DIVD is a CVE Numbering Authority

DIVD is a CVE Numbering Authority

01 February 2022, by Frank Breedijk

DIVD has been authorized by the CVE® Program as a CNA, enabling us to register CVE IDs

It is with great joy that we announce that as of February 1st we have joined ’the CVE Community as a CVE Numbering Authority (CNA). As a CNA, we are able to swiftly and discretely register CVE IDs and publish them on the CVE List. We can do this for new vulnerabilities discovered by our own researchers and those reported to us, e.g., via our soon-to-be-released bounty program for MSP and SME software.

CVE IDs are unique numbers assigned to vulnerabilities which help the security community by providing a unique ID for a vulnerability and thus alleviating misunderstandings and miscommunications when discussing or referring to vulnerabilities. They make vulnerability management and research more effective and efficient.

Being able to create CVE Records on our own is important to our mission. We aim to make the digital world safer by reporting vulnerabilities found in digital systems to the people who can fix them.

In the coordinated vulnerability disclosure (CVD) process, timeliness and confidentiality are often crucial. We had to rely on other CNAs to register a CVE ID in the past. Now that we are able to independently register CVE IDs, there are less parties involved and we can speed up the process. Besides that, we help the entire CVE community.

The mission of the CVE® Program, to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities, greatly aligns with that of our own, and we are proud to be a member of the CVE community.


What is CVE?

  • CVE is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published to the CVE List.
  • Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
  • The CVE Records published in the catalog enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks.
  • The CVE List is built by CVE Numbering Authorities (CNAs). Every CVE Record added to the list is assigned by a CNA.
  • The CVE List feeds the U.S. National Vulnerability Database (NVD).

CVE Value:

CVE enables two or more people or tools to refer to a vulnerability and know they are talking about the same thing, resulting in significant time and cost savings.

CVE is Community Driven:

  • The CVE Program relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program.
  • Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
  • The CVE Board, which drives the direction of the CVE Program, consists of industry, academic, and government representatives from around the world.
  • CVE Working Groups develop the program’s policies (approved by the CVE Board) and are open to the community.

About the CVE Program:

The mission of the ® CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.

Sponsored by:

The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders.

What are CNAs (CVE Numbering Authorities)

CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the Vulnerability in the associated CVE Record. Each CNA has a specific Scope of responsibility for vulnerability identification and publishing.

About the Dutch Institute for Vulnerability Disclosure

DIVD is a group of voluntary security researchers who aim to make the digital world safer by scanning the whole IPv4 space for known and new vulnerabilities in digital systems and reporting them to the people who can fix them. A full list of researches performed, the team and a Code of Conduct can be found on divd.nl


Last modified: 20 Jun 2022 06:08