Bouncy Castle Joins the CVE Program as a Numbering Authority (CNA)
2025-08-06
We are proud to share that Bouncy Castle has been authorized by the CVE Program as a CVE Numbering Authority (CNA).
This milestone marks a key step forward in our commitment to transparency, security, and supporting the users and organizations who rely on our cryptographic APIs.
What Is the CVE Program
The Common Vulnerabilities and Exposures (CVE™) Program is an international initiative that identifies and catalogs publicly disclosed cybersecurity vulnerabilities. A CVE Numbering Authority (CNA) is an organization authorized to assign CVE IDs and publish CVE Records for vulnerabilities in its own products or those within a defined scope.
By becoming a CNA, Bouncy Castle joins a trusted network of security-focused organizations, including vendors, open-source projects, and research groups, working together to standardize how vulnerabilities are disclosed and communicated.
What This Means for You
As a Bouncy Castle user, CNA status brings several key benefits:
- Faster notifications: We can assign and publish CVEs for our software directly, without delays or intermediaries.
- Greater transparency: You will have immediate access to trusted, authoritative information when a vulnerability is discovered.
- Improved supply chain security: CVEs we issue can be easily integrated into SBOMs, vulnerability scanners, and compliance reports.
- Encouraged responsible disclosure: Security researchers and contributors have a clear path to report issues and receive credit for their findings associated with the Bouncy Castle APIs.
We see this as part of our broader mission to support secure development and help teams build resilient systems with confidence. Thank you for continuing to trust Bouncy Castle and stay tuned for further updates as we continue to strengthen our security posture.
Related resources
