Featured
· Help Shape the Future of CVEs with the CVE Consumer Working Group
· CVE Record Dispute Policy Updated
· We Speak CVE Podcast: “Mapping the Root Causes of CVEs”
CVE Numbering Authorities (CNAs)
· 18 Additional Organizations Added as CNAs
Community
· CERT@VDE Is Now a Root in the CVE Program
Featured
Help Shape the Future of CVEs with the CVE Consumer Working Group
Guest author Jay Jacobs is a Co-Chair of the CVE Consumer Working Group.
Vulnerability data is part of the foundation of a strong security program. But if you’ve ever tried to work with CVE data at scale, you know there are opportunities to refine its completeness, accuracy, and timeliness for even greater impact.
For those of us cleaning, normalizing, and using CVE Records on a daily basis, the challenges may seem obvious. But many of those important insights about what is working and what causes the most pain rarely make it back to the CVE Program.
That’s where the “Consumer Working Group (CWG)” comes in.
What Is the CWG?
The CVE Consumer Working Group (CWG) was created by the CVE Board to bring consumer voices into the heart of the CVE ecosystem.
Our mission is simple:
- Ensure that CVE data reflects the real-world needs of the people who use it.
We are building a community of consumers who are ready to share how CVE data fits (or doesn’t) into their workflows. We want to know what’s broken, what’s valuable, and what could be improved. We want to understand the joys and pains of working with CVE data from the people who live it every day.
What We’re Doing
The CWG is focused on a few key areas:
- Documenting strengths and opportunities: Where should we be focusing our attention?
- Building a library of real-world use cases: There are many types of consumers with their own goals and motivations. How are different consumers actually using CVE data in their environments?
- Evaluating the value of information elements: Which parts of the CVE Record are critical, and which elements create unnecessary work?
- Making changes: We’re not just collecting feedback; we’re shaping and making real changes from within the CVE Program.
Why You Should Join
This is your chance to influence the future of CVE because the working group is open to anyone who works with CVE data. Whether you’re part of a blue team triaging vulnerabilities, building automation around CVE ingestion, developing tools, or simply trying to make sense of the data, your experience matters.
We need your input to:
- Ensure the CVE Program reflects the priorities of consumers and real-world problems.
- Push for data improvements that reduce overall effort and increase impact.
- Build a shared understanding of what “good” looks like when it comes to vulnerability data.
How to Get Involved
The CWG meets virtually, and participation is open to anyone with a stake in CVE data. You can contribute as much or as little as you like: share a story, present your workflow, help shape a use case, or just listen in.
If you’d like to join, please fill out this simple form to request membership.
Let’s make sure CVE data supports defenders together.
Share this CVE article:
https://medium.com/@cve_program/help-shape-the-future-of-cves-with-the-cve-consumer-wg-8aea02445477
CVE Record Dispute Policy Updated
The CVE Program is excited to announce updates to the “CVE Program Policy and Procedure for Disputing a CVE Record” aimed at providing greater clarity and transparency for all parties involved. Approved by the CVE Board on July 2, 2025, the updated policy is effective immediately and includes streamlined procedures and clearer definitions to address community concerns.
In the past, many community members have described the dispute process as complex and opaque, often feeling like a “black box.” In response, the CVE Program has worked collaboratively through the Strategic Planning Working Group (SPWG) to address these pain points. This update reflects the program’s commitment to listening to feedback, fostering collaboration, and improving processes for the benefit of the broader vulnerability management community.
Key enhancements include clearer guidelines for the process of disputing CVE Records and the addition of several terms — Adjudicator, Escalation, and CVE Record Dispute — to the official CVE Program Glossary. These changes empower stakeholders to navigate the dispute process more effectively while reinforcing the program’s dedication to transparency and fairness.
View the updated CVE Record Dispute Policy here.
Share this CVE article:
https://medium.com/@cve_program/cve-record-dispute-policy-updated-3e69149d1871
We Speak CVE Podcast — “Mapping the Root Causes of CVEs”
The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.
In this episode, host Shannon Sabens chats with CVE™/CWE™ Project Lead Alec Summers and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly about the importance of mapping CVE Records (vulnerabilities) to their technical root causes using Common Weakness Enumeration (CWE).
Additional topics include the benefits of Root Cause Mapping (RCM) for CVE Numbering Authorities (CNAs) and consumers of CVE data; how the Common Vulnerability Scoring System (CVSS) and other vulnerability metadata differ from CWE; the CWE Top 25 Most Dangerous Software Weaknesses list; and the tools and guidance available to improve the RCM process (e.g., examples of mappings and best practices on the CWE website, mapping usage labels on CWE entry pages on the website, the RCM WG, and an LLM tool).
The “We Speak CVE” podcast is available for free on the CVE Program Channel on YouTube, on the We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others.
Please give the podcast a listen and let us know what you think!
Share or comment on this CVE article on Medium:
https://medium.com/@cve_program/we-speak-cve-podcast-25-years-of-cve-and-whats-next-88397d848db2
CVE Numbering Authorities (CNAs)
18 Additional Organizations Added as CNAs
Since the beginning of June, these eighteen (18) additional organizations from around the world have partnered with the program as CNAs:
- Altium – Vulnerabilities in the following Altium products only: Altium Designer, A365, Octopart, and Altium Enterprise Server. (USA)
- Arteche – Arteche issues only. (Spain)
- AxxonSoft Limited – AxxonSoft products and solutions only. (Ireland)
- Commvault Systems Inc. – Vulnerabilities in Commvault SaaS and software products only. (USA)
- Fermax Technologies SLU – Vulnerabilities discovered in the services and applications of the MeetMe and DuoxMe products that are not covered by another CNA’s scope. (Spain)
- GeoVision Inc. – Vulnerabilities in GeoVision products only. (Taiwan)
- Legion of the Bouncy Castle Inc. – Legion of the Bouncy Castle issues only. (Australia)
- Maritime Hacking Village – Vulnerabilities discovered by researchers in collaboration with Maritime Hacking Village that are not in another CNA’s scope. (USA)
- NETGEAR – Vulnerabilities in all products from NETGEAR, its subsidiaries, and third-party components used in NETGEAR products that are not in another CNA’s scope. (USA)
- OpenJS Foundation – All projects listed at https://openjsf.org/projects. (USA)
- Profisee Group, Inc. – Vulnerabilities found in software developed by Profisee only. (USA)
- The Rust Project – Repositories, packages, and websites maintained by the Rust Project. More details: https://www.rust-lang.org/policies/security#scope. (USA)
- Software.com – Software.com issues only. (USA)
- Spartans Security – Vulnerabilities in software, services, and infrastructure owned and managed by Spartans Security, and vulnerabilities researched and found by Spartans Security in third-party products that are not part of another CNA’s scope. (Australia)
- Toreon – Vulnerabilities discovered by or reported to Toreon that are not in another CNA’s scope. (Belgium)
- Teradyne Robotics – All products released by Teradyne Robotics subsidiaries, Universal Robots (UR) and Mobile Industrial Robots (MiR), including both actively supported and end-of-life/end-of-service products, as well as vulnerabilities in third-party software identified by Teradyne Robotics that are outside the scope of another CNA. (Denmark)
- TYPO3 Association – Vulnerabilities in TYPO3 open-source products only, including TYPO3 CMS core and 3rd party extensions for TYPO3, unless covered by the scope of another CNA. (Switzerland)
- TCS-CERT (Thales Cyber Solutions Customer’s CERT) – Vulnerabilities related to TCS-CERT’s customers’ environment and vulnerabilities related to research conducted by Cyber Solutions by Thales’ Intrusion and Application Security Team. (Belgium)
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
There are currently 469 CNAs (466 CNAs and 3 CNA-LRs) from 39 countries and 1 no country affiliation participating in the CVE Program. View the entire list of CNA partners on the CVE website.
The “CNA Enrichment Recognition List” for August 4, 2025, is now available with 242 CNAs listed. Published monthly on the CVE website, the list recognizes those CVE Numbering Authorities (CNAs) that are actively providing enhanced vulnerability data in their CVE Records. CNAs are added to the list if they provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) in at least 98% of their records that were published within two weeks of their most recently published record.
For more about the recognition list, see “Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records.” To learn more about vulnerability information types like CVSS and CWE, see the CVE Record User Guide. View the most current CNA Enrichment Recognition List on the CVE website Metrics page here.
CNA Enrichment Recognition List for August 4, 2025, with 242 CNAs listed:
- Acronis International GmbH
- Adobe Systems Incorporated
- Advanced Micro Devices Inc.
- Amazon
- AMI
- ARC Informatique
- Asea Brown Boveri Ltd.
- ASR Microelectronics Co., Ltd.
- ASUSTeK Computer Incorporation
- ASUSTOR Inc.
- ATISoluciones Diseño de Sistemas Electrónicos, S.L.
- Austin Hackers Anonymous
- Autodesk
- Automotive Security Research Group (ASRG)
- Avaya Inc.
- Axis Communications AB
- B. Braun SE
- Baxter Healthcare
- Beckman Coulter Life Sciences
- BeyondTrust Inc.
- Bitdefender
- Bizerba SE & Co. KG
- Black Duck Software, Inc.
- Black Lantern Security
- BlackBerry
- Brocade Communications Systems LLC, a Broadcom Company
- CA Technologies
- Canon EMEA
- Canon Inc.
- Canonical Ltd.
- Carrier Global Corporation
- Cato Networks
- Centreon
- CERT.PL
- CERT@VDE
- Check Point Software Technologies Ltd.
- Checkmarx
- Checkmk GmbH
- cirosec GmbH
- Cisco Systems, Inc.
- Citrix Systems, Inc.
- Cloudflare, Inc.
- Concrete CMS
- ConnectWise LLC
- Crafter CMS
- Crestron Electronics, Inc.
- CrowdStrike Holdings, Inc.
- Cyber Security Agency of Singapore
- Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
- Danfoss
- Dassault Systèmes
- Delinea, Inc.
- Dell EMC
- Delta Electronics, Inc.
- Digi International Inc.
- Docker Inc.
- Dragos, Inc.
- Dremio Corporation
- Dutch Institute for Vulnerability Disclosure (DIVD)
- Eaton
- Eclipse Foundation
- Edgewatch Security Intelligence
- Elastic
- EnterpriseDB Corporation
- Environmental Systems Research Institute, Inc. (Esri)
- Ericsson
- Erlang Ecosystem Foundation
- ESET, spol. s r.o.
- Extreme Networks, Inc.
- F5 Networks
- Fedora Project (Infrastructure Software)
- Financial Security Institute (FSI)
- Flexera Software LLC
- Fluid Attacks
- Forcepoint
- Forescout Technologies
- Fortinet, Inc.
- Fortra, LLC
- FPT SOFTWARE CO., LTD
- Gallagher Group Ltd
- GE Vernova
- Genetec Inc.
- GitHub (maintainer security advisories)
- GitHub Inc, (Products Only)
- GitLab Inc.
- Glyph & Cog, LLC
- GNU C Library
- Google LLC
- Grafana Labs
- Gridware Cybersecurity
- Harborist
- HashiCorp Inc.
- HCL Software
- HeroDevs
- HiddenLayer, Inc.
- Hillstone Networks Inc.
- Hitachi Energy
- Hitachi Vantara
- Hitachi, Ltd.
- Honeywell International Inc.
- HP Inc.
- HYPR Corp
- IBM Corporation
- ICS-CERT
- iManage LLC
- Indian Computer Emergency Response Team (CERT-In)
- Insyde Software
- Intel Corporation
- Internet Systems Consortium (ISC)
- Israel National Cyber Directorate
- Ivanti
- JetBrains s.r.o.
- JFROG
- Johnson Controls
- JPCERT/CC
- Juniper Networks, Inc.
- Kaspersky
- Kong Inc.
- Kubernetes
- Lenovo Group Ltd.
- Lexmark International Inc.
- LG Electronics
- Liferay, Inc.
- M-Files Corporation
- Mandiant Inc.
- Mattermost, Inc
- Mautic
- Medtronic
- Microsoft Corporation
- Milestone Systems A/S
- MIM Software Inc.
- Mitsubishi Electric Corporation
- Monash University - Cyber Security Incident Response Team
- MongoDB
- Moxa Inc.
- N-able
- National Cyber Security Centre Finland
- National Cyber Security Centre SK-CERT
- National Instruments
- NetApp, Inc.
- Netskope
- NLnet Labs
- NortonLifeLock Inc
- Nozomi Networks Inc.
- Nvidia Corporation
- OceanBase
- Odoo
- Okta
- OMRON Corporation
- ONEKEY GmbH
- Open-Xchange
- OpenAnolis
- openEuler
- OpenHarmony
- OpenJS Foundation
- OpenText (formerly Micro Focus)
- OPPO
- OTRS AG
- Palantir Technologies
- Palo Alto Networks
- Panasonic Holdings Corporation
- Pandora FMS
- Patchstack OÜ
- Pegasystems
- Pentraze Cybersecurity
- Perforce
- Phoenix Technologies, Inc.
- PHP Group
- Ping Identity Corporation
- PostgreSQL
- Profisee Group, Inc.
- Proofpoint Inc.
- Protect AI
- Pure Storage, Inc.
- Python Software Foundation
- QNAP Systems, Inc.
- Qualcomm, Inc.
- Rapid7, Inc.
- Real-Time Innovations, Inc.
- Red Hat CNA-LR
- Red Hat, Inc.
- Robert Bosch GmbH
- Rockwell Automation
- Samsung TV & Appliance
- SAP SE
- Saviynt Inc.
- SBA Research gGmbH
- Schneider Electric SE
- Schweitzer Engineering Laboratories, Inc.
- Seal Security
- SEC Consult Vulnerability Lab
- ServiceNow
- SICK AG
- Siemens
- Silicon Labs
- Snyk
- SolarWinds
- Sonatype Inc.
- Sophos
- Spanish National Cybersecurity Institute, S.A.
- Super Micro Computer, Inc.
- Suse
- Switzerland National Cyber Security Centre (NCSC)
- Synaptics
- Synology Inc.
- Talos
- Temporal Technologies Inc.
- Tenable Network Security, Inc.
- The Document Foundation
- The Missing Link Australia (TML)
- The OpenNMS Group
- The Qt Company
- TianoCore.org
- TIBCO Software Inc.
- Toreon
- TP-Link Systems Inc.
- TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
- Trellix
- Trend Micro, Inc.
- TWCERT/CC
- TXOne Networks, Inc.
- TYPO3 Association
- upKeeper Solutions
- Vivo Mobile Communication Technology Co., LTD.
- VulDB
- WatchGuard Technologies, Inc.
- Wind River Systems Inc.
- Wordfence
- WSO2 LLC
- Xerox Corporation
- Xiaomi Technology Co Ltd
- Yandex N.V.
- Yokogawa Group
- Zabbix
- Zephyr Project
- Zero Day Initiative
- Zohocorp
- Zoom Video Communications, Inc.
- Zscaler, Inc.
- ZTE Corporation
- ZUSO Advanced Research Team (ZUSO ART)
- Zyxel Corporation
Community
CERT@VDE Is Now a Root in the CVE Program
As of July 15, 2025, the CVE Program is expanding its partnership with CERT@VDE for managing the assignment of CVE Identifiers (CVE IDs) and publication of CVE Records for the CVE Program. CERT@VDE is now designated as a Root for organizations that are cooperative partners of CERT@VDE.
As a Root, CERT@VDE is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.
A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. There are currently 469 CNAs (466 CNAs and 3 CNA-LRs) from 39 countries and 1 no country affiliation actively participating in the CVE Program.
Currently, CERT@VDE and CISA ICS are Roots under the CISA Top-Level Root. Google, JPCERT/CC, Red Hat, Spanish National Cybersecurity Institute (INCIBE), and Thales Group are Roots under the MITRE Top-Level Root. Learn more about how the CVE Program is organized on the Structure page on the CVE.ORG website.
Share or comment on this CVE article on Medium:
https://medium.com/@cve_program/cert-vde-is-now-a-root-in-the-cve-program-6c04ab78ad8d
- Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3, The Hacker News
- Apple fixes zero-day vulnerability exploited in “extremely sophisticated attack” (CVE-2025-43300), Help Net Security
- Chrome High-Severity Vulnerability Let Attackers Execute Arbitrary Code, Cyber Security News
- Phishing attacks exploit WinRAR flaw CVE-2025-8088 to install RomCom, Security Affairs
- Trend Micro Apex One flaws exploited in the wild (CVE-2025-54948, CVE-2025-54987), Help Net Security
- Cursor AI Code Editor Vulnerability Enables RCE via Malicious MCP File Swaps Post Approval, The Hacker News
Follow us for the latest from CVE:
- X feed of the latest CVE Records
- X feed of news and announcements about CVE
- Mastodon feed of news and announcements about CVE
- Bluesky feed of news and announcements about CVE
- CVE Website News page
- CVE LinkedIn page
- CVE-CWE LinkedIn showcase page
- CVE Blog on Medium
- We Speak CVE Podcast
- CVEProject on GitHub
- CVE Program YouTube Channel
- CVE Announce Email Newsletter
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE™ is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2025, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
