I’m incredibly excited to finally share something I’ve been pouring my heart into at RogoLabs. For those of you who caught my talk at BSidesLV, you got a sneak peek, but today it’s official: CNAScorecard.org is live!
For years, the CVE program has been our shared language for identifying vulnerabilities. But lately, we’ve all felt the growing pains. We’re seeing more CVEs with incomplete, vague, or missing data. This isn’t just a small problem; it’s a huge one that leads to alert fatigue, slow response times, and automated tools that simply can’t do their jobs.
The recent NVD backlog shined a spotlight on this issue. Thousands of CVEs were left unanalyzed, lacking critical CVSS scores and CPE data. The truth is, the responsibility for data enrichment has shifted back to the CVE Numbering Authorities (CNAs), and many simply haven’t been providing this level of detail for over a decade.
This is precisely the challenge RogoLabs was created to solve: moving beyond just counting vulnerabilities and focusing on measuring the quality and completeness of that data. CNAScorecard.org is a core part of this mission, alongside my other projects like CVE.icu, a platform for exploring vulnerability data, and CVEForecast.org, an open-source tool that predicts annual CVE volume.
The Four Pillars of a Truly Useful CVE
A CVE needs more than a basic ID to be actionable. It needs solid information across four key pillars:
- The Weakness (CWE): This identifies the root cause of the vulnerability (e.g., SQL Injection), helping us understand why it exists.
- The Product (CPE): This is how we precisely identify affected software (e.g., cpe:/a:apache:http_server:2.4.54). Without a complete CPE, your scanners are flying blind. In 2024 alone, more than 14,000 CVEs were published without a CPE—more than the previous four years combined.
- The Severity (CVSS): This gives you a score (0.0-10.0) to prioritize a vulnerability. Without it, you’re left guessing which issues to tackle first.
- The Fix (Patch Info): The ultimate goal is to fix vulnerabilities. A CVE without a clear path to a solution—like a vendor advisory, patch link, or code commit—is just a problem statement, not a solution.
Introducing CNAScorecard.org
The old saying holds true: you can’t improve what you don’t measure. CNAScorecard.org is a public, data-driven scorecard for every CVE Numbering Authority. It gives us the objective measurement we need to demand better data across the board and helps you identify which sources you can truly trust.
The system is open-source, updates every six hours, and focuses on the last six months of CVE data to keep the information current. It scores CVE records against the four pillars, rolling those scores up into an overall quality grade for each CNA.
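To make the four pillars and the roll-up concrete, here is an added example (my own illustration, not the CNAScorecard.org codebase) that checks CVE records for a CWE, a CPE, a CVSS base score and a fix reference, then aggregates the pass rates per CNA into an overall grade. The field paths follow the public CVE JSON 5.x record format (cveMetadata.assignerShortName, containers.cna.affected[].cpes, problemTypes[].descriptions[].cweId, metrics[].cvssV3_1.baseScore, references[].tags); the three records, the CNA names and the letter-grade thresholds are constructed for the example and are not CNAScorecard.org's actual rules.

```python
"""Score CVE JSON 5.x-style records against the four pillars and roll up per CNA.

Added example, not CNAScorecard.org's own scoring code. The sample records,
CNA names and grade thresholds below are constructed assumptions.
"""
from collections import defaultdict

# Reference tags treated as "a clear path to a fix" (assumption: both tags
# exist in the CVE 5.x reference tag vocabulary).
FIX_TAGS = {"patch", "vendor-advisory"}


def has_cwe(cna):
    """Pillar 1: at least one problemType carries a CWE-nnn identifier."""
    return any(
        str(d.get("cweId", "")).startswith("CWE-")
        for pt in cna.get("problemTypes", [])
        for d in pt.get("descriptions", [])
    )


def has_cpe(cna):
    """Pillar 2: at least one affected entry lists a CPE (2.3 or legacy URI form)."""
    return any(
        c.startswith("cpe:2.3:") or c.startswith("cpe:/")
        for a in cna.get("affected", [])
        for c in a.get("cpes", [])
    )


def has_cvss(cna):
    """Pillar 3: a CVSS base score in the 0.0-10.0 range under any supported key."""
    for m in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            score = m.get(key, {}).get("baseScore")
            if isinstance(score, (int, float)) and 0.0 <= score <= 10.0:
                return True
    return False


def has_fix(cna):
    """Pillar 4: a reference tagged as a patch or vendor advisory."""
    return any(FIX_TAGS & set(r.get("tags", [])) for r in cna.get("references", []))


PILLARS = {"cwe": has_cwe, "cpe": has_cpe, "cvss": has_cvss, "patch": has_fix}


def score_record(record):
    """Return {pillar: True/False} for one CVE record."""
    cna = record.get("containers", {}).get("cna", {})
    return {name: bool(check(cna)) for name, check in PILLARS.items()}


def letter_grade(pct):
    """Assumed thresholds for the example; CNAScorecard.org's own are not claimed here."""
    for cutoff, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if pct >= cutoff:
            return grade
    return "F"


def score_cnas(records):
    """Per CNA: percentage of records passing each pillar, plus an overall grade."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[rec["cveMetadata"]["assignerShortName"]].append(score_record(rec))
    result = {}
    for cna, rows in buckets.items():
        pct = {p: round(100.0 * sum(r[p] for r in rows) / len(rows), 1) for p in PILLARS}
        overall = sum(pct.values()) / len(PILLARS)
        result[cna] = {**pct, "overall": round(overall, 1), "grade": letter_grade(overall)}
    return result


# Constructed sample records with placeholder IDs (not real CVEs).
SAMPLE_RECORDS = [
    {   # complete record: passes all four pillars
        "cveMetadata": {"cveId": "CVE-0000-0001", "assignerShortName": "vendorA"},
        "containers": {"cna": {
            "affected": [{"vendor": "example", "product": "app",
                          "cpes": ["cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"]}],
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89",
                                                "description": "SQL Injection"}]}],
            "metrics": [{"cvssV3_1": {"baseScore": 9.8}}],
            "references": [{"url": "https://example.com/advisory", "tags": ["vendor-advisory"]}],
        }},
    },
    {   # same CNA, but no CPE and no fix reference
        "cveMetadata": {"cveId": "CVE-0000-0002", "assignerShortName": "vendorA"},
        "containers": {"cna": {
            "affected": [{"vendor": "example", "product": "app"}],
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79"}]}],
            "metrics": [{"cvssV3_1": {"baseScore": 6.1}}],
            "references": [{"url": "https://example.com/blog"}],
        }},
    },
    {   # a different CNA that only supplies a severity score
        "cveMetadata": {"cveId": "CVE-0000-0003", "assignerShortName": "vendorB"},
        "containers": {"cna": {
            "affected": [{"vendor": "other", "product": "tool"}],
            "metrics": [{"cvssV3_1": {"baseScore": 7.5}}],
            "references": [],
        }},
    },
]

if __name__ == "__main__":
    for cna, row in score_cnas(SAMPLE_RECORDS).items():
        print(cna, row)
```

Running it shows vendorA at 50% CPE and patch coverage (an overall of 75.0 under the assumed thresholds) and vendorB failing every pillar except CVSS, which is the shape of problem the initial data below describes.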
A Look at the Initial Data
The first results are eye-opening:
- Foundational Completeness: 100.0%
- Root Cause Analysis (CWE): 87.4%
- Severity & Impact (CVSS): 88.4%
- Software Identification (CPE): 2.0%
- Patch Information: 4.8%
These low scores for CPE and patch links highlight a critical problem. They lead to impaired automation, endless manual research, and inaccurate reporting for security teams everywhere.
How This Helps You
CNAScorecard.org is designed to empower everyone in the security community.
- For Defenders: Use these scores to quickly identify and act on complete CVEs. The CNA grades are a powerful trust metric for evaluating your vendors.
- For CNAs: This is a clear benchmark to see how your disclosure processes stack up against your peers. It’s a roadmap for improvement, showing you exactly where you can enhance your data quality. High-quality disclosure is a key driver of customer trust.
- For the Ecosystem: We’re providing a continuously updated, public metric for the health of the CVE program. This brings much-needed accountability to a federated system.
Get Involved
This project isn’t just about a website; it’s about building a better, more transparent future for vulnerability management. Every line of code, every data point, and every score on CNAScorecard.org is part of a larger mission to improve the CVE ecosystem for everyone. With the right tools and a collaborative community, we can solve the challenges facing our industry.
The entire codebase is available on GitHub, and we’d love for you to contribute, provide feedback, or use it to build your own solutions.