
Security News
Sarah Gooding
August 7, 2025
Security researcher Jerry Gamblin announced a new tool this week at BSides Las Vegas aimed at measuring the completeness of vulnerability data published by CVE Numbering Authorities (CNAs). The CNA Scorecard is a public dashboard that evaluates how thoroughly CNAs populate key fields in CVE records, such as root cause, severity, software identifiers, and patch information.
The tool comes at a time when the quality of vulnerability metadata is under increasing scrutiny, due in large part to the slowdown of the National Vulnerability Database (NVD). For years, NVD played a central role in enriching CVE records with additional details that made them actionable for security teams. That responsibility now falls back on CNAs, and many are not prepared to step up to the plate.
“The NVD slowdown exposed a critical gap," Gamblin told Socket in an interview on the inspiration for CNA Scorecard. "For years, the NVD did the heavy lifting, enriching CVEs with CVSS and CPE data. Now, that's back on CNAs, many of whom haven't consistently provided this detail for 15+ years.
"The data quality is inconsistent. The CNA Scorecard aims to fix that by publicly measuring how well CNAs populate these critical fields, moving beyond just counting CVEs to evaluating their usability and actionability.”
The CNA Scorecard evaluates CVE records across five essential categories, analyzing over 23,000 CVEs from February 7 to August 7, 2025. The average overall score across all CNAs is 77.4%.
Two categories, CPE and patch links, show strikingly low completeness scores, which Gamblin attributes to systemic workflow issues and lack of awareness.
“It's primarily a workflow issue," he said. "Many CNAs focus on enabling patches, not on comprehensive data enrichment. The NVD historically handled complex CPE generation, which CNAs relied on. There's also no strict mandate for these fields, and many CNAs simply lack the awareness of tags like Patch Reference and their downstream usefulness."
Gamblin said this lack of data enrichment leads to impaired automation for security teams, forcing manual research, ineffective prioritization, and inaccurate reporting. He also noted that newer standards like PURL, which allow precise, ecosystem-specific identification of packages, aren't even supported in the CVE schema yet, making it harder for tools to precisely map a CVE to a specific package and version for automated triage and cleaner matching in SBOMs and SCA tools.
Each CNA featured on the scorecard has a dedicated page that breaks down their performance in detail. For example, Harborist, a CNA covering all projects under npmjs.com/~ljharb, has published three CVEs and scored 90% overall, placing it in the 100th percentile. Harborist’s entries score 100% in every category except Software Identification (CPE), which is 0%, a common pattern across CNAs. Each CVE entry is individually scored, allowing users to assess the completeness of specific disclosures and track consistency over time.
The CNA Scorecard is designed to serve both as a public accountability tool for CNAs and a resource for users of vulnerability data. Gamblin said he designed it with a strong emphasis on transparency for improvement.
“The goal isn't to name and shame, but to provide clear visibility," he said. "If CNAs and consumers don't know who's producing what quality of data, improvement is impossible. For consumers, it's a valuable resource to identify reliable data sources. Reactions from CNAs are likely varied: mature CNAs welcome validation, while smaller ones may cite resource constraints.”
The number of CNAs has expanded rapidly in recent years, with MITRE minting over 460 organizations. Many of them have little or no disclosure history, raising concerns about the CVE program's priorities.
“The CVE program's expansion has leaned towards quantity over quality," Gamblin said. "This aligns with Christopher Butera's two-step strategy he mentioned in our BSides Las Vegas Panel yesterday: first, broad publisher expansion, then a focus on data quality.
"However, the utility of incomplete data diminishes. Instead of making it harder to become a CNA, the focus should be on requiring a higher standard for CVE records themselves. Broad participation in the program is a good thing, but the value of each CVE is dependent on its data quality.”
Gamblin believes the future of the CVE program will require stronger standards and enforcement mechanisms to ensure fields like CVSS scores and patch links are consistently included.
“Absolutely, it's past time for this shift," he said. "The CVE program's volunteer origins kept publication requirements minimal, with only three fields still formally required. Stronger standards and enforcement for mandatory CVSS and patch links would yield enhanced actionability, improved automation, superior risk assessment, and increased trust.
"Achieving this requires clear mandates, automated validation tools, incentives and recognition, phased implementation, community advocacy, resource support for struggling CNAs, and consequences for non-compliance.”
The CNA Scorecard is available at cnascorecard.org, offering a leaderboard of CNA performance, full data downloads, and an overview of how each CNA is contributing to (or falling short on) data completeness.
Top-performing CNAs, all scoring 90.0%, include Digi, MongoDB, EEF, Okta, and Harborist. The most active CNAs by volume are Patchstack (3431 CVEs), VulDB (3280), and the Linux CNA (2730).
For organizations that rely on accurate vulnerability metadata to defend their systems, tools like the CNA Scorecard offer critical insight into which data sources can be trusted and where gaps remain.
The CNA Scorecard is powered by an open source system that combines a Python-based data pipeline with a static web front-end. Together, these components provide fully automated scoring of CVE records, updated every six hours via GitHub Actions.
The pipeline analyzes only the last six months of CVE data, so every score reflects recent CNA behavior rather than historical backlog. It pulls CVE records from the CVEProject/cvelistV5 repository, the official source for CVE records in JSON format. The resulting scores are committed back to the scorecard's own repository and deployed to the website automatically.
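To make concrete what "populating the key fields" means for a CVE JSON 5.x record, here is an added example scorer written for this page; it is not the CNA Scorecard's own code, and it does not reproduce the project's weighting or exact field rules. It walks the fields the article says the scorecard checks (CWE root cause, CVSS severity, CPE identifiers, and a reference tagged `patch`), adds a fifth "foundational" check for a description and an affected product as an assumed stand-in for the unnamed fifth category, applies a publication-date window like the pipeline's six-month cutoff, and averages per CNA. The two records are constructed samples, not real CVEs; the `exampleCNA` name is likewise made up.

```python
"""Simplified completeness scorer for CVE JSON 5.x records (added example)."""
from __future__ import annotations

from datetime import date
from typing import Any, Callable

# Constructed sample records, not real CVEs. COMPLETE fills every category;
# SPARSE follows the pattern the article attributes to many CNAs: CWE and CVSS
# present, but no CPE strings and no reference tagged "patch".
COMPLETE: dict[str, Any] = {
    "cveMetadata": {"cveId": "CVE-2025-0001", "assignerShortName": "exampleCNA",
                    "state": "PUBLISHED", "datePublished": "2025-07-15T10:00:00.000Z"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Stored XSS in the widget admin page."}],
        "affected": [{"vendor": "Example", "product": "Widget",
                      "versions": [{"version": "1.0", "lessThan": "1.2",
                                    "status": "affected", "versionType": "semver"}],
                      "cpes": ["cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*"]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79",
                                            "description": "CWE-79 Cross-site Scripting"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}],
        "references": [{"url": "https://example.invalid/advisory", "tags": ["vendor-advisory"]},
                       {"url": "https://example.invalid/commit/abc123", "tags": ["patch"]}],
    }},
}

SPARSE: dict[str, Any] = {
    "cveMetadata": {"cveId": "CVE-2025-0002", "assignerShortName": "exampleCNA",
                    "state": "PUBLISHED", "datePublished": "2025-01-20T09:30:00.000Z"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "Path traversal in the export endpoint."}],
        "affected": [{"vendor": "Example", "product": "Exporter",
                      "versions": [{"version": "2.0", "status": "affected"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22",
                                            "description": "CWE-22 Path Traversal"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
        "references": [{"url": "https://example.invalid/issues/42", "tags": ["issue-tracking"]}],
    }},
}


def _cna(record: dict) -> dict:
    """The CNA container holds the assigner-provided fields scored here."""
    return record.get("containers", {}).get("cna", {})


def has_foundational(record: dict) -> bool:
    """Assumed fifth category: a description plus one affected vendor/product/version."""
    cna = _cna(record)
    described = any(d.get("value") for d in cna.get("descriptions", []))
    product = any(a.get("vendor") and a.get("product") and a.get("versions")
                  for a in cna.get("affected", []))
    return described and product


def has_root_cause(record: dict) -> bool:
    """Root cause: any problemTypes[].descriptions[].cweId of the form CWE-n."""
    return any(str(d.get("cweId", "")).startswith("CWE-")
               for pt in _cna(record).get("problemTypes", [])
               for d in pt.get("descriptions", []))


def has_severity(record: dict) -> bool:
    """Severity: a CVSS object (v4.0, v3.1, v3.0 or v2.0) carrying a baseScore."""
    return any("baseScore" in m.get(key, {})
               for m in _cna(record).get("metrics", [])
               for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0"))


def has_cpe(record: dict) -> bool:
    """Software identification: at least one affected[].cpes[] entry in cpe:2.3 form."""
    return any(str(c).startswith("cpe:2.3:")
               for a in _cna(record).get("affected", []) for c in a.get("cpes", []))


def has_patch_reference(record: dict) -> bool:
    """Patch information: a reference tagged "patch" (the 5.x reference tag value)."""
    return any("patch" in r.get("tags", []) for r in _cna(record).get("references", []))


CHECKS: dict[str, Callable[[dict], bool]] = {
    "foundational": has_foundational,
    "root_cause": has_root_cause,
    "severity": has_severity,
    "software_identification": has_cpe,
    "patch": has_patch_reference,
}


def score_record(record: dict) -> dict[str, Any]:
    """Per-category 0/100 scores and an equal-weight average (weights are assumed)."""
    categories = {name: 100.0 if check(record) else 0.0 for name, check in CHECKS.items()}
    overall = round(sum(categories.values()) / len(categories), 1)
    return {"cve_id": record["cveMetadata"]["cveId"], "categories": categories, "overall": overall}


def in_window(record: dict, since: str) -> bool:
    """Keep only records published on or after `since` (YYYY-MM-DD), like the six-month cutoff."""
    published = record["cveMetadata"].get("datePublished", "")
    return bool(published) and date.fromisoformat(published[:10]) >= date.fromisoformat(since)


def score_by_cna(records: list[dict], since: str | None = None) -> dict[str, float]:
    """Average overall score per assignerShortName, optionally limited to a date window."""
    totals: dict[str, list[float]] = {}
    for record in records:
        if since and not in_window(record, since):
            continue
        cna = record["cveMetadata"]["assignerShortName"]
        totals.setdefault(cna, []).append(score_record(record)["overall"])
    return {cna: round(sum(scores) / len(scores), 1) for cna, scores in totals.items()}


if __name__ == "__main__":
    for sample in (COMPLETE, SPARSE):
        print(score_record(sample))
    print(score_by_cna([COMPLETE, SPARSE], since="2025-02-07"))
```

Pointed at a checkout of cvelistV5, the same checks can be run over every `CVE-*.json` under `cves/2025/` and grouped by `assignerShortName`; the interesting output is rarely the average but the per-category breakdown, which is where the CPE and patch gaps the article describes show up as columns of zeros.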
Bug reports, feature requests, and scoring suggestions are welcome via GitHub Issues. The project is licensed under MIT and all methodology details, schema references, and algorithms are documented for full transparency.