Policy and Process
Explore the five core parts of the MITRE CNA-LR's policy and process.
The "MITRE CNA of Last Resort (MITRE CNA-LR)" refers to the CNA-LR at the top of the MITRE TL-Root hierarchy within the CVE Program’s federated governance model. In fulfilling its responsibilities, the MITRE CNA-LR does not engage with vulnerability data or other matters that fall within the scope of another CVE Program TL-Root hierarchy (e.g., the CISA TL-Root). Visit the Structure page on cve.org to learn more about how the CVE Program is organized.
CVE ID assignment and CVE Record publication by the MITRE CNA-LR typically occur when there is no designated CNA at the Supplier producing the product, or when there has been a valid dispute over an assignment decision by a CNA or Root within the MITRE TL-Root hierarchy. The MITRE CNA-LR helps advance the CVE Program’s goal of expanding coverage by assigning CVE IDs to vulnerabilities that would otherwise go unaddressed.
The year 2026 has presented substantial challenges for all parties involved in producing or consuming vulnerability data, largely because of expanded AI capabilities. The value proposition of complete, accurate, timely, and actionable CVE Records remains in place. The MITRE CNA-LR team is collaborating with other organizations to identify effective solutions. Planned improvements for the second half of 2026 include improved operational efficiency through (A) an expanded domain verification capability to verify authoritative Supplier source requests such that they can be passed through to consumers more quickly and directly, (B) a more automated capability to request higher-quality submitted data in the initial request, and (C) technology enhancements that can assist in triage of vulnerability claims.
The MITRE CNA-LR prioritizes covering vulnerabilities that can be identified in a cost-effective manner and whose inclusion in the CVE List best serves the public interest. This often involves assisting defenders but may also extend to providing critical reference material for broader cybersecurity efforts, such as identifying software and hardware weaknesses or raising awareness of emerging threats.
The MITRE CNA-LR is committed to a range of activities to fulfill its mission. Notably, it focuses on accepting submissions (i.e., CVE ID requests) from the public, including Suppliers who are not CNAs, as well as other vulnerability discoverers. This approach is effective because, for many vulnerabilities, an external submitter may be the first to have knowledge of public disclosure or have a clear understanding of the vulnerability. However, there have also been important vulnerabilities historically where no external parties have submitted requests.
In many jurisdictions, contacting the MITRE CNA-LR for CVE ID assignments remains unrestricted, and vulnerability discoverers may still prefer MITRE due to its neutral third-party status and the absence of commercial interests. Regardless of such evolving legal landscapes, the MITRE CNA-LR's mission remains unchanged.
Before publishing a CVE Record, the MITRE CNA-LR will assess, to the extent practical, whether there is reasonable evidence to determine the existence of the vulnerability and whether its essential details are publicly disclosed. The MITRE CNA-LR does not publish CVE Records for vulnerabilities that are not publicly disclosed.
To request a CVE ID, the submitter must identify what is affected by the vulnerability, categorize it (e.g., as a weakness or impact), and express a good-faith belief that the vulnerability is unique and valid according to the CNA Operational Rules.
It is important to note that a CVE ID request to the MITRE CNA-LR does not make it a Coordinator in a CVD (Coordinated Vulnerability Disclosure) process. For example, if the vulnerability is discovered by a party other than the product's Supplier, all coordination responsibility lies with the discoverer and the Supplier. This helps scale the process effectively. However, the MITRE CNA-LR is sometimes given the same level of vulnerability detail that is exchanged in CVD. This enables the MITRE CNA-LR to offer limited assistance with some pre-disclosure CVD tasks (e.g., how many CVE IDs should be assigned). If any party in a CVD makes an early public disclosure (inconsistent with the planned CVD timeline), then the MITRE CNA-LR may publish the CVE Record if necessary to assist defenders.
While the MITRE CNA-LR covers a broad spectrum of vulnerabilities, its coverage patterns are influenced by the activities of other producers and consumers of CVE information. Major software suppliers and others with mature vulnerability management processes take a keen interest in the CVE Program’s CNA role. Likewise, defenders who use CVE Record data are often working at the enterprise level, where CVE Records from other CNAs are more commonly referenced.
In instances where there is no Supplier CNA and the MITRE CNA-LR is approached for a CVE ID, the vulnerability is more likely to be of lower risk and associated with software that has limited distribution. Consequently, the information contained in such CVE Records may be of interest to fewer defenders. Enriching CVE Records with CVSS and CWE information can be resource-intensive for a third party to the product, so the MITRE CNA-LR tends to operate on a breadth-first model. However, if it becomes apparent that the affected software is widely used, the enrichment process may be reassessed. The MITRE CNA-LR may, when resources allow, provide guidance on the best mechanisms for prompt data enrichment in such cases, particularly when the vulnerability is important to enterprises, but the MITRE CNA-LR happens to be the most effective means of obtaining a CVE ID.
If a Supplier is not a CNA and there is a vulnerability in one of its products, the preferred method for obtaining a CVE ID is through the Supplier making an ID request from the MITRE CNA-LR. If the Supplier is unwilling to submit an ID request or cannot be contacted by the vulnerability discoverer, the MITRE CNA-LR will accept a CVE ID request from the discoverer if it determines that its claim is unique and valid according to the CNA Operational Rules. Vulnerability discoverers sometimes obtain a CVE ID from the MITRE CNA-LR and provide it to the Supplier before making the vulnerability public.
Periodically, a Supplier or third party may file a dispute with the MITRE TL-Root after a CVE Record has been published. This can occur when the Supplier lacked a product security process or when there are communication issues. This type of dispute is more common than those that occur before a CVE Record is published (i.e., during vulnerability determination). More information about CVE Record disputes can be found in the CVE Program Policy and Procedure for Disputing a CVE Record.
The MITRE CNA-LR can assign CVE IDs within the scope of another CNA in the MITRE TL-Root hierarchy if there has been a valid dispute over the CNA's decision not to assign a CVE ID to a vulnerability. If the MITRE TL-Root directs the MITRE CNA-LR to assign a CVE ID, this is treated as a dispute about the validity of a vulnerability rather than a dispute over the assignment process itself. This is common when CNAs operate with a "bug bar" model, where only vulnerabilities that meet a specific risk threshold are assigned CVE IDs.
In these cases, a submitter is not entitled to additional resources from the MITRE CNA-LR compared to what would be expended for vulnerabilities in products without a Supplier CNA. Once the MITRE CNA-LR is informed by the Supplier CNA that they will not assign the CVE ID, the dispute is handled as a CVE ID request, prioritized among all other pending submissions.
Ready to request CVE IDs?
The central purpose of the web form is to collect information for the data fields of the CVE Record Format. This enables sharing of knowledge about a vulnerability with the community of CVE Record consumers.
This form was first released in May 2026, and will evolve based on feedback from consumers and requesters.