What is a Candidate Naming Authority?

Giulio Saggin
Giulio Saggin
Tuesday 28 November 2023

At the inception of CVE in 1999, Candidate Naming Authorities (CNAs) were introduced as entities that could assist identifying and naming vulnerabilities. First a 'problem' was identified as a candidate - potential vulnerability - and given the prefix CAN e.g. CAN-1999-0345. This step could be done by a CNA.

For a candidate to become a published vulnerability, the CVE Board had to discuss, review, and vote on whether a candidate was a vulnerability (something done for every candidate). If the Board agreed, a candidate was given CVE status and the prefix changed accordingly, so CAN-1999-0345 became CVE-1999-0345. The final step of populating the CVE ID on the master, published list controlled by CVE, was done solely by CVE.

'Discussing, reviewing, and voting' on each candidate was a drawn out process and, as the number of vulnerabilities grew with each passing year, it became harder for CVE to handle the workload on its own. In 2016, CVE implemented process improvements and one of these was a 'new look' CNA program, where CNAs were renamed "CVE Numbering Authorities" (still CNA) and allowed to assign CVE IDs.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.


SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203