What is a CNA?
A CNA (CVE Numbering Authority) is an organization located around the world that has the authority to assign CVE IDs to vulnerabilities. These organizations include bug bounty programs, national and industry computer emergency response teams (CERTs), vendors, and vulnerability researchers (well known CNAs include Google, Apple, Microsoft, Adobe, IBM, Cisco and Red Hat).
Organisations don't pay to become a CNA and must agree to become a public service of sorts, volunteering their time and providing CVE IDs for free. They must also have a "public vulnerability disclosure policy" and a "public source for new vulnerability disclosures."
As of February 4, 2020, there are 115 organizations in 22 countries acting as CNAs. The USA leads the way with 68 ...
Australia: 1
Austria: 1
Belgium: 1
Canada: 3
China: 9
France: 1
Germany: 7
India: 1
Ireland: 1
Israel: 2
Japan: 3
Netherlands: 2
Norway: 1
Philippines: 1
Romania: 1
Russia: 2
South Korea: 2
Spain: 2
Switzerland: 1
Taiwan: 3
UK: 2
USA: 68
SecAlerts isn't a CNA but alerts you to CVEs as soon as they are published (sometimes vendors delay releasing CVEs). Enter your software stack and receive a free weekly report with a round-up of CVEs (& security news) unique to your stack: www.secalerts.co
Other terms concisely explained:
What is a CVE?
What is a CVE ID?
What is a vulnerability?
What is a CVSS?
What is a zero-day?
What is a bug bounty program?
What is CVE?
What is a Candidate Naming Authority?
