VAPTCoordinated vulnerability disclosure platformResearcher recognition, vendor coordination, and CVE support
LoginRequest CVE
CNA governance

VAPT CVE Numbering Authority (CNA) policy.

Effective Date: April 2026 | Document Version: 1.0

1. Introduction

VAPT is an authorized Coordinator CVE Numbering Authority (CNA) operating the Coordinated Vulnerability Disclosure (CVD) platform at vapt.com.

As a Coordinator CNA, our mission is to empower professional security firms and independent researchers by providing a structured, secure, and globally recognized pathway for vulnerability disclosure, while assisting vendors in mitigating risks before public release.

2. CNA assignment scope

Our CNA scope dictates the boundaries within which VAPT is authorized to assign CVE Identifiers (CVE IDs).

2.1 Primary regional scope (GCC)

Vulnerabilities in software, hardware, and Internet of Things (IoT/OT) products or services developed, manufactured, or headquartered within the GCC member states:

  • United Arab Emirates (UAE)
  • Kingdom of Saudi Arabia (KSA)
  • State of Kuwait
  • State of Qatar
  • Sultanate of Oman
  • Kingdom of Bahrain

Condition: This applies exclusively to vendors in these regions that do not maintain their own active CNA status.

2.2 Global coordination scope

Vulnerabilities in third-party products, services, and open-source projects discovered by professional security firms (for example during penetration testing or red teaming engagements) or reported by international independent researchers, provided that:

  • The vulnerability is reported directly through the VAPT.com platform for coordinated disclosure.
  • The affected vendor is not already an active CNA.

2.3 Out of scope (exclusions)

  • Existing Vendor CNAs: If the vulnerable product belongs to a vendor that is an active CNA (for example Microsoft, Apple, Oracle), the report must be routed directly to that vendor. VAPT enforces a strict right of first refusal policy.
  • Non-security issues: Bugs that do not pose a demonstrable security impact (for example UI glitches or theoretical physical attacks without bypassed controls).
  • Malware: General-purpose deliberately malicious code.
  • Out-of-scope platforms: Vulnerabilities that fall under the specific scope of another specialized coordinator CNA, unless coordinated jointly.
  • Industrial control systems (ICS) and SCADA-related vulnerabilities. These reports should be submitted through the CISA / CERT Coordination Center VINCE portal: https://kb.cert.org/vince/

3. Coordinated Vulnerability Disclosure (CVD) timeline

VAPT adheres to standard industry practices for coordinated vulnerability disclosure. When a vulnerability is reported to VAPT.com, the following timeline applies:

  • Day 0: Vulnerability is submitted via VAPT.com. VAPT triage begins.
  • Day 1-5 (Validation): VAPT validates the vulnerability. If valid, a CVE ID is reserved (not yet public).
  • Day 5-14 (Vendor notification): VAPT attempts to notify the affected vendor securely to initiate coordination.
  • Day 15-90 (Remediation window): The vendor is given up to 90 days to develop and test a patch or mitigation. VAPT acts as the coordination bridge between the researcher and the vendor.
  • Day 90+ (Public disclosure): Upon the vendor releasing a patch, or upon expiration of the 90-day window (if the vendor is unresponsive or refuses to patch), VAPT publicly discloses the vulnerability and publishes the CVE Record to the global CVE List.

Note: Timelines may be accelerated in the case of active in-the-wild exploitation, or extended upon mutual agreement if the vendor demonstrates active progress on a complex patch.

4. CNA shopping and duplicate assignments

  • Reporters and researchers must use best efforts to determine whether the affected product or service already falls within an existing CNA's scope before submitting to VAPT.
  • VAPT performs automated and manual CNA scope checks, but submitters remain responsible for making a good-faith scope determination before using the VAPT request workflow.
  • VAPT will reject requests if a CVE ID has already been assigned or is pending assignment by another authority for the same issue.

5. Dispute resolution

If a vendor or researcher disagrees with VAPT's vulnerability determination, CVE ID assignment, or the contents of a published CVE Record, we encourage reaching out to our coordination team to resolve the issue amicably.

If a resolution cannot be reached, parties may escalate through the official CVE Program Policy and Procedure for Disputing a CVE Record, mediated by our Root CNA.

For workflow complaints, researcher-vendor disagreements, or disputes about how VAPT handled a CVE-related matter, use our complaints process first: https://vapt.com/legals/complaints-policy

6. Public advisories and hacktivity

As part of our commitment to transparency and in compliance with CNA Operational Rules, all CVE Records published by VAPT are accompanied by a free, publicly accessible advisory.

7. Submit a vulnerability

To request a CVE ID or initiate a coordinated disclosure, submit your report via our secure portal:

Submission Portal: https://vapt.com/request-cve

8. Public points of contact

VAPT maintains a global presence to facilitate regional and international coordination. For administrative CNA inquiries, contact:

Email: [email protected]