation Current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line CNA Vendor, Open Source Japan
Logitech All current products/software/apps made by Logitech, Ultimate Ears, Jaybird, Streamlabs, Logitech G, Logicool, Blue, and Astro Gaming CNA Vendor Switzerland
M-Files Corporation M-Files and Hubshare products CNA Vendor Finland
MarkLogic Corporation MarkLogic issues only CNA Vendor USA
Mattermost, Inc. All Mattermost issues, and vulnerabilities discovered by Mattermost that are not in another CNA’s scope CNA Vendor, Researcher USA
Mautic Mautic core and officially supported plugins CNA Vendor, Open Source USA
MediaTek, Inc. MediaTek product issues only CNA Vendor Taiwan
Medtronic All products of Medtronic or a Medtronic company including supported products and end-of-life/end-of-service products, as well as vulnerabilities in third-party software discovered in Medtronic products that are not in another CNA’s scope CNA Vendor USA
Mend Vulnerabilities in Mend (formerly WhiteSource) products and vulnerabilities in third-party software discovered by Mend that are not in another CNA’s scope CNA Vendor, Researcher USA
Meta Platforms, Inc. Meta-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Meta that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/ CNA Vendor, Open Source, Researcher USA
Microsoft Corporation Microsoft issues only CNA Vendor USA
MIM Software Inc. MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA CNA Vendor USA
Mirantis All Mirantis products (supported products and end-of-life/end-of-service products) and open source offerings, as well as vulnerabilities in third-party software discovered by Mirantis that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
MITRE Corporation All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this website Top-Level Root, CNA-LR, Secretariat N/A USA
Mitsubishi Electric Corporation Mitsubishi Electric issues only CNA Vendor Japan
MongoDB, Inc. MongoDB products only, not including end-of-life components or products CNA Vendor, Open Source USA
Moxa Inc. Moxa products only CNA Vendor Taiwan
Mozilla Corporation Mozilla issues only CNA Vendor, Open Source USA
National Cyber Security Centre Finland (NCSC-FI) Vulnerabilities in software discovered by NCSC-FI, and vulnerabilities reported to NCSC-FI for coordinated disclosure, which are not in another CNA’s scope CNA CERT Finland
National Cyber Security Centre Netherlands (NCSC-NL) Vulnerabilities in software discovered by NCSC-NL, and vulnerabilities reported to NCSC-NL for coordinated disclosure, which are not in another CNA’s scope CNA CERT Netherlands
National Cyber Security Centre SK-CERT Vulnerabilities in software discovered by National Cyber Security Centre SK-CERT, and vulnerabilities reported to National Cyber Security Centre SK-CERT for coordinated disclosure, which are not in another CNA’s scope CNA CERT Slovak Republic
National Instruments NI products only (including National Instruments) CNA Vendor USA
Naver Corporation Naver products only, except Line products CNA Vendor South Korea
NEC Corporation NEC issues only CNA Vendor Japan
NetApp, Inc. All NetApp products as well as projects hosted on https://github.com/netapp CNA Vendor USA
Netflix, Inc. Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix/ and https://github.com/spinnaker/ CNA Vendor, Open Source USA
NetRise Vulnerabilities in third-party Extended Internet of Things (XIoT) devices and firmware NetRise researches that are not covered by another CNA CNA Researcher USA
Netskope All Netskope products and services CNA Vendor USA
NLnet Labs All NLnet Labs projects CNA Vendor, Open Source Netherlands
Node.js All actively developed versions of software developed under the Node.js project on https://github.com/nodejs/ CNA Vendor, Open Source USA
NortonLifeLock Inc. All NortonLifeLock product issues only CNA Vendor USA
Nozomi Networks Inc. All Nozomi Networks products, as well as vulnerabilities in third-party software discovered by Nozomi Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
NVIDIA Corporation NVIDIA issues only CNA Vendor USA
Objective Development Software GmbH Objective Development issues only CNA Vendor Austria
Octopus Deploy All Octopus Deploy products, as well as Octopus Deploy maintained projects hosted on https://github.com/OctopusDeploy CNA Vendor, Open Source Australia
Odoo Odoo issues only CNA Vendor Belgium
Okta Okta issues only CNA Vendor USA
ONEKEY GmbH All ONEKEY products and vulnerabilities in third-party software discovered by ONEKEY that are not in another CNA’s scope CNA Vendor, Researcher Germany
Open Design Alliance Open Design Alliance products only CNA Vendor USA
Open-Xchange Products and services provided by Open-Xchange, PowerDNS, and Dovecot CNA Open Source, Vendor Germany
OpenAnolis OpenAnolis issues only CNA Vendor, Open Source China
OpenCloudOS Community OpenCloud OS issues only, not including EOL products, unless covered by another CNA’s scope CNA Open Source China
openEuler openEuler issues only CNA Vendor, Open Source China
openGauss Community openGauss issues only CNA Open Source China
OpenHarmony openHarmony issues only CNA Open Source China
OpenSSL Software Foundation OpenSSL software projects only CNA Vendor, Open Source USA
OpenText (formerly Micro Focus) All OpenText products (including Carbonite, Zix, Micro Focus, others) CNA Vendor USA
OpenVPN Inc. All products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel CNA Vendor, Open Source USA
Opera Opera issues only CNA Vendor, Open Source Norway
OPPO Mobile Telecommunication Corp., Ltd. OPPO devices only CNA Vendor China
Oracle Oracle supported version product issues only; CVE IDs will not be assigned for unsupported products or versions (Oracle will confirm support status and notify researcher) CNA Hosted Service, Open Source, Vendor USA
OTRS AG Vulnerabilities for OTRS and ((OTRS)) Community Edition and modules only CNA Vendor Germany
Palantir Technologies Palantir products and technologies only CNA Vendor USA
Palo Alto Networks, Inc. All Palo Alto Networks products, and vulnerabilities discovered by Palo Alto Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
Panasonic Holdings Corporation All products and services developed and/or sold by Panasonic Group companies CNA Vendor Japan
Patchstack Vulnerabilities in third-party PHP products discovered by Patchstack and Patchstack Red Team CNA Bug Bounty Provider, Hosted Service, Open Source, Researcher, Vendor Estonia
Payara All Payara Platform product distributions (Payara Server, Micro, Embedded) for both Enterprise (commercial) and Community (OSS) distributions CNA Open Source, Vendor UK
Pegasystems Inc. Pegasystems products only CNA Vendor USA
Philips Philips issues only CNA Vendor Netherlands
PHP Group Vulnerabilities in PHP code (code in https://github.com/php/php-src) only CNA Vendor, Open Source USA
Ping Identity Corporation All Ping Identity products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Ping Identity that are not in another CNA’s scope CNA Hosted Service, Researcher, Bug Bounty Provider USA
Profelis IT Consultancy Products and services developed by Profelis IT Consultancy including enterprise directory solution SambaBox and password reset product PassBox CNA Vendor Türkiye
Proofpoint Inc. All Proofpoint products CNA Hosted Service, Vendor USA
Puppet All Puppet products, as well as all projects on https://github.com/puppetlabs/ CNA Vendor, Open Source USA
QNAP Systems, Inc. QNAP issues only CNA Vendor Taiwan
Qualcomm, Inc. Qualcomm and Snapdragon issues only CNA Vendor USA
Qualys, Inc. All Qualys products and vulnerabilities discovered by Qualys that are not covered by another CNA’s scope CNA Vendor, Researcher USA
Rapid7, Inc. All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Red Hat, Inc. Root Scope: The Red Hat Root’s scope includes the open-source community. Any open-source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them better. CNA Scope: Vulnerabilities in open-source projects affecting Red Hat offerings, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat offerings Root, CNA Vendor, Open Source USA
Replicated, Inc. Replicated products and services only CNA Vendor USA
Rhino Mobility Rhino Mobility issues only CNA Vendor USA
Ribose Limited All Ribose products and services, including open-source projects, supported products, and end-of-life/end-of-service products CNA Hosted Service, Open Source, Vendor UK
Robert Bosch GmbH Bosch products only CNA Vendor Germany
Rockwell Automation All Rockwell Automation products CNA Vendor USA
SailPoint Technologies SailPoint issues only CNA Vendor USA
Salesforce, Inc. Salesforce products only CNA Vendor USA
Samsung Mobile Samsung Mobile Galaxy products, personal computers, and related services only CNA Vendor South Korea
Samsung TV & Appliance Samsung TV & Appliance products, Samsung-owned open-source projects listed on https://github.com/Samsung/, as well as vulnerabilities in third-party software discovered by Samsung that are not in another CNA’s scope. Vulnerabilities affecting end-of-life/end-of-service products are in scope. The following categories of Samsung Products are in scope: Internet-connected home appliances, B2C product (smart TV, smart monitor, soundbar, and projector), and B2B products (digital signage, interactive display, and kiosk) CNA Open Source, Researcher, Vendor South Korea
SAP SE All SAP products CNA Vendor Germany
Schneider Electric All Schneider Electric products, including Proface, APC, and Eurotherm CNA Vendor France
Schweitzer Engineering Laboratories, Inc. All Schweitzer Engineering Laboratories products CNA Vendor USA
Seagate Technology Any Seagate or LaCie software or hardware, open or closed source, supported and end of life, as well as any vulnerabilities in third-party software discovered by Seagate that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Secomea A/S Supported Secomea products only CNA Vendor Denmark
Securifera, Inc. Vulnerabilities in vendor products discovered by Securifera, or related parties, while performing vulnerability research or security assessments CNA Researcher USA
Security Risk Advisors (SRA) Vulnerabilities discovered by SRA that are not within the scope of another CNA CNA Researcher USA
senhasegura Vulnerabilities in senhasegura products, and other vulnerabilities discovered by senhasegura that are not in another CNA’s scope CNA Vendor, Researcher Brazil
ServiceNow All ServiceNow products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by ServiceNow that are not in another CNA’s scope CNA Hosted Service, Researcher, Vendor USA
Shop Beat Solutions (Pty) LTD Vulnerabilities in Shop Beat products and services and vulnerabilities discovered by Shop Beat unless covered by the scope of another CNA CNA Hosted Service, Vendor South Africa
SICK AG SICK AG issues only CNA Vendor Germany
Siemens Siemens issues only CNA Vendor Germany
Sierra Wireless Inc. Sierra Wireless products only CNA Vendor Canada
Silicon Labs Silicon Labs issues only CNA Vendor USA
Silver Peak Systems, Inc. Silver Peak product issues only CNA Vendor USA
Simplinx Ltd. Simplinx products only CNA Vendor Türkiye
Snow Software All Snow Software products CNA Vendor Sweden
Snyk Vulnerabilities in Snyk products and vulnerabilities discovered by, or reported to, Snyk that are not in another CNA’s scope CNA Open Source, Researcher UK
SolarWinds SolarWinds products only CNA Vendor USA
Solidigm Solidigm branded products and technologies CNA Vendor USA
SonicWall, Inc. SonicWall issues only CNA Vendor USA
Sophos Limited Sophos issues only CNA Vendor UK
Spanish National Cybersecurity Institute, S.A. (INCIBE) Root Scope: Spain organizations. CNA Scope: Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level, and vulnerabilities reported to INCIBE by Spain organizations and researchers that are not in another CNA’s scope Root, CNA CERT Spain
Splunk Inc. Splunk products only CNA Vendor USA
STAR Labs SG Pte. Ltd. Vulnerabilities discovered by STAR Labs SG that are not in another CNA’s scope CNA Researcher Singapore
StrongDM StrongDM issues only CNA Vendor USA
SUSE SUSE and Rancher issues only CNA Vendor, Open Source USA
Swift Project The Swift Project only CNA Vendor, Open Source USA
Switzerland National Cyber Security Centre (NCSC) Switzerland Government Common Vulnerability Program CNA CERT Switzerland
Symantec – A Division of Broadcom Symantec Enterprise products as well as vulnerabilities in third-party software discovered by Symantec that are not in another CNA’s scope CNA Vendor, Researcher USA
Synaptics, Inc. Synaptics issues only CNA Vendor USA
Synology Inc. Synology issues only CNA Vendor Taiwan
Synopsys All Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope CNA Vendor, Researcher USA
Talos Third-party products it researches CNA Researcher USA
Tcpdump Group Tcpdump and Libpcap only CNA Vendor, Open Source Canada
TeamViewer Germany GmbH TeamViewer issues only CNA Vendor Germany
Temporal Technologies Inc. All Temporal Technologies software CNA Hosted Service, Open Source USA
Tenable Network Security, Inc. Tenable products and third-party products it researches not covered by another CNA CNA Vendor USA
Thales Group Thales branded products and technologies only CNA Vendor, Researcher France
The HISP Centre at the University of Oslo Security issues in DHIS2 open-source web and mobile software applications CNA Vendor, Open Source Norway
The Missing Link Australia (TML) TML vulnerability disclosure policy applies to any third-party vendor products to whom TML will assign the CVEs for vulnerabilities, if the product is not a part of another CNA scope CNA Researcher Australia
The OpenBMC Project Vulnerabilities related to the repositories maintained by the OpenBMC project CNA Vendor, Open Source USA
The OpenNMS Group OpenNMS issues only CNA Vendor, Open Source USA
TianoCore.org Software vulnerabilities related to the TianoCore Open Source CNA Vendor, Open Source USA
TIBCO Software Inc. TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only CNA Vendor USA
Tigera, Inc. All vulnerabilities for Calico and all of Tigera’s products only CNA Vendor, Open Source USA
Toshiba Corporation Vulnerabilities related to products and services of Toshiba Corporation CNA Vendor Japan
TR-CERT (Computer Emergency Response Team of the Republic of Türkiye) Vulnerability assignment related to its vulnerability coordination role CNA CERT Türkiye
Trellix All Trellix Enterprise (formerly McAfee Enterprise and FireEye) products, as well as vulnerabilities in third-party software discovered by Trellix Advanced Research Center (Trellix ACR) that are not in another CNA’s scope CNA Vendor, Researcher USA
Trend Micro, Inc. Trend Micro supported products, end-of-life products, and all issues related to TXOne products CNA Vendor Japan
Tribe29 GmbH All products of Tribe29 including Checkmk and Checkmk Appliance CNA Vendor, Open Source Germany
TWCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT Taiwan
Unisoc (Shanghai) Technologies Co., Ltd. Unisoc issues only CNA Vendor China
Vaadin Ltd. All Vaadin products and supported open-source projects hosted at https://github.com/vaadin CNA Vendor, Open Source Finland
Vivo Mobile Communication Co., Ltd. Vivo issues only CNA Vendor China
VMware VMware, Spring, and Cloud Foundry issues only CNA Vendor, Open Source USA
VulDB Vulnerabilities discovered by, or reported to, the VulDB vulnerability database that are not in another CNA’s scope CNA Researcher Switzerland
VulnCheck Vulnerabilities discovered by, or reported to, VulnCheck that are not in another CNA’s scope CNA Bug Bounty Provider, Researcher USA
Vulnscope Technologies Provides CVE IDs for customers as part of our bug bounty and vulnerability coordination platform CNA Bug Bounty Provider Chile
WatchGuard Technologies, Inc. Vulnerabilities in all WatchGuard products and products of WatchGuard subsidiaries CNA Vendor USA
Western Digital Western Digital products including WD, SanDisk, SanDisk Professional, G-Technology, and HGST only CNA Vendor USA
wolfSSL Inc. Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products CNA Vendor, Open Source USA
Wordfence WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team CNA Vendor, Researcher USA
WPScan WordPress core, plugins, and themes CNA Vendor, Open Source France
Xen Project All sub-projects under Xen Project’s umbrella (see Xen Project Teams), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer CNA Vendor, Open Source UK
Xiaomi Technology Co., Ltd. Xiaomi issues only CNA Vendor China
Xylem Xylem products and technologies only CNA Vendor USA
Yandex N.V. Yandex issues only CNA Vendor Russia
Yugabyte, Inc. Yugabyte products only CNA Hosted Service, Vendor USA
Zabbix Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only CNA Vendor Latvia
Zephyr Project Zephyr project components, and vulnerabilities that are not in another CNA’s scope CNA Vendor, Open Source USA
Zero Day Initiative Products and projects covered by its bug bounty programs that are not in another CNA’s scope CNA Bug Bounty Provider Japan
ZGR ZGR manufactured products CNA Vendor Spain
Zoom Video Communications, Inc. Zoom and Keybase issues only CNA Vendor USA
Zowe Vulnerabilities in Zowe.org open source projects CNA Open Source USA
Zscaler, Inc. Zscaler issues only CNA Vendor USA
ZTE Corporation ZTE products only CNA Vendor China
ZUSO Advanced Research Team (ZUSO ART) Vulnerabilities in third-party products discovered by ZUSO ART that are not in another CNA’s scope CNA Researcher Taiwan
Zyxel Corporation Zyxel products issues only CNA Vendor Taiwan
