Metrics
Use the scroll bar to navigate the data tables.
Published CVE Records
Comparison of published CVE Records by quarter for all years from 1999 to present.
A CVE Record contains descriptive data, (i.e., a brief description and at least one reference) about a vulnerability associated with a CVE ID. CVE Records are published by CVE Numbering Authorities (CNAs).
| Year | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Qtr4 | 11,073 | 7,876 | 6,231 | 5,200 | 4,387 | 4,822 | 3,614 | 3,570 | 1,590 | 1,652 | 2,528 | 1,416 | 1,244 | 1,133 | 1,071 | 1,100 | 1,500 | 1,884 | 1,737 | 1,725 | 376 | 154 | 104 | 81 | 393 | 0 |
| Qtr3 | 8,591 | 6,936 | 6,448 | 5,541 | 4,170 | 5,150 | 4,350 | 4,037 | 1,713 | 1,747 | 2,220 | 1,297 | 1,926 | 988 | 1,020 | 1,547 | 1,343 | 1,564 | 1,643 | 1,477 | 741 | 265 | 304 | 573 | 218 | 321 |
| Qtr2 | 11,716 | 7,134 | 6,365 | 5,005 | 5,011 | 4,091 | 4,613 | 3,612 | 1,775 | 1,443 | 1,660 | 1,147 | 1,058 | 901 | 1,408 | 1,381 | 1,279 | 1,887 | 1,887 | 2,013 | 229 | 630 | 593 | 337 | 198 | 0 |
| Qtr1 | 8,697 | 7,015 | 6,015 | 4,415 | 4,807 | 3,245 | 3,935 | 3,426 | 1,379 | 1,652 | 1,540 | 1,282 | 1,060 | 1,128 | 1,140 | 1,704 | 1,551 | 1,987 | 1,618 | 1,493 | 266 | 174 | 690 | 332 | 629 | 0 |
| TOTAL | 40,077 | 28,961 | 25,059 | 20,161 | 18,375 | 17,308 | 16,512 | 14,645 | 6,457 | 6,494 | 7,948 | 5,142 | 5,288 | 4,150 | 4,639 | 5,732 | 5,673 | 7,322 | 6,885 | 6,708 | 1,612 | 1,223 | 1,691 | 1,323 | 1,438 | 321 |
Reserved CVE IDs
Comparison of Reserved CVE IDs by year from 1999 to present.
A “Reserved” CVE ID is the initial state for a CVE Record; when the associated CVE ID is reserved by a CNA.
| Year | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Count | 52,316 | 40,051 | 34,553 | 28,506 | 30,680 | 24,179 | 21,407 | 18,196 | 14,472 | 9,959 | 9,465 | 7,334 | 7,370 | 5,630 | 5,379 | 6,094 | 5,968 | 7,607 | 7,077 | 7,041 | 1,357 | 1,209 | 1,909 | 1,445 | 1,178 | 991 |
CVE Record Publications by All CNAs Combined Versus CNA-LRs
Comparison of CVE Records published by all CNAs combined versus CVE Records published by the two CNAs of Last Resort (CNA-LRs) (CISA* and MITRE) from 1999 to present.
| Year | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016-1999 |
|---|---|---|---|---|---|---|---|---|---|
| All CNAs | 87% | 79% | 68% | 65% | 58% | 53% | 53% | 50% | 0% |
| CNA-LRs | 13% | 21% | 32% | 35% | 42% | 47% | 47% | 50% | 100% |
*Note: CISA became a CNA-LR in calendar year 2020.
CNA Partners Added by Year
Comparison of CVE Numbering Authority (CNA) partners added by year from 1999 to present.
Currently, there are 450 CNAs (447 CNAs and 3 CNA-LRs) from 40 countries and 1 no country affiliation participating in the CVE Program.
Note: Occasionally, CNAs become inactive due to corporate mergers or changes in business activities. In these cases, deactivated CNAs are not removed from the recruitment total CNAs added for a calendar year in the table below. Therefore, the totals by year columns if added together will not match the program’s grand total numbers above.
| Year | 2025 | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| January | 3 | 10 | 4 | 1 | 3 | 3 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| February | 10 | 7 | 9 | 2 | 1 | 3 | 1 | 2 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | N/A |
| March | 4 | 5 | 5 | 3 | 9 | 1 | 1 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| April | 3 | 4 | 6 | 3 | 5 | 4 | 0 | 2 | 3 | 1 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| May | TBA | 9 | 8 | 5 | 1 | 7 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| June | TBA | 6 | 8 | 5 | 10 | 1 | 1 | 1 | 7 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| July | TBA | 9 | 4 | 6 | 2 | 4 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| August | TBA | 6 | 8 | 5 | 3 | 1 | 2 | 2 | 6 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| September | TBA | 8 | 8 | 1 | 8 | 4 | 3 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| October | TBA | 7 | 9 | 12 | 9 | 2 | 1 | 0 | 2 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| November | TBA | 6 | 9 | 10 | 7 | 4 | 4 | 0 | 1 | 12 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| December | TBA | 11 | 6 | 3 | 7 | 2 | 2 | 3 | 0 | 7 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| TOTAL | 20 | 88 | 84 | 56 | 65 | 36 | 16 | 12 | 30 | 23 | 0 | 3 | 0 | 3 | 4 | 1 | 3 | 1 | 1 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 1 |
CNA Enrichment Recognition
Getting more precise and quality vulnerability information in the hands of defenders and downstream customers on a timelier basis helps the cybersecurity community better address risks. Additional vulnerability-related information provides increased transparency, enables vulnerability root cause understanding, and helps prioritize vulnerability and incident response. Information standards and knowledge repositories like CVSS, CWE, and others help provide a common language for this additional information.
In April 2024, the CVE Program highlighted how its data format evolved to better facilitate automation and data enrichment. This means that CNAs, as the authoritative source of vulnerability information within their scope, and those with access to the most reliable source for accurate determinations, can easily provide data enrichment directly to a CVE Record, as opposed to waiting for a third-party to do so in a less timely and potentially less accurate manner. As such, the CVE Program called on all CNAs to provide this enrichment to their CVE Records directly, and, in so doing, contribute more substantially to the vulnerability management process. Many have answered that call.
In recognition of these CNAs, the CVE Program publishes this “CNA Enrichment Recognition List” every two weeks. Currently, CNAs are added to the list if they provide CVSS and CWE information 98% of the time or more within the two-week period of their last published CVE Record. For more information about vulnerability information types like CVSS and CWE, see the CVE Record User Guide.
CNA Enrichment Recognition List
Last Updated:
Total CNAs: 249
- 1E Limited
- 9front Systems
- Absolute Software
- Acronis International GmbH
- Adobe Systems Incorporated
- Advanced Micro Devices Inc.
- Alias Robotics S.L.
- Amazon
- AMI
- ARC Informatique
- Arista Networks, Inc.
- Asea Brown Boveri Ltd.
- ASR Microelectronics Co., Ltd.
- ASUSTeK Computer Incorporation
- ATISoluciones Diseño de Sistemas Electrónicos, S.L.
- Austin Hackers Anonymous
- Autodesk
- Automotive Security Research Group (ASRG)
- Avaya Inc.
- Axis Communications AB
- Baicells Technologies Co., Ltd.
- Baxter Healthcare
- Beckman Coulter Life Sciences
- Becton, Dickinson and Company (BD)
- BeyondTrust Inc.
- Bitdefender
- Bizerba SE & Co. KG
- Black Duck Software, Inc.
- Black Lantern Security
- BlackBerry
- Brocade Communications Systems LLC, a Broadcom Company
- Canon EMEA
- Canon Inc.
- Canonical Ltd.
- Carrier Global Corporation
- Cato Networks
- CERT.PL
- CERT@VDE
- Check Point Software Technologies Ltd.
- Checkmarx
- Checkmk GmbH
- cirosec GmbH
- Cisco Systems, Inc.
- ClickHouse, Inc.
- Cloudflare, Inc.
- Concrete CMS
- Crafter CMS
- CrowdStrike Holdings, Inc.
- CyberArk Labs
- CyberDanube
- Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
- Dassault Systèmes
- Delinea, Inc.
- Dell EMC
- Delta Electronics, Inc.
- Dfinity Foundation
- DirectCyber
- Docker Inc.
- dotCMS LLC
- Dragos, Inc.
- Dutch Institute for Vulnerability Disclosure (DIVD)
- Eaton
- Eclipse Foundation
- Elastic
- EnterpriseDB Corporation
- Environmental Systems Research Institute, Inc. (Esri)
- Ericsson
- ESET, spol. s r.o.
- EU Agency for Cybersecurity (ENISA)
- Exodus Intelligence
- F5 Networks
- Fedora Project (Infrastructure Software)
- Fluid Attacks
- Forcepoint
- Forescout Technologies
- Fortinet, Inc.
- Fortra, LLC
- FPT SOFTWARE CO., LTD
- Gallagher Group Ltd
- GE Healthcare
- Genetec Inc.
- Gitea Limited
- GitHub (maintainer security advisories)
- GitHub Inc, (Products Only)
- GitLab Inc.
- Glyph & Cog, LLC
- Google LLC
- Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
- Grafana Labs
- Gridware Cybersecurity
- Hanwha Vision Co., Ltd.
- HashiCorp Inc.
- HCL Software
- HeroDevs
- HiddenLayer, Inc.
- Hillstone Networks Inc.
- Hitachi Vantara
- Hitachi, Ltd.
- Honeywell International Inc.
- HP Inc.
- Huawei Technologies
- HYPR Corp
- IBM Corporation
- ICS-CERT
- Indian Computer Emergency Response Team (CERT-In)
- Intel Corporation
- Internet Systems Consortium (ISC)
- Israel National Cyber Directorate
- Ivanti
- Jamf
- JetBrains s.r.o.
- JFROG
- Johnson Controls
- JPCERT/CC
- Juniper Networks, Inc.
- Kaspersky
- KrCERT/CC
- Kubernetes
- Lenovo Group Ltd.
- Lexmark International Inc.
- LG Electronics
- Liferay, Inc.
- Logitech
- M-Files Corporation
- Mattermost, Inc
- Mautic
- Microchip Technology
- Microsoft Corporation
- Milestone Systems A/S
- Mitsubishi Electric Corporation
- MongoDB
- Moxa Inc.
- N-able
- National Cyber Security Centre - Netherlands (NCSC-NL)
- National Cyber Security Centre Finland
- National Cyber Security Centre SK-CERT
- National Instruments
- NetApp, Inc.
- Netflix, Inc.
- Netskope
- NLnet Labs
- NortonLifeLock Inc
- Nozomi Networks Inc.
- Nvidia Corporation
- Odoo
- Okta
- OMRON Corporation
- ONEKEY GmbH
- Open Design Alliance
- Open-Xchange
- OpenAnolis
- openEuler
- OpenHarmony
- OpenText (formerly Micro Focus)
- OPPO
- OTRS AG
- Palantir Technologies
- Palo Alto Networks
- Panasonic Holdings Corporation
- Pandora FMS
- PaperCut Software Pty Ltd
- Patchstack OÜ
- Pegasystems
- Pentraze Cybersecurity
- Perforce
- Phoenix Technologies, Inc.
- Ping Identity Corporation
- PlexTrac, Inc.
- Progress Software Corporation
- Proofpoint Inc.
- Protect AI
- Pure Storage, Inc.
- QNAP Systems, Inc.
- Qualcomm, Inc.
- rami.io GmbH
- Rapid7, Inc.
- Real-Time Innovations, Inc.
- Red Hat CNA-LR
- Red Hat, Inc.
- Robert Bosch GmbH
- Roche Diagnostics
- SailPoint Technologies
- Samsung TV & Appliance
- SAP SE
- SBA Research gGmbH
- Schneider Electric SE
- Seal Security
- SEC Consult Vulnerability Lab
- Secomea
- Securin
- ServiceNow
- SHENZHEN CoolKit Technology CO., LTD.
- SICK AG
- Siemens
- Silicon Labs
- Snow Software
- Snyk
- SoftIron
- SolarWinds
- Sonatype Inc.
- Sophos
- Spanish National Cybersecurity Institute, S.A.
- Splunk
- STAR Labs SG Pte. Ltd.
- Super Micro Computer, Inc.
- Suse
- Switzerland National Cyber Security Centre (NCSC)
- Synaptics
- Synology Inc.
- Talos
- TeamViewer Germany GmbH
- Teltonika Networks
- Temporal Technologies Inc.
- Tenable Network Security, Inc.
- Thales Group
- The Document Foundation
- The Tcpdump Group
- TianoCore.org
- Tigera
- Toshiba Corporation
- TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
- Trellix
- TWCERT/CC
- TXOne Networks, Inc.
- upKeeper Solutions
- Vivo Mobile Communication Technology Co., LTD.
- VulDB
- VulnCheck
- VULSec Labs
- WatchGuard Technologies, Inc.
- Western Digital
- Wind River Systems Inc.
- Wiz, Inc.
- Wordfence
- WSO2 LLC
- Xerox Corporation
- Xiaomi Technology Co Ltd
- Yandex N.V.
- Yokogawa Group
- Yugabyte, Inc.
- Zabbix
- Zephyr Project
- Zero Day Initiative
- Zohocorp
- Zoom Video Communications, Inc.
- Zscaler, Inc.
- ZTE Corporation
- ZUSO Advanced Research Team (ZUSO ART)
- Zyxel Corporation