ALL ABOUT COMPUTER


CVE Announce - January 2026 (opt-in newsletter from the CVE website)


Featured

CVE Numbering Authorities (CNAs)

Community

·       Register Now for CVE/FIRST VulnCon 2026 on April 13-16, 2026!

·       Videos from CVE Program Technical Workshop 2025 Available

·       CVE Podcast — The CVE Consumer Working Group (CWG)

·       Keeping Up with CVE

 

 

Featured

 

European Union Agency for Cybersecurity (ENISA) Is Now a Root in the CVE Program

 

On November 20, 2025, the CVE Program expanded its partnership with the European Union Agency for Cybersecurity (ENISA) for managing the assignment of CVE Identifiers (CVE IDs) and publication of CVE Records for the CVE Program. ENISA is now designated as a Root for EU member states/EU authorities, EU CSIRTs network members, and cooperative partners under ENISA’s mandate, as well as other CVE Numbering Authorities (CNAs) who choose ENISA as their Root. Read the ENISA news release.

 

The addition of ENISA as a Root is a significant milestone for the CVE Program. ENISA’s new role directly supports shared goals around expanding international participation in operational and governance roles. It also demonstrates continued progress by the program in growing the Root community and advancing federated operations where additional organizations help scale CNA engagement, onboarding, and data quality across respective program hierarchies.

 

As a Root, ENISA is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.

 

A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. There are currently 490 CNAs (487 CNAs and 3 CNA-LRs) from 41 countries and 1 no country affiliation actively participating in the CVE Program.

 

For existing CNAs who are eligible and interested in moving under ENISA’s Root, the CVE Program encourages a collaborative and voluntary transition. The CVE Program will closely engage with each organization to ensure a smooth transition process. A transition period is foreseen for those CNAs who intend to change Root. The phased approach by ENISA will allow for thoughtful coordination, ongoing support, and alignment with the preferences and operational needs of each CNA.

 

As a Root, ENISA will join the CVE Program Council of Roots, which focuses on operational coordination across the CVE Program’s Root hierarchies. At an international level, CVE Program Roots include MITRE, CISA, Google, and Red Hat from the US, and JPCERT/CC from Japan. Within the EU, Roots include INCIBE, Thales Group, and, most recently, CERT@VDE.

 

Currently, ENISA, Google, JPCERT/CC, Red Hat, Spanish National Cybersecurity Institute (INCIBE), and Thales Group are Roots under the MITRE Top-Level Root. CERT@VDE and CISA ICS are Roots under the CISA Top-Level Root. Learn more about how the CVE Program is organized on the Structure page on the CVE website.


Share this CVE article:

https://medium.com/@cve_program/cve-program-expands-partnership-with-european-union-agency-for-cybersecurity-enisa-enisa-is-0395ddb8422d

 

CVE Record Disputes, Explained: A Community Path to Clearer Vulnerability Data in a Compliance-Driven World

 

Author: Council of Roots

 

In a global program as broad and dynamic as CVE, differences in interpretation are inevitable. One area where these differences occasionally surface is in the determination of whether a reported issue constitutes a vulnerability, and how that determination should be reflected in a CVE Record. CVE Program policy exists precisely to navigate those moments of disagreement — constructively, transparently, and in service of the broader cybersecurity ecosystem.

In recent Council of Roots discussions, participants have debated the nuances of how disputes are managed within the CVE Program, where there are current challenges, and how they might be best resolved. The conversation reflected a healthy diversity of perspectives and a shared recognition that handling disputes thoughtfully is essential to maintaining both accuracy and trust in CVE data.

 

The Intent of the Current Policy

 

The “CVE Program Policy and Procedure for Disputing a CVE Record” (last updated July 2, 2025) defines how disagreements about CVE Records are handled. In the context of CVE, a CVE Record “dispute” is not an indication that the program or the record publisher has failed. Rather, it means that there are two credible, differing interpretations of the same issue — each supported by its own claim, perspective, or evidence.

When a dispute arises, the CVE Record is updated to include both positions. Each side’s rationale is documented, and the record itself is explicitly tagged as “disputed.” Unless there is a convergence of perspective, the record may remain in this state indefinitely.

This approach is intentional. It reflects a deliberate program choice: that it is often better to preserve a balanced representation of differing perspectives than to risk introducing false negatives (removing a valid vulnerability) or false positives (retaining an invalid one) through premature judgment.

 

Why Disputes Persist

 

Perpetual disputes may feel unsatisfying to some. Stakeholders naturally seek closure and final determinations wherever possible. But in a federated ecosystem like CVE that deals with supplier, researcher, and other third party perspectives, ambiguity is not failure — it’s realism. The ambiguity is often compounded by the fact that software maintainers frequently operate under their own distinct security policies, which define what constitutes a 'vulnerability' in their context and can, in turn, lead to a disagreement over whether an exploitable security bug should be claimed as a CVE.

When disagreement remains unresolved, the disputed state itself communicates something important: that involved parties hold differing views, that context or data may be incomplete, and that downstream consumers should apply their own judgment when acting on the information.

This model acknowledges that vulnerability understanding can evolve. What is uncertain today may become clear tomorrow through new research, supplier clarification, or community input. The dispute framework keeps that door open, allowing the record — and the CVE Program — to adapt without erasing history.

 

Diverse Perspectives, Shared Goals

 

Recent Council of Roots discussions underscore that participants bring different but compatible values to the table. Some emphasize the importance of clear resolution in published information. They note that persistent disputes may challenge consumer interpretation and could be perceived as inconsistency. Others emphasize openness and preservation of context, arguing that multiple perspectives empower consumers to make their own informed assessments.

Both views reflect legitimate priorities: clarity and completeness. The policy's current structure seeks to balance them. It allows disagreement to be documented and visible, while keeping the record itself authoritative and traceable.

 

The Challenge of Perpetual Disputes

 

Although the total number of perpetually disputed records is small compared to the tens of thousands of CVE Records published each year, they can create downstream challenges.

This is especially true for organizations that must demonstrate compliance with regulations or pass audits tied to the presence of CVE Records within products. In some industries (e.g., finance and other critical infrastructure domains), a disputed CVE Record may complicate audits and delay compliance approvals. While this is primarily a failure of some regulatory and compliance regimes, the CVE Program is aware of the challenges and is actively considering options.

Some in the community have suggested that a consortium, such as the Council of Roots itself, could serve as a body to make final determinations for disputed records. While somewhat appealing, this approach reintroduces the core risk the current policy was designed to avoid: the potential for false negatives/positives resulting from decisions made with inconclusive evidence.

Others propose modified or new information elements to help downstream consumers interpret disputed records, such as a measure of severity or potential impact. In theory, this could allow auditors or compliance teams to differentiate low-impact disputes from high-impact ones. But in practice, such measures may not fully resolve the issue. Many compliance frameworks treat the mere existence of a CVE Record as binary — either it exists or it doesn’t — without accommodating shades of uncertainty or varying interpretations of severity.

This underscores a broader truth: improving the handling of disputed records is not just a program policy question — it is an ecosystem-wide challenge. Reaching shared understanding and consistent interpretation across regulatory, technical, and operational domains takes time, collaboration, and mutual trust.

 

A Living Policy, Evolving Through Collaboration

 

Like many CVE Program policies, the “CVE Program Policy and Procedure for Disputing a CVE Record” is a living document. It was designed to evolve alongside the community's understanding of how best to balance accuracy, transparency, and trust.

The CVE Program reaffirms that updates to this policy, like all that help frame the program’s operations, emerge through community discussion, collaboration, and consensus-building. Engagement can take many forms: working group participation, direct feedback through program channels, or informal sharing of experiences from real-world dispute cases. Each contributes to a clearer, stronger policy that serves everyone in the ecosystem.

 

Looking Ahead

 

Disputes are a natural outcome of a large, diverse, and dynamic vulnerability reporting ecosystem. The fact that they occur is evidence of engagement, not dysfunction. What matters most is how we handle them — with fairness and transparency.

As the CVE Program continues to mature, the Council of Roots encourages all community members — CVE Numbering Authorities (CNAs), Roots, researchers, suppliers, and consumers alike — to share their insights and ideas for improving this process. To reflect the full diversity of the ecosystem and address downstream audit and compliance challenges, we invite engagement from all key stakeholders, including maintainers of community-driven software, independent security researchers, regulators, and authors of compliance frameworks.

By refining how we document, communicate, and interpret disagreement, we collectively strengthen the integrity of the CVE List and the value it provides to the cybersecurity ecosystem.

We invite you to be part of that conversation. As a first step, we’ve developed a brief survey to collect feedback and gauge interest in a potential workshop on this subject in the new year. Let us know your thoughts here.


Share this CVE article:

https://medium.com/@cve_program/cve-record-disputes-explained-a-community-path-to-clearer-vulnerability-data-in-a-271a6b5e1054 

 

CVE Program to Normalize Formatting of Date/Time Fields Across Historical CVE Records Beginning in Mid-February 2026

 

The CVE™ Program is planning to begin normalizing the formatting of date/time fields across historical CVE Records in mid-February 2026 (see the “Timeline” section below). This update will align older records with the standardized format already used for all new and updated records since February 2025:

 

  • yyyy-MM-ddTHH:mm:ss.sssZ (ISO-8601, UTC)

 

For example: 2025-07-11T19:32:03.983Z

 

Why This Matters

 

CVE Records have been created over many years, and date fields have appeared in several formats depending on the tools, processes, and publishing systems used at the time. While these values all communicate the same information, inconsistent formatting can complicate ingestion, parsing, correlation, and automation for data consumers.

 

Standardizing these fields will help:

 

  • Improve data consistency across the entire CVE corpus
  • Reduce parsing ambiguity in automated systems
  • Support long-term modernization efforts in the CVE Quality Era
  • Enable more reliable analytics and historical research

 

What Is Changing – and What Is Not

 

Date/time fields in CVE Records are (and will remain) strings, not numerical timestamps. The combination of characters that are used to represent a date/time value will change. As a result, consumers that had been making string comparisons during data analysis or retrieval may see different results. For example, the CVE List previously contained the 00:00:00Z string, which is lexicographically after (i.e., “greater than”) the 00:00:00.000Z string. Because the 00:00:00Z string will not exist in the CVE List after the change, the CVE Program believes these results will be more intuitive.

 

(Consumers with their own systems/applications to convert date/time strings to numerical timestamps should not see different results, because the date/time strings have the same meaning after the change.)

 

The date/time strings that will be made consistent are:

 

  • datePublished
  • dateUpdated
  • dateReserved
  • dateRejected
  • datePublic
  • dateAssigned
  • time values under timeline

 

What will not change:

 

  • Date/time values within custom fields
  • Any other parts of the CVE Record

 

What to Expect

 

Because this update will touch more than 200,000 historical CVE Records, some automated systems may interpret these records as “modified” during the update window and trigger reprocessing or customer notifications.

 

To minimize disruption, the CVE Program is conducting an awareness campaign around this to ensure the community is informed and prepared ahead of time. This will include public messaging, meeting discussions, and social media. The program is working hard to minimize disruption to CVE Program partners and the downstream CVE data consumer.
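For data consumers preparing for the update window, the following added example (not CVE Program code) shows the string-comparison pitfall described under “What Is Changing” and one way to tell a format-only rewrite of a record apart from a real content change before triggering reprocessing or notifications. Assumptions: timestamps with no zone designator are treated as UTC, fractional seconds are truncated to milliseconds, custom fields are recognized by an `x_` key prefix, and the sample records and the CVE-0000-00000 identifier are constructed placeholders.

```python
import copy
import re
from datetime import datetime, timedelta, timezone

# Field names the announcement lists as being normalized.
DATE_KEYS = {"datePublished", "dateUpdated", "dateReserved",
             "dateRejected", "datePublic", "dateAssigned"}

_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
                 r"(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")


def normalize_ts(value):
    """Return value as yyyy-MM-ddTHH:mm:ss.sssZ, or unchanged if it does not parse."""
    m = _TS.match(value) if isinstance(value, str) else None
    if not m:
        return value
    y, mo, d, h, mi, s, frac, tz = m.groups()
    millis = int(((frac or "") + "000")[:3])  # assumption: truncate to milliseconds
    try:
        # Assumption: a timestamp with no zone designator is already UTC.
        dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                      millis * 1000, tzinfo=timezone.utc)
    except ValueError:
        return value
    if tz and tz != "Z":
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        dt = dt - offset if tz[0] == "+" else dt + offset
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def canonical(node, in_timeline=False):
    """Copy a record with the listed date fields normalized; x_ fields untouched."""
    if isinstance(node, dict):
        out = {}
        for key, val in node.items():
            if key.startswith("x_"):
                out[key] = val  # custom field: not part of the normalization
            elif key in DATE_KEYS or (in_timeline and key == "time"):
                out[key] = normalize_ts(val)
            else:
                out[key] = canonical(val, in_timeline=(key == "timeline"))
        return out
    if isinstance(node, list):
        return [canonical(item, in_timeline) for item in node]
    return node


def classify_update(old, new):
    """Conservative: any change in a value, dates included, is a content change."""
    if old == new:
        return "unchanged"
    return "format-only" if canonical(old) == canonical(new) else "content-changed"


# Constructed sample record in pre-normalization formats (placeholder CVE ID).
OLD = {
    "cveMetadata": {"cveId": "CVE-0000-00000",
                    "datePublished": "2019-03-05T00:00:00",
                    "dateUpdated": "2019-03-05T14:10:22Z",
                    "dateReserved": "2019-01-02T09:00:00+02:00"},
    "containers": {"cna": {
        "datePublic": "2019-03-04T00:00:00Z",
        "descriptions": [{"lang": "en", "value": "Constructed description."}],
        "timeline": [{"time": "2019-03-01T12:00:00.5Z", "lang": "en",
                      "value": "Vendor notified"}],
        "x_legacy": {"datePublic": "2019-03-04T00:00:00Z"}}},
}

# The same record as it would look after normalization (constructed by hand).
NEW = copy.deepcopy(OLD)
NEW["cveMetadata"].update(datePublished="2019-03-05T00:00:00.000Z",
                          dateUpdated="2019-03-05T14:10:22.000Z",
                          dateReserved="2019-01-02T07:00:00.000Z")
NEW["containers"]["cna"]["datePublic"] = "2019-03-04T00:00:00.000Z"
NEW["containers"]["cna"]["timeline"][0]["time"] = "2019-03-01T12:00:00.500Z"

# A later, genuine edit to the normalized record.
EDITED = copy.deepcopy(NEW)
EDITED["containers"]["cna"]["descriptions"][0]["value"] = "Revised description."

if __name__ == "__main__":
    a, b = "2020-01-01T00:00:00Z", "2020-01-01T00:00:00.500Z"
    print("raw string order says a > b:", a > b)            # 'Z' sorts after '.'
    print("normalized order says a < b:", normalize_ts(a) < normalize_ts(b))
    print("OLD -> NEW:", classify_update(OLD, NEW))
    print("NEW -> EDITED:", classify_update(NEW, EDITED))
```

The announcement does not say whether dateUpdated values themselves will change during the update, so this check reports any change in a date's value, as opposed to its formatting, as a content change.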

 

Timeline

 

  • January 6, 2026 → February 16, 2026
    • Communications campaign utilizing blog, email list, e-newsletter, social media, and community Q&A presentations at CVE Working Group meetings (Automation, Quality, Consumer, etc.), to inform community of the upcoming change
  • February 16, 2026
    • Timestamps within CVE Records published prior to February 2025 will begin to be normalized to the new format (i.e., yyyy-MM-ddTHH:mm:ss.sssZ)

 

Community Feedback

 

This data normalization update is part of a continuous effort to improve data quality and reduce friction for the global community that depends on CVE Records every day.

If you have questions or concerns, please leave a comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu.


Share this CVE article:

https://medium.com/@cve_program/cve-program-to-normalize-formatting-of-date-time-fields-across-historical-cve-records-beginning-in-a1dacd5637fa 

 

Searching by Date and Exact Phrases Available in “CVE List Keyword Search” on CVE.ORG Website

 

“CVE List Keyword Search” on the CVE.ORG website was updated in November based upon feedback from users. As a reminder, this search is for the CVE List only. It will only search CVE Records. To search the overall website, use the “Site Search” located to the right of the CVE List search box above.

 

This update to the CVE List Keyword Search adds support for date and date range searches and exact phrase searches, as follows:

 

Date and Date Range Search

 

CVE Records may now be searched by a specified date or a specified date range, in the following formats:

 

  • Date Search format
    • YYYY-MM-DD (e.g., 2025-10-28)
    • YYYY-MM-DDTHH:MM:SS (e.g., 2025-10-28T12:00:00-4:00)
  • Date Range Search format
    • YYYY-MM-DD..YYYY-MM-DD (e.g., 2025-10-27..2025-10-28)
    • YYYY-MM-DDTHH:MM:SS..YYYY-MM-DDTHH:MM:SS (e.g., 2025-10-28T01:30:00..2025-10-28T01:45:00)

 

Exact Phrase Search

 

CVE Records may now be searched using an exact phrase that is surrounded by double quotes. For example, searching for the phrase “access denied” would return CVE Records that contain the full phrase “access denied” and not CVE Records that contain those words separately.

 

  • Exact Phrase Search format
    • Surround the phrase in double quotes (e.g., “access denied”)

 

All CVE List Keyword Search Tips

 

View the complete list of CVE List keyword search tips here.

 

We thank everyone who provided feedback, which continues to help us improve the capability for the community over time.


Share this CVE article:

https://www.cve.org/Media/News/item/news/2025/11/12/CVE-List-Keyword-Search-Updated-CVE-ORG

 

39,080 CVE Records Used as Basis for the “2025 CWE Top 25 Most Dangerous Software Weaknesses List”

 

The 2025 CWE Top 25 Most Dangerous Software Weaknesses list was released by the Common Weakness Enumeration (CWE™) Program on December 11, 2025. The newly released list highlights the most severe and prevalent weaknesses behind the 39,080 CVE Records mapped in the 2025 dataset.

 

Analyzing the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses can lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.

 

The CVE Numbering Authority (CNA) community directly contributed CWE mapping reviews within the dataset for the 2025 CWE Top 25, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.

 

The CVE Program regularly recognizes those CNAs that are actively providing CWE and Common Vulnerability Scoring System (CVSS) information in their CVE Records by publishing the “CNA Enrichment Recognition List” each month on the Metrics page on the CVE website. View the qualifications criteria and most current list here.

 

Visit the CWE Top 25 page on the CWE website to view the full 2025 CWE Top 25 List, key insights, methodology, and more.


Share this CVE article:

https://www.cve.org/Media/News/item/blog/2026/01/06/CVE-Records-Basis-2025-CWE-Top-25 

 

CVE Numbering Authorities (CNAs)

 

11 Additional Organizations Added as CNAs

 

As of November, eleven additional organizations from around the world have partnered with the program as CNAs:

 

  1. 2N Telekomunikace a.s. - All products of 2N Telekomunikace a.s. including end-of-life/end-of-service products. (Czech Republic)
  2. Altera - Altera products only. (USA)
  3. ByteDance, Ltd. - ByteDance issues only. (China)
  4. Hackrate Kft. - Vulnerabilities that are discovered, validated, and coordinated through the Hackrate Ethical Hacking Platform, including: software, web applications, APIs, and cloud services; vulnerabilities validated and triaged by our internal security team; and findings disclosed under our coordination that are not in another CNA’s scope. (Hungary)
  5. NetScaler - NetScaler issues only. (USA)
  6. NIBE Group - Products, services, and solutions developed or sold by NIBE Industrier AB or any of its subsidiaries; open-source projects owned by NIBE Industrier AB or any of its subsidiaries; vulnerabilities in third-party products used by NIBE Industrier AB or any of its subsidiaries which are outside the scope of another CNA; and subsidiaries of NIBE Industrier AB are listed on https://www.nibe.com. (Sweden)
  7. Nintendo Co., Ltd. - System vulnerabilities regarding the Nintendo Switch 2, Nintendo Switch, Nintendo Switch Lite, and vulnerabilities regarding Nintendo Switch 2 and Nintendo Switch applications for which Nintendo is the publisher worldwide. (Japan)
  8. runZero, Inc. - Vulnerabilities in runZero products, as well as vulnerabilities discovered by, or reported to, runZero that are not in another CNA’s scope. (USA)
  9. Tanium Inc. - Vulnerabilities found in Tanium products and vulnerabilities in third-party software discovered by Tanium that are not in another CNA’s scope. (USA)
  10. TCL Electronics Holdings Limited - TCL smart TV, smart pad, and mobile phone devices only. Projects listed on https://github.com/TclSecLab/CNA/blob/main/README_EN.md. (China)
  11. Vantive - Vantive’s commercially available products only. (USA)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 490 CNAs (487 CNAs and 3 CNA-LRs) from 41 countries and 1 no country affiliation participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

Vulnerability Data Enrichment for CVE Records: 263 CNAs on the Enrichment Recognition List for January 5, 2026


The “CNA Enrichment Recognition List” for January 5, 2026, is now available with 263 CNAs listed. Published monthly on the CVE website, the list recognizes those CVE Numbering Authorities (CNAs) that are actively providing enhanced vulnerability data in their CVE Records. CNAs are added to the list if they provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) in at least 98% of their records that were published within two weeks of their most recently published record.

 

CNA Enrichment Recognition List criteria and reporting are intended to recognize those CNAs taking on the work to increase the value of CVE Records for downstream consumers, and encourage others to do the same. Enrichment Recognition List criteria may change over time. The most recent modifications occurred in June 2025 when data pulls were moved from every two weeks and based upon data from the last 12 months, to the current reporting of once-per-month data pulls based upon data from the previous six months.

 

For more about the recognition list, see “Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records.” To learn more about vulnerability information types like CVSS and CWE, see the CVE Record User Guide. View the most current CNA Enrichment Recognition List on the CVE website Metrics page here.

 

 

CNA Enrichment Recognition List for January 5, 2026, with 263 CNAs listed:

 

 

  • Acronis International GmbH
  • Adobe Systems Incorporated
  • Advanced Micro Devices Inc.
  • Airbus
  • AlgoSec
  • Altera
  • Amazon
  • AMI
  • ARC Informatique
  • Arista Networks, Inc.
  • Armis, Inc.
  • Asea Brown Boveri Ltd.
  • ASR Microelectronics Co., Ltd.
  • ASUSTeK Computer Incorporation
  • ASUSTOR Inc.
  • ATISoluciones Diseño de Sistemas Electrónicos, S.L.
  • Austin Hackers Anonymous
  • Autodesk
  • Automotive Security Research Group (ASRG)
  • Axis Communications AB
  • AxxonSoft Limited
  • Azure Access Technology
  • BeyondTrust Inc.
  • Bitdefender
  • Bizerba SE & Co. KG
  • Black Duck Software, Inc.
  • Black Lantern Security
  • BlackBerry
  • Brocade Communications Systems LLC, a Broadcom Company
  • Bugcrowd Inc.
  • Canon EMEA
  • Canon Inc.
  • Canonical Ltd.
  • Carrier Global Corporation
  • Cato Networks
  • Centreon
  • CERT.PL
  • CERT@VDE
  • Check Point Software Technologies Ltd.
  • Checkmarx
  • Checkmk GmbH
  • cirosec GmbH
  • Cisco Systems, Inc.
  • Citrix Systems, Inc.
  • Cloudflare, Inc.
  • Commvault Systems Inc
  • Concrete CMS
  • ConnectWise LLC
  • Crestron Electronics, Inc.
  • CrowdStrike Holdings, Inc.
  • CyberArk Labs
  • CyberDanube
  • Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
  • Dahua Technologies
  • Danfoss
  • Dassault Systèmes
  • Dell EMC
  • Delta Electronics, Inc.
  • Digi International Inc.
  • Docker Inc.
  • dotCMS LLC
  • Dragos, Inc.
  • Eaton
  • Eclipse Foundation
  • Elastic
  • EnterpriseDB Corporation
  • Environmental Systems Research Institute, Inc. (Esri)
  • Ericsson
  • Erlang Ecosystem Foundation
  • ESET, spol. s r.o.
  • EU Agency for Cybersecurity (ENISA)
  • Extreme Networks, Inc.
  • F5 Networks
  • Fedora Project (Infrastructure Software)
  • Fermax Technologies SLU
  • Financial Security Institute (FSI)
  • Flexera Software LLC
  • floragunn GmbH
  • Fluid Attacks
  • Fortinet, Inc.
  • Fortra, LLC
  • Foxit Software Incorporated
  • Gallagher Group Ltd
  • GE Vernova
  • Genetec Inc.
  • GitHub (maintainer security advisories)
  • GitHub Inc, (Products Only)
  • GitLab Inc.
  • Glyph & Cog, LLC
  • GNU C Library
  • Google Cloud
  • Google LLC
  • Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
  • Gridware Cybersecurity
  • Hallo Welt! GmbH
  • Hanwha Vision Co., Ltd.
  • Harborist
  • HashiCorp Inc.
  • HCL Software
  • HeroDevs
  • HiddenLayer, Inc.
  • Hitachi Energy
  • Hitachi Vantara
  • Hitachi, Ltd.
  • Honeywell International Inc.
  • Honor Device Co., Ltd.
  • HP Inc.
  • Huawei Technologies
  • HYPR Corp
  • IBM Corporation
  • ICS-CERT
  • Indian Computer Emergency Response Team (CERT-In)
  • Insyde Software
  • Intel Corporation
  • Internet Systems Consortium (ISC)
  • Israel National Cyber Directorate
  • Ivanti
  • Jaspersoft
  • JetBrains s.r.o.
  • JFROG
  • Johnson Controls
  • JPCERT/CC
  • Kaspersky
  • KNIME AG
  • KrCERT/CC
  • Kubernetes
  • Larry Cashdollar
  • Legion of the Bouncy Castle Inc.
  • Lenovo Group Ltd.
  • Lexmark International Inc.
  • LG Electronics
  • Liferay, Inc.
  • M-Files Corporation
  • Mandiant Inc.
  • Mattermost, Inc
  • Mautic
  • Medtronic
  • Microchip Technology
  • Microsoft Corporation
  • Milestone Systems A/S
  • Mitsubishi Electric Corporation
  • Monash University - Cyber Security Incident Response Team
  • MongoDB
  • Moxa Inc.
  • N-able
  • National Cyber Security Centre - Netherlands (NCSC-NL)
  • National Cyber Security Centre Finland
  • National Instruments
  • NEC Corporation
  • Neo4j
  • NetApp, Inc.
  • NETGEAR
  • Netskope
  • NLnet Labs
  • NortonLifeLock Inc
  • Nozomi Networks Inc.
  • Nvidia Corporation
  • OceanBase
  • Okta
  • Omnissa, LLC
  • OMRON Corporation
  • ONEKEY GmbH
  • Open Design Alliance
  • Open-Xchange
  • OpenHarmony
  • OpenJS Foundation
  • OpenText (formerly Micro Focus)
  • OPPO
  • OTRS AG
  • Palantir Technologies
  • Palo Alto Networks
  • Panasonic Holdings Corporation
  • PaperCut Software Pty Ltd
  • Pegasystems
  • PHP Group
  • Ping Identity Corporation
  • Progress Software Corporation
  • Proofpoint Inc.
  • Protect AI
  • Pure Storage, Inc.
  • QNAP Systems, Inc.
  • Qualcomm, Inc.
  • Qualys, Inc.
  • Radiometer Medical ApS
  • rami.io GmbH
  • Rapid7, Inc.
  • Real-Time Innovations, Inc.
  • Red Hat, Inc.
  • Ribose Limited
  • Robert Bosch GmbH
  • Roche Diagnostics
  • Rockwell Automation
  • S21sec Cyber Solutions by Thales
  • SailPoint Technologies
  • Samsung TV & Appliance
  • SAP SE
  • Schneider Electric SE
  • Seagate Technology
  • Security Risk Advisors
  • ServiceNow
  • SICK AG
  • Siemens
  • Silicon Labs
  • Snyk
  • Softing
  • SoftIron
  • SolarWinds
  • Solidigm
  • Sonatype Inc.
  • Sophos
  • Spanish National Cybersecurity Institute, S.A.
  • StrongDM
  • Super Micro Computer, Inc.
  • Suse
  • Switzerland National Cyber Security Centre (NCSC)
  • Synaptics
  • Synology Inc.
  • Talos
  • TCS-CERT
  • TeamViewer Germany GmbH
  • Temporal Technologies Inc.
  • Teradyne Robotics
  • Thales Group
  • The Browser Company of New York
  • The Document Foundation
  • The Missing Link Australia (TML)
  • The Qt Company
  • The Rust Project
  • The Tcpdump Group
  • The Wikimedia Foundation
  • TianoCore.org
  • TIBCO Software Inc.
  • Toreon
  • TP-Link Systems Inc.
  • TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
  • Trellix
  • Trend Micro, Inc.
  • TWCERT/CC
  • TYPO3 Association
  • upKeeper Solutions
  • Vaadin Ltd.
  • VMware
  • VulDB
  • VulnCheck
  • WatchGuard Technologies, Inc.
  • Western Digital
  • Wind River Systems Inc.
  • Wiz, Inc.
  • wolfSSL Inc.
  • Wordfence
  • WSO2 LLC
  • Xerox Corporation
  • Yandex N.V.
  • Yugabyte, Inc.
  • Zabbix
  • Zephyr Project
  • Zero Day Initiative
  • Zohocorp
  • Zoom Video Communications, Inc.
  • Zscaler, Inc.
  • ZTE Corporation
  • ZUSO Advanced Research Team (ZUSO ART)
  • Zyxel Corporation

 

 


 

Share this CVE article:

https://medium.com/@cve_program/vulnerability-data-enrichment-for-cve-records-263-cnas-on-the-enrichment-recognition-list-for-06596aa34b80 

 

Community

 

Register Now for CVE/FIRST VulnCon 2026 on April 13-16, 2026!


 

The CVE Program and FIRST will co-host VulnCon 2026 at the DoubleTree Resort by Hilton Hotel Paradise Valley – Scottsdale, in Scottsdale, Arizona, USA, on April 13-16, 2026.

 

CVE Numbering Authorities (CNAs) — VulnCon 2026 takes the place of the 2026 Spring CVE Global Summit.

 

Virtual and In-Person Registration Options

 

Registration, both virtual and in-person, is open now on the VulnCon 2026 conference registration page hosted on the FIRST website.

 

Discounted rates are not being offered for this event regardless of membership status. Sponsors and speakers should see the FIRST Events Office for their specific registration packages and instructions.

 

  • Standard Admission (by March 14, 2026): US $525.00
  • Late Rate Admission (after March 14, 2026): US $600.00
  • Virtual Admission: US $100.00

 

Registration fees include full admission to conference activities Monday through Thursday; continental breakfast, lunch, and two coffee breaks Tuesday through Thursday; entry to the Monday welcome reception; entry to the Tuesday networking reception; entry to the vendor hall; all applicable conference materials; and access to live streams and applicable apps.

An After Party will be tentatively hosted off-site with tickets to be sold separately. More information to come. Tickets will cost US $30.00.

Registration closes on April 6, 2026, at 19:00 UTC. Registration is based on availability and may close before the indicated date.

 

Program Overview

 

Monday, April 13, 2026 | Pre-conference Day

  • 09:00-17:30 - Various Workshops, International Coordinators Summit, Early Registration, Vendor Table Setup
  • 18:00-19:00 - Welcome Reception for Early Arrivals

Tuesday, April 14, 2026 | Conference Opening Day

  • 08:30-17:30 - Conference Sessions
  • 17:30-19:30 - Opening Reception with Vendors

Wednesday, April 15, 2026 | Conference Day 2

  • 09:00-17:30 - Conference Sessions, Vendor Move-out in the Afternoon
  • 19:00-21:00 - Tentative Off-site Social Event (separate ticket purchase required)

Thursday, April 16, 2026 | Conference Day 3 and Close

  • 09:00-15:00 - Conference Sessions

 

A detailed agenda will be available in February/March 2026.

 

Venue

 

DoubleTree Resort by Hilton Hotel Paradise Valley – Scottsdale
5401 N Scottsdale Rd
Scottsdale, Arizona, 85250
USA

 

Learn More About VulnCon 2026

 

The purpose of VulnCon — which is open to the public — is to collaborate with various vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.

 

For the most up-to-date information, visit the CVE/FIRST VulnCon 2026 conference page hosted on the FIRST website. We look forward to seeing you at this exciting community event!


Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/register-now-for-cve-first-vulncon-2026-on-april-13-16-2026-fa27673ab427 

 

Videos from CVE Program Technical Workshop 2025 Available


Videos from all 12 sessions of the virtual CVE Program Technical Workshop 2025, held October 22-23, 2025, are now available on the CVE Program Channel on YouTube. Meeting notes are available here. CVE Program workshops are a way for the CVE Numbering Authority (CNA) community to regularly collaborate on specific topics in a focused manner. Discussions are always informative, and many sessions result in creative recommendations from community members that directly impact and enhance the program.

 

The following workshop videos are available:

 

DAY 1

 

DAY 2

 

View all of these videos and more on the CVE Program Channel on YouTube.


Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/videos-from-cve-program-technical-workshop-2025-now-available-0855c2d3531d

 

We Speak CVE Podcast — “The CVE Consumer Working Group (CWG)”


The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

In this episode, host Shannon Sabens chats with CVE Consumer Working Group (CWG) co-chairs, Jay Jacobs and Bob Lord, and CVE™ Project Lead Alec Summers, about how the CWG was created to address the needs and perspectives of those who use CVE data — ranging from enterprise security teams to tool developers and managed security service providers — recognizing that their requirements and pain points often differ from those of upstream data providers.

 

Topics include the CWG’s goals to systematically capture and organize consumer feedback, identify common and unique challenges across different user types, and inform improvements in the CVE Program; the diversity and international participation among sign-ups, including organizations outside the usual sphere, such as medical companies; and the concept of “patch smarter, not harder,” stressing the importance of prioritization and high-quality data to help defenders manage the overwhelming volume of vulnerabilities. In addition, listeners are encouraged to join the CWG for meetings scheduled to accommodate global involvement and to help shape the future of CVE.

 

 

The “We Speak CVE” podcast is available for free on the CVE Program Channel on YouTube, on the We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others.

 

Please give the podcast a listen and let us know what you think!

 

Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/we-speak-cve-podcast-the-cve-consumer-working-group-cwg-67bd63e94a93  

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

 

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

 

CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2026, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Council of Roots, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

 

 

 
