{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidgonu3cyinz4h4j7tc7pcftstd6hdeflhozwmecf7gjdujbr34ge",
"uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3motket4kz2g2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreidzg6vhyppime5akzhebbd45kaig42pilknasjfbpolhl5fbqp6ua"
},
"mimeType": "image/webp",
"size": 63914
},
"path": "/nara_naghi/inside-the-cve-list-how-vulnerabilities-get-their-id-cards-3545",
"publishedAt": "2026-06-21T22:27:58.000Z",
"site": "https://dev.to",
"tags": [
"cybersecurity",
"vulnerabilities"
],
"textContent": "Thousands of software bugs are discovered every day around the world. But turning these bugs into an official, globally recognized CVE code (such as CVE-2026-1234) is a rigorous and coordinated process.\n\n**Who Maintains the CVE List?**\nThe Master CVE List is managed by the MITRE Corporation, a non-profit organization, a federally funded research center in the United States. The program is funded by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). MITRE is responsible for the integrity of the database and maintaining the rules.\n\n**What are CVE Numbering Authorities (CNAs)?**\nSince MITRE cannot register all the software vulnerabilities in the world on its own, it delegates the authority to assign IDs to a global network of partners called CVE Numbering Authorities (CNAs).\n\n**Who are the CNAs?**\nBig Tech Companies: Giants like Microsoft, Apple, Google, Cisco assign CVE IDs to vulnerabilities found in their products.\nSecurity Companies and Bug Bounty Platforms: For example, HackerOne or cybersecurity firms can provide code for vulnerabilities they find during research.\nOpen Source Projects: Groups like the Linux Kernel or Apache manage their own ecosystems.\nIf a vulnerability finder (for example, a cybersecurity student or pentester) finds a vulnerability in a product of a small company that is not a CNA, they can contact MITRE directly and request a CVE ID.\n\n**Conclusion**\nThanks to MITRE and the global CNA network, vulnerability reporting is not done haphazardly, but in a coordinated manner. This system allows programmers to develop patches and protects users from attacks.",
"title": "Inside the CVE List: How Vulnerabilities Get Their ID Cards"
}