In today’s digital world, the necessity to secure valuable data and information is more important than ever. As more businesses and individuals rely on technological advancements, the risks associated with vulnerabilities within systems and applications increase. To address these risks, it’s crucial to be aware of publicly disclosed security vulnerabilities that may affect your systems or software. This knowledge allows organizations and individuals to be proactive in protecting their digital assets and ensuring overall security.
One way to stay informed about these security vulnerabilities is through vulnerability databases. These databases serve as comprehensive resources that catalog publicly disclosed cybersecurity vulnerabilities in a standardized format, making it easier for individuals and professionals to search, use, and incorporate the information into their security measures. With a wide range of databases available, it’s essential to identify the most powerful and reputable ones to assist you in staying up-to-date with the latest vulnerabilities and securing your systems against potential threats.
In this article, we explore six powerful vulnerability databases that provide valuable information on publicly disclosed security vulnerabilities. These databases cater to a wide range of users, from security experts to general IT professionals, ensuring comprehensive coverage of the most relevant and up-to-date security vulnerabilities.
But before we get to the list of powerful vulnerability databases, let’s cover some background. This part is optional reading, but it is useful for anyone who wants comprehensive information about vulnerability management and vulnerability databases.
In this comprehensive blog post, we will cover the following topics:
- What are security vulnerabilities and how they are tracked
- Understanding CVE IDs, CVSS scoring system, and vectors
- Introduction to CVE Numbering Authorities (CNAs)
- Where to search publicly disclosed vulnerabilities
- List of powerful vulnerability databases
What are Security Vulnerabilities? And How Security Vulnerabilities Are Being Tracked?
Security vulnerabilities are flaws or weaknesses in software code or system configurations that can be exploited by attackers to gain unauthorized access to a system or network. Once inside, attackers can leverage authorizations and privileges to compromise systems and assets. Vulnerabilities can be found in IT, network, cloud, web, and mobile application systems.
Some examples of vulnerabilities include:
- Buffer overflows
- SQL injection flaws
- Cross-site scripting bugs
- Default or weak passwords
- Race conditions
Vulnerabilities are tracked and documented in databases so that affected vendors, manufacturers, and users are aware of the issue and can take action to remediate or mitigate the vulnerability.
Common practices for vulnerability tracking include:
- Reporting: Security researchers and users submit newly discovered vulnerabilities to vendors, CERTs, or public vulnerability databases.
- Assignment of CVE ID: Once a vulnerability report is verified, it is assigned a CVE ID (Common Vulnerabilities and Exposures) for unique identification.
- Publication: Details of the vulnerability are publicly documented in databases like the National Vulnerability Database (NVD).
- Severity analysis: The vulnerability severity is scored using the Common Vulnerability Scoring System (CVSS).
- Remediation tracking: The fix status of the vulnerability is updated over time.
Thorough vulnerability tracking and robust databases allow the security community to assess the risk posed by flaws and prioritize remediation efforts.
The vulnerability management team plays a crucial role in identifying, analyzing, assessing, reporting, and mitigating security vulnerabilities before they can be exploited by attackers. Collected or reported vulnerabilities are recorded in several databases, each under an assigned CVE ID. This is where the concept of the vulnerability database begins. Before we go further, let’s understand a few more concepts: the CVE ID, the CVSS scoring system, and CVSS vectors.
Understand CVE ID, CVSS Scoring System, And Vectors of CVSS
When dealing with publicly disclosed security vulnerabilities, it is essential to understand the Common Vulnerabilities and Exposures (CVE) identification, the Common Vulnerability Scoring System (CVSS), and the CVSS vectors. This understanding helps you evaluate the severity of vulnerabilities and prioritize your response.
CVE ID
CVE stands for Common Vulnerabilities and Exposures. It is a unique ID assigned to identify each publicly known security vulnerability.
The CVE ID consists of the following format:
CVE-YYYY-NNNNN
Where:
- CVE – Constant identifier showing this is a CVE ID
- YYYY – The year the CVE ID was assigned
- NNNNN – A unique 5-digit number to identify the specific vulnerability
For example, CVE-2019-19781 was assigned in 2019 and has a unique 5-digit ID of 19781.
Once a vulnerability has been publicly documented and verified, it is added to the CVE master list, formally known as Vulnerability Database. The CVE ID helps to eliminate confusion by allowing all parties to refer to vulnerabilities in a standardized manner.
CVSS Scoring System
The Common Vulnerability Scoring System (CVSS) is an open framework used to quantify the severity of IT vulnerabilities. CVSS assigns a numeric score ranging from 0 to 10 to vulnerabilities, with 10 being the most severe.
The CVSS score represents the ease and impact of exploitation. The metrics used to calculate the score are divided into three metric groups:
Base – Represents the intrinsic characteristics of a vulnerability that do not change over time or user environments. This consists of:
- Attack Vector (AV) – How the vulnerability can be exploited e.g. network, adjacent, local, physical.
- Attack Complexity (AC) – The complexity of the attack required to exploit the vulnerability.
- Privileges Required (PR) – The level of privileges required for an attacker to exploit the flaw.
- User Interaction (UI) – If user interaction is required to exploit the vulnerability.
- Scope (S) – If a vulnerability in one component impacts resources beyond its security scope.
- Confidentiality (C), Integrity (I), Availability (A) Impact – The impact on the CIA security principles if a vulnerability is exploited.
Temporal – Represents the characteristics of a vulnerability that may change over time but not user environments. This consists of:
- Exploit Code Maturity (E) – Reflects the maturity of available exploit code.
- Remediation Level (RL) – Represents the degree to which a vulnerability can be mitigated through fixes, patches, upgrades, etc.
- Report Confidence (RC) – Reflects the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.
Environmental – Represents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment. This consists of:
- Collateral Damage Potential (CDP) – The potential for loss of data assets, productivity or revenue if a vulnerability is exploited.
- Target Distribution (TD) – The number of vulnerable systems that exist in the wild.
- Security Requirements (CR, IR, AR) – The security requirements for confidentiality, integrity and availability in the user environment.
Using these metrics, CVSS applies a complex calculation to determine the final vulnerability severity score.
Vectors of CVSS
CVSS vectors are a standardized text representation of the metrics used to score a vulnerability.
The vector string contains each metric acronym, followed by the assigned value. For example:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This vector shows:
- CVSS version 3.1
- Attack vector is Network (N)
- Attack complexity is Low (L)
- No privileges required (N)
- No user interaction (N)
- The scope is Unchanged (U)
- High impact scores for confidentiality, integrity, availability (H)
The vector highlights the key metrics used to calculate the overall CVSS score for a vulnerability. It provides an easy way for humans to understand the rating factors at a glance.
A Short Introduction to CVE Numbering Authority (CNA)
The next question is: who assigns the CVE IDs to vulnerabilities and adds them to the database? The answer is the CVE Numbering Authority (CNA). CNAs are organizations that have been authorized by the CVE Program to assign CVE identifiers to vulnerabilities affecting products within their agreed-upon scope. These organizations play a crucial role in ensuring that newly discovered vulnerabilities are assigned unique identifiers and properly documented for the public.
A CNA is responsible for establishing the scope of their authority, determining if a vulnerability falls within this scope, and assigning a unique CVE identifier to the vulnerability before its first public announcement. The CNA’s domain of authority can be specific to its own products or cover a broader range of products and vulnerabilities under its scope. Cooperation between CNAs ensures consistency and accuracy in the enumeration and documentation of vulnerabilities.
The CNA Rules provide guidelines for the assignment and management of CVE identifiers by CNAs. These rules outline the responsibilities and requirements for CNAs, including scope definition, vulnerability discovery and reporting, and proper documentation of vulnerabilities in the CVE List.
There are distinct levels in the CNA hierarchy: Root, Top-Level Root, CNA of Last Resort (CNA-LR), and Sub-CNAs. The most common and basic level of CNA is the Sub-CNA, which assigns CVE identifiers to vulnerabilities specifically within their domain of responsibility. CNAs work together with other CNAs, higher-level CNAs, and the CVE Program to maintain an efficient and streamlined CVE assignment process.
The role of CNAs includes:
- Receiving vulnerability reports from researchers, vendors, etc.
- Verifying reports and ensuring they represent distinct vulnerabilities warranting a CVE ID.
- Assigning a CVE ID from their unique block.
- Notifying the vulnerability submitter about the assigned CVE ID.
- Publishing CVE details to databases like NVD, their own security advisories, etc.
- Updating CVE information and notifying affected parties as more details become available.
CNAs are a vital part of the CVE ecosystem. They enable coordinated, reliable assignment of IDs across the rapidly evolving threat landscape. Currently, there are 307 CNAs (305 CNAs and 2 CNA-LRs) from 36 countries participating in the CVE Program.

Where do You Search for Publicly Disclosed Security Vulnerabilities?
There are several reputable databases that can be utilized to search for publicly disclosed security vulnerabilities. One of the most notable is the CVE List, a comprehensive catalog of publicly disclosed cybersecurity vulnerabilities managed by the CVE Numbering Authorities (CNAs). The CVE List is free to search, use, and incorporate into products and services. Organizations and security professionals rely on these resources to find details of known weaknesses impacting the products or technologies present in their environment.
Some places where publicly disclosed vulnerabilities can be searched include:
- National Vulnerability Database (NVD) – Extensive CVE vulnerability database maintained by NIST, based on CVE List feed. Integrates with CVSS and CPE.
- MITRE CVE List – Comprehensive list of CVE Records provided by MITRE.
- US-CERT Vulnerability Notes Database – Contains disclosure records published by CISA.
- Vulnerability search on vendor/manufacturer websites – Companies like Microsoft, Adobe, Cisco etc. provide vulnerability search capabilities on their own websites. Useful for product-specific flaws.
- Vulnerability databases – Resources like VulnDB, Vulners, Secunia Research Community etc. provide CVE vulnerability data. Some integrate exploit and patch info.
- Bug bounty platforms – Bugcrowd, HackerOne, etc. include limited vulnerability details disclosed through their bug bounty programs.
- Git repositories – Many security tools and projects provide vulnerability data in Git repositories that can be searched.
- Exploit databases – Sites like Exploit-DB contain proof-of-concept exploits that can reveal related vulnerabilities.
- Search engines – Google hacking for specific keywords can reveal security advisories and vulnerability reports.
This list provides a starting point on where security practitioners can search for vulnerability data pertinent to the systems and software relevant to their organization.
List of Powerful Vulnerability Databases
Now it’s time to take a deeper look into some of the most comprehensive and widely used public vulnerability databases that can be leveraged to streamline vulnerability management programs.
cve.org
CVE (Common Vulnerabilities and Exposures) is an international, community-driven security vulnerability database, which is maintained by the MITRE Corporation and funded by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security.
The website cve.org serves as a public platform that allows users to freely search, use, and incorporate information into their products and services. Each CVE Identifier, or CVE ID, includes a description of the vulnerability or exposure, and reference information from vulnerability reports and advisories. It’s important to note that the CVE system does not include risk, impact, fix, or other technical information, and it does not provide vulnerability management or vulnerability assessment capabilities. Rather, it is a key component that these types of capabilities can leverage.
Mitre
Mitre.org is a well-known organization that manages numerous cybersecurity initiatives, including the CVE Program. Established in 1999, the CVE Program aims to identify, define, and catalog publicly disclosed security vulnerabilities in a standardized manner. This helps security professionals, organizations, and developers effectively address and manage vulnerabilities across their systems.
Mitre.org is responsible for the distribution and maintenance of the Common Vulnerabilities and Exposures (CVE) database. The CVE database contains a comprehensive list of vulnerabilities identified by both experts and the cybersecurity community. Mitre.org ensures that every vulnerability listed in the CVE database receives a unique identifier, which makes it easier for practitioners to reference and search specific vulnerabilities.
One of the strengths of Mitre.org’s CVE Program is its ability to integrate with other cybersecurity services and tools. This helps organizations streamline their vulnerability management processes and make informed security decisions based on accurate and up-to-date information.
For users wishing to download the CVE database, Mitre.org provides it in JSON format. To access the database, users can visit the CVE website’s download page and download the desired data file. The availability of the CVE database in JSON format enables researchers and security professionals to easily parse the information and integrate it with their analytical tools and systems.
In conclusion, Mitre.org plays a vital role in managing the CVE Program and maintaining the CVE database. Its commitment to standardizing vulnerability information and providing seamless integration capabilities makes it a valuable resource for cybersecurity professionals and organizations.
National Vulnerability Database
The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data. This data includes security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. Operated by the National Institute of Standards and Technology (NIST), the NVD uses the Common Vulnerabilities and Exposures (CVE) system for its vulnerability identifiers.
While the CVE system provides a baseline for identifying vulnerabilities, the NVD goes a step further by providing more detailed vulnerability information including severity scores, impact metrics, and enhanced data to support vulnerability management.
For each vulnerability listed in the database, the NVD includes the vulnerability’s description, published and modified dates, references, and the vulnerability’s severity score as measured by the Common Vulnerability Scoring System (CVSS). The NVD’s website provides users with the ability to search this database for information on specific vulnerabilities.
The NVD is a critical resource for organizations that want to protect their systems from known vulnerabilities. It allows security researchers, system administrators, and others to understand the nature of potential threats to their systems and to prioritize their actions based on the severity and potential impact of the vulnerabilities.
VulnDB
VulnDB is a vulnerability database that provides comprehensive information on known security vulnerabilities in software products. It is one of the most important sources for people responsible for handling vulnerabilities, vulnerability management, exploit analysis, cyber threat intelligence, and incident response handling.
VulnDB was originally created in 2002 by a group of security researchers who wanted to provide a central repository for information on security vulnerabilities. The database was originally called Open Source Vulnerability Database (OSVDB), and it was maintained by the Open Security Foundation (OSF). In 2016, the OSF closed down, and VulnDB was acquired by Flashpoint.
It was built with the goal of providing the most timely and accurate vulnerability intelligence available. The database includes information on each vulnerability’s technical details, mitigation strategies, exploit information, and links to original advisories, as well as a wealth of other relevant information that can be used by cybersecurity professionals to protect their systems.
It covers an extensive range of security vulnerabilities, including many not found in the CVE (Common Vulnerabilities and Exposures) database. This makes VulnDB the largest and most comprehensive vulnerability database in the industry. Its creators had a clear vision: to help organizations better understand their security risks and prioritize their response strategies accordingly.
One of the key features of VulnDB is its ability to serve an easy-to-use SaaS Portal and a RESTful API, allowing for seamless integration with GRC (Governance, Risk Management, and Compliance) tools, ticketing systems, and other third-party services. This flexibility empowers organizations to efficiently access and use the valuable vulnerability data provided by VulnDB.
VulnDB’s offerings go beyond just providing vulnerability information. The database is frequently updated and enriched with additional details, such as verified fixes, suggested solutions, and relevant chatter from social media platforms like Twitter. This valuable extra context allows security professionals to better understand the potential impact of a vulnerability and implement the most suitable remediation strategies.
Security Database
Security Database is a prominent platform that was established to provide comprehensive information on publicly disclosed security vulnerabilities. As the largest vulnerability database in Europe, it has made a significant impact on the cybersecurity landscape, offering a wealth of resources for security professionals to draw upon. With an unwavering focus on presenting accurate and relevant data, Security Database maintains a confident, knowledgeable, neutral, and clear tone.
This extensive database not only offers a vast repository of vulnerability information but also provides users with numerous additional services. One notable feature is its ability to serve as an Application Programming Interface (API), which enables the seamless integration of its data with various third-party tools and software. This capacity allows users to access up-to-date vulnerability information in real time, ensuring they remain informed and protected from potential threats.
In addition to its primary function as a vulnerability database, Security Database offers various supplementary resources, including security research papers, exploit databases, and details on upcoming security-related events. These offerings contribute to the platform’s value as a one-stop solution for cybersecurity experts, enabling them to stay current on critical industry developments.
VulDB
VulDB is the world’s leading vulnerability database, with over 235,000 entries. It was founded in 1998 and is now owned by pyxyp inc. VulDB provides comprehensive information on security vulnerabilities, including their technical details, exploit availability, and impact. It is a valuable resource for vulnerability management, exploit analysis, cyber threat intelligence, and incident response.
The moderation team at VulDB actively monitors numerous sources 24/7 for information about new or existing vulnerabilities. Once a new vulnerability is identified, the team gathers additional data from various sources and creates a detailed VulDB entry, which is then made available to customers through the website and API.
One of the key features of VulDB is its ability to seamlessly integrate with third-party services, such as GRC tools and ticketing systems. This is achieved through its RESTful API, which enables easy access to vulnerability information, allowing organizations to quickly identify and respond to potential security risks.
Which Vulnerability Database is Perfect for You?
Every service offers distinct features. The CVE project and Mitre are authorized bodies whose primary responsibility is to assign CVE IDs to identified vulnerabilities. NVD’s task is to evaluate these CVE-assigned vulnerabilities and provide Severity and CVSS scores along with vector details. Other CNA authorities like VulnDB, Security Database, and VulDB offer more precise research information such as descriptions, technical details, affected software, hardware, and services, including version information. They also provide exploitation POC details and fix/mitigation information. The choice of a vulnerability database depends on the level of information you require.
Below is a basic comparison table for these entities based on key parameters. Keep in mind that this table provides a high-level overview, and the actual specifics may vary depending on different use cases, user requirements, and other factors. Some of these databases may offer more specific features, tools, or data through a subscription or specific partnership agreement.
| Parameter | CVE.org | National Vulnerability Database | MITRE.org | VulnDB | Security Database | VulDB |
| --- | --- | --- | --- | --- | --- | --- |
| Operated By | MITRE Corp | NIST | MITRE Corp | Risk Based Security | Varies | Scip AG |
| Information Provided | Vulnerability identifiers | Vulnerability details, metrics, and checklists | Research, projects, and CVE system | Detailed vulnerability info, mitigation strategies, exploit info | Generally provides vulnerability info (specifics can vary) | Detailed vulnerability info, references, affected software versions |
| Free Access | Yes | Yes | Yes | Limited free access, subscription for more data | Varies | Limited free access, subscription for more data |
| Scope | Global | Primarily U.S. focused | Global | Global | Varies | Global |
| Update Frequency | Regularly | Regularly | Regularly | Regularly | Varies | Regularly |
| API Support | No | Yes | No | Yes (with subscription) | Varies | Yes (with subscription) |
Conclusion
Public vulnerability databases are invaluable resources that allow organizations to search for and analyze known security flaws impacting the myriad technologies they rely upon.
In this post, we looked at various facets of tracking vulnerabilities using CVE IDs, CVSS scoring and CNAs. We also covered the leading vulnerability data repositories like NVD, VulnDB, VulDB, and more that security teams can leverage to power risk management programs.
Here are some key takeaways:
- CVE IDs offer standardized naming for vulnerabilities. CVSS scores quantify severity. CNAs coordinate CVE assignments.
- National Vulnerability Database provides extensive CVE listings with CVSS scoring.
- MITRE CVE List contains the authoritative source of CVE data.
- Vulnerability intelligence databases like VulnDB, VulDB, and others enhance CVE data with critical context.
- Options like Security Database and CERT.org provide downloadable vulnerability data dumps.
- Vendor databases and Git repositories also offer valuable vulnerability data.
With cyber threats increasing, organizations must proactively monitor disclosure channels to detect new vulnerabilities in their environment and prioritize remediation. Public vulnerability databases combined with internal threat intelligence provide the comprehensive visibility needed to continuously improve organizational risk posture.
List of 307 CVE Numbering Authority (CNA)
| Partner | Scope | Program Role | Organization Type | Country* |
| --- | --- | --- | --- | --- |
| 42Gears Mobility Systems Pvt Ltd | 42Gears branded products and technologies only | CNA | Vendor | India |
| Absolute Software | Absolute issues only | CNA | Vendor | USA |
| Acronis International GmbH | All Acronis products, including Acronis Cyber Protect, Acronis Cyber Protect Home Office, Acronis DeviceLock DLP, and Acronis Snap Deploy | CNA | Vendor | Switzerland |
| Adobe Systems Incorporated | Adobe issues only | CNA | Vendor | USA |
| Advanced Micro Devices Inc. | AMD branded products and technologies only | CNA | Vendor | USA |
| Airbus | All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope | CNA | Vendor, Researcher | Netherlands |
| Alias Robotics S.L. | All Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware), as well as machine tool and machine tool components, discovered by Alias Robotics that are not in another CNA’s scope | CNA | Vendor, Researcher | Spain |
| Alibaba, Inc. | Projects listed on its Alibaba GitHub website only | CNA | Vendor, Open Source | China |
| AMI | Vulnerabilities that affect AMI firmware and software products | CNA | Open Source, Vendor | USA |
| Ampere Computing | Ampere issues only | CNA | Vendor | USA |
| Android (associated with Google Inc. or Open Handset Alliance) | Android issues, as well as vulnerabilities in third-party software discovered by Android that are not in another CNA’s scope | CNA | Vendor, Open Source, Researcher | USA |
| Apache Software Foundation | All Apache Software Foundation issues only | CNA | Vendor, Open Source | USA |
| AppCheck Ltd. | Vulnerabilities discovered by AppCheck that are not within another CNA’s scope | CNA | Researcher | UK |
| Apple Inc. | Apple issues only | CNA | Vendor | USA |
| Arista Networks, Inc. | All Arista products only | CNA | Vendor | USA |
| Arm Limited | Arm-branded products and technologies and Arm-managed open source projects | CNA | Open Source, Vendor | UK |
| Artica PFMS | Pandora FMS, Integria IMS, and eHorus issues only | CNA | Vendor | Spain |
| Asea Brown Boveri Ltd. (ABB) | ABB issues only | CNA | Vendor | Switzerland |
| ASUSTOR, Inc. | ASUSTOR issues only | CNA | Vendor | Taiwan |
| Atlassian | All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/ and https://github.com/atlassian/ | CNA | Vendor, Open Source | Australia |
| Austin Hackers Anonymous | Vulnerabilities in the AHA! website and other AHA! controlled assets, as well as vulnerabilities identified in assets owned, operated, or maintained by another organization unless covered by the scope of another CNA | CNA | Researcher | USA |
| Autodesk | All currently supported Autodesk Applications and Cloud Services | CNA | Vendor | USA |
| Automotive Security Research Group (ASRG) | All automotive and related infrastructure vulnerabilities that are not in another CNA’s scope | CNA | Researcher | USA |
| Avaya, Inc. | All Avaya Generally Available (GA) products that are not in another CNA’s scope. A CVE ID will not be issued for End of Manufacturing Support (EoMS) products/versions | CNA | Vendor | USA |
| Axis Communications AB | Supported Axis products and solutions only | CNA | Vendor | Sweden |
| B. Braun SE | B. Braun’s commercially available products only | CNA | Vendor | Germany |
| Baicells Technologies Co., Ltd. | All Baicells products | CNA | Vendor | China |
| Baidu, Inc. | Projects listed on Baidu’s PaddlePaddle GitHub website only | CNA | Vendor, Open Source | China |
| Baxter Healthcare | Baxter’s commercially available products only | CNA | Vendor | USA |
| Becton, Dickinson and Company (BD) | BD software-enabled medical devices only | CNA | Vendor | USA |
| Biohacking Village | Vulnerabilities discovered by researchers in collaboration with Biohacking Village, with approval of Biohacking Village’s sponsors, that are not in another CNA’s scope | CNA | Researcher | USA |
| Bitdefender | All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope | CNA | Vendor, Researcher | Romania |
| Black Lantern Security | Vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA’s scope | CNA | Researcher | USA |
| BlackBerry | BlackBerry and Good product issues only | CNA | Vendor | Canada |
| Brocade Communications Systems, LLC | Brocade products only | CNA | Vendor | USA |
| Bugcrowd Inc. | Vulnerabilities discovered by researchers in collaboration with Bugcrowd, with approval of Bugcrowd’s clients, and not in the scope of another CNA | CNA | Bug Bounty Provider, Vendor, Open Source | USA |
| CA Technologies – A Broadcom Company | CA Technologies issues only | CNA | Vendor | USA |
| Canon Inc. | Vulnerabilities in products and services designed and developed by Canon Inc. | CNA | Vendor | Japan |
| Canonical Ltd. | All Canonical issues (including Ubuntu Linux) only | CNA | Vendor, Open Source | UK |
| Carrier Global Corporation | Carrier Global products only | CNA | Hosted Service, Vendor | USA |
| Censys | All Censys products, and vulnerabilities discovered by Censys that are not in another CNA’s scope | CNA | Vendor, Researcher | USA |
| CERT/CC | Vulnerability assignment related to its vulnerability coordination role | CNA | CERT | USA |
| CERT@VDE | Products of the vendors: Beckhoff, Bender, Endress+Hauser, Etherwan Systems, HIMA, Festo, Koramis, ifm, Miele, Pepperl+Fuchs, Phoenix Contact, PILZ, Sysmik, Weidmueller, and WAGO. Also, industrial and infrastructure control systems (and its components) of European Union (EU) based vendors as long as there is no CNA with a more specific scope for the vulnerability | CNA | CERT | Germany |
| Check Point Software Ltd. | Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope | CNA | Vendor, Researcher | Israel |
| Chrome | Chrome and Chrome OS issues, and projects that are not in another CNA’s scope | CNA | Vendor, Open Source, Researcher | USA |
| Cisco Systems, Inc. | All Cisco products, and any third-party research targets that are not in another CNA’s scope. Cisco will not issue a CVE ID for issues reported on products that are past the Last Day of Support milestone, as defined on Cisco’s End-of-Life Policy, which is available at https://www.cisco.com/c/en/us/products/eos-eol-policy.html | CNA | Hosted Service, Open Source, Researcher, Vendor | USA |
| Citrix Systems, Inc. | Citrix issues only | CNA | Vendor | USA |
| Cloudflare, Inc. | All Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope | CNA | Vendor | USA |
| Crafter CMS | Crafter CMS issues only | CNA | Vendor, Open Source | USA |
| Crestron Electronics, Inc. | Crestron products | CNA | Vendor | USA |
| Crowdstrike Holdings, Inc. | Crowdstrike Sensor issues, excluding unsupported versions, and issues in third-party products or services identified by Crowdstrike research unless covered in the scope of another CNA | CNA | Vendor | USA |
| Cybellum Technologies LTD | All Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope | CNA | Vendor | Israel |
| Cyber Security Works Pvt. Ltd. | Vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope | CNA | Researcher | India |
| CyberArk Labs | Vulnerabilities discovered by CyberArk Labs that are not in another CNA’s scope | CNA | Vendor, Researcher | Israel |
| CyberDanube | All CyberDanube products, as well as vulnerabilities in third-party hardware/software discovered by CyberDanube or partners actively engaged in vulnerability research coordination, which are not within the scope of another CNA | CNA | Researcher, Vendor | Austria |
| Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) | Industrial control systems and medical devices | Top-Level Root, CNA-LR | CERT | USA |
| Dahua Technologies | Dahua consumer Internet of Things (IoT) products, excludes End-of-Life products | CNA | Vendor | China |
| Dassault Systèmes | All websites of the corporate group and of any subsidiaries, including but not limited to www.3ds.com and www.solidworks.com; all Software as a Service solutions, such as 3DEXPERIENCE or ScienceCloud, but also any online hosting linked to our brands; and all Dassault Systèmes licensed software products | CNA | Vendor | France |
| Debian GNU/Linux | Debian issues only | CNA | Vendor, Open Source | USA |
| DeepSurface Security, Inc. | All DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope | CNA | Vendor, Researcher | USA |
| Dell | Dell, Dell EMC, and VCE issues only | CNA | Vendor | USA |
| Devolutions Inc. | Remote Desktop Manager and Devolutions Server products | CNA | Vendor, Open Source | Canada |
| Docker Inc. | All Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open-source projects | CNA | Vendor, Open Source | USA |
| Document Foundation, The | Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues | CNA | Vendor, Open Source | Germany |
| dotCMS LLC | All dotCMS product services including the vulnerabilities reported in our open-source core located at https://github.com/dotCMS/core | CNA | Hosted Service | USA |
| Dragos, Inc. | Dragos products and third-party products it researches related to operational technology (OT)/industrial control systems (ICS) not covered by another CNA | CNA | Vendor, Researcher | USA |
| Drupal.org | All projects hosted under drupal.org only | CNA | Vendor, Open Source | USA |
| Dual Vipers LLC | Dual Vipers projects and products (both open and closed source), as well as vulnerabilities in third-party software discovered by Dual Vipers that are not in another CNA’s scope | CNA | Hosted Service, Open Source, Researcher, Vendor | USA |
| Dutch Institute for Vulnerability Disclosure (DIVD) | Vulnerabilities in software discovered by DIVD, and vulnerabilities reported to DIVD for coordinated disclosure, which are not in another CNA’s scope | CNA | Researcher | Netherlands |
| Eaton | Eaton issues only | CNA | Vendor | Ireland |
| Eclipse Foundation | Eclipse IDE and the Eclipse Foundation’s eclipse.org, polarysys.org, and locationtech.org open source projects only | CNA | Vendor, Open Source | Canada |
| Elastic | Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only | CNA | Vendor | Netherlands |
| Electronic Arts, Inc. | EA issues only | CNA | Vendor | USA |
| Environmental Systems Research Institute, Inc. | All Esri products only | CNA | Vendor | USA |
| ESET, spol. s r.o. | | | | |
All ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope CNA Vendor, Researcher Slovak Republic Exodus Intelligence Vulnerabilities discovered by Exodus Intelligence as well as acquisitions from independent researchers via its Research Sponsorship Program (RSP) CNA Bug Bounty Provider, Researcher USA F-Secure All F-Secure products and security vulnerabilities discovered by F-Secure in third-party software not in another CNA’s scope CNA Vendor, Researcher Finland F5, Inc. All F5 products and services, commercial and open source, which have not yet reached End of Technical Support (EoTS). All legacy acquisition products and brands including, but not limited to, NGINX, Shape Security, Volterra, and Threat Stack. F5 does not issue CVEs for products which are no longer supported CNA Vendor, Open Source USA Fedora Project Vulnerabilities in open-source projects affecting the Fedora Project, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project CNA Vendor, Open Source USA Fidelis Cybersecurity, Inc. Fidelis issues only CNA Vendor USA Flexera Software LLC All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA floragunn GmbH All issues related to Search Guard only CNA Vendor, Open Source Germany Fluid Attacks Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope CNA Researcher Colombia Forcepoint Forcepoint products only CNA Vendor USA ForgeRock, Inc. ForgeRock issues only CNA Vendor, Open Source USA Fortinet, Inc. Fortinet issues only CNA Vendor USA FPT Software Co., Ltd. 
All products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software that are not in another CNA’s scope CNA Vendor, Researcher Vietnam Frappe Technologies Pvt. Ltd. Vulnerabilities relating to Frappe Framework, ERPNext product, erpnext.com, and frappecloud.com hosting services, as well as other vulnerabilities discovered by Frappe Technologies that are not under the scope of any other CNA CNA Bug Bounty Provider India FreeBSD Primarily FreeBSD issues only CNA Vendor, Open Source USA FULL INTERNET All FULL products, as well as vulnerabilities in third-party software discovered by FULL that are not in another CNA’s scope CNA Bug Bounty Provider, Hosted Service, Vendor, Researcher Brazil Gallagher Group Ltd. All Gallagher security products only CNA Vendor New Zealand GE Healthcare GE Healthcare products CNA Vendor USA General Electric (Gas Power) GE (Gas Power) issues only CNA Vendor USA Genetec Inc. Genetec products and solutions only CNA Hosted Service, Vendor Canada Gitea Limited Gitea issues only CNA Open Source, Vendor China GitHub, Inc. GitHub currently only covers CVEs requested by software maintainers using the GitHub Security Advisories feature CNA Vendor USA GitHub, Inc. (Products Only) GitHub Enterprise Server issues only CNA Vendor USA GitLab Inc. 
The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope CNA Vendor, Researcher USA Glyph & Cog, LLC Xpdf open source project, including the xpdf viewer and associated command line tools CNA Open Source, Vendor USA Go Project Vulnerabilities in software published by the Go Project (including the Go standard library, Go toolchain, and the golang.org modules) and publicly disclosed vulnerabilities in publicly importable packages in the Go ecosystem, unless covered by another CNA’s scope CNA Vendor, Open Source USA Google Devices Google Devices – Pixel, Nest, and Chromecast CNA Vendor USA Google LLC Root Scope: Alphabet organizationsCNA Scope: Google products that are not covered by Android and Chrome, as well as vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope Root, CNA Vendor, Open Source, Researcher USA Google Open Source Software Vulnerabilities in open source software published and maintained by Google CNA Vendor, Open Source USA Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) Vulnerabilities discovered by GovTech CSG only that are not in another CNA’s scope CNA Researcher Singapore Grafana Labs All Grafana Labs open source and commercial products CNA Vendor, Open Source USA Green Rocket Security Inc. 
Green Rocket Security products including EOL unless covered by another CNA’s scope CNA Vendor USA GS McNamara LLC GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that we are researching or coordinating that are not in another CNA’s scope CNA Vendor, Researcher USA HackerOne Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform CNA Bug Bounty Provider USA Halborn All blockchain and Web3 products that rely on smart contracts written in Rust, Go, and Solidity, as well as blockchain associated Web2 and Web3 infrastructure not covered by another CNA CNA Researcher USA Hallo Welt! GmbH BlueSpice vulnerabilities only CNA Vendor Germany Hangzhou Hikvision Digital Technology Co., Ltd. All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs) CNA Vendor China Hanwha Vision Co., Ltd. Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) CNA Vendor South Korea HashiCorp Inc. All HashiCorp products and projects unless covered by another CNA’s scope CNA Vendor USA HCL Software All HCL products only CNA Vendor India Hewlett Packard Enterprise (HPE) HPE issues only CNA Vendor USA Hillstone Networks Inc. Vulnerabilities in our products listed at https://www.hillstonenet.com/hillstone-networks-product-portfolio and the products we sell only in China listed at https://www.hillstonenet.com.cn/product_service/, not including our websites CNA Vendor China Hitachi Energy Hitachi Energy products only CNA Vendor Switzerland Hitachi Vantara All Hitachi Vantara products and technologies CNA Vendor USA Hitachi, Ltd. Hitachi products excluding Hitachi Energy and Hitachi Vantara products CNA Vendor Japan Honeywell International Inc. All Honeywell products CNA Vendor USA Honor Device Co., Ltd. 
Vulnerabilities in Honor products and services unless covered by the scope of another CNA CNA Vendor China HP Inc. HP Inc. issues only CNA Vendor USA Huawei Technologies Huawei issues only CNA Vendor China huntr.dev Vulnerabilities in third-party code reported to huntr.dev that are not in another CNA’s scope CNA Bug Bounty Provider UK HYPR Corp All HYPR products only CNA Vendor USA IBM Corporation All IBM products, as well as vulnerabilities in third-party software discovered by IBM X-Force Red that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA ID Business Solutions IDBS products as listed on https://www.idbs.com/products/ CNA Vendor UK IDEMIA All IDEMIA products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by IDEMIA that are not in another CNA’s scope CNA Researcher, Vendor France Illumio Illumio issues only CNA Vendor USA Indian Computer Emergency Response Team (CERT-In) Vulnerability coordination for vulnerabilities in all products reported to CERT-In in accordance with our vulnerability coordination role as a CERT. Vulnerability assignments for vulnerabilities impacting all products designed, developed, and manufactured in India CNA CERT India Intel Corporation Intel branded products and technologies and Intel managed open source projects CNA Vendor, Open Source USA Internet Systems Consortium (ISC) All ISC.org projects CNA Vendor, Open Source USA IoT83 Ltd Vulnerabilities in IoT83 product(s), services, and components only. Third-party, open-source components used in IoT83 product(s), services, and components are not in scope CNA Vendor USA Israel National Cyber Directorate (INCD) Vulnerability assignment related to its vulnerability coordination role CNA CERT Israel Jenkins Project Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only CNA Open Source USA JetBrains s.r.o. 
JetBrains products only CNA Vendor, Open Source Czech Republic JFrog All JFrog products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by JFrog that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to JFrog (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope CNA Vendor, Researcher Israel Johnson Controls Johnson Controls products only CNA Vendor USA Joomla! Project Core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only CNA Vendor, Open Source USA JPCERT/CC Root Scope: Japan organizationsCNA Scope: Vulnerability assignment related to its vulnerability coordination role Root, CNA CERT Japan Juniper Networks, Inc. Juniper issues only CNA Vendor, Open Source USA Kaspersky Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope CNA Vendor, Researcher Russia KNIME AG All vulnerabilities on software products that our company provides, including KNIME Analytics Platform, KNIME Server, and KNIME Hub CNA Vendor Switzerland KrakenD, S.L. KrakenD EE, KrakenD CE, and Lura issues only CNA Vendor, Open Source Spain KrCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT South Korea Kubernetes Kubernetes issues only CNA Vendor, Open Source USA Larry Cashdollar Third-party products he researches that are not in another CNA’s scope CNA Researcher USA Lenovo Group Ltd. Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only CNA Vendor USA LG Electronics LG Electronics products only CNA Vendor South Korea Liferay, Inc. 
All Liferay supported products and end-of-life/end-of-service products CNA Vendor USA LINE Corporation Current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line CNA Vendor, Open Source Japan Logitech All current products/software/apps made by Logitech, Ultimate Ears, Jaybird, Streamlabs, Logitech G, Logicool, Blue, and Astro Gaming CNA Vendor Switzerland M-Files Corporation M-Files and Hubshare products CNA Vendor Finland MarkLogic Corporation MarkLogic issues only CNA Vendor USA Mattermost, Inc. All Mattermost issues, and vulnerabilities discovered by Mattermost that are not in another CNA’s scope CNA Vendor, Researcher USA Mautic Mautic core and officially supported plugins CNA Vendor, Open Source USA MediaTek, Inc. MediaTek product issues only CNA Vendor Taiwan Medtronic All products of Medtronic or a Medtronic company including supported products and end-of-life/end-of-service products, as well as vulnerabilities in third-party software discovered in Medtronic products that are not in another CNA’s scope CNA Vendor USA Mend Vulnerabilities in Mend (formerly WhiteSource) products and vulnerabilities in third-party software discovered by Mend that are not in another CNA’s scope CNA Vendor, Researcher USA Meta Platforms, Inc. Meta-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Meta that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/ CNA Vendor, Open Source, Researcher USA Microsoft Corporation Microsoft issues only CNA Vendor USA MIM Software Inc. 
MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA CNA Vendor USA Mirantis All Mirantis products (supported products and end-of-life/end-of-service products) and open source offerings, as well as vulnerabilities in third-party software discovered by Mirantis that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA MITRE Corporation All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this website Top-Level Root, CNA-LR, Secretariat N/A USA Mitsubishi Electric Corporation Mitsubishi Electric issues only CNA Vendor Japan MongoDB, Inc. MongoDB products only, not including end-of-life components or products CNA Vendor, Open Source USA Moxa Inc. Moxa products only CNA Vendor Taiwan Mozilla Corporation Mozilla issues only CNA Vendor, Open Source USA National Cyber Security Centre Finland (NCSC-FI) Vulnerabilities in software discovered by NCSC-FI, and vulnerabilities reported to NCSC-FI for coordinated disclosure, which are not in another CNA’s scope CNA CERT Finland National Cyber Security Centre Netherlands (NCSC-NL) Vulnerabilities in software discovered by NCSC-NL, and vulnerabilities reported to NCSC-NL for coordinated disclosure, which are not in another CNA’s scope CNA CERT Netherlands National Cyber Security Centre SK-CERT Vulnerabilities in software discovered by National Cyber Security Centre SK-CERT, and vulnerabilities reported to National Cyber Security Centre SK-CERT for coordinated disclosure, which are not in another CNA’s scope CNA CERT Slovak Republic National Instruments NI products only (including National Instruments) CNA Vendor USA Naver Corporation Naver products only, except Line products CNA Vendor South Korea NEC Corporation NEC issues only CNA Vendor Japan NetApp, Inc. 
All NetApp products as well as projects hosted on https://github.com/netapp CNA Vendor USA Netflix, Inc. Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix/ and https://github.com/spinnaker/ CNA Vendor, Open Source USA NetRise Vulnerabilities in third-party Extended Internet of Things (XIoT) devices and firmware NetRise researches that are not covered by another CNA CNA Researcher USA Netskope All Netskope products and services CNA Vendor USA NLnet Labs All NLnet Labs projects CNA Vendor, Open Source Netherlands Node.js All actively developed versions of software developed under the Node.js project on https://github.com/nodejs/ CNA Vendor, Open Source USA NortonLifeLock Inc. All NortonLifeLock product issues only CNA Vendor USA Nozomi Networks Inc. All Nozomi Networks products, as well as vulnerabilities in third-party software discovered by Nozomi Networks that are not in another CNA’s scope CNA Vendor, Researcher USA NVIDIA Corporation NVIDIA issues only CNA Vendor USA Objective Development Software GmbH Objective Development issues only CNA Vendor Austria Octopus Deploy All Octopus Deploy products, as well as Octopus Deploy maintained projects hosted on https://github.com/OctopusDeploy CNA Vendor, Open Source Australia Odoo Odoo issues only CNA Vendor Belgium Okta Okta issues only CNA Vendor USA ONEKEY GmbH All ONEKEY products and vulnerabilities in third-party software discovered by ONEKEY that are not in another CNA’s scope CNA Vendor, Researcher Germany Open Design Alliance Open Design Alliance products only CNA Vendor USA Open-Xchange Products and services provided by Open-Xchange, PowerDNS, and Dovecot CNA Open Source, Vendor Germany OpenAnolis OpenAnolis issues only CNA Vendor, Open Source China OpenCloudOS Community OpenCloud OS issues only, not including EOL products, unless covered by another CNA’s scope CNA Open Source China openEuler 
openEuler issues only CNA Vendor, Open Source China openGauss Community openGauss issues only CNA Open Source China OpenHarmony openHarmony issues only CNA Open Source China OpenSSL Software Foundation OpenSSL software projects only CNA Vendor, Open Source USA OpenText (formerly Micro Focus) All OpenText products (including Carbonite, Zix, Micro Focus, others) CNA Vendor USA OpenVPN Inc. All products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel CNA Vendor, Open Source USA Opera Opera issues only CNA Vendor, Open Source Norway OPPO Mobile Telecommunication Corp., Ltd. OPPO devices only CNA Vendor China Oracle Oracle supported version product issues only; CVE IDs will not be assigned for unsupported products or versions (Oracle will confirm support status and notify researcher) CNA Hosted Service, Open Source, Vendor USA OTRS AG Vulnerabilities for OTRS and ((OTRS)) Community Edition and modules only CNA Vendor Germany Palantir Technologies Palantir products and technologies only CNA Vendor USA Palo Alto Networks, Inc. All Palo Alto Networks products, and vulnerabilities discovered by Palo Alto Networks that are not in another CNA’s scope CNA Vendor, Researcher USA Panasonic Holdings Corporation All products and services developed and/or sold by Panasonic Group companies CNA Vendor Japan Patchstack Vulnerabilities in third-party PHP products discovered by Patchstack and Patchstack Red Team CNA Bug Bounty Provider, Hosted Service, Open Source, Researcher, Vendor Estonia Payara All Payara Platform product distributions (Payara Server, Micro, Embedded) for both Enterprise (commercial) and Community (OSS) distributions CNA Open Source, Vendor UK Pegasystems Inc. 
Pegasystems products only CNA Vendor USA Philips Philips issues only CNA Vendor Netherlands PHP Group Vulnerabilities in PHP code (code in https://github.com/php/php-src) only CNA Vendor, Open Source USA Ping Identity Corporation All Ping Identity products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Ping Identity that are not in another CNA’s scope CNA Hosted Service, Researcher, Bug Bounty Provider USA Profelis IT Consultancy Products and services developed by Profelis IT Consultancy including enterprise directory solution SambaBox and password reset product PassBox CNA Vendor Türkiye Proofpoint Inc. All Proofpoint products CNA Hosted Service, Vendor USA Puppet All Puppet products, as well as all projects on https://github.com/puppetlabs/ CNA Vendor, Open Source USA QNAP Systems, Inc. QNAP issues only CNA Vendor Taiwan Qualcomm, Inc. Qualcomm and Snapdragon issues only CNA Vendor USA Qualys, Inc. All Qualys products and vulnerabilities discovered by Qualys that are not covered by another CNA’s scope CNA Vendor, Researcher USA Rapid7, Inc. All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA Red Hat, Inc. Root Scope: The Red Hat Root’s scope includes the open-source community. Any open-source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them betterCNA Scope: Vulnerabilities in open-source projects affecting Red Hat offerings, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat offerings Root, CNA Vendor, Open Source USA Replicated, Inc. 
Replicated products and services only CNA Vendor USA Rhino Mobility Rhino Mobility issues only CNA Vendor USA Ribose Limited All Ribose products and services, including open-source projects, supported products, and end-of-life/end-of-service products CNA Hosted Service, Open Source, Vendor UK Robert Bosch GmbH Bosch products only CNA Vendor Germany Rockwell Automation All Rockwell Automation products CNA Vendor USA SailPoint Technologies SailPoint issues only CNA Vendor USA Salesforce, Inc. Salesforce products only CNA Vendor USA Samsung Mobile Samsung Mobile Galaxy products, personal computers, and related services only CNA Vendor South Korea Samsung TV & Appliance Samsung TV & Appliance products, Samsung-owned open-source projects listed on https://github.com/Samsung/, as well as vulnerabilities in third-party software discovered by Samsung that are not in another CNA’s scope. Vulnerabilities affecting end-of-life/end-of-service products are in scope. The following categories of Samsung Products are in scope: Internet-connected home appliances, B2C product (smart TV, smart monitor, soundbar, and projector), and B2B products (digital signage, interactive display, and kiosk) CNA Open Source, Researcher, Vendor South Korea SAP SE All SAP products CNA Vendor Germany Schneider Electric All Schneider Electric products, including Proface, APC, and Eurotherm CNA Vendor France Schweitzer Engineering Laboratories, Inc. All Schweitzer Engineering Laboratories products CNA Vendor USA Seagate Technology Any Seagate or LaCie software or hardware, open or closed source, supported and end of life, as well as any vulnerabilities in third-party software discovered by Seagate that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA Secomea A/S Supported Secomea products only CNA Vendor Denmark Securifera, Inc. 
Vulnerabilities in vendor products discovered by Securifera, or related parties, while performing vulnerability research or security assessments CNA Researcher USA Security Risk Advisors (SRA) Vulnerabilities discovered by SRA that are not within the scope of another CNA CNA Researcher USA senhasegura Vulnerabilities in senhasegura products, and other vulnerabilities discovered by senhasegura that are not in another CNA’s scope CNA Vendor, Researcher Brazil ServiceNow All ServiceNow products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by ServiceNow that are not in another CNA’s scope CNA Hosted Service, Researcher, Vendor USA Shop Beat Solutions (Pty) LTD Vulnerabilities in Shop Beat products and services and vulnerabilities discovered by Shop Beat unless covered by the scope of another CNA CNA Hosted Service, Vendor South Africa SICK AG SICK AG issues only CNA Vendor Germany Siemens Siemens issues only CNA Vendor Germany Sierra Wireless Inc. Sierra Wireless products only CNA Vendor Canada Silicon Labs Silicon Labs issues only CNA Vendor USA Silver Peak Systems, Inc. Silver Peak product issues only CNA Vendor USA Simplinx Ltd. Simplinx products only CNA Vendor Türkiye Snow Software All Snow Software products CNA Vendor Sweden Snyk Vulnerabilities in Snyk products and vulnerabilities discovered by, or reported to, Snyk that are not in another CNA’s scope CNA Open Source, Researcher UK SolarWinds SolarWinds products only CNA Vendor USA Solidigm Solidigm branded products and technologies CNA Vendor USA SonicWall, Inc. SonicWall issues only CNA Vendor USA Sophos Limited Sophos issues only CNA Vendor UK Spanish National Cybersecurity Institute, S.A. 
(INCIBE) Root Scope: Spain organizationsCNA Scope: Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level, and vulnerabilities reported to INCIBE by Spain organizations and researchers that are not in another CNA’s scope Root, CNA CERT Spain Splunk Inc. Splunk products only CNA Vendor USA STAR Labs SG Pte. Ltd. Vulnerabilities discovered by STAR Labs SG that are not in another CNA’s scope CNA Researcher Singapore StrongDM StrongDM issues only CNA Vendor USA SUSE SUSE and Rancher issues only CNA Vendor, Open Source USA Swift Project The Swift Project only CNA Vendor, Open Source USA Switzerland National Cyber Security Centre (NCSC) Switzerland Government Common Vulnerability Program CNA CERT Switzerland Symantec – A Division of Broadcom Symantec Enterprise products as well as vulnerabilities in third-party software discovered by Symantec that are not in another CNA’s scope CNA Vendor, Researcher USA Synaptics, Inc. Synaptics issues only CNA Vendor USA Synology Inc. Synology issues only CNA Vendor Taiwan Synopsys All Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope CNA Vendor, Researcher USA Talos Third-party products it researches CNA Researcher USA Tcpdump Group Tcpdump and Libpcap only CNA Vendor, Open Source Canada TeamViewer Germany GmbH TeamViewer issues only CNA Vendor Germany Temporal Technologies Inc. All Temporal Technologies software CNA Hosted Service, Open Source USA Tenable Network Security, Inc. 
Tenable products and third-party products it researches not covered by another CNA CNA Vendor USA Thales Group Thales branded products and technologies only CNA Vendor, Researcher France The HISP Centre at the University of Oslo Security issues in DHIS2 open-source web and mobile software applications CNA Vendor, Open Source Norway The Missing Link Australia (TML) TML vulnerability disclosure policy applies to any third-party vendor products to whom TML will assign the CVEs for vulnerabilities, if the product is not a part of another CNA scope CNA Researcher Australia The OpenBMC Project Vulnerabilities related to the repositories maintained by the OpenBMC project CNA Vendor, Open Source USA The OpenNMS Group OpenNMS issues only CNA Vendor, Open Source USA TianoCore.org Software vulnerabilities related to the TianoCore Open Source CNA Vendor, Open Source USA TIBCO Software Inc. TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only CNA Vendor USA Tigera, Inc. All vulnerabilities for Calico and all of Tigera’s products only CNA Vendor, Open Source USA Toshiba Corporation Vulnerabilities related to products and services of Toshiba Corporation CNA Vendor Japan TR-CERT (Computer Emergency Response Team of the Republic of Türkiye) Vulnerability assignment related to its vulnerability coordination role CNA CERT Türkiye Trellix All Trellix Enterprise (formerly McAfee Enterprise and FireEye) products, as well as vulnerabilities in third-party software discovered by Trellix Advanced Research Center (Trellix ACR) that are not in another CNA’s scope CNA Vendor, Researcher USA Trend Micro, Inc. 
Trend Micro supported products, end-of-life products, and all issues related to TXOne products CNA Vendor Japan Tribe29 GmbH All products of Tribe29 including Checkmk and Checkmk Appliance CNA Vendor, Open Source Germany TWCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT Taiwan Unisoc (Shanghai) Technologies Co., Ltd. Unisoc issues only CNA Vendor China Vaadin Ltd. All Vaadin products and supported open-source projects hosted at https://github.com/vaadin CNA Vendor, Open Source Finland Vivo Mobile Communication Co., Ltd. Vivo issues only CNA Vendor China VMware VMware, Spring, and Cloud Foundry issues only CNA Vendor, Open Source USA VulDB Vulnerabilities discovered by, or reported to, the VulDB vulnerability database that are not in another CNA’s scope CNA Researcher Switzerland VulnCheck Vulnerabilities discovered by, or reported to, VulnCheck that are not in another CNA’s scope CNA Bug Bounty Provider, Researcher USA Vulnscope Technologies Provides CVE IDs for customers as part of our bug bounty and vulnerability coordination platform CNA Bug Bounty Provider Chile WatchGuard Technologies, Inc. Vulnerabilities in all WatchGuard products and products of WatchGuard subsidiaries CNA Vendor USA Western Digital Western Digital products including WD, SanDisk, SanDisk Professional, G-Technology, and HGST only CNA Vendor USA wolfSSL Inc. 
Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products CNA Vendor, Open Source USA Wordfence WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team CNA Vendor, Researcher USA WPScan WordPress core, plugins, and themes CNA Vendor, Open Source France Xen Project All sub-projects under Xen Project’s umbrella (see Xen Project Teams), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer CNA Vendor, Open Source UK Xiaomi Technology Co., Ltd. Xiaomi issues only CNA Vendor China Xylem Xylem products and technologies only CNA Vendor USA Yandex N.V. Yandex issues only CNA Vendor Russia Yugabyte, Inc. Yugabyte products only CNA Hosted Service, Vendor USA Zabbix Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only CNA Vendor Latvia Zephyr Project Zephyr project components, and vulnerabilities that are not in another CNA’s scope CNA Vendor, Open Source USA Zero Day Initiative Products and projects covered by its bug bounty programs that are not in another CNA’s scope CNA Bug Bounty Provider Japan ZGR ZGR manufactured products CNA Vendor Spain Zoom Video Communications, Inc. Zoom and Keybase issues only CNA Vendor USA Zowe Vulnerabilities in Zowe.org open source projects CNA Open Source USA Zscaler, Inc. Zscaler issues only CNA Vendor USA ZTE Corporation ZTE products only CNA Vendor China ZUSO Advanced Research Team (ZUSO ART) Vulnerabilities in third-party products discovered by ZUSO ART that are not in another CNA’s scope CNA Researcher Taiwan Zyxel Corporation Zyxel products issues only CNA Vendor Taiwan