Critical Severity
Published: Jul 16, 2025

[GitHub] CNAScoreCard

Type: RCE
CVSS Score: N/A
Author: Anonymous

Description

An open-source tool for scoring and auditing CVE Numbering Authorities (CNAs) based on the quality, timeliness, and completeness of their vulnerability disclosures.

# CNA ScoreCard

**Comprehensive, data-driven scorecards for CVE Numbering Authorities (CNAs) — empowering transparency and quality in vulnerability reporting.**

**🌐 Live Site:** [cnascorecard.org](https://cnascorecard.org)

---

## Table of Contents
- [What is a CNA?](#what-is-a-cna)
- [Overview](#overview)
- [Quick Start](#quick-start)
- [Architecture](#architecture)
- [Deployment](#deployment)
- [Development](#development)
- [Scoring Methodology](#scoring-methodology)
- [Features](#features)
- [Project Structure](#project-structure)
- [Contributing](#contributing)
- [License](#license)
- [Related Resources](#related-resources)
- [Inspiration](#inspiration)

## What is a CNA?
A **CVE Numbering Authority (CNA)** is an organization authorized to assign CVE IDs and publish CVE records for vulnerabilities affecting products within its scope. Throughout this documentation, "CNA" refers to a CVE Numbering Authority.

## Overview

CNA ScoreCard is an open-source, fully automated static website that evaluates and visualizes the quality of CVE reporting by CNAs worldwide. Updated every 6 hours, it leverages the Enhanced Aggregate Scoring (EAS) methodology to provide transparent, actionable insights into CVE record quality across five key dimensions.

**NEW: Data Completeness Analysis** - We now include comprehensive CVE schema completeness analysis, evaluating how well CNAs populate all available fields and arrays in CVE records according to the official [CVE 5.1 Schema](https://github.com/CVEProject/cve-schema/blob/main/schema/CVE_Record_Format.json).

**Why CNA ScoreCard?**
- **Transparency:** Shine a light on the quality of vulnerability reporting across the ecosystem.
- **Accountability:** Help CNAs identify strengths and areas for improvement.
- **Automation:** No manual intervention required—always up to date.
- **Schema Compliance:** Evaluate completeness against the official CVE schema structure.

**Note:** Inspired by the [CNA Enrichment Recognition program](ht
