Structure

organizational chart of CVE program structure, including current organizations in each role, which is described below

The CVE Board oversees CVE Program operations and determines its strategic direction. The Secretariat (currently The MITRE Corporation) provides administrative and logistical support to the CVE Board and maintains the CVE Program’s infrastructure. CVE Working Groups focus on specific work areas and are created by, and report to, the CVE Board.

CVE ID assignment and CVE Record publishing occur within a hierarchal structure defined by the CVE Board. In that hierarchal structure, Top-Level Roots (TL-Root) report directly to the CVE Board and manage their own Root / CVE Numbering Authority (CNA) hierarchies that may include one or more Roots, one or more CNAs, and one CNA of Last Resort (CNA-LR). In those hierarchies, managerial functions are performed by Roots and operational functions (i.e., ID assignment and record publishing) are performed by CNAs.

There are currently two TL-Roots in the CVE Program: Cybersecurity and Infrastructure Security Agency (CISA) and MITRE. The CISA TL-Root hierarchy includes one Root (CISA ICS), multiple CNAs, and one CNA-LR managed by the CISA ICS Root. The MITRE TL-Root hierarchy includes five Roots (Google, INCIBE, JPCERT/CC, Red Hat, and Thales Group), multiple CNAs, and two CNA-LRs, one managed by Red Hat for its own Root hierarchy and one managed by the MITRE TL-Root. In both TL-Root hierarchies, each of the six Roots also manages their own CNAs.

Authorized Data Publishers (ADPs) are organizations authorized by the CVE Board to enrich the content of CVE Records published by CNAs with additional, related information (e.g., risk scores, references, vulnerability characteristics, translations, etc.).

Ask questions by accessing the CVE Program Request forms and selecting “Other” from the dropdown menu.