Metrics
Use the scroll bar to navigate the data tables.
Published CVE Records
Comparison of published CVE Records by quarter for all years from 1999 to present.
A CVE Record contains descriptive data, (i.e., a brief description and at least one reference) about a vulnerability associated with a CVE ID. CVE Records are published by CVE Numbering Authorities (CNAs).
| Year | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Qtr4 | 11,073 | 7,876 | 6,231 | 5,200 | 4,387 | 4,822 | 3,614 | 3,570 | 1,590 | 1,652 | 2,528 | 1,416 | 1,244 | 1,133 | 1,071 | 1,100 | 1,500 | 1,884 | 1,737 | 1,725 | 376 | 154 | 104 | 81 | 393 | 0 |
| Qtr3 | 8,591 | 6,936 | 6,448 | 5,541 | 4,170 | 5,150 | 4,350 | 4,037 | 1,713 | 1,747 | 2,220 | 1,297 | 1,926 | 988 | 1,020 | 1,547 | 1,343 | 1,564 | 1,643 | 1,477 | 741 | 265 | 304 | 573 | 218 | 321 |
| Qtr2 | 11,716 | 7,134 | 6,365 | 5,005 | 5,011 | 4,091 | 4,613 | 3,612 | 1,775 | 1,443 | 1,660 | 1,147 | 1,058 | 901 | 1,408 | 1,381 | 1,279 | 1,887 | 1,887 | 2,013 | 229 | 630 | 593 | 337 | 198 | 0 |
| Qtr1 | 8,697 | 7,015 | 6,015 | 4,415 | 4,807 | 3,245 | 3,935 | 3,426 | 1,379 | 1,652 | 1,540 | 1,282 | 1,060 | 1,128 | 1,140 | 1,704 | 1,551 | 1,987 | 1,618 | 1,493 | 266 | 174 | 690 | 332 | 629 | 0 |
| TOTAL | 40,077 | 28,961 | 25,059 | 20,161 | 18,375 | 17,308 | 16,512 | 14,645 | 6,457 | 6,494 | 7,948 | 5,142 | 5,288 | 4,150 | 4,639 | 5,732 | 5,673 | 7,322 | 6,885 | 6,708 | 1,612 | 1,223 | 1,691 | 1,323 | 1,438 | 321 |
Reserved CVE IDs
Comparison of Reserved CVE IDs by year from 1999 to present.
A “Reserved” CVE ID is the initial state for a CVE Record; when the associated CVE ID is reserved by a CNA.
| Year | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Count | 52,316 | 40,051 | 34,553 | 28,506 | 30,680 | 24,179 | 21,407 | 18,196 | 14,472 | 9,959 | 9,465 | 7,334 | 7,370 | 5,630 | 5,379 | 6,094 | 5,968 | 7,607 | 7,077 | 7,041 | 1,357 | 1,209 | 1,909 | 1,445 | 1,178 | 991 |
CVE Record Publications by All CNAs Combined Versus CNA-LRs
Comparison of CVE Records published by all CNAs combined versus CVE Records published by the two CNAs of Last Resort (CNA-LRs) (CISA* and MITRE) from 1999 to present.
| Year | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016-1999 |
|---|---|---|---|---|---|---|---|---|---|
| All CNAs | 87% | 79% | 68% | 65% | 58% | 53% | 53% | 50% | 0% |
| CNA-LRs | 13% | 21% | 32% | 35% | 42% | 47% | 47% | 50% | 100% |
*Note: CISA became a CNA-LR in calendar year 2020.
CNA Partners Added by Year
Comparison of CVE Numbering Authority (CNA) partners added by year from 1999 to present.
Currently, there are 455 CNAs (452 CNAs and 3 CNA-LRs) from 39 countries and 1 no country affiliation participating in the CVE Program.
Note: Occasionally, CNAs become inactive due to corporate mergers or changes in business activities. In these cases, deactivated CNAs are not removed from the recruitment total CNAs added for a calendar year in the table below. Therefore, the totals by year columns if added together will not match the program’s grand total numbers above.
| Year | 2025 | 2024 | 2023 | 2022 | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008 | 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000 | 1999 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| January | 3 | 10 | 4 | 1 | 3 | 3 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| February | 10 | 7 | 9 | 2 | 1 | 3 | 1 | 2 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | N/A |
| March | 3 | 5 | 5 | 3 | 9 | 1 | 1 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| April | 7 | 4 | 6 | 3 | 5 | 4 | 0 | 2 | 3 | 1 | 0 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| May | 5 | 9 | 8 | 5 | 1 | 7 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| June | 4 | 6 | 8 | 5 | 10 | 1 | 1 | 1 | 7 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| July | TBA | 9 | 4 | 6 | 2 | 4 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| August | TBA | 6 | 8 | 5 | 3 | 1 | 2 | 2 | 6 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | N/A |
| September | TBA | 8 | 8 | 1 | 8 | 4 | 3 | 1 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 |
| October | TBA | 7 | 9 | 12 | 9 | 2 | 1 | 0 | 2 | 0 | 0 | 3 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| November | TBA | 6 | 9 | 10 | 7 | 4 | 4 | 0 | 1 | 12 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| December | TBA | 11 | 6 | 3 | 7 | 2 | 2 | 3 | 0 | 7 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| TOTAL | 32 | 88 | 84 | 56 | 65 | 36 | 16 | 12 | 30 | 23 | 0 | 3 | 0 | 3 | 4 | 1 | 3 | 1 | 1 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 1 |
CNA Enrichment Recognition
alert
UPDATE: As of June 2, 2025, the “CNA Enrichment Recognition List (ERL)” will be issued monthly based upon a data pull of the previous six months. This is a change from the initial publication schedule of every two weeks with a data pull of the previous 12 months. These changes are informed by a review of existing trends in data change, maintain a regular publication cadence, and better align the ERL with the Inactive CNA Policy.
Future changes to the ERL qualification criteria and reporting may occur over time as the CVE Program continually aims to recognize those CNAs taking on the work to increase the value of CVE Records for downstream consumers, and encourage others to do the same.
Getting more precise and quality vulnerability information in the hands of defenders and downstream customers on a timelier basis helps the cybersecurity community better address risks. Additional vulnerability-related information provides increased transparency, enables vulnerability root cause understanding, and helps prioritize vulnerability and incident response. Information standards and knowledge repositories like CVSS, CWE, and others help provide a common language for this additional information.
In April 2024, the CVE Program highlighted how its data format evolved to better facilitate automation and data enrichment. This means that CNAs, as the authoritative source of vulnerability information within their scope, and — in the case of Supplier CNAs — those with access to the most reliable source for accurate determinations, can easily provide data enrichment directly to a CVE Record as opposed to waiting for a third-party to do so in a less timely and potentially less accurate manner. As such, the CVE Program called on all CNAs to provide this enrichment to their CVE Records directly, and, in so doing, contribute more substantially to the vulnerability management process. Many have answered that call.
In recognition of these CNAs, the CVE Program publishes this “CNA Enrichment Recognition List” once per month. Currently, any CNA who has published a record in the past six months is placed on the list if they have been providing CVSS and CWE information consistently in the recent past. In particular, the requirement is CVSS and CWE information in at least 98% of their records that were published within two weeks of their most recently published record.
For more information about vulnerability information types like CVSS and CWE, see the CVE Record User Guide.
CNA Enrichment Recognition List
Last Updated:
Total CNAs: 229
- 1E Limited
- Acronis International GmbH
- Adobe Systems Incorporated
- Advanced Micro Devices Inc.
- Alias Robotics S.L.
- Amazon
- AMI
- ARC Informatique
- Asea Brown Boveri Ltd.
- ASUSTeK Computer Incorporation
- ATISoluciones Diseño de Sistemas Electrónicos, S.L.
- Austin Hackers Anonymous
- Autodesk
- Avaya Inc.
- Axis Communications AB
- Baxter Healthcare
- Beckman Coulter Life Sciences
- Becton, Dickinson and Company (BD)
- BeyondTrust Inc.
- Bitdefender
- Bizerba SE & Co. KG
- Black Duck Software, Inc.
- Black Lantern Security
- BlackBerry
- Brocade Communications Systems LLC, a Broadcom Company
- CA Technologies
- Canon Inc.
- Canonical Ltd.
- Carrier Global Corporation
- Cato Networks
- Centreon
- CERT.PL
- CERT@VDE
- Check Point Software Technologies Ltd.
- Checkmarx
- Checkmk GmbH
- cirosec GmbH
- Cisco Systems, Inc.
- Cloudflare, Inc.
- Concrete CMS
- ConnectWise LLC
- Crafter CMS
- Crestron Electronics, Inc.
- CrowdStrike Holdings, Inc.
- CyberArk Labs
- CyberDanube
- Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
- Dahua Technologies
- Danfoss
- Dassault Systèmes
- Delinea, Inc.
- Dell EMC
- Dfinity Foundation
- Digi International Inc.
- Docker Inc.
- Dremio Corporation
- Dutch Institute for Vulnerability Disclosure (DIVD)
- Eaton
- Eclipse Foundation
- Edgewatch Security Intelligence
- Elastic
- EnterpriseDB Corporation
- Environmental Systems Research Institute, Inc. (Esri)
- Ericsson
- ESET, spol. s r.o.
- EU Agency for Cybersecurity (ENISA)
- F5 Networks
- Fedora Project (Infrastructure Software)
- Financial Security Institute (FSI)
- Fluid Attacks
- Forcepoint
- Forescout Technologies
- Fortinet, Inc.
- Fortra, LLC
- FPT SOFTWARE CO., LTD
- Gallagher Group Ltd
- GE Vernova
- GitHub (maintainer security advisories)
- GitHub Inc, (Products Only)
- GitLab Inc.
- Glyph & Cog, LLC
- Google LLC
- Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
- Grafana Labs
- Gridware Cybersecurity
- Hanwha Vision Co., Ltd.
- HashiCorp Inc.
- HCL Software
- HeroDevs
- Hillstone Networks Inc.
- Hitachi Energy
- Hitachi Vantara
- Hitachi, Ltd.
- Honeywell International Inc.
- HP Inc.
- Huawei Technologies
- HYPR Corp
- IBM Corporation
- ICS-CERT
- iManage LLC
- Indian Computer Emergency Response Team (CERT-In)
- Intel Corporation
- Internet Systems Consortium (ISC)
- Israel National Cyber Directorate
- Ivanti
- JetBrains s.r.o.
- JFROG
- Johnson Controls
- JPCERT/CC
- Kaspersky
- Kong Inc.
- Kubernetes
- Lenovo Group Ltd.
- Lexmark International Inc.
- Liferay, Inc.
- M-Files Corporation
- Mattermost, Inc
- Mautic
- Microsoft Corporation
- Milestone Systems A/S
- Mitsubishi Electric Corporation
- Monash University - Cyber Security Incident Response Team
- MongoDB
- Moxa Inc.
- N-able
- National Cyber Security Centre Finland
- National Cyber Security Centre SK-CERT
- National Instruments
- NetApp, Inc.
- Netskope
- NLnet Labs
- NortonLifeLock Inc
- Nozomi Networks Inc.
- Nvidia Corporation
- Odoo
- OMRON Corporation
- ONEKEY GmbH
- Open Design Alliance
- Open-Xchange
- OpenAnolis
- openEuler
- OpenHarmony
- OpenText (formerly Micro Focus)
- OPPO
- OTRS AG
- Palantir Technologies
- Palo Alto Networks
- Panasonic Holdings Corporation
- Pandora FMS
- PaperCut Software Pty Ltd
- Patchstack OÜ
- Pegasystems
- Perforce
- Philips
- Phoenix Technologies, Inc.
- Ping Identity Corporation
- PlexTrac, Inc.
- PostgreSQL
- Proofpoint Inc.
- Protect AI
- Pure Storage, Inc.
- Python Software Foundation
- QNAP Systems, Inc.
- Qualcomm, Inc.
- Rapid7, Inc.
- Real-Time Innovations, Inc.
- Red Hat CNA-LR
- Red Hat, Inc.
- Robert Bosch GmbH
- Roche Diagnostics
- SailPoint Technologies
- Samsung TV & Appliance
- SAP SE
- Saviynt Inc.
- SBA Research gGmbH
- Schneider Electric SE
- Schweitzer Engineering Laboratories, Inc.
- Seal Security
- Secomea
- ServiceNow
- SICK AG
- Siemens
- Silicon Labs
- Snyk
- SoftIron
- SolarWinds
- Sonatype Inc.
- Sophos
- Spanish National Cybersecurity Institute, S.A.
- Splunk
- Super Micro Computer, Inc.
- Switzerland National Cyber Security Centre (NCSC)
- Symantec - A Division of Broadcom
- Synaptics
- Synology Inc.
- Talos
- TeamViewer Germany GmbH
- Temporal Technologies Inc.
- Tenable Network Security, Inc.
- The Document Foundation
- The Missing Link Australia (TML)
- The Qt Company
- The Wikimedia Foundation
- TianoCore.org
- TIBCO Software Inc.
- TP-Link Systems Inc.
- TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
- Trellix
- TWCERT/CC
- TXOne Networks, Inc.
- Vivo Mobile Communication Technology Co., LTD.
- VulDB
- VulnCheck
- VULSec Labs
- WatchGuard Technologies, Inc.
- Wind River Systems Inc.
- Wordfence
- Xerox Corporation
- Xiaomi Technology Co Ltd
- Yandex N.V.
- Yokogawa Group
- Zabbix
- Zephyr Project
- Zero Day Initiative
- Zohocorp
- Zoom Video Communications, Inc.
- ZTE Corporation
- ZUSO Advanced Research Team (ZUSO ART)
- Zyxel Corporation