Measuring CVE Data Quality Across the Vulnerability Ecosystem
π Live Site β’ π Leaderboard β’ π Methodology β’ π Get Your Badge
CNA Scorecard is an automated system that measures how completely CVE Numbering Authorities (CNAs) populate vulnerability records. By analyzing the most recent 6 months of CVE data, we provide transparent, data-driven insights that help:
- Security Teams β Understand which CNAs provide the most actionable vulnerability data
- CNAs β Identify areas for improvement in their disclosure practices
- Researchers β Track ecosystem-wide trends in vulnerability data quality
- Organizations β Make informed decisions about vulnerability prioritization
π‘ Why 6 months? We focus on recent data to reflect current CNA practices, not historical baggage. This gives CNAs credit for improvements and provides users with relevant, actionable insights.
| Feature | Description |
|---|---|
| π CNA Rankings | Live leaderboard of 300+ CNAs ranked by data completeness |
| π 5-Category Scoring | Comprehensive scoring across foundational, root cause, severity, software ID, and patch info |
| π Trend Analysis | Track how CNA performance evolves over time with rolling 7-day charts |
| π Individual Profiles | Deep-dive into any CNA's recent CVEs with per-record scoring |
| π± Mobile-First Design | Fully responsive interface optimized for all devices |
| π Embeddable Badges | SVG badges CNAs can display on their sites (auto-updated every 6h) |
| π€ Data Export | Download rankings and CVE data in CSV or JSON format |
| βΏ Accessible | WCAG-compliant with skip links, ARIA labels, and keyboard navigation |
| β‘ Always Fresh | Automated pipeline updates data every 6 hours via GitHub Actions |
Each CVE record is scored on a 100-point scale across five categories:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β FOUNDATIONAL COMPLETENESS (50 pts) β
β βββ Description quality and detail β
β βββ Affected products clearly identified β
β βββ Reference URLs provided β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β ROOT CAUSE ANALYSIS (15 pts) β
β βββ CWE (Common Weakness Enumeration) identifier β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β SEVERITY & IMPACT (15 pts) β
β βββ CVSS score with vector string β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β SOFTWARE IDENTIFICATION (10 pts) β
β βββ CPE identifiers (supports CVE 5.1 cpeApplicability) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β PATCH INFORMATION (10 pts) β
β βββ References tagged as patches/fixes β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Grade Thresholds:
- π₯ A+ (97-100%) - Exceptional data quality
- π₯ A (90-96%) - Excellent completeness
- π₯ B (80-89%) - Good, room for improvement
- C (70-79%) - Adequate but missing key fields
- D (60-69%) - Below expectations
- F (<60%) - Significant data gaps
π Full methodology details: cnascorecard.org/scoring.html
Visit cnascorecard.org to explore CNA rankings, trends, and individual profiles.
# Clone the repository
git clone https://github.com/RogoLabs/CNAScoreCard.git
cd CNAScoreCard
# Install Python dependencies
pip install -r requirements.txt
# Run the data pipeline (analyzes last 6 months of CVE data)
python cnascorecard_pipeline/pipeline.py
# Serve the web interface
cd web && python -m http.server 8000
# Open http://localhost:8000 in your browserpython cnascorecard_pipeline/pipeline.py \
--start-date 2024-01-01 \
--end-date 2024-06-30 \
--output-dir ./custom-outputDisplay your CNA Scorecard rating on your website, README, or security advisories:
- Visit the Badge Generator
- Search for your CNA
- Copy the Markdown or HTML code
Markdown Example:
[](https://cnascorecard.org/cna/cna-detail.html?shortName=YourCNA)HTML Example:
<a href="https://cnascorecard.org/cna/cna-detail.html?shortName=YourCNA">
<img src="https://cnascorecard.org/badges/YourCNA-combined.svg" alt="CNA Scorecard">
</a>Badges are color-coded by score and auto-update every 6 hours.
CNAScoreCard/
βββ cnascorecard_pipeline/ # Python data pipeline
β βββ pipeline.py # Main orchestrator
β βββ ingest.py # CVE data loading & filtering
β βββ scoring.py # 5-category scoring engine
β βββ aggregation.py # CNA statistics & rankings
β βββ completeness.py # Field utilization analysis
β βββ trends.py # Historical trend calculations
β βββ config.py # Configuration & rules
β
βββ web/ # Static web frontend
β βββ index.html # Homepage dashboard
β βββ cna/ # CNA leaderboard & profiles
β βββ completeness/ # Field completeness analysis
β βββ trends.html # Performance trend charts
β βββ scoring.html # Methodology documentation
β βββ badges.html # Badge generator
β βββ data/ # JSON data files (auto-generated)
β
βββ cve_data/ # CVE source data (gitignored)
βββ .github/workflows/ # GitHub Actions automation
CVEProject/cvelistV5 β Ingest β Score β Aggregate β JSON β Web Frontend
β β
βββββββββ GitHub Actions (every 6 hours) βββββββ
The pipeline generates structured JSON files in web/data/:
| File | Description |
|---|---|
cna_combined.json |
Complete CNA data with scores and metadata |
cna_summary.json |
Lightweight rankings for the leaderboard |
cna_list.json |
Official CNA registry information |
field_utilization.json |
CVE field usage statistics |
performance_trends.json |
Daily scoring trends |
top_improvers.json |
CNAs with biggest improvements |
completeness_summary.json |
Analysis period metadata |
cna/{shortName}.json |
Individual CNA detailed profiles |
π Full schema documentation: web/data/README.md
We welcome contributions from the cybersecurity community!
- π Report bugs via GitHub Issues
- π‘ Suggest features or improvements
- π Improve documentation
- π§ Submit pull requests
# Fork and clone
git clone https://github.com/YOUR-USERNAME/CNAScoreCard.git
cd CNAScoreCard
# Create a virtual environment
python -m venv venv
source venv/bin/activate # or `venv\Scripts\activate` on Windows
# Install dependencies
pip install -r requirements.txt
# Run tests
cd cnascorecard_pipeline
pytest
# Run the pipeline
python pipeline.py- Python: Follow PEP 8, use type hints
- JavaScript: ES6+, no external frameworks
- CSS: Use CSS custom properties from
theme.css
This project is licensed under the MIT License - see the LICENSE file for details.
- Inspired by the CVE CNA Enrichment Recognition Program
- Built on data from the CVE Program and CVEProject/cvelistV5
- Thanks to the global cybersecurity community for their commitment to better vulnerability disclosure
Made with β€οΈ for the cybersecurity community