Measuring CVE Data Quality Across the Vulnerability Ecosystem
CNA Scorecard is an automated system that measures how completely CVE Numbering Authorities (CNAs) populate vulnerability records. By analyzing the most recent 6 months of CVE data, we provide transparent, data-driven insights that help:
- Security Teams → Understand which CNAs provide the most actionable vulnerability data
- CNAs → Identify areas for improvement in their disclosure practices
- Researchers → Track ecosystem-wide trends in vulnerability data quality
- Organizations → Make informed decisions about vulnerability prioritization
💡 Why 6 months? We focus on recent data to reflect current CNA practices, not historical baggage. This gives CNAs credit for improvements and provides users with relevant, actionable insights.
| Feature | Description |
|---|---|
| 🏆 CNA Rankings | Live leaderboard of 300+ CNAs ranked by data completeness |
| 📊 5-Category Scoring | Comprehensive scoring across foundational, root cause, severity, software ID, and patch info |
| 📈 Trend Analysis | Track how CNA performance evolves over time with rolling 7-day charts |
| 🔍 Individual Profiles | Deep-dive into any CNA's recent CVEs with per-record scoring |
| 📱 Mobile-First Design | Fully responsive interface optimized for all devices |
| 🏅 Embeddable Badges | SVG badges CNAs can display on their sites (auto-updated every 6h) |
| 📤 Data Export | Download rankings and CVE data in CSV or JSON format |
| ♿ Accessible | WCAG-compliant with skip links, ARIA labels, and keyboard navigation |
| ⚡ Always Fresh | Automated pipeline updates data every 6 hours via GitHub Actions |
Each CVE record is scored on a 100-point scale across five categories:
┌─────────────────────────────────────────────────────────────────┐
│ FOUNDATIONAL COMPLETENESS (50 pts) │
│ ├── Description quality and detail │
│ ├── Affected products clearly identified │
│ └── Reference URLs provided │
├─────────────────────────────────────────────────────────────────┤
│ ROOT CAUSE ANALYSIS (15 pts) │
│ └── CWE (Common Weakness Enumeration) identifier │
├─────────────────────────────────────────────────────────────────┤
│ SEVERITY & IMPACT (15 pts) │
│ └── CVSS score with vector string │
├─────────────────────────────────────────────────────────────────┤
│ SOFTWARE IDENTIFICATION (10 pts) │
│ └── CPE identifiers (supports CVE 5.1 cpeApplicability) │
├─────────────────────────────────────────────────────────────────┤
│ PATCH INFORMATION (10 pts) │
│ └── References tagged as patches/fixes │
└─────────────────────────────────────────────────────────────────┘
Grade Thresholds:
- 🥇 A+ (97-100%) - Exceptional data quality
- 🥈 A (90-96%) - Excellent completeness
- 🥉 B (80-89%) - Good, room for improvement
- C (70-79%) - Adequate but missing key fields
- D (60-69%) - Below expectations
- F (<60%) - Significant data gaps
📖 Full methodology details: cnascorecard.org/scoring.html
Visit cnascorecard.org to explore CNA rankings, trends, and individual profiles.
```bash
# Clone the repository
git clone https://github.com/RogoLabs/CNAScoreCard.git
cd CNAScoreCard

# Install Python dependencies
pip install -r requirements.txt

# Run the data pipeline (analyzes last 6 months of CVE data)
python cnascorecard_pipeline/pipeline.py

# Serve the web interface
cd web && python -m http.server 8000
# Open http://localhost:8000 in your browser
```

```bash
python cnascorecard_pipeline/pipeline.py \
  --start-date 2024-01-01 \
  --end-date 2024-06-30 \
  --output-dir ./custom-output
```

Display your CNA Scorecard rating on your website, README, or security advisories:
- Visit the Badge Generator
- Search for your CNA
- Copy the Markdown or HTML code
Markdown Example:
```markdown
[![CNA Scorecard](https://cnascorecard.org/badges/YourCNA-combined.svg)](https://cnascorecard.org/cna/cna-detail.html?shortName=YourCNA)
```

HTML Example:

```html
<a href="https://cnascorecard.org/cna/cna-detail.html?shortName=YourCNA">
  <img src="https://cnascorecard.org/badges/YourCNA-combined.svg" alt="CNA Scorecard">
</a>
```

Badges are color-coded by score and auto-update every 6 hours.
CNAScoreCard/
├── cnascorecard_pipeline/ # Python data pipeline
│ ├── pipeline.py # Main orchestrator
│ ├── ingest.py # CVE data loading & filtering
│ ├── scoring.py # 5-category scoring engine
│ ├── aggregation.py # CNA statistics & rankings
│ ├── completeness.py # Field utilization analysis
│ ├── trends.py # Historical trend calculations
│ └── config.py # Configuration & rules
│
├── web/ # Static web frontend
│ ├── index.html # Homepage dashboard
│ ├── cna/ # CNA leaderboard & profiles
│ ├── completeness/ # Field completeness analysis
│ ├── trends.html # Performance trend charts
│ ├── scoring.html # Methodology documentation
│ ├── badges.html # Badge generator
│ └── data/ # JSON data files (auto-generated)
│
├── cve_data/ # CVE source data (gitignored)
└── .github/workflows/ # GitHub Actions automation
CVEProject/cvelistV5 → Ingest → Score → Aggregate → JSON → Web Frontend
↑ ↓
└──────── GitHub Actions (every 6 hours) ──────┘
The pipeline generates structured JSON files in web/data/:
| File | Description |
|---|---|
| `cna_combined.json` | Complete CNA data with scores and metadata |
| `cna_summary.json` | Lightweight rankings for the leaderboard |
| `cna_list.json` | Official CNA registry information |
| `field_utilization.json` | CVE field usage statistics |
| `performance_trends.json` | Daily scoring trends |
| `top_improvers.json` | CNAs with biggest improvements |
| `completeness_summary.json` | Analysis period metadata |
| `cna/{shortName}.json` | Individual CNA detailed profiles |
📖 Full schema documentation: web/data/README.md
We welcome contributions from the cybersecurity community!
- 🐛 Report bugs via GitHub Issues
- 💡 Suggest features or improvements
- 📝 Improve documentation
- 🔧 Submit pull requests
```bash
# Fork and clone
git clone https://github.com/YOUR-USERNAME/CNAScoreCard.git
cd CNAScoreCard

# Create a virtual environment
python -m venv venv
source venv/bin/activate  # or `venv\Scripts\activate` on Windows

# Install dependencies
pip install -r requirements.txt

# Run tests
cd cnascorecard_pipeline
pytest

# Run the pipeline
python pipeline.py
```

- Python: Follow PEP 8, use type hints
- JavaScript: ES6+, no external frameworks
- CSS: Use CSS custom properties from `theme.css`
This project is licensed under the MIT License - see the LICENSE file for details.
- Inspired by the CVE CNA Enrichment Recognition Program
- Built on data from the CVE Program and CVEProject/cvelistV5
- Thanks to the global cybersecurity community for their commitment to better vulnerability disclosure
Made with ❤️ for the cybersecurity community