What Is the Difference Between CNA and CVE?


Cybersecurity has become a vital part of information technology, especially today, when security threats are steadily increasing. One of the key tools for countering these threats is a system for identifying and documenting vulnerabilities. In this context, CVE (Common Vulnerabilities and Exposures) and CNA (CVE Numbering Authority) are two core concepts that help improve cybersecurity. This article examines these two concepts and the differences between them.

What is CVE?

CVE, or Common Vulnerabilities and Exposures, is a standard system for identifying and naming vulnerabilities and security weaknesses in software and systems. The system is managed by MITRE, a non-profit organization that assists the US government in cybersecurity and other fields. The main goal of CVE is to provide a uniform, understandable way to identify and track vulnerabilities. Each vulnerability or weakness recorded in the CVE system receives a unique identifier called a CVE ID, for example CVE-2023-12345.

The importance of CVE

The importance of CVE lies in standardizing information about vulnerabilities. Before CVE was created, security researchers and software developers might use different terms and methods to refer to the same vulnerability. This led to confusion and reduced efficiency in identifying and countering security threats. With CVE, all individuals and organizations can now use one uniform, standard system to refer to vulnerabilities, which improves collaboration and information sharing in the security community.

What is a CNA?

A CNA (CVE Numbering Authority) is an organization authorized to assign CVE IDs to security vulnerabilities. These organizations can be software companies, security organizations, and even independent research teams. Each CNA is responsible for assigning CVE IDs to vulnerabilities identified within the scope of the products or services that organization covers.

In other words, CNAs are entities that identify vulnerabilities and then assign a CVE ID to them. For example, companies such as Microsoft, Google, and Oracle each have their own CNAs. These companies are responsible for assigning CVE IDs to vulnerabilities identified in their own products or services.

The difference between CVE and CNA

While CVE refers to the vulnerability identifiers themselves, CNAs are the organizations that assign those identifiers. Put more simply:

  • CVE: a standard system for identifying and documenting vulnerabilities. It provides a list of vulnerabilities, each of which has a unique identifier.
  • CNA: the organizations responsible for assigning CVE IDs to vulnerabilities. Their job is to ensure that each vulnerability has a unique identifier and is properly documented.

This difference matters because CVE is a global standard for identifying vulnerabilities, while CNAs act as local administrators of that standard and are responsible for ensuring the correctness and accuracy of the CVE ID assignment process.

The role of CNAs in cybersecurity

CNAs play a very important role in cybersecurity. They are the first line of defense in the process of identifying and documenting vulnerabilities. By assigning CVE IDs, CNAs help ensure that vulnerabilities are unique and traceable. This lets security researchers and software developers respond quickly to vulnerabilities and take the measures needed to fix them.

In addition, by cooperating with other CNAs and security organizations, CNAs ensure that the CVE system operates in a coordinated, integrated way. This cooperation means that vulnerability information is shared quickly and efficiently and that needless duplication of effort is avoided.

CVE and CNA are two vital concepts in cybersecurity that help identify and manage security vulnerabilities. CVE serves as a standard system for identifying and naming vulnerabilities, while CNAs, as the entities that assign these identifiers, play a key role in the vulnerability management process. The difference between CVE and CNA is highly significant because it reflects the different structures and responsibilities within the global cybersecurity system. This system helps improve transparency, collaboration, and accountability in the face of security threats, and in doing so strengthens the overall security of information systems.

List of CNAs authorized to assign CVE IDs

شریک دامنه یا محدوده نقش در برنامه نوع سازمان کشور
1E Limited All 1E products (including end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by 1E that are not in another CNA’s scope CNA Vendor, Researcher UK
42Gears Mobility Systems Pvt Ltd 42Gears branded products and technologies only CNA Vendor India
9front Systems All software produced as part of the Plan9front open source operating system, as well as its applications and cyberinfrastructure. Vulnerabilities discovered by or reported to 9front Systems for all Plan 9 software not covered by the scope of another CNA CNA Open Source USA
Absolute Software Absolute issues only CNA Vendor USA
Acronis International GmbH All Acronis products, including Acronis Cyber Protect, Acronis Cyber Protect Home Office, Acronis DeviceLock DLP, and Acronis Snap Deploy CNA Vendor Switzerland
Adobe Systems Incorporated Adobe issues only CNA Vendor USA
Advanced Micro Devices Inc. AMD branded products and technologies only CNA Vendor USA
Airbus All Airbus products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Airbus that are not in another CNA’s scope CNA Vendor, Researcher Netherlands
AlgoSec AlgoSec products only CNA Vendor Israel
Alias Robotics S.L. All Alias Robotics products, as well as vulnerabilities in third-party robots and robot components (software and hardware), as well as machine tool and machine tool components, discovered by Alias Robotics that are not in another CNA’s scope CNA Vendor, Researcher Spain
Alibaba, Inc. Projects listed on its Alibaba GitHub website only CNA Vendor, Open Source China
Amazon All Amazon and AWS products (including subsidiaries, supported, and EOL/EOS products), as well as vulnerabilities in third party software discovered by Amazon/AWS that are not in another CNA’s scope CNA Vendor, Bug Bounty Provider, Open Source USA
AMI Vulnerabilities in AMI firmware and software products, as well as vulnerabilities discovered by AMI that are not covered by another CNA scope CNA Vendor, Open Source, Researcher USA
Ampere Computing Ampere issues only CNA Vendor USA
Analog Devices, Inc. Vulnerabilities in ADI firmware and software products CNA Vendor USA
Android (associated with Google Inc. or Open Handset Alliance) Android issues, as well as vulnerabilities in third-party software discovered by Android that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Apache Software Foundation All Apache Software Foundation issues only CNA Vendor, Open Source USA
AppCheck Ltd. Vulnerabilities discovered by AppCheck that are not within another CNA’s scope CNA Researcher UK
Apple Inc. Apple issues only CNA Vendor USA
ARC Informatique ARC Informatique products and services CNA Vendor France
ARCON Techsolutions Private Limited Vulnerabilities in ARCON’s products only CNA Vendor India
Arista Networks, Inc. All Arista products only CNA Vendor USA
Arm Limited Arm-branded products and technologies and Arm-managed open source projects CNA Open Source, Vendor UK
Arxscan, Inc. Arxscan issues only CNA Vendor USA
Asea Brown Boveri Ltd. (ABB) ABB issues only CNA Vendor Switzerland
ASR Microelectronics Co., Ltd. ASR products only CNA Vendor China
ASUSTeK Computer Incorporation ASUS issues only CNA Vendor Taiwan
ASUSTOR, Inc. ASUSTOR issues only CNA Vendor Taiwan
Atlassian All Atlassian products, as well as Atlassian-maintained projects hosted on https://bitbucket.org/ and https://github.com/atlassian/ CNA Vendor, Open Source Australia
Austin Hackers Anonymous Vulnerabilities in the AHA! website and other AHA! controlled assets, as well as vulnerabilities identified in assets owned, operated, or maintained by another organization unless covered by the scope of another CNA CNA Researcher USA
Autodesk All currently supported Autodesk Applications and Cloud Services CNA Vendor USA
Automotive Security Research Group (ASRG) All automotive and related infrastructure vulnerabilities that are not in another CNA’s scope CNA Researcher USA
Avaya, Inc. All Avaya Generally Available (GA) products that are not in another CNA’s scope. A CVE ID will not be issued for End of Manufacturing Support (EoMS) products/versions CNA Vendor USA
Axis Communications AB All products of Axis Communications AB and 2N including end-of-life/end-of-service products CNA Vendor Sweden
B. Braun SE B. Braun’s commercially available products only CNA Vendor Germany
Baicells Technologies Co., Ltd. All Baicells products CNA Vendor China
Baidu, Inc. Projects listed on Baidu’s PaddlePaddle GitHub website only CNA Vendor, Open Source China
Baxter Healthcare Baxter’s commercially available products only CNA Vendor USA
Becton, Dickinson and Company (BD) BD software-enabled medical devices only CNA Vendor USA
BeyondTrust Inc. All BeyondTrust products, including PasswordSafe, Privileged Remote Access, Remote Support, Privilege Management for Windows/Mac, Privilege Management for Unix/Linux, Identity Security Insights, Active Directory (AD) Bridge, and Total PASM CNA Vendor USA
Biohacking Village Vulnerabilities discovered by researchers in collaboration with Biohacking Village, with approval of Biohacking Village’s sponsors, that are not in another CNA’s scope CNA Researcher USA
Bitdefender All Bitdefender products, as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope CNA Vendor, Researcher Romania
Black Duck Software, Inc. All Black Duck (formerly Synopsys Software Integrity Group) products, as well as vulnerabilities in third-party software discovered by Black Duck that are not in another CNA’s scope CNA Vendor, Researcher USA
Black Lantern Security Vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA’s scope CNA Researcher USA
BlackBerry All BlackBerry products identified on https://www.blackberry.com/us/en CNA Vendor Canada
Brocade Communications Systems, LLC Brocade products only CNA Vendor USA
Bugcrowd Inc. Vulnerabilities discovered by researchers in collaboration with Bugcrowd, with approval of Bugcrowd’s clients, and not in the scope of another CNA CNA Bug Bounty Provider, Vendor, Open Source USA
CA Technologies - A Broadcom Company CA Technologies issues only CNA Vendor USA
Caliptra Project Caliptra Project components and vulnerabilities that are not in another CNA’s scope CNA Open Source USA
Canon EMEA Products, services, and solutions developed internally by Canon EMEA and those from Canon Production Printing, IRIS, NT-ware, and Therefore Corporation. CNA Vendor UK
Canon Inc. Vulnerabilities in products and services designed and developed by Canon Inc. CNA Vendor Japan
Canonical Ltd. All Canonical issues (including Ubuntu Linux) only CNA Vendor, Open Source UK
Carrier Global Corporation Carrier Global products only CNA Hosted Service, Vendor USA
Cato Networks All Cato Networks products and vulnerabilities in third-party products affecting Cato products unless covered by the scope of another CNA CNA Vendor, Researcher Israel
Censys All Censys products, and vulnerabilities discovered by Censys that are not in another CNA’s scope CNA Vendor, Researcher USA
CERT.PL Vulnerabilities in software discovered by CERT.PL, and vulnerabilities reported to CERT.PL for coordinated disclosure, which are not in another CNA’s scope CNA CERT Poland
CERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT USA
CERT@VDE Products of CERT@VDE cooperative partners and brands listed at https://cert.vde.com/en/cna/. Also, industrial and infrastructure control systems (and its components) of European Union (EU) based vendors unless covered by the scope of another CNA. Partners and brands include but are not limited to: ADS-TEC Industrial IT, Auma, sipos, Beckhoff, Bender, Bucher Automation, CLAAS, 365FarmNet, Satinfo, Carlo Gavazzi Controls, Codesys, DURAG GROUP, Draeger, Endress+Hauser, Euchner, Festo Didactic, Festo, Frauscher, GEA, HIMA, Harman, Helmholz, Hilscher, K4 DIGITAL, KEB, Krohne, Kuka, Lenze, BHN Services, MB connect line, Miele, Murrelektronik, PHOENIX CONTACT, Etherwan Systems, Innominate, Pepperl+Fuchs, Pilz, SMA, SWARCO, Trumpf, TRUMPF Laser, TRUMPF Werkzeugmaschinen, VARTA Storage, VEGA, WAGO, M&M Software, Weidmueller, Welotec, Wiesemann & Theis, ifm. CNA CERT Germany
Check Point Software Ltd. Check Point Security Gateways product line only, and any vulnerabilities discovered by Check Point that are not in another CNA’s scope CNA Vendor, Researcher Israel
Checkmarx Vulnerabilities in Checkmarx products and open source vulnerabilities discovered by, or reported to, Checkmarx, that are not in another CNA’s scope CNA Vendor, Open Source, Researcher Israel
Checkmk GmbH All products of Checkmk GmbH including Checkmk and Checkmk Appliance CNA Vendor, Open Source Germany
Chrome Chrome issues and projects that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
ChromeOS Project Vulnerabilities that are (1) reported to ChromeOS Security, (2) affect ChromeOS device software and hardware, including our open source dependencies, and (3) are not covered by another CNA’s scope CNA Vendor, Bug Bounty Provider USA
Ciena Corporation Ciena and Blue Planet branded products and technologies only CNA Vendor USA
cirosec GmbH Vulnerabilities discovered by or reported to cirosec researchers that are not in another CNA’s scope CNA Researcher Germany
Cisco Systems, Inc. All Cisco products, and any third-party research targets that are not in another CNA’s scope. Cisco will not issue a CVE ID for issues reported on products that are past the Last Day of Support milestone, as defined on Cisco’s End-of-Life Policy, which is available at https://www.cisco.com/c/en/us/products/eos-eol-policy.html CNA Hosted Service, Open Source, Researcher, Vendor USA
Citrix Systems, Inc. Citrix issues only CNA Vendor USA
ClickHouse, Inc. ClickHouse-owned products, not including end-of-life components CNA Vendor, Open Source USA
Cloudflare, Inc. All Cloudflare products, projects hosted at https://github.com/cloudflare/, and any vulnerabilities discovered by Cloudflare that are not in another CNA’s scope CNA Vendor USA
Concrete CMS Concrete CMS Core versions 8.5 and above CNA Open Source USA
ConnectWise LLC All ConnectWise products and services and vulnerabilities discovered by ConnectWise in third party products that are not within another CNA’s scope CNA Vendor, Researcher USA
Crafter CMS Crafter CMS issues only CNA Vendor, Open Source USA
Crestron Electronics, Inc. Crestron products CNA Vendor USA
CrowdStrike Holdings, Inc. All CrowdStrike products CNA Vendor USA
curl All products made and managed by the curl project. This includes curl, libcurl, and trurl CNA Open Source Sweden
Cybellum Technologies LTD All Cybellum products, as well as vulnerabilities in third-party software discovered by Cybellum that are not in another CNA’s scope CNA Vendor Israel
Cyber Security Agency of Singapore Vulnerabilities reported to CSA unless covered by the scope of another CNA CNA CERT Singapore
Cyber Security Works Pvt. Ltd. Vulnerabilities in third-party software discovered by CSW that are not in another CNA’s scope CNA Researcher India
CyberArk Labs Vulnerabilities discovered by CyberArk Labs that are not in another CNA’s scope CNA Vendor, Researcher Israel
CyberDanube All CyberDanube products, as well as vulnerabilities in third-party hardware/software discovered by CyberDanube or partners actively engaged in vulnerability research coordination, which are not within the scope of another CNA CNA Researcher, Vendor Austria
Cybersecurity and Infrastructure Security Agency (CISA) Top-Level Root Scope: Vulnerabilities that are (1) reported to or observed by CISA and (2) affect critical infrastructure, U.S. civilian government, industrial control systems, or medical devices, and (3) are not covered by another CNA’s scope
ADP Scope: View scope here
Top-Level Root, ADP N/A USA
Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Vulnerabilities that are (1) reported to or observed by CISA, (2) affect industrial control systems or medical devices, and (3) are not covered by another CNA’s scope Root, CNA-LR CERT USA
Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government Vulnerabilities that are (1) reported to or observed by CISA, (2) affect critical infrastructure or U.S. civilian government, and (3) are not covered by another CNA’s scope CNA CERT USA
Cytiva Cytiva branded products only CNA Vendor USA
Dahua Technologies Dahua consumer Internet of Things (IoT) products, excludes End-of-Life products CNA Vendor China
Dassault Systèmes All websites of the corporate group and of any subsidiaries, including but not limited to www.3ds.com and www.solidworks.com; all Software as a Service solutions, such as 3DEXPERIENCE or ScienceCloud, but also any online hosting linked to our brands; and all Dassault Systèmes licensed software products CNA Vendor France
Debian GNU/Linux Debian issues only CNA Vendor, Open Source USA
DeepSurface Security, Inc. All DeepSurface products, as well as vulnerabilities in third-party software discovered by DeepSurface that are not in another CNA’s scope CNA Vendor, Researcher USA
Dell Dell, Dell EMC, and VCE issues only CNA Vendor USA
DevCycle All DevCycle products (including end-of-life/end-of-service products) as listed on https://devcycle.com/ CNA Vendor, Hosted Service, Open Source Canada
Devolutions Inc. Remote Desktop Manager and Devolutions Server products CNA Vendor, Open Source Canada
DFINITY Foundation All Internet Computer projects as found on the following GitHub pages: https://github.com/dfinity and https://github.com/dfinity-lab CNA Vendor, Open Source Switzerland
DirectCyber Issues in third-party products identified by or reported to DirectCyber, unless covered by the scope of another CNA CNA Researcher, Open Source Australia
Docker Inc. All Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open source projects CNA Vendor, Open Source USA
Document Foundation, The Projects within The Document Foundation only, e.g., LibreOffice, LibreOffice Online; The Document Foundation discourages reporting denial of service bugs as security issues CNA Vendor, Open Source Germany
dotCMS LLC All dotCMS product services including the vulnerabilities reported in our open source core located at https://github.com/dotCMS/core CNA Hosted Service USA
Dragos, Inc. Dragos products and third-party products it researches related to operational technology (OT)/industrial control systems (ICS) not covered by another CNA CNA Vendor, Researcher USA
Dremio Corporation All Dremio Corporation products CNA Vendor, Open Source USA
Drupal.org All projects hosted under drupal.org only CNA Vendor, Open Source USA
Dual Vipers LLC Dual Vipers projects and products (both open and closed source), as well as vulnerabilities in third-party software discovered by Dual Vipers that are not in another CNA’s scope CNA Hosted Service, Open Source, Researcher, Vendor USA
Dutch Institute for Vulnerability Disclosure (DIVD) Vulnerabilities in software discovered by DIVD, and vulnerabilities reported to DIVD for coordinated disclosure, which are not in another CNA’s scope CNA Researcher Netherlands
Eaton Eaton issues only CNA Vendor Ireland
Eclipse Foundation All projects hosted by the Eclipse Foundation as listed at https://www.eclipse.org/projects/ and services provided by the Eclipse Foundation to support open source projects as listed at https://www.eclipsestatus.io/ CNA Vendor, Open Source Belgium
Edgewatch Security Intelligence Vulnerabilities in third-party software discovered by Edgewatch that are not in another CNA’s scope CNA Hosted Service, Researcher Spain
ELAN Microelectronics Corp. ELAN issues only CNA Vendor Taiwan
Elastic Elasticsearch, Kibana, Beats, Logstash, X-Pack, and Elastic Cloud Enterprise products only CNA Vendor Netherlands
Electronic Arts, Inc. EA issues only CNA Vendor USA
EnterpriseDB Corporation All EnterpriseDB products and vulnerabilities identified in open source libraries used by EnterpriseDB products unless covered by another CNA’s scope CNA Vendor, Open Source USA
Environmental Systems Research Institute, Inc. All Esri products only CNA Vendor USA
Ericsson Ericsson issues only CNA Vendor Sweden
ESET, spol. s r.o. All ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope CNA Vendor, Researcher Slovak Republic
EU Agency for Cybersecurity (ENISA) Vulnerabilities in information technology (IT) products discovered by European Union (EU) Computer Security Incident Response Teams (CSIRTs) or reported to EU CSIRTs for coordinated disclosure, as long as they do not fall under a CNA with a more specific scope CNA Consortium Greece
Exodus Intelligence Vulnerabilities discovered by Exodus Intelligence as well as acquisitions from independent researchers via its Research Sponsorship Program (RSP) CNA Bug Bounty Provider, Researcher USA
F5, Inc. All F5 products and services, commercial and open source, which have not yet reached End of Technical Support (EoTS). All legacy acquisition products and brands including, but not limited to, NGINX, Shape Security, Volterra, and Threat Stack. F5 does not issue CVEs for products which are no longer supported CNA Vendor, Open Source USA
Fedora Project Vulnerabilities in open source projects affecting the Fedora Project, that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project CNA Vendor, Open Source USA
Fidelis Cybersecurity, Inc. Fidelis issues only CNA Vendor USA
Financial Security Institute (FSI) Vulnerability assignment related to FSI’s vulnerability coordination role in the South Korea financial sector that are not in another CNA’s scope CNA CERT, Researcher, Bug Bounty Provider South Korea
Flexera Software LLC All Flexera products, and vulnerabilities discovered by Secunia Research that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
floragunn GmbH All issues related to Search Guard only CNA Vendor, Open Source Germany
Fluid Attacks Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope CNA Researcher Colombia
Forcepoint Forcepoint products only CNA Vendor USA
Forescout Technologies Forescout issues only CNA Vendor USA
ForgeRock, Inc. ForgeRock issues only CNA Vendor, Open Source USA
Fortinet, Inc. Fortinet issues only CNA Vendor USA
Fortra, LLC All Fortra products and vulnerabilities discovered by Fortra in other products not covered by the scope of another CNA CNA Vendor, Researcher USA
FPT Software Co., Ltd. All products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software that are not in another CNA’s scope CNA Vendor, Researcher Vietnam
Frappe Technologies Pvt. Ltd. Vulnerabilities relating to Frappe Framework, ERPNext product, erpnext.com, and frappecloud.com hosting services, as well as other vulnerabilities discovered by Frappe Technologies that are not under the scope of any other CNA CNA Bug Bounty Provider India
FreeBSD Primarily FreeBSD issues only CNA Vendor, Open Source USA
FULL INTERNET All FULL products, as well as vulnerabilities in third-party software discovered by FULL that are not in another CNA’s scope CNA Bug Bounty Provider, Hosted Service, Vendor, Researcher Brazil
Gallagher Group Ltd. All Gallagher security products only CNA Vendor New Zealand
GE Healthcare GE Healthcare products CNA Vendor USA
General Electric (Gas Power) GE (Gas Power) issues only CNA Vendor USA
Genetec Inc. Genetec products and solutions only CNA Hosted Service, Vendor Canada
Gitea Limited Gitea issues only CNA Open Source, Vendor China
GitHub, Inc. CVEs requested by code owners using the GitHub Security Advisories feature and vulnerabilities affecting open source projects discovered by security researchers at GitHub or Microsoft not covered by another CNA’s scope CNA Vendor, Open Source, Researcher USA
GitHub, Inc. (Products Only) GitHub Enterprise Server issues only CNA Vendor USA
GitLab Inc. The GitLab application, any project hosted on GitLab.com in a public repository, and any vulnerabilities discovered by GitLab that are not in another CNA’s scope CNA Vendor, Researcher USA
Glyph & Cog, LLC Xpdf open source project, including the xpdf viewer and associated command line tools CNA Open Source, Vendor USA
GNU C Library Security issues and vulnerabilities in the GNU C Library CNA Open Source USA
Go Project Vulnerabilities in software published by the Go Project (including the Go standard library, Go toolchain, and the golang.org modules) and publicly disclosed vulnerabilities in publicly importable packages in the Go ecosystem, unless covered by another CNA’s scope CNA Vendor, Open Source USA
Google Devices Google Devices - Pixel, Nest, and Chromecast CNA Vendor USA
Google LLC Root Scope: Alphabet organizations
CNA Scope: Google products, including open source software published and maintained by Google, and vulnerabilities in third-party software discovered by Google that are not in another CNA’s scope
Root, CNA Vendor, Open Source, Researcher USA
Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) Vulnerabilities discovered by GovTech CSG only that are not in another CNA’s scope CNA Researcher Singapore
Grafana Labs All Grafana Labs open source and commercial products CNA Vendor, Open Source USA
Green Rocket Security Inc. Green Rocket Security products including EOL unless covered by another CNA’s scope CNA Vendor USA
GS McNamara LLC GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that we are researching or coordinating that are not in another CNA’s scope CNA Vendor, Researcher USA
HackerOne Provides CVE IDs for its customers as part of its bug bounty and vulnerability coordination platform CNA Bug Bounty Provider USA
Halborn All blockchain and Web3 products that rely on smart contracts written in Rust, Go, and Solidity, as well as blockchain associated Web2 and Web3 infrastructure not covered by another CNA CNA Researcher USA
Hallo Welt! GmbH BlueSpice vulnerabilities only CNA Vendor Germany
Hangzhou Hikvision Digital Technology Co., Ltd. All Hikvision Internet of Things (IoT) products including cameras and digital video recorders (DVRs) CNA Vendor China
Hanwha Vision Co., Ltd. Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) CNA Vendor South Korea
HashiCorp Inc. All HashiCorp products and projects unless covered by another CNA’s scope CNA Vendor USA
HCL Software All HCL products only CNA Vendor India
HeroDevs End of life open source projects supported by HeroDevs if hosted on HeroDevs.com, or issues in open source projects discovered by or reported to HeroDevs, unless covered by the scope of another CNA CNA Vendor, Open Source, Researcher USA
Hewlett Packard Enterprise (HPE) HPE issues only CNA Vendor USA
HiddenLayer, Inc. All HiddenLayer systems, services, and products, as well as vulnerabilities in third-party software discovered by HiddenLayer that are not in another CNA’s scope CNA Vendor, Hosted Service, Researcher USA
Hillstone Networks Inc. Vulnerabilities in our products listed at https://www.hillstonenet.com/hillstone-networks-product-portfolio and the products we sell only in China listed at https://www.hillstonenet.com.cn/product_service/, not including our websites CNA Vendor China
Hitachi Energy Hitachi Energy products only CNA Vendor Switzerland
Hitachi Vantara All Hitachi Vantara products and technologies CNA Vendor USA
Hitachi, Ltd. Hitachi products excluding Hitachi Energy and Hitachi Vantara products CNA Vendor Japan
Honeywell International Inc. All Honeywell products CNA Vendor USA
Honor Device Co., Ltd. Vulnerabilities in Honor products and services unless covered by the scope of another CNA CNA Vendor China
HP Inc. Issues with any HP-branded product, including computing software and hardware, imaging and printing, as well as HyperX, Teradici, Poly, and Plantronics branded devices CNA Vendor USA
Huawei Technologies Huawei issues only CNA Vendor China
Huntress Labs Inc. All Huntress products, as well as vulnerabilities in third-party software discovered by Huntress that are not in another CNA’s scope CNA Vendor, Researcher USA
HYPR Corp All HYPR products only CNA Vendor USA
IBM Corporation All IBM branded products (IBM will confirm support status and notify researcher) CNA Vendor, Open Source USA
ID Business Solutions IDBS products as listed on https://www.idbs.com/products/ CNA Vendor UK
IDEMIA All IDEMIA products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by IDEMIA that are not in another CNA’s scope CNA Researcher, Vendor France
Illumio Illumio issues only CNA Vendor USA
Imagination Technologies Imagination Technologies branded products and technologies and Imagination Technologies (IMG) managed open source projects CNA Vendor, Open Source UK
Indian Computer Emergency Response Team (CERT-In) Vulnerability coordination for vulnerabilities in all products reported to CERT-In in accordance with our vulnerability coordination role as a CERT. Vulnerability assignments for vulnerabilities impacting all products designed, developed, and manufactured in India CNA CERT India
Integrated Control Technology LTD All ICT security products CNA Vendor New Zealand
Intel Corporation Intel branded products and technologies and Intel managed open source projects CNA Vendor, Open Source USA
Internet Systems Consortium (ISC) All ISC.org projects CNA Vendor, Open Source USA
Intigriti Vulnerabilities in Intigriti products and vulnerabilities discovered by, or reported to, Intigriti that are not in another CNA’s scope CNA Bug Bounty Provider, Hosted Service, Vendor Belgium
IoT83 Ltd Vulnerabilities in IoT83 product(s), services, and components only. Third-party, open source components used in IoT83 product(s), services, and components are not in scope CNA Vendor USA
Israel National Cyber Directorate (INCD) Vulnerability assignment related to its vulnerability coordination role CNA CERT Israel
Ivanti Vulnerabilities in supported Ivanti products and infrastructure, excluding third-party components, and meeting severity thresholds defined in Ivanti’s Disclosure Policy found here CNA Vendor USA
Jamf Jamf issues and Jamf Open Source CNA Vendor, Open Source USA
Jenkins Project Jenkins and Jenkins plugins distributed by the Jenkins Project (listed on plugins.jenkins.io) only CNA Open Source USA
JetBrains s.r.o. JetBrains products only CNA Vendor, Open Source Czech Republic
JFrog All JFrog products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by JFrog that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to JFrog (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope CNA Vendor, Researcher Israel
Johnson Controls Johnson Controls products only CNA Vendor USA
Joomla! Project Core Joomla! CMS, the Joomla Framework, and Joomla! Extensions issues only CNA Vendor, Open Source USA
JPCERT/CC Root Scope: Japan organizations. CNA Scope: Vulnerability assignment related to its vulnerability coordination role Root, CNA CERT Japan
Juniper Networks, Inc. Juniper issues only CNA Vendor, Open Source USA
Kaspersky Kaspersky B2C and B2B products, as well as vulnerabilities discovered in third-party software not in another CNA’s scope CNA Vendor, Researcher Russia
KCF Technologies, Inc. All KCF Technologies products including base stations, repeaters, numerous sensor types, and the SMARTdiagnostics cloud software CNA Vendor, Hosted Service USA
Keeper Security, Inc. Keeper Security products and services only CNA Vendor USA
kernel.org Any vulnerabilities in the Linux kernel as listed on kernel.org, excluding end-of-life (EOL) versions CNA Vendor, Open Source USA
KNIME AG All vulnerabilities on software products that our company provides, including KNIME Analytics Platform, KNIME Server, and KNIME Hub CNA Vendor Switzerland
Kong Inc. Kong products; Kong Konnect, Kong Enterprise, Kong Mesh, and Kong Insomnia, including Kong Opensource; Kong Gateway, Kuma, Insomnia CNA Vendor USA
KoreLogic Security Vulnerabilities in the KoreLogic website and other KoreLogic controlled assets, as well as vulnerabilities discovered by or reported to KoreLogic, unless covered by the scope of another CNA CNA Researcher USA
KrakenD, S.L. KrakenD EE, KrakenD CE, and Lura issues only CNA Vendor, Open Source Spain
KrCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT South Korea
Kubernetes Kubernetes issues only CNA Vendor, Open Source USA
Larry Cashdollar Third-party products he researches that are not in another CNA’s scope CNA Researcher USA
Leica Microsystems Leica Microsystems products as listed on https://www.leica-microsystems.com/products CNA Vendor Germany
Lenovo Group Ltd. Lenovo general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage, and networking products only CNA Vendor USA
Lexmark International Inc. Lexmark products only CNA Vendor USA
LG Electronics LG Electronics products only CNA Vendor South Korea
Libreswan Project Libreswan software CNA Vendor, Open Source No country affiliation
Liferay, Inc. All Liferay supported products and end-of-life/end-of-service products CNA Vendor USA
Logitech All current products/software/apps made by Logitech, Ultimate Ears, Jaybird, Streamlabs, Logitech G, Logicool, Blue, and Astro Gaming CNA Vendor Switzerland
LY Corporation Current versions of LINE Messenger Application for iOS, Android, Mac, and Windows, plus LINE Open Source projects hosted on https://github.com/line CNA Open Source Japan
M-Files Corporation M-Files and Hubshare products CNA Vendor Finland
Mammotome All Mammotome products CNA Vendor USA
ManageEngine ManageEngine products only CNA Vendor India
Mandiant Inc. Vulnerabilities in Mandiant products or discovered by Mandiant while performing vulnerability research or security assessments, unless covered by another CNA’s scope CNA Researcher, Vendor USA
Mattermost, Inc. All Mattermost issues, and vulnerabilities discovered by Mattermost that are not in another CNA’s scope CNA Vendor, Researcher USA
Mautic Mautic core and officially supported plugins CNA Vendor, Open Source USA
MediaTek, Inc. MediaTek product issues only CNA Vendor Taiwan
Medtronic All products of Medtronic or a Medtronic company including supported products and end-of-life/end-of-service products, as well as vulnerabilities in third-party software discovered in Medtronic products that are not in another CNA’s scope CNA Vendor USA
Mend Vulnerabilities in Mend (formerly WhiteSource) products and vulnerabilities in third-party software discovered by Mend that are not in another CNA’s scope CNA Vendor, Researcher USA
Meta Platforms, Inc. Meta-supported open source projects, mobile apps, and other software, as well as vulnerabilities in third-party software discovered by Meta that are not in another CNA’s scope; see: https://www.facebook.com/whitehat and https://github.com/facebook/ CNA Vendor, Open Source, Researcher USA
Microchip Technology Microchip Technology products only CNA Vendor USA
Microsoft Corporation Microsoft issues only, excluding end-of-life (EOL) as listed in the Microsoft Lifecycle Policy CNA Vendor USA
Milestone Systems A/S Supported Milestone XProtect products CNA Vendor Denmark
MIM Software Inc. MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA CNA Vendor USA
Mirantis All Mirantis products (supported products and end-of-life/end-of-service products) and open source offerings, as well as vulnerabilities in third-party software discovered by Mirantis that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
MITRE Corporation All vulnerabilities, and Open Source software product vulnerabilities, not already covered by a CNA listed on this website Top-Level Root, CNA-LR, Secretariat N/A USA
Mitsubishi Electric Corporation Vulnerabilities related to products of Mitsubishi Electric Group CNA Vendor Japan
Monash University - Cyber Security Incident Response Team Vulnerabilities in any Monash University developed products, or vulnerabilities identified in third-party vendor products used by Monash University, unless covered by the scope of another CNA CNA CERT, Open Source, Researcher Australia
MongoDB, Inc. MongoDB products only, not including end-of-life components or products CNA Vendor, Open Source USA
Moxa Inc. Moxa products only CNA Vendor Taiwan
Mozilla Corporation Mozilla issues only CNA Vendor, Open Source USA
N-able N-able branded products and technologies only CNA Vendor USA
National Cyber Security Centre Finland (NCSC-FI) Vulnerabilities in software discovered by NCSC-FI, and vulnerabilities reported to NCSC-FI for coordinated disclosure, which are not in another CNA’s scope CNA CERT Finland
National Cyber Security Centre Netherlands (NCSC-NL) Vulnerabilities in software discovered by NCSC-NL, and vulnerabilities reported to NCSC-NL for coordinated disclosure, which are not in another CNA’s scope CNA CERT Netherlands
National Cyber Security Centre SK-CERT Vulnerabilities in software discovered by National Cyber Security Centre SK-CERT, and vulnerabilities reported to National Cyber Security Centre SK-CERT for coordinated disclosure, which are not in another CNA’s scope CNA CERT Slovak Republic
National Instruments NI products only (including National Instruments) CNA Vendor USA
Naver Corporation Naver products only, except Line products CNA Vendor South Korea
NEC Corporation NEC issues only CNA Vendor Japan
NetApp, Inc. All NetApp products as well as projects hosted on https://github.com/netapp CNA Vendor USA
Netflix, Inc. Current versions of Netflix Mobile Streaming Application for iOS, Android, and Windows Mobile, plus all Netflix Open Source projects hosted on https://github.com/Netflix/ and https://github.com/spinnaker/ CNA Vendor, Open Source USA
NetRise Vulnerabilities in third-party Extended Internet of Things (XIoT) devices and firmware NetRise researches that are not covered by another CNA CNA Researcher USA
Netskope All Netskope products and services CNA Vendor USA
Network Optix All Network Optix products, including https://www.networkoptix.com/nx-witness and https://www.networkoptix.com/powered-by-nx CNA Vendor, Open Source USA
NLnet Labs All NLnet Labs projects CNA Vendor, Open Source Netherlands
Node.js All actively developed versions of software developed under the Node.js project on https://github.com/nodejs/ CNA Vendor, Open Source USA
Nokia All vulnerabilities in Nokia products CNA Vendor Finland
NortonLifeLock Inc. All NortonLifeLock product issues only CNA Vendor USA
Nozomi Networks Inc. All Nozomi Networks products, as well as vulnerabilities in third-party software discovered by Nozomi Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
NVIDIA Corporation NVIDIA issues only CNA Vendor USA
Objective Development Software GmbH Objective Development issues only CNA Vendor Austria
Octopus Deploy All Octopus Deploy products, as well as Octopus Deploy maintained projects hosted on https://github.com/OctopusDeploy CNA Vendor, Open Source Australia
Odoo Odoo issues only CNA Vendor Belgium
Okta Okta issues only CNA Vendor USA
OMRON Corporation Omron Group companies’ Industrial Automation, Healthcare, Social Systems, Device & Module Solutions issues only CNA Vendor Japan
ONEKEY GmbH All ONEKEY products and vulnerabilities in third-party software discovered by ONEKEY that are not in another CNA’s scope CNA Vendor, Researcher Germany
Open Design Alliance Open Design Alliance products only CNA Vendor USA
Open-Xchange Products and services provided by Open-Xchange, PowerDNS, and Dovecot CNA Open Source, Vendor Germany
OpenAM Consortium Open source projects hosted on https://github.com/openam-jp CNA Open Source, Consortium Japan
OpenAnolis OpenAnolis issues only CNA Vendor, Open Source China
OpenCloudOS Community OpenCloud OS issues only, not including EOL products, unless covered by another CNA’s scope CNA Open Source China
openEuler openEuler issues only CNA Vendor, Open Source China
openGauss Community openGauss issues only CNA Open Source China
OpenHarmony openHarmony issues only CNA Open Source China
OpenSource Security GmbH Vulnerabilities discovered by or reported to OpenSource Security, unless covered by another CNA’s scope CNA Researcher Germany
OpenSSL Software Foundation OpenSSL software projects only CNA Vendor, Open Source USA
OpenText (formerly Micro Focus) All OpenText products (including Carbonite, Zix, Micro Focus, others) CNA Vendor USA
OpenVPN Inc. All products and projects in which OpenVPN is directly involved commercially and for OpenVPN community projects, including Private Tunnel CNA Vendor, Open Source USA
Opera Opera issues only CNA Vendor, Open Source Norway
OPPO Mobile Telecommunication Corp., Ltd. OPPO devices only CNA Vendor China
Oracle Oracle supported version product issues only; CVE IDs will not be assigned for unsupported products or versions (Oracle will confirm support status and notify researcher) CNA Hosted Service, Open Source, Vendor USA
OTORIO LTD. All OTORIO products, as well as vulnerabilities in third-party software discovered by OTORIO that are not in another CNA’s scope CNA Vendor, Researcher Israel
OTRS AG Vulnerabilities for OTRS and ((OTRS)) Community Edition and modules only CNA Vendor Germany
Palantir Technologies Palantir products and technologies only CNA Vendor USA
Pall Corporation Pall branded products only CNA Vendor USA
Palo Alto Networks, Inc. All Palo Alto Networks products, and vulnerabilities discovered by Palo Alto Networks that are not in another CNA’s scope CNA Vendor, Researcher USA
Panasonic Holdings Corporation All products and services developed and/or sold by Panasonic Group companies CNA Vendor Japan
Pandora FMS Pandora FMS, Pandora ITSM, and Pandora RC issues only CNA Vendor Spain
PaperCut Software Pty Ltd PaperCut MF, PaperCut NG, PaperCut Hive, PaperCut Pocket, PaperCut Mobility Print, QRdoc, PaperCut Views, PaperCut Multiverse, https://www.papercut.com, and all other PaperCut products and services CNA Vendor Australia
Patchstack Vulnerabilities in third-party products discovered by Patchstack and Patchstack Bug Bounty program unless covered by the scope of another CNA CNA Bug Bounty Provider, Hosted Service, Open Source, Researcher, Vendor Estonia
Payara All Payara Platform product distributions (Payara Server, Micro, Embedded) for both Enterprise (commercial) and Community (OSS) distributions CNA Open Source, Vendor UK
Pegasystems Inc. Pegasystems products only CNA Vendor USA
Pentraze Cybersecurity Vulnerabilities in third-party software discovered by Pentraze Cybersecurity that are not in another CNA’s scope CNA Researcher Dominican Republic
Perforce All Perforce products CNA Vendor, Open Source USA
Philips Philips issues only CNA Vendor Netherlands
Phoenix Technologies, Inc. All Phoenix Technologies products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Phoenix Technologies that are not in another CNA’s scope CNA Vendor, Researcher USA
PHP Group Vulnerabilities in PHP code (code in https://github.com/php/php-src) only CNA Vendor, Open Source USA
Ping Identity Corporation All Ping Identity products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Ping Identity that are not in another CNA’s scope CNA Hosted Service, Researcher, Bug Bounty Provider USA
PingCAP (US), Inc. Vulnerabilities in the following PingCAP maintained products and components: TiDB (code available at https://github.com/pingcap/tidb); TiKV (code available at https://github.com/tikv/tikv); PD (Placement Driver, code available at https://github.com/tikv/pd); TiFlash (code available at https://github.com/pingcap/tiflash); and tidbcloud (PingCAP’s cloud database service). This scope includes vulnerabilities in all supported versions of these products. CVE IDs will not be assigned for vulnerabilities found in unsupported versions or for third-party dependencies not maintained by PingCAP CNA Vendor, Open Source, Hosted Service USA
PlexTrac, Inc. Vulnerabilities within PlexTrac’s products CNA Vendor USA
PostgreSQL postgresql.org/download software and related projects listed at postgresql.org/support/security CNA Open Source Canada
Profelis IT Consultancy Products and services developed by Profelis IT Consultancy including enterprise directory solution SambaBox and password reset product PassBox CNA Vendor Türkiye
Progress Software Corporation Vulnerabilities in software published and maintained by Progress Software Corporation CNA Vendor USA
Proofpoint Inc. All Proofpoint products CNA Hosted Service, Vendor USA
Protect AI (formerly huntr.dev) Vulnerabilities in Protect AI products, third-party code vulnerabilities reported by researchers collaborating with huntr and vulnerabilities discovered by, or reported to, Protect AI that are not in another CNA’s scope CNA Bug Bounty Provider, Open Source, Researcher USA
Proton AG Proton AG issues only CNA Vendor Switzerland
Pure Storage, Inc. Pure Storage products only CNA Vendor USA
Python Software Foundation Only supported and end-of-life Python versions available at https://python.org/downloads and pip versions available at https://pypi.org/project/pip, Pallets projects available at https://github.com/pallets (such as Flask, Jinja, Click, MarkupSafe, Werkzeug, and ItsDangerous), and excluding distributions of Python, pip, and Pallets projects maintained by third-party redistributors CNA Vendor, Open Source USA
QNAP Systems, Inc. QNAP issues only CNA Vendor Taiwan
Qualcomm, Inc. Qualcomm and Snapdragon issues only CNA Vendor USA
Qualys, Inc. All Qualys products and vulnerabilities discovered by Qualys that are not covered by another CNA’s scope CNA Vendor, Researcher USA
rami.io GmbH All rami.io GmbH products and open source projects, including pretix, official pretix plugins and apps, and Venueless CNA Vendor, Hosted Service, Open Source Germany
Rapid7, Inc. All Rapid7 products, and vulnerabilities discovered by Rapid7 that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Real-Time Innovations, Inc. All RTI Connext products, including EOL products. See https://www.rti.com/products for more information CNA Vendor USA
RealPage Vulnerabilities in RealPage products and services including but not limited to: Keyready, Knock CRM, HomeWiseDocs, REDS (Real Estate Data Solutions), G5, WhiteSky Communications, Chirp Systems, STRATIS IoT, Modern Message (Community Rewards), Hipercept, Investor Management Services, AIM, FUEL, Buildium, All Property Management, SimpleBills, DepositIQ, Rentlytics, ClickPay, LeaseLabs, PEX, On-Site, American Utility Management (AUM), Axiometrics, Lease Rent Optimization (LRO), AssetEye, NWP Services Corporation, Indatus, ActiveBuilding, RentMineOnline (RMO), MyNewPlace, Compliance Depot, SeniorLiving.net, eREI, Domin-8, Level One, Propertyware, Opstechnology, LeasingDesk, and YieldStar CNA Vendor USA
Red Hat, Inc. Root Scope: The Red Hat Root’s scope includes the open source community. Any open source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them better. CNA Scope: Vulnerabilities in open source projects affecting Red Hat software that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat software Root, CNA Vendor, Open Source USA
Replicated, Inc. Replicated products and services only CNA Vendor USA
Rhino Mobility Rhino Mobility issues only CNA Vendor USA
Ribose Limited All Ribose products and services, including open source projects, supported products, and end-of-life/end-of-service products CNA Hosted Service, Open Source, Vendor UK
Robert Bosch GmbH Bosch products only CNA Vendor Germany
Rockwell Automation All Rockwell Automation products CNA Vendor USA
SailPoint Technologies SailPoint issues only CNA Vendor USA
Salesforce, Inc. Salesforce products only CNA Vendor USA
Samsung Mobile Samsung Mobile Galaxy products, personal computers, and related services only CNA Vendor South Korea
Samsung TV & Appliance Samsung TV & Appliance products, Samsung-owned open source projects listed on https://github.com/Samsung/, as well as vulnerabilities in third-party software discovered by Samsung that are not in another CNA’s scope. Vulnerabilities affecting end-of-life/end-of-service products are in scope. The following categories of Samsung Products are in scope: Internet-connected home appliances, B2C product (smart TV, smart monitor, soundbar, and projector), and B2B products (digital signage, interactive display, and kiosk) CNA Open Source, Researcher, Vendor South Korea
SAP SE All SAP products CNA Vendor Germany
SBA Research gGmbH Vulnerabilities discovered by SBA Research or reported to SBA Research by partner organizations that are not in another CNA’s scope CNA Researcher Austria
Schneider Electric All Schneider Electric products, including Proface, APC, and Eurotherm CNA Vendor France
Schweitzer Engineering Laboratories, Inc. All Schweitzer Engineering Laboratories products CNA Vendor USA
SCIEX SCIEX branded products only CNA Vendor USA
Seagate Technology Any Seagate or LaCie software or hardware, open or closed source, supported and end of life, as well as any vulnerabilities in third-party software discovered by Seagate that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Seal Security Vulnerabilities in Seal products or services and vulnerabilities discovered in open source libraries unless covered by the scope of another CNA CNA Vendor, Open Source USA
SEC Consult Vulnerability Lab All vulnerabilities discovered in third-party hardware/software by SEC Consult Vulnerability Lab (part of SEC Consult, an Eviden business), which are not in another CNA’s scope CNA Researcher Austria
Sec1 Vulnerabilities found in cybersecurity software solutions developed and maintained by Sec1 as listed on https://sec1.io/, and vulnerabilities identified in software projects or products where Sec1 has a direct and substantial contribution or partnership, unless covered by the scope of another CNA CNA Vendor India
Secomea A/S Supported Secomea products only CNA Vendor Denmark
Securifera, Inc. Vulnerabilities in vendor products discovered by Securifera, or related parties, while performing vulnerability research or security assessments CNA Researcher USA
Securin Vulnerabilities found in Securin products and services (including end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Securin that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Security Risk Advisors (SRA) Vulnerabilities discovered by SRA that are not within the scope of another CNA CNA Researcher USA
senhasegura Vulnerabilities in senhasegura products, and other vulnerabilities discovered by senhasegura that are not in another CNA’s scope CNA Vendor, Researcher Brazil
ServiceNow All ServiceNow products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by ServiceNow that are not in another CNA’s scope CNA Hosted Service, Researcher, Vendor USA
SHENZHEN CoolKit Technology CO., LTD. Products of eWeLink Solutions only, details are available at https://ewelink.cc/our-projects-scope/ CNA Vendor China
Shop Beat Solutions (Pty) LTD Vulnerabilities in Shop Beat products and services and vulnerabilities discovered by Shop Beat unless covered by the scope of another CNA CNA Hosted Service, Vendor South Africa
SICK AG SICK AG issues only CNA Vendor Germany
Siemens Siemens issues only CNA Vendor Germany
Sierra Wireless Inc. Sierra Wireless products only CNA Vendor Canada
Silicon Labs Silicon Labs issues only CNA Vendor USA
Silver Peak Systems, Inc. Silver Peak product issues only CNA Vendor USA
Simplinx Ltd. Simplinx products only CNA Vendor Türkiye
Smile CDR Inc. (doing business as “Smile Digital Health”) All Smile Digital Health products and HAPI FHIR CNA Vendor, Open Source Canada
Snow Software All Snow Software products CNA Vendor Sweden
Snyk Vulnerabilities in Snyk products and vulnerabilities discovered by, or reported to, Snyk that are not in another CNA’s scope CNA Open Source, Researcher UK
SoftIron SoftIron HyperCloud branded products and technologies only CNA Vendor USA
SolarWinds SolarWinds products only CNA Vendor USA
Solidigm Solidigm branded products and technologies CNA Vendor USA
Sonatype Inc. All Sonatype products and vulnerabilities in third-party software discovered by Sonatype that are not in another CNA’s scope CNA Vendor, Researcher USA
SonicWall, Inc. SonicWall issues only CNA Vendor USA
Sophos Limited Sophos issues only CNA Vendor UK
Spanish National Cybersecurity Institute, S.A. (INCIBE) Root Scope: Spain organizations. CNA Scope: Vulnerability assignment related to its vulnerability coordination role for Industrial Control Systems (ICS), Information Technologies (IT), and Internet of Things (IoT) systems issues at the national level, and vulnerabilities reported to INCIBE by Spain organizations and researchers that are not in another CNA’s scope Root, CNA CERT Spain
Splunk Inc. Splunk products only CNA Vendor USA
STAR Labs SG Pte. Ltd. Vulnerabilities discovered by, or reported to, STAR Labs SG that are not in another CNA’s scope CNA Researcher Singapore
StrongDM StrongDM issues only CNA Vendor USA
Stryker Corporation All products of Stryker or a Stryker company including end-of-life/end-of-service products, and vulnerabilities in third-party software used in Stryker products that are not in another CNA’s scope CNA Vendor, Researcher USA
Super Micro Computer, Inc. Supermicro branded products, managed system, or software projects CNA Vendor USA
SUSE SUSE and Rancher issues only CNA Vendor, Open Source USA
Swift Project The Swift Project only CNA Vendor, Open Source USA
Switzerland National Cyber Security Centre (NCSC) Switzerland Government Common Vulnerability Program CNA CERT Switzerland
Symantec - A Division of Broadcom Symantec Enterprise products as well as vulnerabilities in third-party software discovered by Symantec that are not in another CNA’s scope CNA Vendor, Researcher USA
Synaptics, Inc. Synaptics issues only CNA Vendor USA
Synology Inc. Synology issues only CNA Vendor Taiwan
Talos Third-party products it researches CNA Researcher USA
Tcpdump Group Tcpdump and Libpcap only CNA Vendor, Open Source Canada
TeamViewer Germany GmbH TeamViewer issues only CNA Vendor Germany
TECNO Mobile Limited Vulnerabilities in TECNO products and services only CNA Vendor China
Tego Cyber, Inc. Tego Cyber issues and vulnerabilities discovered by Tego in third-party products, unless covered under the scope of another CNA CNA Vendor, Researcher USA
Teleport All Teleport (Gravitational, Inc.) products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Teleport that are not in another CNA’s scope CNA Vendor, Open Source, Researcher USA
Teltonika Networks Teltonika Networks products and services only CNA Vendor Lithuania
Temporal Technologies Inc. All Temporal Technologies software CNA Hosted Service, Open Source USA
Tenable Network Security, Inc. Tenable products and third-party products it researches not covered by another CNA CNA Vendor USA
Thales Group Thales branded products and technologies, products and technologies of subsidiaries of Thales Group, unless covered by the scope of another CNA as well as vulnerabilities in third-party software discovered by Thales Group and subsidiaries that are not in another CNA’s scope CNA Vendor, Researcher France
The HISP Centre at the University of Oslo Security issues in DHIS2 open source web and mobile software applications CNA Vendor, Open Source Norway
The Missing Link Australia (TML) TML vulnerability disclosure policy applies to any third-party vendor products to whom TML will assign the CVEs for vulnerabilities, if the product is not a part of another CNA scope CNA Researcher Australia
The OpenBMC Project Vulnerabilities related to the repositories maintained by the OpenBMC project CNA Vendor, Open Source USA
The OpenNMS Group OpenNMS issues only CNA Vendor, Open Source USA
The Wikimedia Foundation Any code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org, or github.com/wikimedia that is not labeled as archived or marked as a fork of an upstream project. Please see our disclosure policy for additional exclusions to scope CNA Open Source USA
TianoCore.org Software vulnerabilities related to the TianoCore Open Source CNA Vendor, Open Source USA
TIBCO Software Inc. TIBCO, Talarian, Spotfire, Data Synapse, Foresight, Kabira, Proginet, LogLogic, StreamBase, JasperSoft, and Mashery products/brands only CNA Vendor USA
Tigera, Inc. All vulnerabilities for Calico and all of Tigera’s products only CNA Vendor, Open Source USA
Toshiba Corporation Vulnerabilities related to products and services of Toshiba Group CNA Vendor Japan
TR-CERT (Computer Emergency Response Team of the Republic of Türkiye) Vulnerability assignment related to its vulnerability coordination role CNA CERT Türkiye
Trellix All Trellix Enterprise (formerly McAfee Enterprise and FireEye) products, as well as vulnerabilities in third-party software discovered by Trellix Advanced Research Center (Trellix ACR) that are not in another CNA’s scope CNA Vendor, Researcher USA
Trend Micro, Inc. Trend Micro supported products, including any end-of-life products CNA Vendor Japan
TWCERT/CC Vulnerability assignment related to its vulnerability coordination role CNA CERT Taiwan
TXOne Networks, Inc. Vulnerabilities in TXOne Networks products, including end-of-life products, or third-party operational technology (OT) and industrial control systems (ICS) products, unless covered by the scope of another CNA CNA Vendor, Researcher Taiwan
Unisoc (Shanghai) Technologies Co., Ltd. Unisoc issues only CNA Vendor China
upKeeper Solutions All upKeeper Solutions products, excluding end-of-life (EOL) as listed in the upKeeper Solutions End of Life Policy CNA Vendor Sweden
Vaadin Ltd. All Vaadin products and supported open source projects hosted at https://github.com/vaadin CNA Vendor, Open Source Finland
Vivo Mobile Communication Co., Ltd. Vivo issues only CNA Vendor China
VMware by Broadcom VMware, Spring, and Cloud Foundry issues only CNA Vendor, Open Source USA
VotingWorks Vulnerabilities in VotingWorks voting systems, hardware, and software CNA Vendor, Open Source USA
VulDB Vulnerabilities in VulDB products and vulnerabilities discovered by, or reported to, the VulDB vulnerability database that are not in another CNA’s scope CNA Researcher Switzerland
VulnCheck Vulnerabilities discovered by, or reported to, VulnCheck that are not in another CNA’s scope CNA Bug Bounty Provider, Researcher USA
Vulnscope Technologies Provides CVE IDs for customers as part of our bug bounty and vulnerability coordination platform CNA Bug Bounty Provider Chile
VULSec Labs Vulnerabilities discovered by, or reported to, VULSec Labs that are not in another CNA’s scope CNA Researcher Israel
WatchDogDevelopment.com, LLC All WatchDog products CNA Vendor USA
WatchGuard Technologies, Inc. Vulnerabilities in all WatchGuard products and products of WatchGuard subsidiaries CNA Vendor USA
Western Digital Western Digital products including WD, SanDisk, SanDisk Professional, G-Technology, and HGST only CNA Vendor USA
Wind River Systems Inc. All Wind River branded products as found on windriver.com including vulnerabilities in natively developed or modified product incorporated components, and only product incorporated third-party components not in another CNA’s scope CNA Vendor USA
Wiz, Inc. Vulnerabilities identified in Wiz products, and vulnerabilities discovered by, or reported to, Wiz that are not in another CNA’s scope CNA Vendor, Researcher USA
wolfSSL Inc. Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products CNA Vendor, Open Source USA
Wordfence WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team CNA Vendor, Researcher USA
WPScan WordPress core, plugins, and themes CNA Vendor, Open Source France
Wren Security Wren Security maintained software CNA Open Source Czech Republic
WSO2 LLC WSO2 products and services scoped under Responsible Disclosure Program https://security.docs.wso2.com/en/latest/security-reporting/reward-and-acknowledgement-program/#products-services-in-scope CNA Vendor, Open Source, Hosted Service USA
Xen Project All sub-projects under Xen Project’s umbrella (see Xen Project Teams), except those sub-projects that have their own security response process; and the Xen components inside other projects, where Xen Project is the primary developer CNA Vendor, Open Source UK
Xerox Corporation Xerox Corporation issues only CNA Vendor USA
Xiaomi Technology Co., Ltd. Xiaomi issues only CNA Vendor China
Xylem Xylem products and technologies only CNA Vendor USA
Yandex N.V. Yandex issues only CNA Vendor Russia
Yokogawa Group Yokogawa Group companies’ products and Yokogawa Group subsidiaries’ products CNA Vendor Japan
Yugabyte, Inc. Yugabyte products only CNA Hosted Service, Vendor USA
Zabbix Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only CNA Vendor Latvia
Zephyr Project Zephyr project components, and vulnerabilities that are not in another CNA’s scope CNA Vendor, Open Source USA
Zero Day Initiative Products and projects covered by its bug bounty programs that are not in another CNA’s scope CNA Bug Bounty Provider Japan
ZGR ZGR manufactured products CNA Vendor Spain
Zoom Video Communications, Inc. Zoom and Keybase issues only CNA Vendor USA
Zowe Vulnerabilities in Zowe.org open source projects CNA Open Source USA
Zscaler, Inc. Zscaler issues only CNA Vendor USA
ZTE Corporation ZTE products only CNA Vendor China
ZUSO Advanced Research Team (ZUSO ART) Vulnerabilities in third-party products discovered by ZUSO ART that are not in another CNA’s scope CNA Researcher Taiwan
Zyxel Corporation Zyxel products issues only CNA Vendor Taiwan
